Source code
Revision control
Copy as Markdown
Other Tools
Test Info: Warnings
- This test gets skipped with pattern: http3 OR http2
- Manifest: dom/base/test/mochitest.toml
<!DOCTYPE HTML>
<html>
<!--
-->
<head>
<meta charset="utf-8">
<script src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
<!-- Load a cross-origin webfont without CORS (common pain point) and some
other styles that require anonymous CORS -->
<style>
@font-face {
font-family: "bad_cross_origin_webfont";
src: url('http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=font_bad&type=application/octet-stream');
}
div#bad_webfont { font-family: "bad_cross_origin_webfont"; }
div#bad_shape_outside { shape-outside: url('http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=bad_shape_outside&type=image/png'); }
div#bad_mask_image { mask-image: url('http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=bad_mask_image&type=image/svg+xml'); }
</style>
</head>
<body>
<pre id="test">
<script class="testbody" type="text/javascript">
SimpleTest.waitForExplicitFinish();
var tests = {
},
font : {
uri_test : "font_bad",
result : null,
category: "CORSMissingAllowOrigin2",
},
shape_outside : {
uri_test : "bad_shape_outside",
result : null,
category: "CORSMissingAllowOrigin2",
ignore_windowID: true,
},
mask_image : {
uri_test : "bad_mask_image",
result : null,
category: "CORSMissingAllowOrigin2",
ignore_windowID: true,
},
}
function testsComplete() {
for (var testName in tests) {
var test = tests[testName];
if (test.result == null) {
info("Still waiting on (at least) " + testName + ".");
return false;
}
}
return true;
}
SpecialPowers.registerConsoleListener(function CORSMsgListener(aMsg) {
if (!/Cross-Origin Request Blocked/.test(aMsg.message))
return;
for (var testName in tests) {
var test = tests[testName];
var category = test.category;
if (test.result != null)
continue;
var testRegexp = new RegExp(test.uri_test);
if (testRegexp.test(aMsg.message)) {
test.result = true;
ok(true, "Got \"Cross-site request blocked\" warning message for " + testName);
ok(aMsg.category == category,
"Got warning message with category \"" + aMsg.category + "\", expected \"" + category + "\"");
// Got the message we wanted - make sure it is destined for a valid inner window
if(!test.ignore_windowID) {
ok(aMsg.windowID != 0, "Valid (non-zero) windowID for the cross-site request blocked message.");
}
break;
}
}
if (testsComplete()) {
SimpleTest.executeSoon(cleanup);
}
});
function cleanup() {
SpecialPowers.postConsoleSentinel();
SimpleTest.finish();
}
// Send a cross-origin XHR request without CORS
var xhr = new XMLHttpRequest();
xhr.open("GET", "http://example.org/tests/dom/security/test/cors/file_CrossSiteXHR_server.sjs?allowOrigin=http://invalid", true);
xhr.send(null);
let badDiv;
// Create a div that triggers a cross-origin webfont request
// We do this in Javascript in order to guarantee the console listener has
// already been registered; otherwise, there could be a race.
badDiv = document.createElement('div');
badDiv.setAttribute('id', 'bad_webfont');
document.body.appendChild(badDiv);
// Create a div that triggers a cross-origin request for a shape-outside image
badDiv = document.createElement('div');
badDiv.setAttribute('id', 'bad_shape_outside');
document.body.appendChild(badDiv);
// Create a div that triggers a cross-origin request for a mask-image
badDiv = document.createElement('div');
badDiv.setAttribute('id', 'bad_mask_image');
document.body.appendChild(badDiv);
</script>
</pre>
</body>
</html>