forked from mirrors/gecko-dev
0b1a146519
ContentTask tasks have a different lifetime than SpecialPowers tasks, with the former being tied to the lifetime of a message manager and the latter tied to the lifetime of a window global. That means that existing ContentTask callers which expect to be able to register load listeners before the creation of a window global, or which expect to persist after a page has navigated, won't work as SpecialPowers tasks. Since those sorts of tasks are not really resilient in the face of Fission, they should really be written to work differently, but this patch mostly just reverts them to using ContentTask for the time being. Differential Revision: https://phabricator.services.mozilla.com/D53744 --HG-- extra : moz-landing-system : lando
82 lines
2.7 KiB
JavaScript
82 lines
2.7 KiB
JavaScript
/* Any copyright is dedicated to the Public Domain.
|
|
http://creativecommons.org/publicdomain/zero/1.0/ */
|
|
|
|
// This test tests that session restore component does restore the right
|
|
// content security policy with the document. (The policy being tested
|
|
// disallows inline scripts).
|
|
|
|
add_task(async function test() {
|
|
// allow top level data: URI navigations, otherwise clicking a data: link fails
|
|
await SpecialPowers.pushPrefEnv({
|
|
set: [["security.data_uri.block_toplevel_data_uri_navigations", false]],
|
|
});
|
|
// create a tab that has a CSP
|
|
let testURL =
|
|
"http://mochi.test:8888/browser/browser/components/sessionstore/test/browser_911547_sample.html";
|
|
let tab = (gBrowser.selectedTab = BrowserTestUtils.addTab(gBrowser, testURL));
|
|
gBrowser.selectedTab = tab;
|
|
|
|
let browser = tab.linkedBrowser;
|
|
await promiseBrowserLoaded(browser);
|
|
|
|
// this is a baseline to ensure CSP is active
|
|
// attempt to inject and run a script via inline (pre-restore, allowed)
|
|
await injectInlineScript(
|
|
browser,
|
|
`document.getElementById("test_id1").value = "id1_modified";`
|
|
);
|
|
|
|
let loadedPromise = promiseBrowserLoaded(browser);
|
|
await SpecialPowers.spawn(browser, [], function() {
|
|
is(
|
|
content.document.getElementById("test_id1").value,
|
|
"id1_initial",
|
|
"CSP should block the inline script that modifies test_id"
|
|
);
|
|
content.document.getElementById("test_data_link").click();
|
|
});
|
|
|
|
await loadedPromise;
|
|
|
|
await SpecialPowers.spawn(browser, [], function() {
|
|
// eslint-disable-line
|
|
// the data: URI inherits the CSP and the inline script needs to be blocked
|
|
is(
|
|
content.document.getElementById("test_id2").value,
|
|
"id2_initial",
|
|
"CSP should block the script loaded by the clicked data URI"
|
|
);
|
|
});
|
|
|
|
// close the tab
|
|
await promiseRemoveTabAndSessionState(tab);
|
|
|
|
// open new tab and recover the state
|
|
tab = ss.undoCloseTab(window, 0);
|
|
await promiseTabRestored(tab);
|
|
browser = tab.linkedBrowser;
|
|
|
|
await SpecialPowers.spawn(browser, [], function() {
|
|
// eslint-disable-line
|
|
// the data: URI should be restored including the inherited CSP and the
|
|
// inline script should be blocked.
|
|
is(
|
|
content.document.getElementById("test_id2").value,
|
|
"id2_initial",
|
|
"CSP should block the script loaded by the clicked data URI after restore"
|
|
);
|
|
});
|
|
|
|
// clean up
|
|
gBrowser.removeTab(tab);
|
|
});
|
|
|
|
// injects an inline script element (with a text body)
|
|
function injectInlineScript(browser, scriptText) {
|
|
return SpecialPowers.spawn(browser, [scriptText], function(text) {
|
|
let scriptElt = content.document.createElement("script");
|
|
scriptElt.type = "text/javascript";
|
|
scriptElt.text = text;
|
|
content.document.body.appendChild(scriptElt);
|
|
});
|
|
}
|