dom/security/test/csp/test_docwrite_meta.html

   1 <!DOCTYPE HTML>
   2 <html>
   3 <head>
   4   <meta charset="utf-8">
   5   <title>Bug 663570 - Implement Content Security Policy via meta tag</title>
   6   <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
   7   <script src="/tests/SimpleTest/SimpleTest.js"></script>
   8   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
   9 </head>
  10 <body>
  11 <p id="display"></p>
  12 <iframe style="width:100%;" id="writemetacspframe"></iframe>
  13 <iframe style="width:100%;" id="commentmetacspframe"></iframe>
  14
  15
  16 <script class="testbody" type="text/javascript">
  17 /* Description of the test:
  18  * We load two frames, where the first frame does doc.write(meta csp) and
  19  * the second does doc.write(comment out meta csp).
  20  * We make sure to reuse/invalidate preloads depending on the policy.
  21  */
  22
  23 SimpleTest.waitForExplicitFinish();
  24
  25 var writemetacspframe = document.getElementById("writemetacspframe");
  26 var commentmetacspframe = document.getElementById("commentmetacspframe");
  27 var seenResults = 0;
  28
  29 function checkTestsDone() {
  30   seenResults++;
  31   if (seenResults < 2) {
  32     return;
  33   }
  34   SimpleTest.finish();
  35 }
  36
  37 // document.write(<meta csp ...>) should block resources from being included in the doc
  38 function checkResultsBlocked() {
  39   writemetacspframe.removeEventListener('load', checkResultsBlocked);
  40
  41   // stylesheet: default background color within FF is transparent
  42   var bgcolor = window.getComputedStyle(writemetacspframe.contentDocument.body)
  43                       .getPropertyValue("background-color");
  44   is(bgcolor, "rgba(0, 0, 0, 0)", "inital background value in FF should be 'transparent'");
  45
  46   // image: make sure image is blocked
  47   var img = writemetacspframe.contentDocument.getElementById("testimage");
  48   is(img.naturalWidth, 0, "image width should be 0");
  49   is(img.naturalHeight, 0, "image height should be 0");
  50
  51   // script: make sure defined variable in external script is undefined
  52   is(writemetacspframe.contentDocument.myMetaCSPScript, undefined, "myMetaCSPScript should be 'undefined'");
  53
  54   checkTestsDone();
  55 }
  56
  57 // document.write(<--) to comment out meta csp should allow resources to be loaded
  58 // after the preload failed
  59 function checkResultsAllowed() {
  60   commentmetacspframe.removeEventListener('load', checkResultsAllowed);
  61
  62   // stylesheet: should be applied; bgcolor should be red
  63   var bgcolor = window.getComputedStyle(commentmetacspframe.contentDocument.body).getPropertyValue("background-color");
  64   is(bgcolor, "rgb(255, 0, 0)", "background should be red/rgb(255, 0, 0)");
  65
  66   // image: should be completed
  67   var img = commentmetacspframe.contentDocument.getElementById("testimage");
  68   ok(img.complete, "image should not be loaded");
  69
  70   // script: defined variable in external script should be accessible
  71   is(commentmetacspframe.contentDocument.myMetaCSPScript, "external-JS-loaded", "myMetaCSPScript should be 'external-JS-loaded'");
  72
  73   checkTestsDone();
  74 }
  75
  76 // doc.write(meta csp) should should allow preloads but should block actual loads
  77 writemetacspframe.src = 'file_docwrite_meta.html';
  78 writemetacspframe.addEventListener('load', checkResultsBlocked);
  79
  80 // commenting out a meta CSP should result in loaded image, script, style
  81 commentmetacspframe.src = 'file_doccomment_meta.html';
  82 commentmetacspframe.addEventListener('load', checkResultsAllowed);
  83
  84 </script>
  85 </body>
  86 </html>