<title>Bug 1031530 and Bug 1139667 - Test mapping of XMLHttpRequest and fetch() to connect-src</title>
<!-- Including SimpleTest.js so we can use waitForExplicitFinish -->
6 <script src=
"/tests/SimpleTest/SimpleTest.js"></script>
7 <link rel=
"stylesheet" type=
"text/css" href=
"/tests/SimpleTest/test.css" />
11 <div id=
"content" style=
"visibility: hidden">
12 <iframe style=
"width:100%;" id=
"testframe"></iframe>
15 <script class=
"testbody" type=
"text/javascript">
 * Description of the test:
 * We load a page with a given CSP and verify that XMLHttpRequests and fetches are correctly
 * evaluated through the "connect-src" directive. All requests (XMLHttpRequest and fetch) are
 * served using http://mochi.test:8888, which allows the requests to succeed for the first
 * two policies and to fail for the last policy. Please note that we have to add
 * 'unsafe-inline' so we can run the JS test code in file_connect-src.html.
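SimpleTest.waitForExplicitFinish();

// Test matrix. Each entry loads `file` inside the iframe, served by
// file_testserver.sjs with `policy` attached as the page's CSP, and expects
// the XHR/fetch issued by that page to be reported as `result` by the
// examiner below ("allowed" = hit the wire, "blocked" = CSP violation).
// Expected results follow the description above: the requests go to
// http://mochi.test:8888, so they succeed for the first two policies of each
// file and are blocked by the third (connect-src http://www.example.com).
//
// NOTE: `default-src 'none'` and `script-src 'unsafe-inline'` are separate
// directives and must be separated by ';'. Without the separator the tokens
// "script-src" and "'unsafe-inline'" become part of default-src's source
// list, so 'unsafe-inline' ends up applying to every directive that falls
// back to default-src rather than only to scripts — not what this test
// describes. The separator is present in both first-policy entries here.
var tests = [
  {
    file: "file_connect-src.html",
    result: "allowed",
    policy:
      "default-src 'none'; script-src 'unsafe-inline'; connect-src http://mochi.test:8888",
  },
  {
    file: "file_connect-src.html",
    result: "allowed",
    policy: "default-src 'none'; script-src 'unsafe-inline'; connect-src *",
  },
  {
    file: "file_connect-src.html",
    result: "blocked",
    policy:
      "default-src 'none'; script-src 'unsafe-inline'; connect-src http://www.example.com",
  },
  {
    file: "file_connect-src-fetch.html",
    result: "allowed",
    policy:
      "default-src 'none'; script-src 'unsafe-inline'; connect-src http://mochi.test:8888",
  },
  {
    file: "file_connect-src-fetch.html",
    result: "allowed",
    policy: "default-src 'none'; script-src 'unsafe-inline'; connect-src *",
  },
  {
    file: "file_connect-src-fetch.html",
    result: "blocked",
    policy:
      "default-src 'none'; script-src 'unsafe-inline'; connect-src http://www.example.com",
  },
];

// Index of the test currently running. Initialized to -1 so that the first
// increment in loadNextTest() starts at index 0.
var counter = -1;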
/**
 * Records the outcome observed for the test case currently running.
 *
 * @param {string} aResult - "allowed" or "blocked", as reported by the
 *   examiner; compared against tests[counter].result via SimpleTest's is().
 */
function checkResult(aResult) {
  const expected = tests[counter].result;
  is(aResult, expected, `should be ${expected} in test ${counter}!`);
}
// We use the examiner to identify requests that hit the wire and requests
// that are blocked by CSP, and bubble the result up to checkResult().
// "specialpowers-http-notify-request" fires for requests that reach the
// network layer; "csp-on-violate-policy" fires for requests CSP blocked.
// Only the request carrying "file_testserver.sjs?foo" is of interest; every
// other notification is ignored so unrelated traffic cannot skew a result.
const EXAMINED_TOPICS = [
  "csp-on-violate-policy",
  "specialpowers-http-notify-request",
];
const REQUEST_MARKER = "file_testserver.sjs?foo";

function examiner() {
  for (const topic of EXAMINED_TOPICS) {
    SpecialPowers.addObserver(this, topic);
  }
}
examiner.prototype = {
  /**
   * nsIObserver callback.
   * @param {*} subject - for CSP violations, the blocked nsIURI
   * @param {string} topic - one of EXAMINED_TOPICS
   * @param {string} data - for network notifications, assumed to be the
   *   request's URL string (only used to filter out unrelated requests)
   */
  observe(subject, topic, data) {
    if (topic === "specialpowers-http-notify-request") {
      // making sure we do not bubble a result for something other
      // than the request in question.
      if (data.includes(REQUEST_MARKER)) {
        checkResult("allowed");
      }
      return;
    }
    if (topic === "csp-on-violate-policy") {
      // making sure we do not bubble a result for something other
      // than the request in question.
      const blockedSpec = SpecialPowers.getPrivilegedProps(
        SpecialPowers.do_QueryInterface(subject, "nsIURI"),
        "asciiSpec"
      );
      if (blockedSpec.includes(REQUEST_MARKER)) {
        checkResult("blocked");
      }
    }
  },
  // Detach from both topics; called once the last test has run.
  remove() {
    for (const topic of EXAMINED_TOPICS) {
      SpecialPowers.removeObserver(this, topic);
    }
  },
};
window.ConnectSrcExaminer = new examiner();
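/**
 * Advances to the next entry of `tests`: loads its file inside #testframe,
 * served by file_testserver.sjs with the entry's CSP attached, or tears down
 * the examiner and finishes the run once every entry has been consumed.
 *
 * Relies on the module-level `counter` (starts at -1) and `tests`.
 */
function loadNextTest() {
  counter += 1;
  if (counter === tests.length) {
    // all cases done: stop observing, then let SimpleTest finish
    window.ConnectSrcExaminer.remove();
    SimpleTest.finish();
    return;
  }

  // Both query parameters are consumed by file_testserver.sjs. escape() is
  // deprecated, but it is kept here because the server's decoding is not
  // visible from this file (encodeURIComponent would additionally encode
  // the '/' characters of the file path) — TODO confirm before switching.
  const file = escape("tests/dom/security/test/csp/" + tests[counter].file);
  const csp = escape(tests[counter].policy);
  const src = `file_testserver.sjs?file=${file}&csp=${csp}`;

  document.getElementById("testframe").src = src;
}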
124 // start running the tests