Bug 1626249: Test error page for x-frame-options and CSP frame-ancestors. r=johannh

Differential Revision: https://phabricator.services.mozilla.com/D69049

--HG--
extra : moz-landing-system : lando

dom/security/test/general/browser.ini

@@ -22,3 +22,8 @@ support-files =
   file_assert_systemprincipal_documents.html
   file_assert_systemprincipal_documents_iframe.html
 [browser_test_referrer_loadInOtherProcess.js]
+[browser_test_framing_error_pages.js]
+support-files =
+  file_framing_error_pages_csp.html
+  file_framing_error_pages_xfo.html
+  file_framing_error_pages.sjs

dom/security/test/general/browser_test_framing_error_pages.js

@@ -0,0 +1,63 @@
+"use strict";
+
+const kTestPath = getRootDirectory(gTestPath).replace(
+  "chrome://mochitests/content",
+  "http://example.com"
+);
+const kTestXFrameOptionsURI = kTestPath + "file_framing_error_pages_xfo.html";
+const kTestXFrameOptionsURIFrame =
+  kTestPath + "file_framing_error_pages.sjs?xfo";
+
+const kTestFrameAncestorsURI = kTestPath + "file_framing_error_pages_csp.html";
+const kTestFrameAncestorsURIFrame =
+  kTestPath + "file_framing_error_pages.sjs?csp";
+
+add_task(async function open_test_xfo_error_page() {
+  await BrowserTestUtils.withNewTab("about:blank", async function(browser) {
+    let loaded = BrowserTestUtils.browserLoaded(
+      browser,
+      true,
+      kTestXFrameOptionsURIFrame,
+      true
+    );
+    BrowserTestUtils.loadURI(browser, kTestXFrameOptionsURI);
+    await loaded;
+
+    await SpecialPowers.spawn(browser, [], async function() {
+      const iframeDoc = content.document.getElementById("testframe")
+        .contentDocument;
+      let errorPage = iframeDoc.body.innerHTML;
+      ok(
+        errorPage.includes(
+          "This page has an X-Frame-Options policy that prevents it from being loaded in this context"
+        ),
+        "xfo error page correct"
+      );
+    });
+  });
+});
+
+add_task(async function open_test_csp_frame_ancestor_error_page() {
+  await BrowserTestUtils.withNewTab("about:blank", async function(browser) {
+    let loaded = BrowserTestUtils.browserLoaded(
+      browser,
+      true,
+      kTestFrameAncestorsURIFrame,
+      true
+    );
+    BrowserTestUtils.loadURI(browser, kTestFrameAncestorsURI);
+    await loaded;
+
+    await SpecialPowers.spawn(browser, [], async function() {
+      const iframeDoc = content.document.getElementById("testframe")
+        .contentDocument;
+      let errorPage = iframeDoc.body.innerHTML;
+      ok(
+        errorPage.includes(
+          "This page has a content security policy that prevents it from being loaded in this way"
+        ),
+        "csp error page correct"
+      );
+    });
+  });
+});

dom/security/test/general/file_framing_error_pages.sjs

@@ -0,0 +1,24 @@
+"use strict";
+
+function handleRequest(request, response) {
+
+  response.setHeader("Cache-Control", "no-cache", false);
+  response.setHeader("Content-Type", "text/html", false);
+
+  let query = request.queryString;
+  if (query === "xfo") {
+    response.setHeader("x-frame-options", "deny", false);
+    response.write("<html>xfo test loaded</html>");
+    return;
+  }
+
+  if (query === "csp") {
+    response.setHeader("content-security-policy", "frame-ancestors 'none'", false);
+    response.write("<html>csp test loaded</html>");
+    return;
+  }
+
+  // we should never get here, but just in case
+  // return something unexpected
+  response.write("do'h");
+}

dom/security/test/general/file_framing_error_pages_csp.html

@@ -0,0 +1,7 @@
+<!DOCTYPE HTML>
+<html>
+<body>
+iframe should be blocked <br/>
+<iframe id="testframe" src="http://example.com/browser/dom/security/test/general/file_framing_error_pages.sjs?csp"></iframe>
+</body>
+</html>

dom/security/test/general/file_framing_error_pages_xfo.html

@@ -0,0 +1,7 @@
+<!DOCTYPE HTML>
+<html>
+<body>
+iframe should be blocked <br/>
+<iframe id="testframe" src="http://example.com/browser/dom/security/test/general/file_framing_error_pages.sjs?xfo"></iframe>
+</body>
+</html>

dom/security/test/general/file_xfo_error_page.sjs

@@ -0,0 +1,8 @@
+"use strict";
+
+function handleRequest(request, response) {
+  response.setHeader("Cache-Control", "no-cache", false);
+  response.setHeader("Content-Type", "text/html", false);
+  response.setHeader("x-frame-options", "deny", false);
+  response.write("<html>xfo test loaded</html>");
+}

dom/security/test/general/mochitest.ini

@@ -54,6 +54,8 @@ skip-if = !debug
 [test_same_site_cookies_laxByDefault.html]
 skip-if =  debug
 support-files = closeWindow.sjs
+[test_xfo_error_page.html]
+support-files = file_xfo_error_page.sjs
 [test_sec_fetch_websocket.html]
 skip-if = toolkit == 'android' # no websocket support Bug 982828
 support-files = file_sec_fetch_websocket_wsh.py

dom/security/test/general/test_xfo_error_page.html

@@ -0,0 +1,35 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug 1626249: Ensure correct display of neterror page for XFO</title>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<iframe style="width:100%;" id="xfo_testframe"></iframe>
+
+<script class="testbody" type="text/javascript">
+
+SimpleTest.waitForExplicitFinish();
+
+const XFO_ERROR_PAGE_MSG = "This page has an X-Frame-Options policy that prevents it from being loaded in this context";
+
+let xfo_testframe = document.getElementById("xfo_testframe");
+
+xfo_testframe.onload = function() {
+  let wrappedXFOFrame = SpecialPowers.wrap(xfo_testframe.contentWindow);
+  let frameContentXFO = wrappedXFOFrame.document.body.innerHTML;
+  ok(frameContentXFO.includes(XFO_ERROR_PAGE_MSG), "xfo error page correct");
+  SimpleTest.finish();
+}
+
+xfo_testframe.onerror = function() {
+  ok(false, "sanity: should not fire onerror for xfo_testframe");
+  SimpleTest.finish();
+}
+
+xfo_testframe.src = "file_xfo_error_page.sjs";
+
+</script>
+</body>
+</html>