summaryrefslogtreecommitdiffstats
path: root/dom/svg/test/test_use_with_hsts.html
diff options
context:
space:
mode:
Diffstat (limited to 'dom/svg/test/test_use_with_hsts.html')
-rw-r--r--dom/svg/test/test_use_with_hsts.html129
1 files changed, 129 insertions, 0 deletions
diff --git a/dom/svg/test/test_use_with_hsts.html b/dom/svg/test/test_use_with_hsts.html
new file mode 100644
index 0000000000..07c7a5a109
--- /dev/null
+++ b/dom/svg/test/test_use_with_hsts.html
@@ -0,0 +1,129 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=1247733
+-->
+<head>
+ <meta charset="utf-8">
+ <title>Test for Bug 1247733</title>
+ <script src="/tests/SimpleTest/SimpleTest.js"></script>
+ <script src="/tests/SimpleTest/WindowSnapshot.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1247733">Mozilla Bug 1247733</a>
+<p id="display">
+ <iframe id="myIframe"></iframe>
+</p>
+<div id="content" style="display: none">
+
+</div>
+<pre id="test"></pre>
+<script type="application/javascript">
+ /** Test for Bug 1247733 **/
+
+ /**
+ * This test ensures that we render the SVG 'use' element correctly, in
+ * pages that have been upgraded from HTTP to HTTPS using strict transport
+ * security (HSTS)
+ *
+ * Specifically:
+ * (1) We load a file using HTTPS, in an iframe. The file gets sent
+ * with a Strict-Transport-Security flag.
+ * (2) We load the same file again, but now over HTTP (which should get
+ * upgraded to HTTPS, since we received the Strict-Transport-Security
+ * flag during the first load).
+ * (3) After each of the above loads, we take a snapshot of the iframe
+ * and ensure that it renders as fully lime (which the 'use' element
+ * is responsible for). If the 'use' element fails to render, the iframe
+ * will be fully red, and we'll fail an "assertSnapshots" check.
+ */
+ SimpleTest.waitForExplicitFinish();
+
+ const iframe = document.getElementById("myIframe");
+ const iframeWin = iframe.contentWindow;
+
+ // URI for our testcase with 'use' element, via HTTP and HTTPS:
+ const insecureURI = "http://example.com/tests/dom/svg/test/use-with-hsts-helper.html";
+ const secureURI = "https://example.com/tests/dom/svg/test/use-with-hsts-helper.html";
+
+ // Bookkeeping to be sure receiveMessage is called as many times as we expect:
+ var numPostMessageCalls = 0;
+ const expectedNumPostMessageCalls = 2; // (We load the helper file twice.)
+
+ // Helper function, called via postMessage, to check iframe's actual location:
+ function receiveMessage(event) {
+ is(event.data, secureURI, "iframe should end up viewing secure URI");
+ numPostMessageCalls++;
+ }
+
+ // Convenience helper which makes |iframe| load the given |uri|. Returns
+ // a promise that resolves when the load completes. This makes it handy to
+ // use with 'await', to avoid onload callback hell.
+ async function LoadIframeAsync(uri) {
+ return new Promise(resolve => {
+ iframe.addEventListener("load", resolve, {once: true});
+ // Kick off the requested load:
+ iframe.src = uri;
+ });
+ }
+
+ // MAIN TEST CODE BEGINS HERE.
+ async function runTest() {
+ // Capture a snapshot with nothing in the iframe, so we can do a
+ // sanity-check not-equal comparison against our reference case, to be
+ // sure we're rendering anything at all:
+ let blankSnapshot = await snapshotWindow(iframeWin);
+
+ // Load & snapshot a reference case (fully lime):
+ await LoadIframeAsync("data:text/html,<body style='background:lime'>");
+ let refSnapshot = await snapshotWindow(iframeWin);
+
+ // Ensure reference snapshot looks different from blank snapshot:
+ assertSnapshots(refSnapshot, blankSnapshot,
+ false /* not equal*/, null /* no fuzz*/,
+ "refSnapshot", "blankSnapshot");
+
+ // OK, assuming we've got a valid refSnapshot, we can now proceed to
+ // capture test screenshots.
+
+ // Register a postMessage handler, so that iframe can report its location:
+ window.addEventListener("message", receiveMessage);
+
+ // Load & snapshot secure (HTTPS) version of testcase, & check against ref:
+ await LoadIframeAsync(secureURI);
+ let secureSnapshot = await snapshotWindow(iframeWin);
+ assertSnapshots(secureSnapshot, refSnapshot,
+ true /* equal*/, null /* no fuzz*/,
+ "secureSnapshot", "refSnapshot");
+
+ // Load insecure (HTTP) version of testcase (which should get
+ // automatically upgraded to secure (HTTPS) under the hood):
+ await LoadIframeAsync(insecureURI);
+
+ // Double-check that iframe is really pointed at insecure URI, to be sure
+ // we're actually exercising HSTS. (Note that receiveMessage() will make
+ // sure it's been upgraded to a secure HTTPS URI under the hood.)
+ is(iframe.src, insecureURI,
+ "test should've attempted to load insecure HTTP URI, to exercise HSTS");
+
+ // Capture snapshot of iframe showing upgraded-to-HTTPS version of testcase:
+ let upgradedSnapshot = await snapshotWindow(iframeWin);
+ assertSnapshots(upgradedSnapshot, refSnapshot,
+ true /* equal*/, null /* no fuzz*/,
+ "upgradedSnapshot", "refSnapshot");
+
+ // Check that the iframe did actually invoke our postMessage handler (which
+ // is where we verify that the HSTS upgrade actually happened):
+ is(numPostMessageCalls, expectedNumPostMessageCalls,
+ "didn't receive as many messages from child iframe as expected");
+
+ // We're done! Clear the STS headers that we set, and finish.
+ SpecialPowers.cleanUpSTSData("http://example.com");
+ SimpleTest.finish();
+ }
+
+ runTest();
+</script>
+</body>
+</html>