Source code
Revision control
Copy as Markdown
Other Tools
Test Info: Warnings
- This test gets skipped with pattern: !debug
- Manifest: dom/security/test/mixedcontentblocker/mochitest.toml
<!DOCTYPE HTML>
<html>
<head>
<meta charset="utf-8">
<title>Tests for Mixed Content Navigation with window.open</title>
<script src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<script class="testbody" type="text/javascript">
SimpleTest.waitForExplicitFinish();
let testsCompleted = 0;
const numberOfTestCases = 2;
function markTestCaseComplete() {
testsCompleted++;
if (testsCompleted == numberOfTestCases) {
SimpleTest.finish();
}
}
window.onmessage = function(event) {
if (event.data.src.includes("test1")) {
// eslint-disable-next-line @microsoft/sdl/no-insecure-url
is(event.data.target, "http://test1.example.com/tests/dom/security/test/mixedcontentblocker/file_windowOpen.html", "error thrown for failed iframe load should be from test1's iframe.");
is(event.data.outcome, "blocked", "http iframe should be blocked from loading in child https window.");
is(event.data.method, "http", "messages from test1 iframe should be http.");
markTestCaseComplete();
}
else if (event.data.src.includes("test2")) {
if (event.data.outcome != 'csp-error') {
is(event.data.target, "https://test2.example.com/tests/dom/security/test/mixedcontentblocker/file_windowOpen.html", "event message received for successful iframe load should be from test2's iframe.");
is(event.data.triggeringPrincipal, "https://example.com/tests/dom/security/test/mixedcontentblocker/test_windowOpen.html", "triggeringPrincipal for successfully loaded https iframe should be the original test file.");
is(event.data.outcome, "loaded", "https iframe should be allowed to load in child https window.");
is(event.data.method, "https", "messages from test2 iframe should be https");
}
markTestCaseComplete();
}
};
function testURLInOpenedWindow(testURL) {
let openedWindow = window.open("javascript:''","_blank");
openedWindow.onload = function() {
openedWindow.document.body.innerHTML = '<iframe id="testframe">'
let testframe = openedWindow.document.getElementById("testframe");
testframe.onload = function(event) {
try {
let triggeringPrincipal = SpecialPowers.wrap(this.contentWindow).docShell.currentDocumentChannel.loadInfo.triggeringPrincipal.asciiSpec;
openedWindow.opener.postMessage({outcome: 'loaded', method: this.src.split(":")[0], src: this.src, target: event.target.src, triggeringPrincipal}, '*');
}
catch (error) {
// If we can't get the docShell due to CSP blocking access to the iframe's docShell then skip this test case
if (error.name === "SecurityError" && error.message === 'Permission denied to access property "docShell" on cross-origin object') {
openedWindow.opener.postMessage({outcome: 'csp-error', method: this.src.split(":")[0], src: this.src}, '*');
}
else throw error;
}
openedWindow.close();
}
testframe.onerror = function(error) {
openedWindow.opener.postMessage({outcome: 'blocked', method: this.src.split(":")[0], src: this.src, target: error.target.src}, '*');
openedWindow.close();
}
testframe.src = testURL;
};
};
// eslint-disable-next-line @microsoft/sdl/no-insecure-url
testURLInOpenedWindow("http://test1.example.com/tests/dom/security/test/mixedcontentblocker/file_windowOpen.html");
testURLInOpenedWindow("https://test2.example.com/tests/dom/security/test/mixedcontentblocker/file_windowOpen.html");
</script>
</body>
</html>