Bug 1585055 - Flip Pref for XTCO-NoSniff and update test to match r=ckerschb
Differential Revision: https://phabricator.services.mozilla.com/D47635 --HG-- extra : moz-landing-system : lando
parent
d6b35f20ab
commit
cb72b07f82
@ -26,6 +26,7 @@ support-files =
|
||||
file_same_site_cookies_about.sjs
|
||||
file_cache_splitting_server.sjs
|
||||
file_cache_splitting_window.html
|
||||
window_nosniff_navigation.html
|
||||
|
||||
|
||||
[test_contentpolicytype_targeted_link_iframe.html]
|
||||
|
@ -1,92 +1,41 @@
|
||||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<title>Bug 1428473 Support X-Content-Type-Options: nosniff when navigating</title>
|
||||
<!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
|
||||
<script src="/tests/SimpleTest/SimpleTest.js"></script>
|
||||
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
|
||||
<style>
|
||||
iframe{
|
||||
border: 1px solid orange;
|
||||
}
|
||||
</style>
|
||||
|
||||
<iframe class="no-mime" src="file_nosniff_navigation.sjs?xml"> </iframe>
|
||||
<iframe class="no-mime" src="file_nosniff_navigation.sjs?html"></iframe>
|
||||
<iframe class="no-mime" src="file_nosniff_navigation.sjs?css" ></iframe>
|
||||
<iframe class="no-mime" src="file_nosniff_navigation.sjs?json"></iframe>
|
||||
<iframe class="no-mime" src="file_nosniff_navigation.sjs?img"></iframe>
|
||||
<iframe class="no-mime" src="file_nosniff_navigation.sjs"></iframe>
|
||||
|
||||
<hr>
|
||||
<iframe class="mismatch-mime" src="file_nosniff_navigation_mismatch.sjs?html"></iframe>
|
||||
<iframe class="mismatch-mime" src="file_nosniff_navigation_mismatch.sjs?xml"></iframe>
|
||||
<iframe class="mismatch-mime" src="file_nosniff_navigation_mismatch.sjs?css"></iframe>
|
||||
<iframe class="mismatch-mime" src="file_nosniff_navigation_mismatch.sjs?json"></iframe>
|
||||
<iframe class="mismatch-mime" src="file_nosniff_navigation_mismatch.sjs?img"></iframe>
|
||||
<iframe class="mismatch-mime" src="file_nosniff_navigation_mismatch.sjs"></iframe>
|
||||
<hr>
|
||||
|
||||
<iframe class="garbage-mime" src="file_nosniff_navigation_garbage.sjs?xml"> </iframe>
|
||||
<iframe class="garbage-mime" src="file_nosniff_navigation_garbage.sjs?html"></iframe>
|
||||
<iframe class="garbage-mime" src="file_nosniff_navigation_garbage.sjs?css" ></iframe>
|
||||
<iframe class="garbage-mime" src="file_nosniff_navigation_garbage.sjs?json"></iframe>
|
||||
<iframe class="garbage-mime" src="file_nosniff_navigation_garbage.sjs?img"></iframe>
|
||||
<iframe class="garbage-mime" src="file_nosniff_navigation_garbage.sjs"></iframe>
|
||||
|
||||
|
||||
</head>
|
||||
|
||||
<body>
|
||||
|
||||
<!-- add the two script tests -->
|
||||
<script id="scriptCorrectType"></script>
|
||||
<script id="scriptWrongType"></script>
|
||||
<!-- add the two script tests -->
|
||||
<script id="scriptCorrectType"></script>
|
||||
<script id="scriptWrongType"></script>
|
||||
|
||||
<script class="testbody" type="text/javascript">
|
||||
/* Description of the test:
|
||||
* We're testing if Firefox respects the nosniff Header for Top-Level
|
||||
* Navigations.
|
||||
* If Firefox cant Display the Page, it will prompt a download
|
||||
* and the URL of the Page will be about:blank.
|
||||
* So we will try to open different content send with
|
||||
* no-mime, mismatched-mime and garbage-mime types.
|
||||
*
|
||||
*/
|
||||
<script class="testbody" type="text/javascript">
|
||||
/* Description of the test:
|
||||
* We're testing if Firefox respects the nosniff Header for Top-Level
|
||||
* Navigations.
|
||||
* If Firefox cant Display the Page, it will prompt a download
|
||||
* and the URL of the Page will be about:blank.
|
||||
* So we will try to open different content send with
|
||||
* no-mime, mismatched-mime and garbage-mime types.
|
||||
*
|
||||
*/
|
||||
|
||||
SimpleTest.waitForExplicitFinish();
|
||||
SimpleTest.waitForExplicitFinish();
|
||||
|
||||
window.addEventListener("load", ()=>{
|
||||
let noMimeFrames = Array.from(document.querySelectorAll(".no-mime"));
|
||||
|
||||
noMimeFrames.forEach( frame => {
|
||||
// In case of no Provided Content Type, not rendering or assuming text/plain is valid
|
||||
let result = frame.contentWindow.document.URL == "about:blank" || frame.contentWindow.document.contentType == "text/plain";
|
||||
let sniffTarget = (new URL(frame.src)).search;
|
||||
ok(result, `${sniffTarget} without MIME - was not Sniffed`);
|
||||
});
|
||||
|
||||
let mismatchedMimes = Array.from(document.querySelectorAll(".mismatch-mime"));
|
||||
mismatchedMimes.forEach(frame => {
|
||||
// In case the Server mismatches the Mime Type (sends content X as image/png)
|
||||
// assert that we do not sniff and correct this.
|
||||
let result = frame.contentWindow.document.contentType == "image/png";
|
||||
let sniffTarget = (new URL(frame.src)).search;
|
||||
ok(result, `${sniffTarget} send as image/png - was not Sniffed`);
|
||||
});
|
||||
|
||||
let badMimeFrames = Array.from(document.querySelectorAll(".garbage-mime"));
|
||||
|
||||
badMimeFrames.forEach( frame => {
|
||||
// In the case we got a bogous mime, assert that we dont sniff.
|
||||
// We must not default here to text/plain
|
||||
// as the Server at least provided a mime type.
|
||||
let result = frame.contentWindow.document.URL == "about:blank";
|
||||
let sniffTarget = (new URL(frame.src)).search;
|
||||
ok(result, `${sniffTarget} send as garbage/garbage - was not Sniffed`);
|
||||
});
|
||||
|
||||
SimpleTest.finish();
|
||||
window.addEventListener("load", async () => {
|
||||
await SpecialPowers.pushPrefEnv(
|
||||
{
|
||||
set: [["dom.security.respect_document_nosniff", true]],
|
||||
}
|
||||
);
|
||||
window.open("window_nosniff_navigation.html");
|
||||
});
|
||||
</script>
|
||||
</script>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
</html>
|
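Review bot: The window opened by `window.open("window_nosniff_navigation.html")` in the new `load` handler is never closed by anything visible on this page. This handler does not keep the returned handle, and the child's handler ends in `SimpleTest.finish()` with no `close()` call. A window left open after the test can bleed into later tests in the same directory, and its frames were loaded under a pref value that is reverted once the test ends. Consider keeping the handle and registering cleanup in the opener: `const win = window.open("window_nosniff_navigation.html");` followed by `SimpleTest.registerCleanupFunction(() => win.close());`. The rendering prints old and new lines together here, so the exact extent of the new script block is inferred.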
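--- /dev/null
+++ b/dom/security/test/general/window_nosniff_navigation.html
@@ -0,0 +1,94 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+<title>Bug 1428473 Support X-Content-Type-Options: nosniff when navigating</title>
+<!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
+<script src="/tests/SimpleTest/SimpleTest.js"></script>
+<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+<style>
+iframe{
+border: 1px solid orange;
+}
+</style>
+
+<iframe class="no-mime" src="file_nosniff_navigation.sjs?xml"> </iframe>
+<iframe class="no-mime" src="file_nosniff_navigation.sjs?html"></iframe>
+<iframe class="no-mime" src="file_nosniff_navigation.sjs?css" ></iframe>
+<iframe class="no-mime" src="file_nosniff_navigation.sjs?json"></iframe>
+<iframe class="no-mime" src="file_nosniff_navigation.sjs?img"></iframe>
+<iframe class="no-mime" src="file_nosniff_navigation.sjs"></iframe>
+
+<hr>
+<iframe class="mismatch-mime" src="file_nosniff_navigation_mismatch.sjs?html"></iframe>
+<iframe class="mismatch-mime" src="file_nosniff_navigation_mismatch.sjs?xml"></iframe>
+<iframe class="mismatch-mime" src="file_nosniff_navigation_mismatch.sjs?css"></iframe>
+<iframe class="mismatch-mime" src="file_nosniff_navigation_mismatch.sjs?json"></iframe>
+<iframe class="mismatch-mime" src="file_nosniff_navigation_mismatch.sjs?img"></iframe>
+<iframe class="mismatch-mime" src="file_nosniff_navigation_mismatch.sjs"></iframe>
+<hr>
+
+<iframe class="garbage-mime" src="file_nosniff_navigation_garbage.sjs?xml"> </iframe>
+<iframe class="garbage-mime" src="file_nosniff_navigation_garbage.sjs?html"></iframe>
+<iframe class="garbage-mime" src="file_nosniff_navigation_garbage.sjs?css" ></iframe>
+<iframe class="garbage-mime" src="file_nosniff_navigation_garbage.sjs?json"></iframe>
+<iframe class="garbage-mime" src="file_nosniff_navigation_garbage.sjs?img"></iframe>
+<iframe class="garbage-mime" src="file_nosniff_navigation_garbage.sjs"></iframe>
+
+
+</head>
+
+<body>
+
+<!-- add the two script tests -->
+<script id="scriptCorrectType"></script>
+<script id="scriptWrongType"></script>
+
+<script class="testbody" type="text/javascript">
+/* Description of the test:
+* We're testing if Firefox respects the nosniff Header for Top-Level
+* Navigations.
+* If Firefox cant Display the Page, it will prompt a download
+* and the URL of the Page will be about:blank.
+* So we will try to open different content send with
+* no-mime, mismatched-mime and garbage-mime types.
+*
+*/
+
+SimpleTest.waitForExplicitFinish();
+
+window.addEventListener("load", ()=>{
+let noMimeFrames = Array.from(document.querySelectorAll(".no-mime"));
+
+noMimeFrames.forEach( frame => {
+// In case of no Provided Content Type, not rendering or assuming text/plain is valid
+let result = frame.contentWindow.document.URL == "about:blank" || frame.contentWindow.document.contentType == "text/plain";
+let sniffTarget = (new URL(frame.src)).search;
+ok(result, `${sniffTarget} without MIME - was not Sniffed`);
+});
+
+let mismatchedMimes = Array.from(document.querySelectorAll(".mismatch-mime"));
+mismatchedMimes.forEach(frame => {
+// In case the Server mismatches the Mime Type (sends content X as image/png)
+// assert that we do not sniff and correct this.
+let result = frame.contentWindow.document.contentType == "image/png";
+let sniffTarget = (new URL(frame.src)).search;
+ok(result, `${sniffTarget} send as image/png - was not Sniffed`);
+});
+
+let badMimeFrames = Array.from(document.querySelectorAll(".garbage-mime"));
+
+badMimeFrames.forEach( frame => {
+// In the case we got a bogous mime, assert that we dont sniff.
+// We must not default here to text/plain
+// as the Server at least provided a mime type.
+let result = frame.contentWindow.document.URL == "about:blank";
+let sniffTarget = (new URL(frame.src)).search;
+ok(result, `${sniffTarget} send as garbage/garbage - was not Sniffed`);
+});
+
+SimpleTest.finish();
+});
+</script>
+</body>
+
+</html>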
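Review bot: Nothing in this new file says that its assertions depend on `dom.security.respect_document_nosniff` having been set by the page that opens it. If the default is now off, as the commit title suggests, loading the file on its own would presumably let the frames be sniffed and the `ok()` checks fail for a reason unrelated to the code under test. I would add a line to the description block such as `* Must be opened by test_nosniff_navigation.html, which enables dom.security.respect_document_nosniff first.` (opener name inferred from the bug title, since its file header is not shown on this page). The same block says "Top-Level Navigations", yet every case on the page loads inside an `<iframe>`, so the wording should match what is actually exercised.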
|
@ -2082,7 +2082,7 @@
|
||||
|
||||
- name: dom.security.respect_document_nosniff
|
||||
type: RelaxedAtomicBool
|
||||
value: true
|
||||
value: false
|
||||
mirror: always
|
||||
|
||||
# Expose the 'policy' attribute in document and HTMLIFrameElement
|
||||
|
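Review bot: The `dom.security.respect_document_nosniff` entry has no comment in the visible lines recording what the pref controls or why its default changes, and this change weakens a protection. Reading the commit title together with the test, which now force-sets the pref to `true`, the default appears to become `false`, meaning `X-Content-Type-Options: nosniff` is not enforced for document loads unless a user or test opts in. The `+`/`-` markers are lost in this rendering, so that direction is inferred. I would add a comment above the entry, for example `# Honor X-Content-Type-Options: nosniff for document loads. Off by default, see Bug 1585055.`, so the reduced protection is visible to whoever next audits the pref list. Lines above the hunk are not shown, so an existing comment there may already cover part of this.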