(Empty) | |
| 1 (function () { |
| 2 |
| 3 // Get values from the substitution engine. |
| 4 // We can't just pull these from the document context |
| 5 // because this script is intended to be transcluded into |
| 6 // another document, and we want the GET values used to request it, |
| 7 // not the values for the including document |
| 8 |
| 9 // XXX these are unencoded, so there's an unavoidable |
| 10 // injection vulnerability in constructing this file... |
| 11 // need to upgrade the template engine. |
| 12 var reportField = "{{GET[reportField]}}"; |
| 13 var reportValue = "{{GET[reportValue]}}"; |
| 14 var reportExists = "{{GET[reportExists]}}"; |
| 15 var noCookies = "{{GET[noCookies]}}"; |
| 16 |
| 17 var location = window.location; |
| 18 var thisTestName = location.pathname.split('/')[location.pathname.split('/').l
ength - 1].split('.')[0]; |
| 19 |
| 20 var reportID = ""; |
| 21 |
| 22 var cookies = document.cookie.split(';'); |
| 23 for (var i = 0; i < cookies.length; i++) { |
| 24 var cookieName = cookies[i].split('=')[0].trim(); |
| 25 var cookieValue = cookies[i].split('=')[1].trim(); |
| 26 |
| 27 if (cookieName == thisTestName) { |
| 28 reportID = cookieValue; |
| 29 var cookieToDelete = cookieName + "=; expires=Thu, 01 Jan 1970 00:00:00 GM
T; path=" + document.location.pathname.substring(0, document.location.pathname.l
astIndexOf('/') + 1); |
| 30 document.cookie = cookieToDelete; |
| 31 break; |
| 32 } |
| 33 } |
| 34 |
| 35 var timeout = document.querySelector("meta[name=timeout][content=long]") ? 50
: 5; |
| 36 var reportLocation = location.protocol + "//" + location.host + "/content-secu
rity-policy/support/report.py?op=take&timeout=" + timeout + "&reportID=" + repor
tID; |
| 37 |
| 38 var reportTest = async_test("Violation report status OK."); |
| 39 reportTest.step(function () { |
| 40 |
| 41 var report = new XMLHttpRequest(); |
| 42 report.onload = reportTest.step_func(function () { |
| 43 |
| 44 var data = JSON.parse(report.responseText); |
| 45 |
| 46 if (data.error) { |
| 47 assert_equals("false", reportExists, data.error); |
| 48 } else { |
| 49 if(reportExists != "" && reportExists == "false" && data["csp-report"]
) { |
| 50 assert_unreached("CSP report sent, but not expecting one: " + JSON
.stringify(data["csp-report"])); |
| 51 } |
| 52 // Firefox expands 'self' or origins in a policy to the actual origin
value |
| 53 // so "www.example.com" becomes "http://www.example.com:80". |
| 54 // Accomodate this by just testing that the correct directive name |
| 55 // is reported, not the details... |
| 56 |
| 57 if(data["csp-report"] != undefined && data["csp-report"][reportField]
!= undefined) { |
| 58 assert_true(data["csp-report"][reportField].indexOf(reportValue.spli
t(" ")[0]) != -1, |
| 59 reportField + " value of \"" + data["csp-report"][reportField]
+ "\" did not match " + |
| 60 reportValue.split(" ")[0] + "."); |
| 61 } |
| 62 } |
| 63 |
| 64 reportTest.done(); |
| 65 }); |
| 66 |
| 67 report.open("GET", reportLocation, true); |
| 68 report.send(); |
| 69 }); |
| 70 |
| 71 if (noCookies) { |
| 72 var cookieTest = async_test("No cookies sent with report."); |
| 73 var cookieReport = new XMLHttpRequest(); |
| 74 cookieReport.onload = cookieTest.step_func(function () { |
| 75 var data = JSON.parse(cookieReport.responseText); |
| 76 assert_equals(data.reportCookies, "None"); |
| 77 cookieTest.done(); |
| 78 }); |
| 79 var cReportLocation = location.protocol + "//" + location.host + "/content
-security-policy/support/report.py?op=cookies&timeout=" + timeout + "&reportID="
+ reportID; |
| 80 cookieReport.open("GET", cReportLocation, true); |
| 81 cookieReport.send(); |
| 82 }; |
| 83 |
| 84 })(); |
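Review bot: The cookie loop at new lines 22-25 throws a TypeError before any test is registered whenever a cookie has no `=`, and in particular when `document.cookie` is empty: `"".split(';')` yields `[""]`, `"".split('=')[1]` is `undefined`, and `.trim()` on it fails, so a run where no report cookie was set (the `reportExists == "false"` case) dies with an uncaught exception instead of producing a test result. Parsing on the first `=` and skipping entries without one also keeps values that themselves contain `=` intact rather than truncating them at the second `=`. Separately, `reportID` (taken from the cookie value) is concatenated unencoded into the query string at new lines 36 and 79; wrapping it as `"&reportID=" + encodeURIComponent(reportID)` in both places keeps a value containing `&`, `#` or `%` from being reinterpreted as extra parameters by report.py. The `reportExists != "" &&` clause at new line 49 is redundant given the following `== "false"` and could be dropped. The enclosing IIFE is entirely within this hunk.
```javascript
for (var i = 0; i < cookies.length; i++) {
    var separator = cookies[i].indexOf('=');
    if (separator === -1) continue; // empty document.cookie gives [""]; a bare name has no value
    var cookieName = cookies[i].substring(0, separator).trim();
    var cookieValue = cookies[i].substring(separator + 1).trim();
    // … unchanged: compare against thisTestName, capture reportID, expire the cookie, break …
}
```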