mirror of
https://github.com/roytam1/palemoon27.git
synced 2026-05-26 05:37:11 +00:00
roytam1
ebd6e6dc19
- Bug 1174323 - Disable screenClientXYConst subtest of pointerlock test on OS X. rs=KWierso (2d0db6d1b) - Bug 992096 - Implement Sub Resource Integrity [1/2]. r=baku,r=ckerschb (c30671ac0) - Bug 992096 - Implement Sub Resource Integrity [2/2]. r=ckerschb (0afc64d88) - Bug 1091883 - Added test, this is fixed by a fix to bug 1113438. r=sstamm CLOSED TREE (fd9a64b43) - Bug 1196740 - Consider redirects when looking for SRI-eligibility. r=ckerschb (5c749cdc9) - Bug 1202015 - Better document the SRI strings for translators. r=ckerschb (a7860e0fb) - Bug 1202027 - Make SRI require CORS loads for cross-origin resources. r=ckerschb (ea451323d) - bit of Bug 1202902 - Mass replace toplevel 'let' with 'var' (a6e8a587d) - Bug 1208629 - Properly support data: and blob: URIs with an integrity atribute. r=ckerschb (6b2018fe4) - Bug 1140129 - Don't clear tab title when location changes (r=Mossop) (ca1945ba8) - Bug 1073462: Send synthetic property with Content:LocationChange message. r=felipe (1aa418acf) - bug 1165017 - annotate content process URL on location change. r=mconley (cdca4fa75) - Bug 1157561 - Add webRequest-like API to Firefox (r=Mossop) (546a57822) - Bug 1163861 - Include windowID in all WebRequest notifications (r=Mossop) (c140af560) - Bug 1171248 - Add MatchPattern support to WebRequest module (r=Mossop) (b09a05658)
136 lines
4.8 KiB
HTML
136 lines
4.8 KiB
HTML
<!DOCTYPE HTML>
|
|
<!-- Any copyright is dedicated to the Public Domain.
|
|
http://creativecommons.org/publicdomain/zero/1.0/ -->
|
|
<html>
|
|
<head>
|
|
<script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
|
|
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
|
|
</head>
|
|
<body>
|
|
<p id="display"></p>
|
|
<div id="content" style="display: none">
|
|
</div>
|
|
<pre id="test">
|
|
</pre>
|
|
|
|
<script type="application/javascript">
|
|
SimpleTest.waitForExplicitFinish();
|
|
|
|
window.hasCORSLoaded = false;
|
|
window.hasNonCORSLoaded = false;
|
|
|
|
function good_nonsriLoaded() {
|
|
ok(true, "Non-eligible non-SRI resource was loaded correctly.");
|
|
}
|
|
function bad_nonsriBlocked() {
|
|
ok(false, "Non-eligible non-SRI resources should be loaded!");
|
|
}
|
|
|
|
function good_nonCORSInvalidBlocked() {
|
|
ok(true, "A non-CORS resource with invalid metadata was correctly blocked.");
|
|
}
|
|
function bad_nonCORSInvalidLoaded() {
|
|
ok(false, "Non-CORS resources with invalid metadata should be blocked!");
|
|
}
|
|
|
|
window.onerrorCalled = false;
|
|
window.onloadCalled = false;
|
|
|
|
function bad_onloadCalled() {
|
|
window.onloadCalled = true;
|
|
}
|
|
|
|
function good_onerrorCalled() {
|
|
window.onerrorCalled = true;
|
|
}
|
|
|
|
function good_incorrect301Blocked() {
|
|
ok(true, "A non-CORS load with incorrect hash redirected to a different origin was blocked correctly.");
|
|
}
|
|
function bad_incorrect301Loaded() {
|
|
ok(false, "Non-CORS loads with incorrect hashes redirecting to a different origin should be blocked!");
|
|
}
|
|
|
|
function good_correct301Blocked() {
|
|
ok(true, "A non-CORS load with correct hash redirected to a different origin was blocked correctly.");
|
|
}
|
|
function bad_correct301Loaded() {
|
|
ok(false, "Non-CORS loads with correct hashes redirecting to a different origin should be blocked!");
|
|
}
|
|
|
|
function good_correctDataBlocked() {
|
|
ok(true, "A data: URL was blocked correctly.");
|
|
}
|
|
function bad_correctDataLoaded() {
|
|
ok(false, "Since data: URLs are neither same-origin nor CORS, they should be blocked!");
|
|
}
|
|
function good_correctDataCORSBlocked() {
|
|
ok(true, "A data: URL was blocked correctly even though it was a CORS load.");
|
|
}
|
|
function bad_correctDataCORSLoaded() {
|
|
todo(false, "We should not load scripts in data: URIs regardless of CORS mode!");
|
|
}
|
|
|
|
window.onload = function() {
|
|
SimpleTest.finish()
|
|
}
|
|
</script>
|
|
|
|
<!-- cors-enabled. should be loaded -->
|
|
<script src="http://example.com/tests/dom/security/test/sri/script_crossdomain1.js"
|
|
crossorigin=""
|
|
integrity="sha512-9Tv2DL1fHvmPQa1RviwKleE/jq72jgxj8XGLyWn3H6Xp/qbtfK/jZINoPFAv2mf0Nn1TxhZYMFULAbzJNGkl4Q=="></script>
|
|
|
|
<!-- not cors-enabled. should be blocked -->
|
|
<script src="http://example.com/tests/dom/security/test/sri/script_crossdomain2.js"
|
|
crossorigin="anonymous"
|
|
integrity="sha256-ntgU2U1xv7HfK1XWMTSWz6vJkyVtGzMrIAxQkux1I94="
|
|
onload="bad_onloadCalled()"
|
|
onerror="good_onerrorCalled()"></script>
|
|
|
|
<!-- non-cors but not actually using SRI. should trigger onload -->
|
|
<script src="http://example.com/tests/dom/security/test/sri/script_crossdomain3.js"
|
|
integrity=" "
|
|
onload="good_nonsriLoaded()"
|
|
onerror="bad_nonsriBlocked()"></script>
|
|
|
|
<!-- non-cors with invalid metadata -->
|
|
<script src="http://example.com/tests/dom/security/test/sri/script_crossdomain4.js"
|
|
integrity="sha256-bogus"
|
|
onload="bad_nonCORSInvalidLoaded()"
|
|
onerror="good_nonCORSInvalidBlocked()"></script>
|
|
|
|
<!-- non-cors that's same-origin initially but redirected to another origin -->
|
|
<script src="script_301.js"
|
|
integrity="sha384-invalid"
|
|
onerror="good_incorrect301Blocked()"
|
|
onload="bad_incorrect301Loaded()"></script>
|
|
|
|
<!-- non-cors that's same-origin initially but redirected to another origin -->
|
|
<script src="script_301.js"
|
|
integrity="sha384-1NpiDI6decClMaTWSCAfUjTdx1BiOffsCPgH4lW5hCLwmHk0VyV/g6B9Sw2kD2K3"
|
|
onerror="good_correct301Blocked()"
|
|
onload="bad_correct301Loaded()"></script>
|
|
|
|
<!-- data: URLs are not same-origin -->
|
|
<script src="data:,console.log('data:valid');"
|
|
integrity="sha256-W5I4VIN+mCwOfR9kDbvWoY1UOVRXIh4mKRN0Nz0ookg="
|
|
onerror="good_correctDataBlocked()"
|
|
onload="bad_correctDataLoaded()"></script>
|
|
|
|
<!-- data: URLs should always be opaque -->
|
|
<script src="data:,console.log('data:valid');"
|
|
crossorigin="anonymous"
|
|
integrity="sha256-W5I4VIN+mCwOfR9kDbvWoY1UOVRXIh4mKRN0Nz0ookg="
|
|
onerror="good_correctDataCORSBlocked()"
|
|
onload="bad_correctDataCORSLoaded()"></script>
|
|
|
|
<script>
|
|
ok(window.hasCORSLoaded, "CORS-enabled resource with a correct hash");
|
|
ok(!window.hasNonCORSLoaded, "Correct hash, but non-CORS, should be blocked");
|
|
ok(!window.onloadCalled, "Failed loads should not call onload when they're cross-domain");
|
|
ok(window.onerrorCalled, "Failed loads should call onerror when they're cross-domain");
|
|
</script>
|
|
</body>
|
|
</html>
|