Bug 1386183 - Test Meta CSP on data: URI iframe to be merged with CSP from including context. r=dveditz

dom/security/test/csp/file_data_csp_merge.html

@@ -0,0 +1,26 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug 1386183 - Meta CSP on data: URI iframe should be merged with toplevel CSP</title>
+  <meta charset="utf-8">
+  <meta http-equiv="Content-Security-Policy" content= "img-src https:"/>
+</head>
+<body>
+<iframe id="dataFrame" onload="doCSPMergeCheck()"
+        src="data:text/html,<html><head><meta http-equiv='Content-Security-Policy' content='script-src https:'/></head><body>merge csp</body></html>">
+</iframe>
+
+<script type="application/javascript">
+  function doCSPMergeCheck() {
+    // get the csp in JSON notation from the principal
+    var frame = document.getElementById("dataFrame");
+    var principal = SpecialPowers.wrap(frame).contentDocument.nodePrincipal;
+    var cspOBJ = JSON.parse(principal.cspJSON);
+    // make sure we got >>two<< policies
+    var policies = cspOBJ["csp-policies"];
+    window.parent.postMessage({result: policies.length}, "*");
+  }
+</script>
+
+</body>
+</html>

dom/security/test/csp/mochitest.ini

@@ -216,6 +216,7 @@ support-files =
   file_ignore_xfo.html^headers^
   file_ro_ignore_xfo.html
   file_ro_ignore_xfo.html^headers^
+  file_data_csp_merge.html
 
 [test_base-uri.html]
 [test_blob_data_schemes.html]
@@ -307,3 +308,4 @@ tags = mcb
 [test_websocket_self.html]
 skip-if = toolkit == 'android'
 [test_ignore_xfo.html]
+[test_data_csp_merge.html]

dom/security/test/csp/test_data_csp_merge.html

@@ -0,0 +1,36 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug 1386183 - Meta CSP on data: URI iframe should be merged with toplevel CSP</title>
+  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<iframe style="width:100%;" id="testframe"></iframe>
+
+<script class="testbody" type="text/javascript">
+
+SimpleTest.waitForExplicitFinish();
+
+/* Description of the test:
+ * We load an iframe using a meta CSP which includes another iframe
+ * using a data: URI which also defines a meta CSP. We make sure the
+ * CSP from the including document gets merged with the data: URI
+ * CSP and applies to the data: URI iframe.
+ */
+
+window.addEventListener("message", receiveMessage);
+function receiveMessage(event) {
+  window.removeEventListener("message", receiveMessage);
+  // toplevel CSP + data: URI iframe meta CSP => 2 CSP policies
+  is(event.data.result, 2,
+     "CSP on data: URI iframe gets merged with CSP from including context");
+  SimpleTest.finish();
+}
+
+document.getElementById("testframe").src = "file_data_csp_merge.html";
+
+</script>
+</body>
+</html>