test_frameancestors_userpass.html

Enable keyboard shortcuts

<!DOCTYPE HTML>

<html>

<head>

  <title>Test for Userpass in Frame Ancestors directive</title>

  <script src="/tests/SimpleTest/SimpleTest.js"></script>

  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />

</head>

<body>

<p id="display"></p>

<div id="content" style="display: none">

</div>

<iframe style="width:100%;height:300px;" id='cspframe'></iframe>

<script class="testbody" type="text/javascript">

// These are test results: -1 means it hasn't run,

// true/false is the pass/fail result.

var framesThatShouldLoad = {

  frame_a: -1,    /* frame a allowed */

  frame_b: -1,    /* frame b allowed */

};

// Number of tests that pass for this file should be 1

var expectedViolationsLeft = 1;

// CSP frame-ancestor checks happen in the parent, hence we have to

// proxy the csp violation notifications.

SpecialPowers.registerObservers("csp-on-violate-policy");

// This is used to watch the blocked data bounce off CSP and allowed data

// get sent out to the wire.

function examiner() {

  SpecialPowers.addObserver(this, "specialpowers-csp-on-violate-policy");

examiner.prototype  = {

  observe(subject, topic, data) {

    // subject should be an nsURI... though could be null since CSP

    // prohibits cross-origin URI reporting during frame ancestors checks.

    if (subject && !SpecialPowers.can_QI(subject))

      return;

    var asciiSpec = subject;

    try {

      asciiSpec = SpecialPowers.getPrivilegedProps(

                    SpecialPowers.do_QueryInterface(subject, "nsIURI"),

                    "asciiSpec");

      // skip checks on the test harness -- can't do this skipping for

      // cross-origin blocking since the observer doesn't get the URI.  This

      // can cause this test to over-succeed (but only in specific cases).

      if (asciiSpec.includes("test_frameancestors_userpass.html")) {

        return;

    } catch (ex) {

      // was not an nsIURI, so it was probably a cross-origin report.

    if (topic === "specialpowers-csp-on-violate-policy") {

      //these were blocked... record that they were blocked

      window.frameBlocked(asciiSpec, data);

},

  // must eventually call this to remove the listener,

  // or mochitests might get borked.

  remove() {

    SpecialPowers.removeObserver(this, "specialpowers-csp-on-violate-policy");

// called when a frame is loaded

// -- if it's not enumerated above, it should not load!

var frameLoaded = function(testname, uri) {

  //test already complete.... forget it... remember the first result.

  if (window.framesThatShouldLoad[testname] != -1)

    return;

  if (typeof window.framesThatShouldLoad[testname] === 'undefined') {

    // uh-oh, we're not expecting this frame to load!

    ok(false, testname + ' framed site should not have loaded: ' + uri);

  } else {

    //Check if @ symbol is there in URI.

    if (uri.includes('@')) {

      ok(false, ' URI contains userpass. Fetched URI is ' + uri);

    } else {

      framesThatShouldLoad[testname] = true;

      ok(true, ' URI doesn\'t contain userpass. Fetched URI is ' + uri);

  checkTestResults();

// called when a frame is blocked

// -- we can't determine *which* frame was blocked, but at least we can count them

var frameBlocked = function(uri, policy) {

  //Check if @ symbol is there in URI or in csp policy.

  // Bug 1557712: Intermittent failure -> not sure why the 'uri' might ever

  // be non existing at this point, however if there is no uri, there can

  // also be no userpass!

  if (policy.includes('@') ||

      (typeof uri === 'string' && uri.includes('@'))) {

    ok(false, ' a CSP policy blocked frame from being loaded. But contains' +

      ' userpass. Policy is: ' + policy + ';URI is: ' + uri );

  } else {

    ok(true, ' a CSP policy blocked frame from being loaded. Doesn\'t contain'+

      ' userpass. Policy is: ' + policy + ';URI is: ' + uri );

  expectedViolationsLeft--;

  checkTestResults();

// Check to see if all the tests have run

var checkTestResults = function() {

  // if any test is incomplete, keep waiting

  for (var v in framesThatShouldLoad)

    if(window.framesThatShouldLoad[v] == -1)

      return;

  if (window.expectedViolationsLeft > 0)

    return;

  // ... otherwise, finish

  window.examiner.remove();

  SimpleTest.finish();

window.addEventListener("message", receiveMessage);

function receiveMessage(event) {

  if (event.data.call && event.data.call == 'frameLoaded')

    frameLoaded(event.data.testname, event.data.uri);

//////////////////////////////////////////////////////////////////////

// set up and go

window.examiner = new examiner();

SimpleTest.waitForExplicitFinish();

// save this for last so that our listeners are registered.

// ... this loads the testbed of good and bad requests.

document.getElementById('cspframe').src = 'file_frameancestors_userpass.html';

</script>

</pre>

</body>

</html>