From 5ba20a64235342c34a5f89b5a16b7f524a955b4a Mon Sep 17 00:00:00 2001
From: Garrett Robinson <grobinson@mozilla.com>
Date: Fri, 11 Oct 2013 17:01:37 -0700
Subject: [PATCH] Bug 925186 - Update test_bothCSPHeaders.html to catch the
 case where an invalid prefixed header fails closed. r=sstamm

---
 .../base/test/csp/file_bothCSPheaders.html    |  3 +-
 .../csp/file_bothCSPheaders.html^headers^     |  2 +-
 .../base/test/csp/test_bothCSPheaders.html    | 49 ++++++++++---------
 3 files changed, 30 insertions(+), 24 deletions(-)

diff --git a/content/base/test/csp/file_bothCSPheaders.html b/content/base/test/csp/file_bothCSPheaders.html
index 2208e749bd8e..9949c6e27985 100644
--- a/content/base/test/csp/file_bothCSPheaders.html
+++ b/content/base/test/csp/file_bothCSPheaders.html
@@ -1,5 +1,6 @@
 <html>
 <body>
-<img src="http://example.org/nonexistent.jpg"></img>
+<img src="http://example.org/prefixed.jpg"></img>
+<img src="/unprefixed.jpg"></img>
 </body>
 </html>
diff --git a/content/base/test/csp/file_bothCSPheaders.html^headers^ b/content/base/test/csp/file_bothCSPheaders.html^headers^
index d4c95f5dbb72..945256cba454 100644
--- a/content/base/test/csp/file_bothCSPheaders.html^headers^
+++ b/content/base/test/csp/file_bothCSPheaders.html^headers^
@@ -1,2 +1,2 @@
-X-Content-Security-Policy: default-src 'self' ; img-src 'self' http://example.org
+X-Content-Security-Policy: default-src 'none' ; img-src http://example.org
 Content-Security-Policy: default-src 'self'
diff --git a/content/base/test/csp/test_bothCSPheaders.html b/content/base/test/csp/test_bothCSPheaders.html
index b3461d95d542..d4ee23f6090b 100644
--- a/content/base/test/csp/test_bothCSPheaders.html
+++ b/content/base/test/csp/test_bothCSPheaders.html
@@ -2,6 +2,8 @@
 <html>
 <head>
   <title>Test for Correctly Handling Both Pre-1.0 and 1.0 Content Security Policy Headers</title>
+  <!-- When both headers are present, we should ignore the pre-1.0 header and
+       only recognize the 1.0 spec-compliant header. -->
   <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
 </head>
@@ -13,9 +15,12 @@
 <iframe style="width:200px;height:200px;" id='cspframe'></iframe>
 <script class="testbody" type="text/javascript">
 
-var loadedImgURL = "http://example.org/nonexistent.jpg";
+var prefixedHeaderImgURL = "http://example.org/prefixed.jpg";
+var unprefixedHeaderImgURL = "http://mochi.test:8888/unprefixed.jpg";
+var testsRun = 0;
+var totalTests = 2;
 
-// This is used to watch the blocked data bounce off CSP and allowed data 
+// This is used to watch the blocked data bounce off CSP and allowed data
 // get sent out to the wire.
 function examiner() {
   SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
@@ -28,25 +33,21 @@ examiner.prototype  = {
       return;
 
     if (topic === "http-on-modify-request") {
-      // the load was allowed, this is a fail, the Content-Security Policy
-      // should not allow the load
       var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIHttpChannel"), "URI.asciiSpec");
-      if (asciiSpec != loadedImgURL) return;
-
-      ok(false, "the Content-Security Policy header does not allow the load, the X-Content-Security header should be ignored");
-      window.examiner.remove();
-      SimpleTest.finish();
+      if (asciiSpec == prefixedHeaderImgURL || asciiSpec == unprefixedHeaderImgURL) {
+        is(asciiSpec, unprefixedHeaderImgURL, "Load was allowed - should be allowed by unprefixed header (blocked by prefixed)");
+        testRan();
+      }
     }
 
     if (topic === "csp-on-violate-policy") {
       // the load was blocked, this is a pass, the Content-Security-Policy
       // header doesn't allow the load, but the X-Content-Security-Header does
       var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
-      if (asciiSpec != loadedImgURL) return;
-
-      ok(true, "Load was blocked - the Content-Security-Policy header doesn't allow the load, the X-Content-Security-Header does but should have been ignored");
-      window.examiner.remove();
-      SimpleTest.finish();
+      if (asciiSpec == prefixedHeaderImgURL || asciiSpec == unprefixedHeaderImgURL) {
+        is(asciiSpec, prefixedHeaderImgURL, "Load was blocked - the Content-Security-Policy header doesn't allow the load, the X-Content-Security-Header does but should have been ignored");
+        testRan();
+      }
     }
   },
 
@@ -59,17 +60,21 @@ examiner.prototype  = {
 }
 
 window.examiner = new examiner();
-
 SimpleTest.waitForExplicitFinish();
 
-// save this for last so that our listeners are registered.
-// ... this loads the testbed of good and bad requests.
+function testRan() {
+  testsRun++;
+  if (testsRun == totalTests) {
+    window.examiner.remove();
+    SimpleTest.finish();
+  }
+}
+
 SpecialPowers.pushPrefEnv(
-{'set':[["security.csp.speccompliant", true]]},
-  function() {
-    // save this for last so that our listeners are registered.
-    // ... this loads the testbed of good and bad requests.
-    document.getElementById('cspframe').src = 'file_bothCSPheaders.html';
+  {'set':[["security.csp.speccompliant", true]]},
+  function loadTestRequests() {
+    var cspframe = document.getElementById('cspframe');
+    cspframe.src = 'file_bothCSPheaders.html';
   }
 );
 </script>