Bug 1346774: test frame-ancestors and chrome pages r?ckerschb
MozReview-Commit-ID: IeZii1C4QKH
--- a/dom/security/test/csp/browser.ini
+++ b/dom/security/test/csp/browser.ini
@@ -5,9 +5,9 @@ support-files =
!/dom/security/test/csp/file_web_manifest.json
!/dom/security/test/csp/file_web_manifest.json^headers^
!/dom/security/test/csp/file_web_manifest_https.html
!/dom/security/test/csp/file_web_manifest_https.json
!/dom/security/test/csp/file_web_manifest_mixed_content.html
!/dom/security/test/csp/file_web_manifest_remote.html
[browser_test_web_manifest.js]
[browser_test_web_manifest_mixed_content.js]
-[browser_manifest-src-override-default-src.js]
+[browser_manifest-src-override-default-src.js]
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/chrome.ini
@@ -0,0 +1,6 @@
+[DEFAULT]
+support-files =
+ file_frame_ancestors_deny.html
+ file_frame_ancestors_deny.html^headers^
+ file_frame_the_unframeable.html
+[test_frame_ancestor_chain.html]
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/file_frame_ancestors_deny.html
@@ -0,0 +1,11 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <meta charset="utf-8">
+ <title>Unframeable</title>
+</head>
+<body>
+ <h1 id="message">You should only see this with chrome permissions.</h1>
+ <p>I <em>really</em> do not like to be seen in a frame!</p>
+</body>
+</html>
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/file_frame_ancestors_deny.html^headers^
@@ -0,0 +1,1 @@
+Content-Security-Policy: frame-ancestors 'none'
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/file_frame_the_unframeable.html
@@ -0,0 +1,11 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <meta charset="utf-8">
+</head>
+<body>
+ <h1>Putting frame_ancestors_deny.html into a frame.</h1>
+ <p>I'm ruthless like that.</p>
+ <iframe id="iframe" src="https://example.com/chrome/dom/security/test/csp/file_frame_ancestors_deny.html"></iframe>
+</body>
+</html>
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/test_frame_ancestor_chain.html
@@ -0,0 +1,108 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=1346774
+-->
+
+<head>
+ <meta charset="utf-8">
+ <title>Test for Bug 1346774</title>
+ <script type="application/javascript" src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="chrome://mochikit/content/tests/SimpleTest/test.css" />
+ <script type="application/javascript">
+ /** Test for Bug 1346774 **/
+
+
+ SimpleTest.waitForExplicitFinish();
+ // simple test runner
+ let tests = 2;
+ function testResult() {
+ tests--;
+ if (tests == 0) {
+ examiner.remove();
+ SimpleTest.finish();
+ }
+ }
+ // test 1
+ // initialize observer
+ function examiner() {
+ SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
+ }
+ examiner.prototype = {
+ observe: function (subject, topic, data) {
+ // subject should be an nsURI... though could be null since CSP
+ // prohibits cross-origin URI reporting during frame ancestors checks.
+ if (subject && !SpecialPowers.can_QI(subject))
+ return;
+ var asciiSpec = subject;
+
+ if (topic === "csp-on-violate-policy") {
+ try {
+ asciiSpec = SpecialPowers.getPrivilegedProps(
+ SpecialPowers.do_QueryInterface(subject, "nsIURI"),
+ "asciiSpec");
+ if (asciiSpec == "https://example.com/chrome/dom/security/test/csp/file_frame_the_unframeable.html") {
+ ok(true, "A content window should not be able to bypass CSP's frame-ancestors");
+ chromeWindow.close();
+ testResult();
+ }
+ } catch (ex) {
+ // was not an nsIURI, so it was probably a cross-origin report.
+ }
+ }
+ },
+
+ // must eventually call this to remove the listener,
+ // or mochitests might get borked.
+ remove: function () {
+ SpecialPowers.removeObserver(this, "csp-on-violate-policy");
+ }
+ }
+ examiner = new examiner();
+
+ let contentWindow = window.open("https://example.com/chrome/dom/security/test/csp/file_frame_the_unframeable.html");
+ // window handled & closed in observer (above)
+
+ /*contentWindow.onload = function () {
+ // looking into the frame with chrome privileges means we see the error page,
+ // which says "Blocked By Content Security Policy".
+ // we do not want to test for that page, as it may change.
+ // Instead we test that the title is not from file_frame_ancestors_deny (i.e., 'Unframeable')
+ const frameDoc = contentWindow.document.getElementById("iframe").contentDocument;
+ isnot(frameDoc.title, "Unframeable", 'A content window can\'t bypass frame ancestors');
+ contentWindow.close()
+ testResult();
+ }*/
+
+ // test 2
+ let chromeWindow = window.open("chrome://mochitests/content/chrome/dom/security/test/csp/file_frame_the_unframeable.html", "1346774", "chrome");
+ chromeWindow.onload = function () {
+ try {
+ const expected = "You should only see this with chrome permissions.";
+ const message = chromeWindow.document.getElementById("iframe").contentDocument.getElementById("message").textContent;
+ is(message, expected, "A chrome window should be able to bypass CSP's frame-ancestors");
+ } catch (e) {
+ ok(false, "Could not see through CSP's frame ancestors.")
+ } finally {
+ chromeWindow.close();
+ testResult();
+ }
+ }
+
+
+
+
+ </script>
+</head>
+
+<body>
+ <a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1346774">Mozilla Bug 1346774</a>
+ <p id="display"></p>
+ <div id="content" style="display: none">
+
+ </div>
+ <pre id="test">
+</pre>
+</body>
+
+</html>
\ No newline at end of file
--- a/dom/security/test/moz.build
+++ b/dom/security/test/moz.build
@@ -19,15 +19,16 @@ MOCHITEST_MANIFESTS += [
'cors/mochitest.ini',
'csp/mochitest.ini',
'general/mochitest.ini',
'mixedcontentblocker/mochitest.ini',
'sri/mochitest.ini',
]
MOCHITEST_CHROME_MANIFESTS += [
- 'general/chrome.ini',
+ 'csp/chrome.ini',
+ 'general/chrome.ini'
]
BROWSER_CHROME_MANIFESTS += [
'csp/browser.ini',
'hsts/browser.ini',
]