Bug 1302667 - CSP: Test 'frame-src'. r=dveditz,mckinley

dom/security/test/csp/file_frame_src.js

@@ -0,0 +1,14 @@
+let testframe = document.getElementById("testframe");
+testframe.onload = function() {
+  parent.postMessage({
+    result: "frame-allowed",
+    href: document.location.href,
+  }, "*");
+}
+testframe.onerror = function() {
+  parent.postMessage({
+    result: "frame-blocked",
+    href: document.location.href,
+  }, "*");
+}
+testframe.src = "file_frame_src_inner.html"

dom/security/test/csp/file_frame_src_child_governs.html

@@ -0,0 +1,10 @@
+<html>
+<head>
+  <meta charset="utf-8">
+  <meta http-equiv="Content-Security-Policy" content="child-src https://example.com">";
+</head>
+<body>
+<iframe id="testframe"></iframe>
+<script type="text/javascript" src="file_frame_src.js"></script>
+</body>
+</html>

dom/security/test/csp/file_frame_src_frame_governs.html

@@ -0,0 +1,10 @@
+<html>
+<head>
+  <meta charset="utf-8">
+  <meta http-equiv="Content-Security-Policy" content="frame-src https://example.com; child-src 'none'">";
+</head>
+<body>
+<iframe id="testframe"></iframe>
+<script type="text/javascript" src="file_frame_src.js"></script>
+</body>
+</html>

dom/security/test/csp/file_frame_src_inner.html

@@ -0,0 +1,5 @@
+<html>
+<body>
+dummy iframe
+</body>
+</html>

dom/security/test/csp/mochitest.ini

@@ -340,3 +340,9 @@ support-files =
   file_spawn_worker.js
   file_spawn_shared_worker.js
   file_spawn_service_worker.js
+[test_frame_src.html]
+support-files =
+  file_frame_src_frame_governs.html
+  file_frame_src_child_governs.html
+  file_frame_src.js
+  file_frame_src_inner.html

dom/security/test/csp/test_frame_src.html

@@ -0,0 +1,84 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Bug 1302667 - Test frame-src</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<iframe style="width:100%;" id="testframe"></iframe>
+
+<script class="testbody" type="text/javascript">
+
+SimpleTest.waitForExplicitFinish();
+
+/* Description of the test:
+ * We load a page inlcuding a frame a CSP of:
+ *   >> frame-src https://example.com; child-src 'none'
+ * and make sure that frame-src governs frames correctly. In addition,
+ * we make sure that child-src is discarded in case frame-src is specified.
+ */
+
+const ORIGIN_1 = "https://example.com/tests/dom/security/test/csp/";
+const ORIGIN_2 = "https://test1.example.com/tests/dom/security/test/csp/";
+
+let TESTS = [
+  // frame-src tests
+  ORIGIN_1 + "file_frame_src_frame_governs.html",
+  ORIGIN_2 + "file_frame_src_frame_governs.html",
+  // child-src tests
+  ORIGIN_1 + "file_frame_src_child_governs.html",
+  ORIGIN_2 + "file_frame_src_child_governs.html",
+];
+
+let testIndex = 0;
+
+function checkFinish() {
+  if (testIndex >= TESTS.length) {
+    window.removeEventListener("message", receiveMessage);
+    SimpleTest.finish();
+    return;
+  }
+  runNextTest();
+}
+
+window.addEventListener("message", receiveMessage);
+function receiveMessage(event) {
+  let href = event.data.href;
+  let result = event.data.result;
+
+  if (href.startsWith("https://example.com")) {
+  	if (result == "frame-allowed") {
+  	  ok(true, "allowing frame from https://example.com (" + result + ")");
+  	}
+  	else {
+  	  ok(false, "blocking frame from https://example.com (" + result + ")");
+  	}
+  }
+  else if (href.startsWith("https://test1.example.com")) {
+  	if (result == "frame-blocked") {
+  	  ok(true, "blocking frame from https://test1.example.com (" + result + ")");
+  	}
+  	else {
+  	  ok(false, "allowing frame from https://test1.example.com (" + result + ")");
+  	}
+  }
+  else {
+    // sanity check, we should never enter that branch, bust just in case...
+  	ok(false, "unexpected result: " + result);
+  }
+  checkFinish();
+}
+
+function runNextTest() {
+  document.getElementById("testframe").src = TESTS[testIndex];
+  testIndex++;
+}
+
+// fire up the tests
+runNextTest();
+
+</script>
+</body>
+</html>