5 <title>Bug
663570 - Implement Content Security Policy via meta tag
</title>
6 <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
7 <script src=
"/tests/SimpleTest/SimpleTest.js"></script>
8 <link rel=
"stylesheet" type=
"text/css" href=
"/tests/SimpleTest/test.css" />
12 <iframe style=
"width:100%;" id=
"writemetacspframe"></iframe>
13 <iframe style=
"width:100%;" id=
"commentmetacspframe"></iframe>
16 <script class=
"testbody" type=
"text/javascript">
17 /* Description of the test:
18 * We load two frames, where the first frame does doc.write(meta csp) and
19 * the second does doc.write(comment out meta csp).
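20 * We make sure preloads are reused or invalidated depending on the policy, so that a resource preloaded before the meta CSP applies is not used when that policy blocks it.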
23 SimpleTest.waitForExplicitFinish();
25 var writemetacspframe = document.getElementById(
"writemetacspframe");
26 var commentmetacspframe = document.getElementById(
"commentmetacspframe");
29 function checkTestsDone() {
31 if (seenResults <
2) {
37 // document.write(<meta csp ...>) should block resources from being included in the doc
38 function checkResultsBlocked() {
39 writemetacspframe.removeEventListener('load', checkResultsBlocked);
41 // stylesheet: default background color within FF is transparent
42 var bgcolor = window.getComputedStyle(writemetacspframe.contentDocument.body)
43 .getPropertyValue(
"background-color");
44 is(bgcolor,
"rgba(0, 0, 0, 0)",
"inital background value in FF should be 'transparent'");
46 // image: make sure image is blocked
47 var img = writemetacspframe.contentDocument.getElementById(
"testimage");
48 is(img.naturalWidth,
0,
"image width should be 0");
49 is(img.naturalHeight,
0,
"image height should be 0");
51 // script: make sure defined variable in external script is undefined
52 is(writemetacspframe.contentDocument.myMetaCSPScript, undefined,
"myMetaCSPScript should be 'undefined'");
57 // document.write(<--) to comment out meta csp should allow resources to be loaded
58 // after the preload failed
59 function checkResultsAllowed() {
60 commentmetacspframe.removeEventListener('load', checkResultsAllowed);
62 // stylesheet: should be applied; bgcolor should be red
63 var bgcolor = window.getComputedStyle(commentmetacspframe.contentDocument.body).getPropertyValue(
"background-color");
64 is(bgcolor,
"rgb(255, 0, 0)",
"background should be red/rgb(255, 0, 0)");
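66 // image: should be completed
// NOTE(review): img.complete is also true for an image whose load failed, so this check alone does not show the image was allowed; asserting naturalWidth > 0 would. The message string on the assertion below reads "should not be loaded", which is the opposite of what is being checked.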
67 var img = commentmetacspframe.contentDocument.getElementById(
"testimage");
68 ok(img.complete,
"image should not be loaded");
70 // script: defined variable in external script should be accessible
71 is(commentmetacspframe.contentDocument.myMetaCSPScript,
"external-JS-loaded",
"myMetaCSPScript should be 'external-JS-loaded'");
76 // doc.write(meta csp) should allow preloads but should block actual loads
77 writemetacspframe.src = 'file_docwrite_meta.html';
78 writemetacspframe.addEventListener('load', checkResultsBlocked);
80 // commenting out a meta CSP should result in loaded image, script, style
81 commentmetacspframe.src = 'file_doccomment_meta.html';
82 commentmetacspframe.addEventListener('load', checkResultsAllowed);