Source code
Revision control
Copy as Markdown
Other Tools
Test Info:
- Manifest: dom/security/test/csp/mochitest.toml
<!DOCTYPE HTML>
<html>
<!--
Tests CSP sandbox attribute on top-level page.
Minimal flags: allow-same-origin allow-scripts:
Since we need to load the SimpleTest files, we have to set the
allow-same-origin flag. Additionally, we set the allow-scripts flag
since we need JS to check the flags.
Though not necessary, for this test we also set the allow-forms flag.
We may later wish to extend the testing suite with sandbox_csp_top_*
tests that set different permutations of the flags.
CSP header: Content-Security-Policy: sandbox allow-forms allow-scripts allow-same-origin
-->
<head>
<meta charset="utf-8">
<script src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
</head>
<script type="application/javascript">
SimpleTest.waitForExplicitFinish();
// Check if two sandbox flags are the same.
// getSandboxFlags returns a list of sandbox flags (if any) or
// null if the flag is not set.
// This function checks if two flags are the same, i.e., they're
// either not set or have the same flags.
function eqFlags(a, b) {
if (a === null && b === null) { return true; }
if (a === null || b === null) { return false; }
if (a.length !== b.length) { return false; }
var a_sorted = a.sort();
var b_sorted = b.sort();
for (var i in a_sorted) {
if (a_sorted[i] !== b_sorted[i]) {
return false;
}
}
return true;
}
// Get the sandbox flags of document doc.
// If the flag is not set sandboxFlagsAsString returns null,
// this function also returns null.
// If the flag is set it may have some flags; in this case
// this function returns the (potentially empty) list of flags.
function getSandboxFlags(doc) {
var flags = doc.sandboxFlagsAsString;
if (flags === null) { return null; }
return flags? flags.split(" "):[];
}
function checkFlags(expected) {
try {
var flags = getSandboxFlags(SpecialPowers.wrap(document));
ok(eqFlags(flags, expected), name + ' expected: "' + expected + '", got: "' + flags + '"');
} catch (e) {
ok(false, name + ' expected "' + expected + ', but failed with ' + e);
}
SimpleTest.finish();
}
</script>
<body onLoad='checkFlags(["allow-forms", "allow-scripts", "allow-same-origin"]);'>
<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=671389">Mozilla Bug 671389</a> - Implement CSP sandbox directive
<p id="display"></p>
<div id="content">
I am a top-level page sandboxed with "allow-scripts allow-forms
allow-same-origin".
</div>
</body>
</html>