Bug 1368897 - rewrite dom/base/test/test_x-frame-options.html. r=smaug
authorYoshi Huang <allstars.chh@mozilla.com>
Wed, 14 Jun 2017 15:41:48 +0800
changeset 364317 c9fb476f66a2cac062d990a5017d4db0513946a3
parent 364316 95158357094fdea88cd6e319ddbfe2441e45b4e3
child 364318 8408c88a471ca55dc914098ded86e9ffaacff7a3
push id32037
push userarchaeopteryx@coole-files.de
push dateFri, 16 Jun 2017 07:50:18 +0000
reviewerssmaug
bugs1368897
milestone56.0a1
Bug 1368897 - rewrite dom/base/test/test_x-frame-options.html. r=smaug We test the expected behavior based on the pref, "security.data_uri.unique_opaque_origin". We run the legacy test when the pref is off; if the pref is on, we run the new behavior: loading an iframe with X-FRAME-OPTIONS in a data: URI should be blocked.
dom/base/test/file_x-frame-options_page.sjs
dom/base/test/test_x-frame-options.html
--- a/dom/base/test/file_x-frame-options_page.sjs
+++ b/dom/base/test/file_x-frame-options_page.sjs
@@ -49,12 +49,16 @@ function handleRequest(request, response
   if (testHeaders.hasOwnProperty(query['xfo'])) {
     response.setHeader("X-Frame-Options", testHeaders[query['xfo']], false);
   }
 
   // from the test harness we'll be checking for the presence of this element
   // to test if the page loaded
   response.write("<h1 id=\"test\">" + query["testid"] + "</h1>");
 
+  if (query['testid'] == "postmessage") {
+    response.write("<script>parent.opener.postMessage('ok', '*');</script>");
+  }
+
   if (query['multipart'] == "1") {
     response.write("\r\n--" + BOUNDARY + "\r\n");
   }
 }
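Review bot: The added script posts with a wildcard target, `parent.opener.postMessage('ok', '*')`, so the 'ok' token is delivered to whatever window happens to be the opener, whatever its origin. The only intended receiver appears to be the test page served from http://mochi.test:8888 (the origin every iframe src in the test uses), so the target origin can be pinned: `response.write("<script>parent.opener.postMessage('ok', 'http://mochi.test:8888');</script>");`. The new branch compares with `query['testid'] == "postmessage"`; `===` expresses the exact-match intent without coercion. handleRequest starts outside this hunk.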
--- a/dom/base/test/test_x-frame-options.html
+++ b/dom/base/test/test_x-frame-options.html
@@ -10,16 +10,17 @@
 <div id="content" style="display: none">
 
 </div>
 
 <iframe style="width:100%;height:300px;" id="harness"></iframe>
 <script class="testbody" type="text/javascript">
 
 var path = "/tests/dom/base/test/";
+var isUnique = SpecialPowers.getBoolPref("security.data_uri.unique_opaque_origin");
 
 var testFramesLoaded = function() {
   var harness = SpecialPowers.wrap(document).getElementById("harness");
 
   // iframe from same origin, no X-F-O header - should load
   var frame = harness.contentDocument.getElementById("control1");
   var test1 = frame.contentDocument.getElementById("test").textContent;
   is(test1, "control1", "test control1");
@@ -104,50 +105,77 @@ var testFramesLoaded = function() {
     var theTestResult = frame.contentDocument.getElementById("test");
     is(theTestResult, null, "test allow-from-deny-" + i);
   }
 
   // call tests to check principal comparison, e.g. a document can open a window
   // to a data: or javascript: document which frames an
   // X-Frame-Options: SAMEORIGIN document and the frame should load
   testFrameInJSURI();
-}
+};
 
 // test that a document can be framed under a javascript: URL opened by the
 // same site as the frame
 var testFrameInJSURI = function() {
   var html = '<iframe id="sameorigin3" src="http://mochi.test:8888/tests/dom/base/test/file_x-frame-options_page.sjs?testid=sameorigin3&xfo=sameorigin"></iframe>';
   var win = window.open();
   win.onload = function() {
     var test = win.document.getElementById("sameorigin3")
               .contentDocument.getElementById("test");
     ok(test != null, "frame under javascript: URL should have loaded.");
     win.close();
 
     // run last test
-    testFrameInDataURI();
-   }
+    if (!isUnique) {
+      testFrameInDataURI();
+    } else {
+      testFrameNotLoadedInDataURI();
+    }
+  };
   win.location.href = "javascript:document.write('"+html+"');document.close();";
-}
+};
 
 // test that a document can be framed under a data: URL opened by the
 // same site as the frame
 var testFrameInDataURI = function() {
   var html = '<iframe id="sameorigin4" src="http://mochi.test:8888/tests/dom/base/test/file_x-frame-options_page.sjs?testid=sameorigin4&xfo=sameorigin"></iframe>';
   var win = window.open();
   win.onload = function() {
+    ok(!isUnique, "This test should be run only when security.data_uri.unique_opaque_origin is off");
     var test = win.document.getElementById("sameorigin4")
               .contentDocument.getElementById("test");
     ok(test != null, "frame under data: URL should have loaded.");
     win.close();
 
     SimpleTest.finish();
-   }
+  };
   win.location.href = "data:text/html,"+html;
-}
+};
+
+// test an iframe with X-FRAME-OPTIONS shouldn't be loaded in a cross-origin window,
+var testFrameNotLoadedInDataURI = function() {
+  // In this case we load two iframes, one is sameorigin4, which will have X-FRAME-OPTIONS,
+  // the other is postmessage, which won't get the XFO header.
+  // And because now window is navigated to a data: URI, which is considered as cross origin,
+  // So win.onload won't be fired, so we use the iframe 'postmessage' to know the iframes
+  // have been loaded.
+  var html = `<iframe id="sameorigin4" src="http://mochi.test:8888/tests/dom/base/test/file_x-frame-options_page.sjs?testid=sameorigin4&xfo=sameorigin"></iframe>
+              <iframe id="postmessage" src="http://mochi.test:8888/tests/dom/base/test/file_x-frame-options_page.sjs?testid=postmessage"></iframe>`;
+  var win = window.open();
+  window.onmessage = function(evt) {
+    ok(isUnique, "This test should be run only when security.data_uri.unique_opaque_origin is on");
+    var iframe = SpecialPowers.wrap(win).document.getElementById("sameorigin4");
+    var test = iframe.contentDocument.getElementById("test");
+    ok(test == null, "frame under data: URL should have blocked.");
+    win.close();
+
+    SimpleTest.finish();
+  };
+  win.location.href = "data:text/html,"+html;
+};
 
 SimpleTest.waitForExplicitFinish();
 
 // load the test harness
 document.getElementById("harness").src = "file_x-frame-options_main.html";
 
 </script>
 </pre>
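Review bot: The `window.onmessage` handler in testFrameNotLoadedInDataURI accepts any message: it checks neither `evt.origin` nor `evt.data`, so a message from any other frame in the test page would run the assertion and call SimpleTest.finish() before the two iframes in the data: window have loaded. It also stays installed after finish(), so a late 'ok' would rerun the body against the already closed window. Register it once and filter on the sender, whose origin is that of the postmessage iframe (http://mochi.test:8888 per its src): `window.addEventListener("message", function(evt) {`, `if (evt.origin !== "http://mochi.test:8888" || evt.data !== "ok") { return; }`, `}, { once: true });`. This check matters more than usual here because the .sjs side posts with a `'*'` target origin.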