// Bug 1625448 - HTTPS Only Mode - Exceptions for loopback and local IP addresses
// https://bugzilla.mozilla.org/show_bug.cgi?id=1631384
// This test ensures that various configurable upgrade exceptions work
"use strict";
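// Exercises the HTTPS-Only Mode upgrade exceptions in three phases:
//   1. defaults: loopback, local-IP and .onion hosts stay on http://
//   2. upgrade_local / upgrade_onion prefs set: local-IP and .onion hosts are
//      upgraded to https://
//   3. HTTPS_ONLY_EXEMPT set on the request: the exemption wins over the prefs
// Each case only checks the scheme of the URL the request ended up with.
add_task(async function() {
  requestLongerTimeout(2);

  await SpecialPowers.pushPrefEnv({
    set: [["dom.security.https_only_mode", true]],
  });

  // Loopback tests. The two cases cover the hostname and the literal address,
  // so each description names the target it actually requests.
  await runTest(
    "Loopback IP addresses should always be exempt from upgrades (localhost)",
    "http://localhost",
    "http://"
  );
  await runTest(
    "Loopback IP addresses should always be exempt from upgrades (127.0.0.1)",
    "http://127.0.0.1",
    "http://"
  );

  // Default local-IP and onion tests: with only the main pref enabled, these
  // hosts are expected to keep their http:// scheme.
  await runTest(
    "Local IP addresses should be exempt from upgrades by default",
    "http://10.0.250.250",
    "http://"
  );
  await runTest(
    "Hosts ending with .onion should be exempt from HTTPS-Only upgrades by default",
    "http://grocery.shopping.for.one.onion",
    "http://"
  );

  // Opt in to upgrading local-IP and .onion hosts as well.
  await SpecialPowers.pushPrefEnv({
    set: [
      ["dom.security.https_only_mode.upgrade_local", true],
      ["dom.security.https_only_mode.upgrade_onion", true],
    ],
  });

  // Local-IP and onion tests with upgrade enabled
  await runTest(
    "Local IP addresses should get upgraded when 'dom.security.https_only_mode.upgrade_local' is set to true",
    "http://10.0.250.250",
    "https://"
  );
  await runTest(
    "Hosts ending with .onion should get upgraded when 'dom.security.https_only_mode.upgrade_onion' is set to true",
    "http://grocery.shopping.for.one.onion",
    "https://"
  );

  // Local-IP request with HTTPS_ONLY_EXEMPT flag: the upgrade prefs are still
  // set here, so an http:// result shows the per-request exemption overrides them.
  await runTest(
    "The HTTPS_ONLY_EXEMPT flag should overrule upgrade-prefs",
    "http://10.0.250.250",
    "http://",
    true
  );
});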
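/**
 * Sends a GET XMLHttpRequest to `url` and asserts that the URL the request
 * ended up with starts with the expected scheme prefix.
 *
 * @param {string} desc - Assertion message passed to ok().
 * @param {string} url - URL to request.
 * @param {string} startsWith - Expected prefix of xhr.responseURL
 *   ("http://" when no upgrade is expected, "https://" when one is).
 * @param {boolean} [exempt=false] - When true, ORs HTTPS_ONLY_EXEMPT into the
 *   channel's loadInfo.httpsOnlyStatus before the request is sent.
 * @returns {Promise<void>} Settles after the assertion has been recorded.
 */
async function runTest(desc, url, startsWith, exempt = false) {
  const responseURL = await new Promise(resolve => {
    const xhr = new XMLHttpRequest();
    xhr.timeout = 1200;
    xhr.open("GET", url);
    if (exempt) {
      // Mark this single request as exempt; the channel only exists after open().
      xhr.channel.loadInfo.httpsOnlyStatus |= Ci.nsILoadInfo.HTTPS_ONLY_EXEMPT;
    }
    xhr.onreadystatechange = () => {
      // We don't care about the result and it's possible that
      // the requests might even succeed in some testing environments.
      // Only resolve once the request has moved past UNSENT/OPENED: before
      // that there is no response to take a URL from. The two checks must be
      // joined with &&; with || the condition holds for every readyState and
      // the guard filters nothing.
      if (
        xhr.readyState !== XMLHttpRequest.OPENED &&
        xhr.readyState !== XMLHttpRequest.UNSENT
      ) {
        // Let's make sure this function doesn't get called anymore
        xhr.onreadystatechange = undefined;
        resolve(xhr.responseURL);
      }
    };
    xhr.send();
  });
  ok(responseURL.startsWith(startsWith), desc);
}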