<!DOCTYPE HTML>
<html>
<head>
<meta charset="utf-8">
<title>Bug 663570 - Implement Content Security Policy via meta tag</title>
<!-- Including SimpleTest.js so we can use waitForExplicitFinish -->
<script src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<p id="display"></p>
<iframe style="width:100%;" id="testframe"></iframe>
<script class="testbody" type="text/javascript">
/* Description of the test:
* We test all sorts of CSPs on documents, including documents with no
* CSP, with meta CSP and with meta CSP in combination with a CSP header.
*/
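/**
 * Test table. Each entry drives one load of file_meta_header_dual.sjs:
 *   query     - query string selecting the server-side case (per the comment
 *               on each entry: no CSP, meta CSP, header CSP, or combinations)
 *   result    - message the iframe is expected to post back:
 *               "img-loaded" or "img-blocked"
 *   policyLen - number of policies the document's serialized CSP must expose
 *               (each delivered policy counts once, even when a speculative
 *               load parsed it earlier)
 *   desc      - human-readable expectation, printed with the assertion
 *
 * When several policies are delivered (test4-test8) the expected result is
 * "img-blocked" as soon as any one of them blocks the image: every policy is
 * enforced, so a load must be permitted by all of them.
 */
const TESTS = [
  {
    /* load image without any CSP */
    query: "test1",
    result: "img-loaded",
    policyLen: 0,
    desc: "no CSP should allow load",
  },
  {
    /* load image where meta denies load */
    query: "test2",
    result: "img-blocked",
    policyLen: 1,
    desc: "meta (img-src 'none') should block load",
  },
  {
    /* load image where meta allows load */
    query: "test3",
    result: "img-loaded",
    policyLen: 1,
    desc: "meta (img-src http://mochi.test) should allow load",
  },
  {
    /* load image where meta allows but header blocks */
    query: "test4", // triggers speculative load
    result: "img-blocked",
    policyLen: 2,
    desc: "meta (img-src http://mochi.test), header (img-src 'none') should block load",
  },
  {
    /* load image where meta blocks but header allows */
    query: "test5", // triggers speculative load
    result: "img-blocked",
    policyLen: 2,
    desc: "meta (img-src 'none'), header (img-src http://mochi.test) should block load",
  },
  {
    /* load image where meta allows and header allows */
    query: "test6", // triggers speculative load
    result: "img-loaded",
    policyLen: 2,
    desc: "meta (img-src http://mochi.test), header (img-src http://mochi.test) should allow load",
  },
  {
    /* load image where meta1 allows but meta2 blocks */
    query: "test7",
    result: "img-blocked",
    policyLen: 2,
    // description previously read "should allow blocked", which contradicted the expected result
    desc: "meta1 (img-src http://mochi.test), meta2 (img-src 'none') should block load",
  },
  {
    /* load image where meta1 allows and meta2 allows */
    query: "test8",
    result: "img-loaded",
    policyLen: 2,
    // description previously read "should allow allowed"
    desc: "meta1 (img-src http://mochi.test), meta2 (img-src http://mochi.test) should allow load",
  },
];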
// State shared by the handlers below: the TESTS entry currently being
// exercised, and its index (-1 so the first runNextTest() lands on index 0).
let curTest;
let counter = -1;
/**
 * Tear down the harness: detach the postMessage listener, then report
 * completion to SimpleTest.
 *
 * The listener is removed first so that a message arriving late cannot
 * re-enter checkResults after the test has been marked finished.
 */
function finishTest() {
  const listenerTarget = window;
  listenerTarget.removeEventListener("message", receiveMessage);
  SimpleTest.finish();
}
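/**
 * Verify the outcome reported by the iframe for the current test case, check
 * the document's policy count when a CSP was delivered, then advance.
 *
 * @param {string} result - "img-loaded" or "img-blocked", as posted by the iframe.
 */
function checkResults(result) {
  // The image must have loaded or been blocked exactly as the case expects.
  is(result, curTest.result, `${curTest.query}: ${curTest.desc}`);

  if (curTest.policyLen !== 0) {
    // A document that delivers a CSP (meta and/or header) must expose exactly
    // the expected number of policies: a policy parsed during the speculative
    // load must not be appended a second time by the real parse.
    try {
      // Read the serialized CSP of the content document through SpecialPowers,
      // since cspJSON is not exposed to ordinary content.
      const frame = document.getElementById("testframe");
      const contentDoc = SpecialPowers.wrap(frame.contentDocument);
      const cspOBJ = JSON.parse(contentDoc.cspJSON);
      const policies = cspOBJ["csp-policies"];
      is(policies.length, curTest.policyLen,
         `${curTest.query} should have: ${curTest.policyLen} policies`);
    } catch (e) {
      // Include the caught error so a broken cspJSON serialization is
      // diagnosable from the log instead of a bare failure.
      ok(false, `uuh, something went wrong within cspToJSON in ${curTest.query}: ${e}`);
    }
  }

  // move on to the next test
  runNextTest();
}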
// The iframe reports its onload/onerror outcome via postMessage; route those
// messages to receiveMessage (a hoisted declaration, so it is usable here).
window.addEventListener("message", receiveMessage, false);
/**
 * postMessage handler: forward the iframe's reported outcome to checkResults.
 *
 * NOTE(review): neither event.origin nor event.source is checked, so any
 * window able to post to this page could feed a result in. That is acceptable
 * for an isolated mochitest; confirm before reusing this pattern elsewhere.
 *
 * @param {MessageEvent} event - message whose data carries `{ result }`.
 */
function receiveMessage(event) {
  const { result } = event.data;
  checkResults(result);
}
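/**
 * Advance `counter` and load the next TESTS entry into the iframe, or finish
 * the test once every entry has run.
 *
 * The query string is taken from the constant TESTS table, never from external
 * input, so splicing it into the iframe URL introduces no injection surface.
 */
function runNextTest() {
  counter += 1;
  if (counter === TESTS.length) {
    finishTest();
    return;
  }
  curTest = TESTS[counter];
  // presumably the .sjs picks the CSP delivery (none/meta/header) from this
  // query, matching the per-entry comments in TESTS — verify against the server file
  document.getElementById("testframe").src = `file_meta_header_dual.sjs?${curTest.query}`;
}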
// start the test
// waitForExplicitFinish() must precede the first load so SimpleTest does not
// conclude the test before finishTest() is reached.
SimpleTest.waitForExplicitFinish();
runNextTest();
</script>
</body>
</html>