summaryrefslogtreecommitdiffstats
path: root/dom/security/test/https-only/browser_triggering_principal_exemption.js
blob: d2d4038ac8afe7e582c9b9974ec5a9b765dcfe59 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71

// Bug 1662359 - Don't upgrade subresources whose triggering principal is exempt from HTTPS-Only mode.
// https://bugzilla.mozilla.org/bug/1662359
"use strict";

const TRIGGERING_PAGE = "http://example.org";
const LOADED_RESOURCE = "http://example.com";

add_task(async function() {
  // Enable HTTPS-Only Mode
  await SpecialPowers.pushPrefEnv({
    set: [["dom.security.https_only_mode", true]],
  });

  await runTest(
    "Request with not exempt triggering principal should get upgraded.",
    "https://"
  );

  // Now exempt the triggering page
  await SpecialPowers.pushPermissions([
    {
      type: "https-only-load-insecure",
      allow: true,
      context: TRIGGERING_PAGE,
    },
  ]);

  await runTest(
    "Request with exempt triggering principal should not get upgraded.",
    "http://"
  );

  await SpecialPowers.popPermissions();
});

async function runTest(desc, startsWith) {
  const responseURL = await new Promise(resolve => {
    let xhr = new XMLHttpRequest();
    xhr.open("GET", LOADED_RESOURCE);

    // Replace loadinfo with one whose triggeringPrincipal is a content
    // principal for TRIGGERING_PAGE.
    const triggeringPrincipal = Services.scriptSecurityManager.createContentPrincipalFromOrigin(
      TRIGGERING_PAGE
    );
    let dummyURI = Services.io.newURI(LOADED_RESOURCE);
    let dummyChannel = NetUtil.newChannel({
      uri: dummyURI,
      triggeringPrincipal,
      loadingPrincipal: xhr.channel.loadInfo.loadingPrincipal,
      securityFlags: xhr.channel.loadInfo.securityFlags,
      contentPolicyType: xhr.channel.loadInfo.externalContentPolicyType,
    });
    xhr.channel.loadInfo = dummyChannel.loadInfo;

    xhr.onreadystatechange = () => {
      // We don't care about the result, just if Firefox upgraded the URL
      // internally.
      if (
        xhr.readyState !== XMLHttpRequest.OPENED ||
        xhr.readyState !== XMLHttpRequest.UNSENT
      ) {
        // Let's make sure this function doesn't get called anymore
        xhr.onreadystatechange = undefined;
        resolve(xhr.responseURL);
      }
    };
    xhr.send();
  });
  ok(responseURL.startsWith(startsWith), desc);
}
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-03 14:27:14 +0000