Bug 1096724 - Update csp/test_base-uri to rely on postmessage instead of observers. r=dveditz, a=test-only
authorChristoph Kerschbaumer <mozilla@christophkerschbaumer.com>
Tue, 18 Aug 2015 11:42:43 -0700
changeset 288856 646d235db57d6b8386b7c99fddb0cb2c73050c02
parent 288855 20a79fcdc75fb0911b7a2b4ec93b5b11bca6d49b
child 288857 e5032ab3cf698b44000f1ab3a83eafcc471da785
push id5067
push userraliiev@mozilla.com
push dateMon, 21 Sep 2015 14:04:52 +0000
reviewersdveditz, test-only
bugs1096724
milestone42.0a2
Bug 1096724 - Update csp/test_base-uri to rely on postmessage instead of observers. r=dveditz, a=test-only
dom/security/test/csp/file_base-uri.html
dom/security/test/csp/test_base-uri.html
--- a/dom/security/test/csp/file_base-uri.html
+++ b/dom/security/test/csp/file_base-uri.html
@@ -1,10 +1,10 @@
 <!DOCTYPE HTML>
 <html>
   <head>
     <title>Bug 1045897 - Test CSP base-uri directive</title>
     <base href="http://mochi.test">
   </head>
-<body>
+<body onload='window.parent.postMessage({result: document.baseURI}, "*");'>
   <!-- just making use of the 'base' tag for this test -->
 </body>
 </html>
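Review bot: The inline `onload` handler on the added `<body>` line only runs when the serving policy permits inline script, and nothing in this file says so. That dependency is set in test_base-uri.html, which prepends `script-src 'unsafe-inline'` to every policy. If the prefix is ever dropped, the handler is blocked, no message is posted, and the test waits for the harness timeout instead of failing with a clear assertion. I would extend the existing comment to something like `<!-- onload needs script-src 'unsafe-inline' from the test server; targetOrigin "*" is acceptable because only document.baseURI is sent -->`.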
--- a/dom/security/test/csp/test_base-uri.html
+++ b/dom/security/test/csp/test_base-uri.html
@@ -18,63 +18,66 @@
  * Description of the test:
  * We load a page in an iframe (served over http://example.com) that tries to set the 'base'
  * to (http://mochi.test). We load that page using different policies and verify that
  * setting the base-uri is correctly blocked by CSP.
  */
 
 SimpleTest.waitForExplicitFinish();
 
-var testPolicies = [
- "base-uri http://example.com",
- "base-uri https:",
- "base-uri 'none'",
+var tests = [
+  {
+    policy: "base-uri http://mochi.test;",
+    result: "http://mochi.test"
+  },
+  {
+    policy: "base-uri http://example.com;",
+    result: "http://example.com"
+  },
+  {
+    policy: "base-uri https:",
+    result: "http://example.com"
+  },
+  {
+    policy: "base-uri 'none'",
+    result: "http://example.com"
+  }
 ];
 
 // initializing to -1 so we start at index 0 when we start the test
 var counter = -1;
 
-function examiner() {
-  SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
+function finishTest() {
+  window.removeEventListener("message", receiveMessage, false);
+  SimpleTest.finish();
 }
-examiner.prototype  = {
-  observe: function(subject, topic, data) {
-    if (topic === "csp-on-violate-policy") {
-      var spec = SpecialPowers.getPrivilegedProps(
-                   SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
 
-      if (spec === "http://mochi.test/") {
-        // 'data' holds the violated directive
-        is(data, testPolicies[counter], "Disallowed setting the base-uri in test " + counter + "!");
-        loadNextTest();
-      }
-    }
-  },
-  remove: function() {
-    SpecialPowers.removeObserver(this, "csp-on-violate-policy");
-  }
-}
-window.BaseURIExaminer = new examiner();
-
-function finishTest() {
-  window.BaseURIExaminer.remove();
-  SimpleTest.finish();
+// a postMessage handler that is used by sandboxed iframes without
+// 'allow-same-origin' to bubble up results back to this main page.
+window.addEventListener("message", receiveMessage, false);
+function receiveMessage(event) {
+  var result = event.data.result;
+  // we only care about the base uri, so instead of comparing the complete uri
+  // we just make sure that the base is correct which is sufficient here.
+  ok(result.startsWith(tests[counter].result), "Restricting base-uri in test " + counter + "!");
+  loadNextTest();
 }
 
 function loadNextTest() {
   counter++;
-  if (counter == testPolicies.length) {
+  if (counter == tests.length) {
     finishTest();
     return;
   }
   var src = "http://example.com/tests/dom/security/test/csp/file_testserver.sjs";
   // append the file that should be served
   src += "?file=" + escape("tests/dom/security/test/csp/file_base-uri.html");
   // append the CSP that should be used to serve the file
-  src += "&csp=" + escape(testPolicies[counter]);
+  // please note that we have to include 'unsafe-inline' to permit sending the postMessage
+  src += "&csp=" + escape("script-src 'unsafe-inline'; " + tests[counter].policy);
   document.getElementById("testframe").src = src;
 }
 
 // start running the tests
 loadNextTest();
 
 </script>
 </body>
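Review bot: `receiveMessage` treats every `message` event on the window as a result from the test frame. An event from any other sender would throw on `result.startsWith` when `event.data.result` is missing, or would advance `counter` out of step with the frame actually loaded. A guard at the top of the handler keeps it tied to the frame under test: `if (event.source !== document.getElementById("testframe").contentWindow || typeof event.data.result !== "string") return;`. Checking `event.source` rather than `event.origin` is deliberate, because the comment above the listener mentions sandboxed frames (the iframe markup is outside this hunk, so that is unconfirmed), and such frames report an opaque origin. Separately, `startsWith(tests[counter].result)` is a plain prefix match, so comparing against the expected value with a trailing `/` would make the assertion stricter.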