test_iframe_srcdoc.html

mozilla-central/dom/security/test/csp/test_iframe_srcdoc.html

Enable keyboard shortcuts

Source code

File a bug in Core :: DOM: Security

Revision control

Copy as Markdown

Other Tools

Test Info:

Manifest: dom/security/test/csp/mochitest.toml

<!DOCTYPE HTML>

<html>

<head>

  <title>Bug 1073952 - Test CSP enforcement within iframe srcdoc</title>

  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->

  <script src="/tests/SimpleTest/SimpleTest.js"></script>

  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />

</head>

<body>

<iframe style="width:100%;" id="testframe"></iframe>

<script class="testbody" type="text/javascript">

/*

 * Description of the test:

 * (1) We serve a site which makes use of script-allowed sandboxed iframe srcdoc

 *     and make sure that CSP applies to the nested browsing context

 *     within the iframe.

 *     [PAGE WITH CSP [IFRAME SANDBOX SRCDOC [SCRIPT]]]

 * (2) We serve a site which nests script within an script-allowed sandboxed

 *     iframe srcdoc within another script-allowed sandboxed iframe srcdoc and

 *     make sure that CSP applies to the nested browsing context

 *     within the iframe*s*.

 *     [PAGE WITH CSP [IFRAME SANDBOX SRCDOC [IFRAME SANDBOX SRCDOC [SCRIPT]]]]

 * Please note that the test relies on the "csp-on-violate-policy" observer.

 * Whenever the script within the iframe is blocked observers are notified.

 * In turn, this renders the 'result' within tests[] unused. In case the script

 * would execute however, the postMessageHandler would bubble up 'allowed' and

 * the test would fail.

*/

SimpleTest.waitForExplicitFinish();

var tests = [

  // [PAGE *WITHOUT* CSP [IFRAME SRCDOC [SCRIPT]]]

  { csp: "",

    result: "allowed",

    query: "simple_iframe_srcdoc",

    desc: "No CSP should run script within script-allowed sandboxed iframe srcdoc"

},

  { csp: "script-src https://test1.com",

    result: "blocked",

    query: "simple_iframe_srcdoc",

    desc: "CSP should block script within script-allowed sandboxediframe srcdoc"

},

  // [PAGE *WITHOUT* CSP [IFRAME SRCDOC [IFRAME SRCDOC [SCRIPT]]]]

  { csp: "",

    result: "allowed",

    query: "nested_iframe_srcdoc",

    desc: "No CSP should run script within script-allowed sandboxed iframe srcdoc nested within another script-allowed sandboxed iframe srcdoc"

},

  // [PAGE WITH CSP [IFRAME SRCDOC ]]

  { csp: "script-src https://test2.com",

    result: "blocked",

    query: "nested_iframe_srcdoc",

    desc: "CSP should block script within script-allowed sandboxed iframe srcdoc nested within another script-allowed sandboxed iframe srcdoc"

},

  { csp: "",

    result: "allowed",

    query: "nested_iframe_srcdoc_datauri",

    desc: "No CSP, should run script within script-allowed sandboxed iframe src with data URL nested within another script-allowed sandboxed iframe srcdoc"

},

  { csp: "script-src https://test3.com",

    result: "blocked",

    query: "nested_iframe_srcdoc_datauri",

    desc: "CSP should block script within script-allowed sandboxed iframe src with data URL nested within another script-allowed sandboxed iframe srcdoc"

},

];

// initializing to -1 so we start at index 0 when we start the test

var counter = -1;

function finishTest() {

  window.removeEventListener("message", receiveMessage);

  window.examiner.remove();

  SimpleTest.finish();

window.addEventListener("message", receiveMessage);

function receiveMessage(event) {

  var result = event.data.result;

  testComplete(result, tests[counter].result, tests[counter].desc);

function examiner() {

  SpecialPowers.addObserver(this, "csp-on-violate-policy");

examiner.prototype  = {

  observe(subject, topic, data) {

    if (topic === "csp-on-violate-policy") {

      var violationString = SpecialPowers.getPrivilegedProps(SpecialPowers.

                             do_QueryInterface(subject, "nsISupportsCString"), "data");

      // the violation subject for inline script violations is unfortunately vague,

      // all we can do is match the string.

      if (!violationString.includes("Inline Script")) {

        return

      testComplete("blocked", tests[counter].result, tests[counter].desc);

},

  remove() {

    SpecialPowers.removeObserver(this, "csp-on-violate-policy");

function testComplete(result, expected, desc) {

  is(result, expected, desc);

  // ignore cases when we get csp violations and postMessage from  the same frame.

  var frameURL = new URL(document.getElementById("testframe").src);

  var params = new URLSearchParams(frameURL.search);

  var counterInFrame = params.get("counter");

  if (counterInFrame == counter) {

    loadNextTest();

function loadNextTest() {

  counter++;

  if (counter == tests.length) {

    finishTest();

    return;

  var src = "file_iframe_srcdoc.sjs";

  src += "?csp=" + escape(tests[counter].csp);

  src += "&action=" + escape(tests[counter].query);

  src += "&counter=" + counter;

  document.getElementById("testframe").src = src;

// start running the tests

window.examiner = new examiner();

loadNextTest();

</script>

</body>

</html>