96 lines
No EOL
4.7 KiB
HTML
96 lines
No EOL
4.7 KiB
HTML
<!DOCTYPE HTML>
|
|
<html>
|
|
<head>
|
|
<title>Bug 1428473 Support X-Content-Type-Options: nosniff when navigating</title>
|
|
<!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
|
|
<script src="/tests/SimpleTest/SimpleTest.js"></script>
|
|
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
|
|
<style>
|
|
iframe{
|
|
border: 1px solid orange;
|
|
}
|
|
</style>
|
|
|
|
<!-- Using Content-Type: */* -->
|
|
<iframe class="no-mime" src="file_nosniff_navigation.sjs?mime=*%2F*&content=xml"></iframe>
|
|
<iframe class="no-mime" src="file_nosniff_navigation.sjs?mime=*%2F*&content=html"></iframe>
|
|
<iframe class="no-mime" src="file_nosniff_navigation.sjs?mime=*%2F*&content=css" ></iframe>
|
|
<iframe class="no-mime" src="file_nosniff_navigation.sjs?mime=*%2F*&content=json"></iframe>
|
|
<iframe class="no-mime" src="file_nosniff_navigation.sjs?mime=*%2F*&content=img"></iframe>
|
|
<iframe class="no-mime" src="file_nosniff_navigation.sjs?mime=*%2F*&content=pdf"></iframe>
|
|
<iframe class="no-mime" src="file_nosniff_navigation.sjs?mime=*%2F*"></iframe>
|
|
<hr>
|
|
<!-- Using Content-Type: image/png -->
|
|
<iframe class="mismatch-mime" src="file_nosniff_navigation.sjs?mime=image%2Fpng&content=xml"></iframe>
|
|
<iframe class="mismatch-mime" src="file_nosniff_navigation.sjs?mime=image%2Fpng&content=html"></iframe>
|
|
<iframe class="mismatch-mime" src="file_nosniff_navigation.sjs?mime=image%2Fpng&content=css"></iframe>
|
|
<iframe class="mismatch-mime" src="file_nosniff_navigation.sjs?mime=image%2Fpng&content=json"></iframe>
|
|
<iframe class="mismatch-mime" src="file_nosniff_navigation.sjs?mime=image%2Fpng&content=img"></iframe>
|
|
<iframe class="mismatch-mime" src="file_nosniff_navigation.sjs?mime=image%2Fpng&content=pdf"></iframe>
|
|
<iframe class="mismatch-mime" src="file_nosniff_navigation.sjs?mime=image%2Fpng"></iframe>
|
|
<hr>
|
|
<!-- Using Content-Type: garbage/garbage -->
|
|
<iframe class="garbage-mime" src="file_nosniff_navigation.sjs?mime=garbage%2Fgarbage&content=xml"> </iframe>
|
|
<iframe class="garbage-mime" src="file_nosniff_navigation.sjs?mime=garbage%2Fgarbage&content=html"></iframe>
|
|
<iframe class="garbage-mime" src="file_nosniff_navigation.sjs?mime=garbage%2Fgarbage&content=css" ></iframe>
|
|
<iframe class="garbage-mime" src="file_nosniff_navigation.sjs?mime=garbage%2Fgarbage&content=json"></iframe>
|
|
<iframe class="garbage-mime" src="file_nosniff_navigation.sjs?mime=garbage%2Fgarbage&content=img"></iframe>
|
|
<iframe class="garbage-mime" src="file_nosniff_navigation.sjs?mime=garbage%2Fgarbage&content=pdf"></iframe>
|
|
<iframe class="garbage-mime" src="file_nosniff_navigation.sjs?mime=garbage%2Fgarbage"></iframe>
|
|
</head>
|
|
|
|
<body>
|
|
|
|
<!-- add the two script tests -->
|
|
<script id="scriptCorrectType"></script>
|
|
<script id="scriptWrongType"></script>
|
|
|
|
<script class="testbody" type="text/javascript">
|
|
/* Description of the test:
|
|
* We're testing if IceCat respects the nosniff Header for Top-Level
|
|
* Navigations.
|
|
* If IceCat cant Display the Page, it will prompt a download
|
|
* and the URL of the Page will be about:blank.
|
|
* So we will try to open different content send with
|
|
* no-mime, mismatched-mime and garbage-mime types.
|
|
*
|
|
*/
|
|
|
|
SimpleTest.waitForExplicitFinish();
|
|
|
|
window.addEventListener("load", ()=>{
|
|
let noMimeFrames = Array.from(document.querySelectorAll(".no-mime"));
|
|
noMimeFrames.forEach(frame => {
|
|
let doc = frame.contentWindow.document;
|
|
// In case of no Provided Content Type, not rendering or assuming text/plain is valid
|
|
let result = doc.URL == "about:blank" || doc.contentType == "text/plain";
|
|
let sniffTarget = (new URL(frame.src)).searchParams.get("content");
|
|
window.opener.ok(result, `${sniffTarget} without MIME - was not sniffed`);
|
|
});
|
|
|
|
let mismatchedMimes = Array.from(document.querySelectorAll(".mismatch-mime"));
|
|
mismatchedMimes.forEach(frame => {
|
|
// In case the Server mismatches the Mime Type (sends content X as image/png)
|
|
// assert that we do not sniff and correct this.
|
|
let result = frame.contentWindow.document.contentType == "image/png";
|
|
let sniffTarget = (new URL(frame.src)).searchParams.get("content");
|
|
window.opener.ok(result, `${sniffTarget} send as image/png - was not Sniffed`);
|
|
});
|
|
|
|
let badMimeFrames = Array.from(document.querySelectorAll(".garbage-mime"));
|
|
badMimeFrames.forEach(frame => {
|
|
// In the case we got a bogous mime, assert that we dont sniff.
|
|
// We must not default here to text/plain
|
|
// as the Server at least provided a mime type.
|
|
let result = frame.contentWindow.document.URL == "about:blank";
|
|
let sniffTarget = (new URL(frame.src)).searchParams.get("content");
|
|
window.opener.ok(result, `${sniffTarget} send as garbage/garbage - was not Sniffed`);
|
|
});
|
|
|
|
window.opener.SimpleTest.finish();
|
|
this.close();
|
|
});
|
|
</script>
|
|
</body>
|
|
|
|
</html> |