Bug 910139 - Tests for new nsIContentPolicy TYPE_XSLT via CSP. r=grobinson
This commit is contained in:
parent
9c4e72b4ed
commit
2c8afac51c
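--- a/content/base/test/csp/file_CSP_bug910139.sjs
+++ b/content/base/test/csp/file_CSP_bug910139.sjs
@@ -0,0 +1,52 @@
+// Server side js file for bug 910139, see file test_CSP_bug910139.html for details.
+
+Components.utils.import("resource://gre/modules/NetUtil.jsm");
+
+function loadResponseFromFile(path) {
+var testHTMLFile =
+Components.classes["@mozilla.org/file/directory_service;1"].
+getService(Components.interfaces.nsIProperties).
+get("CurWorkD", Components.interfaces.nsILocalFile);
+var dirs = path.split("/");
+for (var i = 0; i < dirs.length; i++) {
+testHTMLFile.append(dirs[i]);
+}
+var testHTMLFileStream =
+Components.classes["@mozilla.org/network/file-input-stream;1"].
+createInstance(Components.interfaces.nsIFileInputStream);
+testHTMLFileStream.init(testHTMLFile, -1, 0, 0);
+var testHTML = NetUtil.readInputStreamToString(testHTMLFileStream, testHTMLFileStream.available());
+return testHTML;
+}
+
+var policies = [
+"default-src 'self'; script-src 'self'", // CSP for checkAllowed
+"default-src 'self'; script-src *.example.com" // CSP for checkBlocked
+]
+
+function getPolicy() {
+var index;
+// setState only accepts strings as arguments
+if (!getState("counter")) {
+index = 0;
+setState("counter", index.toString());
+}
+else {
+index = parseInt(getState("counter"));
+++index;
+setState("counter", index.toString());
+}
+return policies[index];
+}
+
+function handleRequest(request, response)
+{
+// avoid confusing cache behaviors
+response.setHeader("Cache-Control", "no-cache", false);
+
+// set the required CSP
+response.setHeader("Content-Security-Policy", getPolicy(), false);
+
+// return the requested XML file.
+response.write(loadResponseFromFile("tests/content/base/test/csp/file_CSP_bug910139.xml"));
+}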
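Review bot: `getPolicy` walks off the end of `policies` on the third request: the counter kept via `setState` persists for the lifetime of the test server, so once both iframes have been served `index` becomes 2 and `policies[2]` is `undefined`, which is then handed to `setHeader`; a re-run of the test or any extra fetch of the .sjs gets a missing or malformed CSP rather than the intended one. Consider bounding the index, `return policies[index % policies.length];`, or letting the test page pick the policy explicitly through a query parameter instead of relying on request order. `parseInt(getState("counter"))` should pass a radix, `parseInt(getState("counter"), 10)`. The response also never sets `Content-Type`; if the harness default is not an XML type the `<?xml-stylesheet?>` instruction in the served document would not run, so `response.setHeader("Content-Type", "text/xml", false);` before `response.write` would make the intent explicit — the default may already be sufficient, but that is not visible here.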
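--- a/content/base/test/csp/file_CSP_bug910139.xml
+++ b/content/base/test/csp/file_CSP_bug910139.xml
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<?xml-stylesheet type="text/xsl" href="file_CSP_bug910139.xsl"?>
+<catalog>
+<cd>
+<title>Empire Burlesque</title>
+<artist>Bob Dylan</artist>
+<country>USA</country>
+<company>Columbia</company>
+<price>10.90</price>
+<year>1985</year>
+</cd>
+<cd>
+<title>Hide your heart</title>
+<artist>Bonnie Tyler</artist>
+<country>UK</country>
+<company>CBS Records</company>
+<price>9.90</price>
+<year>1988</year>
+</cd>
+<cd>
+<title>Greatest Hits</title>
+<artist>Dolly Parton</artist>
+<country>USA</country>
+<company>RCA</company>
+<price>9.90</price>
+<year>1982</year>
+</cd>
+</catalog>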
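--- a/content/base/test/csp/file_CSP_bug910139.xsl
+++ b/content/base/test/csp/file_CSP_bug910139.xsl
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!-- Edited by XMLSpy® -->
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+<xsl:template match="/">
+<html>
+<body>
+<h2 id="xsltheader">this xml file should be formatted using an xsl file(lower iframe should contain xml dump)!</h2>
+<table border="1">
+<tr bgcolor="#990099">
+<th>Title</th>
+<th>Artist</th>
+<th>Price</th>
+</tr>
+<xsl:for-each select="catalog/cd">
+<tr>
+<td><xsl:value-of select="title"/></td>
+<td><xsl:value-of select="artist"/></td>
+<td><xsl:value-of select="price"/></td>
+</tr>
+</xsl:for-each>
+</table>
+</body>
+</html>
+</xsl:template>
+</xsl:stylesheet>
+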
@ -75,6 +75,9 @@ support-files =
|
||||
file_csp_redirects_main.html
|
||||
file_csp_redirects_page.sjs
|
||||
file_csp_redirects_resource.sjs
|
||||
file_CSP_bug910139.sjs
|
||||
file_CSP_bug910139.xml
|
||||
file_CSP_bug910139.xsl
|
||||
|
||||
[test_CSP.html]
|
||||
[test_CSP_bug663567.html]
|
||||
@ -90,3 +93,4 @@ support-files =
|
||||
[test_bothCSPheaders.html]
|
||||
[test_bug836922_npolicies.html]
|
||||
[test_csp_redirects.html]
|
||||
[test_CSP_bug910139.html]
|
||||
|
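--- a/content/base/test/csp/test_CSP_bug910139.html
+++ b/content/base/test/csp/test_CSP_bug910139.html
@@ -0,0 +1,71 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+<title>CSP should block XSLT as script, not as style</title>
+<!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
+<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<p id="display"></p>
+<div id="content" style="display: none"></div>
+<iframe style="width:100%;" id='xsltframe'></iframe>
+<iframe style="width:100%;" id='xsltframe2'></iframe>
+
+<script class="testbody" type="text/javascript">
+
+SimpleTest.waitForExplicitFinish();
+
+// define the expected output of this test
+var header = "this xml file should be formatted using an xsl file(lower iframe should contain xml dump)!";
+
+function checkAllowed () {
+/* The policy for this test is:
+* Content-Security-Policy: default-src 'self'; script-src 'self'
+*
+* we load the xsl file using:
+* <?xml-stylesheet type="text/xsl" href="file_CSP_bug910139.xsl"?>
+*/
+try {
+var cspframe = document.getElementById('xsltframe');
+var xsltAllowedHeader = cspframe.contentWindow.document.getElementById('xsltheader').innerHTML;
+is(xsltAllowedHeader, header, "XSLT loaded from 'self' should be allowed!");
+}
+catch (e) {
+ok(false, "Error: could not access content in xsltframe!")
+}
+
+// continue with the next test
+document.getElementById('xsltframe2').addEventListener('load', checkBlocked, false);
+document.getElementById('xsltframe2').src = 'file_CSP_bug910139.sjs';
+}
+
+function checkBlocked () {
+/* The policy for this test is:
+* Content-Security-Policy: default-src 'self'; script-src *.example.com
+*
+* we load the xsl file using:
+* <?xml-stylesheet type="text/xsl" href="file_CSP_bug910139.xsl"?>
+*/
+try {
+var cspframe = document.getElementById('xsltframe2');
+var xsltBlockedHeader = cspframe.contentWindow.document.getElementById('xsltheader');
+is(xsltBlockedHeader, null, "XSLT loaded from different host should be blocked!");
+}
+catch (e) {
+ok(false, "Error: could not access content in xsltframe2!")
+}
+SimpleTest.finish();
+}
+
+SpecialPowers.pushPrefEnv(
+{'set':[["security.csp.speccompliant", true]]},
+function () {
+document.getElementById('xsltframe').addEventListener('load', checkAllowed, false);
+document.getElementById('xsltframe').src = 'file_CSP_bug910139.sjs';
+}
+);
+
+</script>
+</body>
+</html>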
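Review bot: `checkBlocked` only asserts that `#xsltheader` is absent, which is equally true when the second iframe loaded nothing usable at all (a server error, a wrong CSP from the .sjs request counter, or a transform failure), so a broken negative case passes silently. A positive check that the untransformed XML actually arrived would make the assertion meaningful, e.g. `is(cspframe.contentWindow.document.documentElement.localName, "catalog", "raw XML should be shown when XSLT is blocked");` next to the existing `is(xsltBlockedHeader, null, ...)`. In `checkAllowed`, reading the heading through `innerHTML` compares serialized markup; `textContent` compares the rendered text directly and is less fragile. Since the order of the two iframe loads is what selects the policy on the server side, a comment on the `xsltframe2` load in `checkAllowed` stating that the second request deliberately receives the second policy would help the next reader.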