blob: 96896dd512398062503085b387445ef233e5eb4c (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
|
<!DOCTYPE HTML>
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests; default-src https: wss: 'unsafe-inline'; form-action https:;">
<meta charset="utf-8">
<title>Bug 1139297 - Implement CSP upgrade-insecure-requests directive</title>
<!-- style -->
<link rel='stylesheet' type='text/css' href='http://example.com/tests/dom/security/test/csp/file_upgrade_insecure_server.sjs?style' media='screen' />
<!-- font -->
<style>
@font-face {
font-family: "foofont";
src: url('http://example.com/tests/dom/security/test/csp/file_upgrade_insecure_server.sjs?font');
}
.div_foo { font-family: "foofont"; }
</style>
</head>
<body>
<!-- images: -->
<img src="http://example.com/tests/dom/security/test/csp/file_upgrade_insecure_server.sjs?img"></img>
<!-- redirects: upgrade http:// to https:// redirect to http:// and then upgrade to https:// again -->
<img src="http://example.com/tests/dom/security/test/csp/file_upgrade_insecure_server.sjs?redirect-image"></img>
<!-- script: -->
<script src="http://example.com/tests/dom/security/test/csp/file_upgrade_insecure_server.sjs?script"></script>
<!-- media: -->
<audio src="http://example.com/tests/dom/security/test/csp/file_upgrade_insecure_server.sjs?media"></audio>
<!-- objects: -->
<object width="10" height="10" data="http://example.com/tests/dom/security/test/csp/file_upgrade_insecure_server.sjs?object"></object>
<!-- font: (apply font loaded in header to div) -->
<div class="div_foo">foo</div>
<!-- iframe: (same origin) -->
<iframe src="http://example.com/tests/dom/security/test/csp/file_upgrade_insecure_server.sjs?iframe">
<!-- within that iframe we load an image over http and make sure the requested gets upgraded to https -->
</iframe>
<!-- xhr: -->
<script type="application/javascript">
var myXHR = new XMLHttpRequest();
myXHR.open("GET", "http://example.com/tests/dom/security/test/csp/file_upgrade_insecure_server.sjs?xhr");
myXHR.send(null);
</script>
<!-- websockets: upgrade ws:// to wss://-->
<script type="application/javascript">
// WebSocket tests are not supported on Android Yet. Bug 1566168.
const {AppConstants} = SpecialPowers.Cu.import("resource://gre/modules/AppConstants.jsm", {});
if (AppConstants.platform !== "android") {
var mySocket = new WebSocket("ws://example.com/tests/dom/security/test/csp/file_upgrade_insecure");
mySocket.onopen = function(e) {
if (mySocket.url.includes("wss://")) {
window.parent.postMessage({result: "websocket-ok"}, "*");
}
else {
window.parent.postMessage({result: "websocket-error"}, "*");
}
mySocket.close();
};
mySocket.onerror = function(e) {
window.parent.postMessage({result: "websocket-unexpected-error"}, "*");
};
}
</script>
<!-- form action: (upgrade POST from http:// to https://) -->
<iframe name='formFrame' id='formFrame'></iframe>
<form target="formFrame" action="http://example.com/tests/dom/security/test/csp/file_upgrade_insecure_server.sjs?form" method="POST">
<input name="foo" value="foo">
<input type="submit" id="submitButton" formenctype='multipart/form-data' value="Submit form">
</form>
<script type="text/javascript">
var submitButton = document.getElementById('submitButton');
submitButton.click();
</script>
</body>
</html>
|