/*
 * Test for bug 593387
 * Loads a chrome document in a content docshell, inserts an
 * X-Frame-Options: DENY iframe into that document, and verifies that the
 * framed document loads. The same iframe is then inserted under a content
 * top-level page, where it must be blocked. The policy we are enforcing is
 * outlined here:
 * https://bugzilla.mozilla.org/show_bug.cgi?id=593387#c17
 */
// Runs both halves of the X-Frame-Options check in one tab: first under a
// chrome:// top-level document, then under a web-content one.
add_task(async function test() {
  const tabOptions = {
    gBrowser,
    url: "chrome://global/content/mozilla.xhtml",
  };

  await BrowserTestUtils.withNewTab(tabOptions, async browser => {
    // NB: We load the chrome:// page in the parent process; this half calls
    // the helper directly with the browser.
    await testXFOFrameInChrome(browser);

    // Run next test (try the same with a content top-level context)
    await BrowserTestUtils.loadURI(browser, "http://example.com/");
    await BrowserTestUtils.browserLoaded(browser);

    // The content-side helper is handed to ContentTask.spawn with a null
    // argument.
    await ContentTask.spawn(browser, null, testXFOFrameInContent);
  });
});
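/**
 * Inserts an iframe whose URL requests "X-Frame-Options: DENY" (xfo=deny)
 * into the document of `newBrowser` and checks that the framed page still
 * loads, since the top context is chrome.
 *
 * @param {object} newBrowser - browser whose `contentDocument` receives the
 *   iframe; the caller in this file loads a chrome:// page into it first.
 * @returns {Promise} resolved once the frame's first "load" event has been
 *   checked.
 */
function testXFOFrameInChrome(newBrowser) {
  return new Promise(resolve => {
    const doc = newBrowser.contentDocument;
    const frame = doc.createElement("iframe");
    frame.src = "http://mochi.test:8888/tests/dom/base/test/file_x-frame-options_page.sjs?testid=deny&xfo=deny";

    frame.addEventListener("load", function() {
      // Test that the frame loaded
      const test = this.contentDocument.getElementById("test");

      // If the frame was blocked or the fixture is broken, #test is missing.
      // Record that as an assertion failure instead of dereferencing null,
      // which would throw inside the listener and leave the promise pending
      // until the harness times out.
      ok(test, "framed page should expose #test under a chrome top-level document");
      if (test) {
        is(test.tagName, "H1", "wrong element type");
        is(test.textContent, "deny", "wrong textContent");
      }
      resolve();
    }, {capture: true, once: true});

    doc.body.appendChild(frame);
  });
}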
/**
 * Inserts an iframe whose URL requests "X-Frame-Options: DENY" (xfo=deny)
 * into `content.document` and checks that the framed page is blocked from
 * loading, since the top browsing context is another site.
 *
 * @param {*} newBrowser - not read by this function; the call site in this
 *   file passes the function to ContentTask.spawn with a null argument.
 * @returns {Promise} resolved once the frame's first "load" event has been
 *   checked.
 */
function testXFOFrameInContent(newBrowser) {
  let finish;
  const done = new Promise(resolve => {
    finish = resolve;
  });

  const topDoc = content.document;
  const blockedFrame = topDoc.createElement("iframe");
  blockedFrame.src = "http://mochi.test:8888/tests/dom/base/test/file_x-frame-options_page.sjs?testid=deny&xfo=deny";

  const listenerOptions = {capture: true, once: true};
  blockedFrame.addEventListener("load", () => {
    // Test that the frame DID NOT load: the #test element must be absent.
    // NOTE(review): any document without #test satisfies this check, including
    // an error response from the .sjs, so it cannot by itself tell a blocked
    // frame from a broken fixture. testXFOFrameInChrome loads the same URL and
    // is the positive control.
    const marker = blockedFrame.contentDocument.getElementById("test");
    Assert.equal(marker, null, "should be about:blank");

    finish();
  }, listenerOptions);

  topDoc.body.appendChild(blockedFrame);
  return done;
}