From 5f0d929d02b5fa42d1dda4721c945df59cc8ac32 Mon Sep 17 00:00:00 2001 From: Bob Owen Date: Tue, 30 Sep 2014 08:51:47 +0100 Subject: [PATCH] Bug 1054646 - Part 2: test loading of blob and data URLs in unique origin iframe sandbox. r=bz
---
.../test/file_iframe_sandbox_b_if3.html | 55 ++++++++++++++----- .../test/test_iframe_sandbox_same_origin.html | 4 +- 2 files changed, 43 insertions(+), 16 deletions(-)
diff --git a/content/html/content/test/file_iframe_sandbox_b_if3.html b/content/html/content/test/file_iframe_sandbox_b_if3.html
index a1e7a95217ca..350e2ac4726d 100644
--- a/content/html/content/test/file_iframe_sandbox_b_if3.html
+++ b/content/html/content/test/file_iframe_sandbox_b_if3.html
@@ -11,23 +11,50 @@ } function testXHR() { - var xhr = new XMLHttpRequest(); - - xhr.open("GET", "file_iframe_sandbox_b_if1.html"); - - xhr.onreadystatechange = function (oEvent) { - var result = false; - if (xhr.readyState == 4) { - if (xhr.status == 0) { - result = true; + // Standard URL should be blocked as we have a unique origin. + var xhr = new XMLHttpRequest(); + xhr.open("GET", "file_iframe_sandbox_b_if1.html"); + xhr.onreadystatechange = function (oEvent) { + var result = false; + if (xhr.readyState == 4) { + if (xhr.status == 0) { + result = true; + } + ok(result, "XHR should be blocked in an iframe sandboxed WITHOUT 'allow-same-origin'"); } - ok(result, "XHR should be blocked in an iframe sandboxed WITHOUT 'allow-same-origin'"); + } + xhr.send(null); + + // Blob URL should work as it will have our unique origin. + var blobXhr = new XMLHttpRequest(); + var blobUrl = URL.createObjectURL(new Blob(["wibble"], {type: "text/plain"})); + blobXhr.open("GET", blobUrl); + blobXhr.onreadystatechange = function () { + if (this.readyState == 4) { + ok(this.status == 200 && this.response == "wibble", "XHR for a blob URL created in this document should NOT be blocked in an iframe sandboxed WITHOUT 'allow-same-origin'"); + } + } + try { + blobXhr.send(); + } catch(e) { + ok(false, "failed to send XHR for blob URL: error: " + e); + } + + // Data URL should work as it inherits the loader's origin. 
+ var dataXhr = new XMLHttpRequest(); + dataXhr.open("GET", "data:text/html,wibble"); + dataXhr.onreadystatechange = function () { + if (this.readyState == 4) { + ok(this.status == 200 && this.response == "wibble", "XHR for a data URL should NOT be blocked in an iframe sandboxed WITHOUT 'allow-same-origin'"); + } + } + try { + dataXhr.send(); + } catch(e) { + ok(false, "failed to send XHR for data URL: error: " + e); } } - xhr.send(null); -} - function doStuff() { try { window.parent.ok(false, "documents sandboxed without 'allow-same-origin' should NOT be able to access their parent"); @@ -56,7 +83,7 @@ ok(true, "a document sandboxed without allow-same-origin should NOT be able to access sessionStorage"); } - testXHR(); + testXHR(); } diff --git a/content/html/content/test/test_iframe_sandbox_same_origin.html b/content/html/content/test/test_iframe_sandbox_same_origin.html index d752601f6c66..b924b9f20853 100644 --- a/content/html/content/test/test_iframe_sandbox_same_origin.html +++ b/content/html/content/test/test_iframe_sandbox_same_origin.html @@ -28,8 +28,8 @@ function ok_wrapper(result, desc) { passedTests++; } - if (completedTests == 12) { - is(passedTests, 12, "There are 12 same-origin tests that should pass"); + if (completedTests == 14) { + is(passedTests, completedTests, "There are " + completedTests + " same-origin tests that should pass"); SimpleTest.finish(); }
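Review bot: The new blob check in testXHR() only covers a blob URL that the sandboxed document created itself, so it confirms the allowed path but not the isolation boundary: nothing visible here asserts that a blob URL created by the parent document is still refused inside the unique-origin frame. That negative case may be covered elsewhere in the suite, which this hunk does not show; if it is not, it is the check that would catch a regression that loosens the origin comparison. At minimum I would record the limit next to the test, e.g. `// Only covers a blob URL created inside this sandbox; a blob URL created by the parent must still be blocked.` The blob URL is also never released; `URL.revokeObjectURL(blobUrl);` inside the `readyState == 4` branch would tidy that up.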
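Review bot: The literal `14` in ok_wrapper() is still the only link between this harness and the number of ok() calls made in the sandboxed frames, and the `==` comparison means a report arriving after the 14th is processed after SimpleTest.finish() instead of being flagged. With the try/catch paths added around send() in file_iframe_sandbox_b_if3.html, a request that throws and also reaches readyState 4 (if that can happen) would push the count past 14 unnoticed. I would document the number above the check, e.g. `// Must match the total number of ok() calls made by the sandboxed frames; update when adding checks there.` ok_wrapper()'s body starts above this hunk.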