test_meta_element.html

Enable keyboard shortcuts

<!DOCTYPE HTML>

<html>

<head>

  <meta charset="utf-8">

  <title>Bug 663570 - Implement Content Security Policy via <meta> tag</title>

  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->

  <script src="/tests/SimpleTest/SimpleTest.js"></script>

  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />

</head>

<body>

<p id="display"></p>

<iframe style="width:100%;" id="testframe" src="file_meta_element.html"></iframe>

<script class="testbody" type="text/javascript">

/* Description of the test:

 * The test is twofold:

 * First, by loading a page using meta csp (into an iframe) we make sure that

 * images get correctly blocked as the csp policy includes "img-src 'none'";

 * Second, we make sure meta csp ignores the following directives:

 *   * report-uri

 *   * frame-ancestors

 *   * sandbox

 * Please note that the CSP sanbdox directive (bug 671389) has not landed yet.

 * Once bug 671389 lands this test will fail and needs to be updated.

*/

SimpleTest.waitForExplicitFinish();

const EXPECTED_DIRS = ["img-src", "script-src"];

function finishTest() {

  window.removeEventListener("message", receiveMessage);

  SimpleTest.finish();

function checkResults(result) {

  is(result, "img-blocked", "loading images should be blocked by meta csp");

  try {

    // get the csp in JSON notation from the principal

    var frame = document.getElementById("testframe");

    var contentDoc = SpecialPowers.wrap(frame.contentDocument);

    var cspJSON = contentDoc.cspJSON;

    ok(cspJSON, "CSP applied through meta element");

    // parse the cspJSON in a csp-object

    var cspOBJ = JSON.parse(cspJSON);

    ok(cspOBJ, "was able to parse the JSON");

    // make sure we only got one policy

    var policies = cspOBJ["csp-policies"];

    is(policies.length, 1, "there should be one policy applied");

    // iterate the policy and make sure to only encounter

    // expected directives.

    var policy = policies[0];

    for (var dir in policy) {

      // special case handling for report-only which is not a directive

      // but present in the JSON notation of the CSP.

      if (dir === "report-only") {

        continue;

      var index = EXPECTED_DIRS.indexOf(dir);

      isnot(index, -1, "meta csp contains directive: " + dir + "!");

      // take the element out of the array so we can make sure

      // that we have seen all the expected values in the end.

      EXPECTED_DIRS.splice(index, 1);

    is(EXPECTED_DIRS.length, 0, "have seen all the expected values");

  catch (e) {

    ok(false, "uuh, something went wrong within meta csp test");

  finishTest();

// a postMessage handler used to bubble up the onsuccess/onerror state

// from within the iframe.

window.addEventListener("message", receiveMessage);

function receiveMessage(event) {

  checkResults(event.data.result);

</script>

</body>

</html>