Bug 1729517 - Set up document correctly - test. r=ckerschb

Differential Revision: https://phabricator.services.mozilla.com/D127982

dom/xslt/tests/mochitest/bug1729517_2.sjs

@@ -0,0 +1,3 @@
+function handleRequest(request, response) {
+  response.write(request.hasHeader("Referer") ? "FAIL" : "PASS");
+}

dom/xslt/tests/mochitest/file_bug1729517.js

@@ -0,0 +1,3 @@
+fail(
+  "documents sandboxed without allow-scripts should NOT be able to run <script src=...>"
+);

dom/xslt/tests/mochitest/file_bug1729517.xml

@@ -0,0 +1,31 @@
+<?xml version="1.0"?>
+<?xml-stylesheet type="text/xsl" href="#stylesheet"?>
+<!DOCTYPE root [
+  <!ATTLIST xsl:stylesheet id ID #IMPLIED>
+]>
+<root>
+  <xsl:stylesheet id="stylesheet" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
+  <xsl:template match="/">
+    <html>
+      <head>
+        <title>[]</title>
+        <script type="text/javascript">
+          let failed = [];
+          function fail(desc) {
+            failed.push(desc);
+            document.title = JSON.stringify(failed);
+          }
+
+          function doStuff() {
+            fail("documents sandboxed without allow-scripts should NOT be able to run inline scripts");
+          }
+        </script>
+        <script src="file_bug1729517.js" />
+      </head>
+      <body onload="fail('documents sandboxed without allow-scripts should NOT be able to run script from event handlers'); doStuff();">
+        <img src="about:blank" onerror="fail('documents sandboxed without allow-scripts should NOT be able to run script from event handlers');" />
+      </body>
+    </html>
+  </xsl:template>
+</xsl:stylesheet>
+</root>

dom/xslt/tests/mochitest/file_bug1729517_2.xml

@@ -0,0 +1,38 @@
+<?xml version="1.0"?>
+<?xml-stylesheet type="text/xsl" href="#stylesheet"?>
+<!DOCTYPE root [
+  <!ATTLIST xsl:stylesheet id ID #IMPLIED>
+]>
+<root>
+  <xsl:stylesheet id="stylesheet" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
+  <xsl:template match="/">
+    <html>
+      <head>
+        <title>[]</title>
+        <script type="text/javascript">
+          async function checkCOEPAndReferrer() {
+            let results = new Map();
+
+            let win = window.open();
+            result = win.fetch("https://example.org/tests/dom/xslt/tests/mochitest/bug1729517_2.sjs", { mode: "no-cors" }).then(() => {
+              return "FAIL";
+            }, () => {
+              return "PASS";
+            });
+            results.set("Cross-Origin-Embedder-Policy", await result);
+            win.close();
+
+            result = fetch("bug1729517_2.sjs").then((response) => {
+              return response.text();
+            });
+            results.set("Referrer-Policy", await result || "FAIL");
+
+            window.opener.postMessage(results, "*");
+          }
+        </script>
+      </head>
+      <body onload="checkCOEPAndReferrer()" />
+    </html>
+  </xsl:template>
+</xsl:stylesheet>
+</root>

dom/xslt/tests/mochitest/file_bug1729517_2.xml^headers^

@@ -0,0 +1,2 @@
+Referrer-Policy: no-referrer
+Cross-Origin-Embedder-Policy: require-corp

dom/xslt/tests/mochitest/mochitest.ini

@@ -18,6 +18,13 @@
 support-files = file_bug1135764.xml file_bug1135764.xsl
 [test_bug1436040.html]
 [test_bug1527308.html]
+[test_bug1729517.html]
+support-files =
+  bug1729517_2.sjs
+  file_bug1729517.xml
+  file_bug1729517.js
+  file_bug1729517_2.xml
+  file_bug1729517_2.xml^headers^
 [test_exslt.html]
 [test_parameter.html]
 [test_sorting_invalid_lang.html]

dom/xslt/tests/mochitest/test_bug1729517.html

@@ -0,0 +1,48 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title><!-- TODO: insert title here --></title>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" href="/tests/SimpleTest/test.css"/>
+  <script>
+    SimpleTest.waitForExplicitFinish();
+    async function runTest() {
+      let frame = document.getElementById("frame");
+      let loaded = new Promise((resolve) => {
+        frame.addEventListener("load", () => {
+          let failed = JSON.parse(frame.contentDocument.title);
+          ok(failed instanceof Array, "Frame's title is expected to be a JSON representation of the array of failed conditions.");
+          is(failed.length, 0, "No scripts should run in sandboxed iframe document created by XSLT.");
+          for (desc of failed) {
+            info(desc);
+          }
+          resolve();
+        }, { once: true });
+      });
+      frame.src = "file_bug1729517.xml";
+      await loaded;
+
+      let results = new Promise((resolve) => {
+        addEventListener("message", ({ data }) => {
+          resolve(data);
+        }, { once: true });
+      });
+
+      let win = window.open(`https://example.com/tests/dom/xslt/tests/mochitest/file_bug1729517_2.xml`);
+      for (const [header, result] of await results) {
+        is(result, "PASS", `${header} of the source document should apply to document created by XSLT.`);
+      }
+      win.close();
+
+      SimpleTest.finish();
+    }
+  </script>
+</head>
+<body onload="runTest();">
+<p id="display"></p>
+<iframe sandbox="allow-same-origin" id="frame"></iframe>
+<div id="content" style="display: none"></div>
+<pre id="test"></pre>
+</body>
+</html>