From 0ebf5bdf043a27fd3dfb7f92e0cb63d88954c44d Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Fri, 19 Apr 2024 03:47:29 +0200 Subject: Adding upstream version 115.8.0esr. Signed-off-by: Daniel Baumann --- dom/security/test/general/browser.ini | 55 ++++++ .../test/general/browser_file_nonscript.js | 38 ++++ .../browser_restrict_privileged_about_script.js | 70 +++++++ .../browser_same_site_cookies_bug1748693.js | 51 +++++ ...rowser_test_assert_systemprincipal_documents.js | 41 ++++ .../test/general/browser_test_data_download.js | 113 +++++++++++ .../test/general/browser_test_data_text_csv.js | 108 ++++++++++ .../general/browser_test_framing_error_pages.js | 53 +++++ .../browser_test_referrer_loadInOtherProcess.js | 156 +++++++++++++++ .../test/general/browser_test_report_blocking.js | 218 +++++++++++++++++++++ .../browser_test_toplevel_data_navigations.js | 70 +++++++ .../browser_test_view_image_data_navigation.js | 71 +++++++ .../test/general/browser_test_xfo_embed_object.js | 41 ++++ dom/security/test/general/bug1277803.html | 11 ++ dom/security/test/general/chrome.ini | 11 ++ dom/security/test/general/closeWindow.sjs | 24 +++ dom/security/test/general/favicon_bug1277803.ico | Bin 0 -> 1406 bytes dom/security/test/general/file_1767581.js | 1 + dom/security/test/general/file_about_child.html | 11 ++ .../file_assert_systemprincipal_documents.html | 11 ++ ...le_assert_systemprincipal_documents_iframe.html | 9 + .../file_block_script_wrong_mime_server.sjs | 38 ++++ .../file_block_subresource_redir_to_data.sjs | 33 ++++ .../file_block_toplevel_data_navigation.html | 16 ++ .../file_block_toplevel_data_navigation2.html | 17 ++ .../file_block_toplevel_data_navigation3.html | 16 ++ .../general/file_block_toplevel_data_redirect.sjs | 13 ++ .../test/general/file_cache_splitting_isloaded.sjs | 35 ++++ .../test/general/file_cache_splitting_server.sjs | 27 +++ .../test/general/file_cache_splitting_window.html | 17 ++ ...file_contentpolicytype_targeted_link_iframe.sjs | 45 +++++ dom/security/test/general/file_data_download.html | 14 ++ dom/security/test/general/file_data_text_csv.html | 14 ++ .../test/general/file_framing_error_pages.sjs | 27 +++ .../test/general/file_framing_error_pages_csp.html | 7 + .../test/general/file_framing_error_pages_xfo.html | 7 + .../test/general/file_framing_xfo_embed.html | 7 + .../test/general/file_framing_xfo_embed_object.sjs | 7 + .../test/general/file_framing_xfo_object.html | 7 + dom/security/test/general/file_gpc_server.sjs | 14 ++ .../test/general/file_loads_nonscript.html | 49 +++++ .../test/general/file_meta_referrer_in_head.html | 13 ++ .../general/file_meta_referrer_notin_head.html | 14 ++ dom/security/test/general/file_nonscript | 1 + dom/security/test/general/file_nonscript.html | 1 + dom/security/test/general/file_nonscript.json | 1 + dom/security/test/general/file_nonscript.txt | 1 + dom/security/test/general/file_nonscript.xyz | 1 + .../test/general/file_nosniff_navigation.sjs | 40 ++++ .../test/general/file_nosniff_testserver.sjs | 61 ++++++ .../test/general/file_same_site_cookies_about.sjs | 99 ++++++++++ ...le_same_site_cookies_blob_iframe_inclusion.html | 34 ++++ ...e_same_site_cookies_blob_iframe_navigation.html | 30 +++ .../general/file_same_site_cookies_bug1748693.sjs | 31 +++ ...file_same_site_cookies_cross_origin_context.sjs | 54 +++++ .../general/file_same_site_cookies_from_script.sjs | 48 +++++ .../test/general/file_same_site_cookies_iframe.sjs | 99 ++++++++++ .../general/file_same_site_cookies_redirect.sjs | 103 ++++++++++ .../general/file_same_site_cookies_subrequest.sjs | 82 ++++++++ .../file_same_site_cookies_toplevel_nav.sjs | 96 +++++++++ .../file_same_site_cookies_toplevel_set_cookie.sjs | 68 +++++++ dom/security/test/general/file_script.js | 1 + .../general/file_toplevel_data_meta_redirect.html | 10 + .../general/file_toplevel_data_navigations.sjs | 13 ++ .../file_view_bg_image_data_navigation.html | 16 ++ .../general/file_view_image_data_navigation.html | 12 ++ dom/security/test/general/file_xfo_error_page.sjs | 8 + dom/security/test/general/mochitest.ini | 95 +++++++++ .../test/general/test_allow_opening_data_json.html | 39 ++++ .../test/general/test_allow_opening_data_pdf.html | 41 ++++ .../general/test_assert_about_page_no_csp.html | 30 +++ .../test/general/test_block_script_wrong_mime.html | 92 +++++++++ .../test_block_subresource_redir_to_data.html | 68 +++++++ .../test_block_toplevel_data_img_navigation.html | 53 +++++ .../test_block_toplevel_data_navigation.html | 134 +++++++++++++ dom/security/test/general/test_bug1277803.xhtml | 65 ++++++ dom/security/test/general/test_bug1450853.html | 91 +++++++++ .../test/general/test_bug1660452_http.html | 39 ++++ .../test/general/test_bug1660452_https.html | 39 ++++ dom/security/test/general/test_cache_split.html | 153 +++++++++++++++ ...est_contentpolicytype_targeted_link_iframe.html | 103 ++++++++++ dom/security/test/general/test_gpc.html | 51 +++++ .../test/general/test_innerhtml_sanitizer.html | 74 +++++++ .../test/general/test_innerhtml_sanitizer.xhtml | 73 +++++++ dom/security/test/general/test_meta_referrer.html | 55 ++++++ dom/security/test/general/test_nosniff.html | 88 +++++++++ .../test/general/test_nosniff_navigation.html | 35 ++++ .../test/general/test_same_site_cookies_about.html | 116 +++++++++++ ...est_same_site_cookies_cross_origin_context.html | 93 +++++++++ .../test_same_site_cookies_from_script.html | 86 ++++++++ .../general/test_same_site_cookies_iframe.html | 168 ++++++++++++++++ .../test_same_site_cookies_laxByDefault.html | 85 ++++++++ .../general/test_same_site_cookies_redirect.html | 101 ++++++++++ .../general/test_same_site_cookies_subrequest.html | 113 +++++++++++ .../test_same_site_cookies_toplevel_nav.html | 117 +++++++++++ ...test_same_site_cookies_toplevel_set_cookie.html | 57 ++++++ dom/security/test/general/test_xfo_error_page.html | 35 ++++ .../test/general/window_nosniff_navigation.html | 96 +++++++++ 98 files changed, 4995 insertions(+) create mode 100644 dom/security/test/general/browser.ini create mode 100644 dom/security/test/general/browser_file_nonscript.js create mode 100644 dom/security/test/general/browser_restrict_privileged_about_script.js create mode 100644 dom/security/test/general/browser_same_site_cookies_bug1748693.js create mode 100644 dom/security/test/general/browser_test_assert_systemprincipal_documents.js create mode 100644 dom/security/test/general/browser_test_data_download.js create mode 100644 dom/security/test/general/browser_test_data_text_csv.js create mode 100644 dom/security/test/general/browser_test_framing_error_pages.js create mode 100644 dom/security/test/general/browser_test_referrer_loadInOtherProcess.js create mode 100644 dom/security/test/general/browser_test_report_blocking.js create mode 100644 dom/security/test/general/browser_test_toplevel_data_navigations.js create mode 100644 dom/security/test/general/browser_test_view_image_data_navigation.js create mode 100644 dom/security/test/general/browser_test_xfo_embed_object.js create mode 100644 dom/security/test/general/bug1277803.html create mode 100644 dom/security/test/general/chrome.ini create mode 100644 dom/security/test/general/closeWindow.sjs create mode 100644 dom/security/test/general/favicon_bug1277803.ico create mode 100644 dom/security/test/general/file_1767581.js create mode 100644 dom/security/test/general/file_about_child.html create mode 100644 dom/security/test/general/file_assert_systemprincipal_documents.html create mode 100644 dom/security/test/general/file_assert_systemprincipal_documents_iframe.html create mode 100644 dom/security/test/general/file_block_script_wrong_mime_server.sjs create mode 100644 dom/security/test/general/file_block_subresource_redir_to_data.sjs create mode 100644 dom/security/test/general/file_block_toplevel_data_navigation.html create mode 100644 dom/security/test/general/file_block_toplevel_data_navigation2.html create mode 100644 dom/security/test/general/file_block_toplevel_data_navigation3.html create mode 100644 dom/security/test/general/file_block_toplevel_data_redirect.sjs create mode 100644 dom/security/test/general/file_cache_splitting_isloaded.sjs create mode 100644 dom/security/test/general/file_cache_splitting_server.sjs create mode 100644 dom/security/test/general/file_cache_splitting_window.html create mode 100644 dom/security/test/general/file_contentpolicytype_targeted_link_iframe.sjs create mode 100644 dom/security/test/general/file_data_download.html create mode 100644 dom/security/test/general/file_data_text_csv.html create mode 100644 dom/security/test/general/file_framing_error_pages.sjs create mode 100644 dom/security/test/general/file_framing_error_pages_csp.html create mode 100644 dom/security/test/general/file_framing_error_pages_xfo.html create mode 100644 dom/security/test/general/file_framing_xfo_embed.html create mode 100644 dom/security/test/general/file_framing_xfo_embed_object.sjs create mode 100644 dom/security/test/general/file_framing_xfo_object.html create mode 100644 dom/security/test/general/file_gpc_server.sjs create mode 100644 dom/security/test/general/file_loads_nonscript.html create mode 100644 dom/security/test/general/file_meta_referrer_in_head.html create mode 100644 dom/security/test/general/file_meta_referrer_notin_head.html create mode 100644 dom/security/test/general/file_nonscript create mode 100644 dom/security/test/general/file_nonscript.html create mode 100644 dom/security/test/general/file_nonscript.json create mode 100644 dom/security/test/general/file_nonscript.txt create mode 100644 dom/security/test/general/file_nonscript.xyz create mode 100644 dom/security/test/general/file_nosniff_navigation.sjs create mode 100644 dom/security/test/general/file_nosniff_testserver.sjs create mode 100644 dom/security/test/general/file_same_site_cookies_about.sjs create mode 100644 dom/security/test/general/file_same_site_cookies_blob_iframe_inclusion.html create mode 100644 dom/security/test/general/file_same_site_cookies_blob_iframe_navigation.html create mode 100644 dom/security/test/general/file_same_site_cookies_bug1748693.sjs create mode 100644 dom/security/test/general/file_same_site_cookies_cross_origin_context.sjs create mode 100644 dom/security/test/general/file_same_site_cookies_from_script.sjs create mode 100644 dom/security/test/general/file_same_site_cookies_iframe.sjs create mode 100644 dom/security/test/general/file_same_site_cookies_redirect.sjs create mode 100644 dom/security/test/general/file_same_site_cookies_subrequest.sjs create mode 100644 dom/security/test/general/file_same_site_cookies_toplevel_nav.sjs create mode 100644 dom/security/test/general/file_same_site_cookies_toplevel_set_cookie.sjs create mode 100644 dom/security/test/general/file_script.js create mode 100644 dom/security/test/general/file_toplevel_data_meta_redirect.html create mode 100644 dom/security/test/general/file_toplevel_data_navigations.sjs create mode 100644 dom/security/test/general/file_view_bg_image_data_navigation.html create mode 100644 dom/security/test/general/file_view_image_data_navigation.html create mode 100644 dom/security/test/general/file_xfo_error_page.sjs create mode 100644 dom/security/test/general/mochitest.ini create mode 100644 dom/security/test/general/test_allow_opening_data_json.html create mode 100644 dom/security/test/general/test_allow_opening_data_pdf.html create mode 100644 dom/security/test/general/test_assert_about_page_no_csp.html create mode 100644 dom/security/test/general/test_block_script_wrong_mime.html create mode 100644 dom/security/test/general/test_block_subresource_redir_to_data.html create mode 100644 dom/security/test/general/test_block_toplevel_data_img_navigation.html create mode 100644 dom/security/test/general/test_block_toplevel_data_navigation.html create mode 100644 dom/security/test/general/test_bug1277803.xhtml create mode 100644 dom/security/test/general/test_bug1450853.html create mode 100644 dom/security/test/general/test_bug1660452_http.html create mode 100644 dom/security/test/general/test_bug1660452_https.html create mode 100644 dom/security/test/general/test_cache_split.html create mode 100644 dom/security/test/general/test_contentpolicytype_targeted_link_iframe.html create mode 100644 dom/security/test/general/test_gpc.html create mode 100644 dom/security/test/general/test_innerhtml_sanitizer.html create mode 100644 dom/security/test/general/test_innerhtml_sanitizer.xhtml create mode 100644 dom/security/test/general/test_meta_referrer.html create mode 100644 dom/security/test/general/test_nosniff.html create mode 100644 dom/security/test/general/test_nosniff_navigation.html create mode 100644 dom/security/test/general/test_same_site_cookies_about.html create mode 100644 dom/security/test/general/test_same_site_cookies_cross_origin_context.html create mode 100644 dom/security/test/general/test_same_site_cookies_from_script.html create mode 100644 dom/security/test/general/test_same_site_cookies_iframe.html create mode 100644 dom/security/test/general/test_same_site_cookies_laxByDefault.html create mode 100644 dom/security/test/general/test_same_site_cookies_redirect.html create mode 100644 dom/security/test/general/test_same_site_cookies_subrequest.html create mode 100644 dom/security/test/general/test_same_site_cookies_toplevel_nav.html create mode 100644 dom/security/test/general/test_same_site_cookies_toplevel_set_cookie.html create mode 100644 dom/security/test/general/test_xfo_error_page.html create mode 100644 dom/security/test/general/window_nosniff_navigation.html (limited to 'dom/security/test/general') diff --git a/dom/security/test/general/browser.ini b/dom/security/test/general/browser.ini new file mode 100644 index 0000000000..bdbaf86b03 --- /dev/null +++ b/dom/security/test/general/browser.ini @@ -0,0 +1,55 @@ +[DEFAULT] +[browser_test_toplevel_data_navigations.js] +skip-if = (verify && debug && (os == 'mac')) || (debug && (os == 'mac' || os == 'linux')) # Bug 1403815 +support-files = + file_toplevel_data_navigations.sjs + file_toplevel_data_meta_redirect.html +[browser_test_data_download.js] +support-files = + file_data_download.html +[browser_test_data_text_csv.js] +support-files = + file_data_text_csv.html +[browser_test_view_image_data_navigation.js] +support-files = + file_view_image_data_navigation.html + file_view_bg_image_data_navigation.html +[browser_test_assert_systemprincipal_documents.js] +skip-if = !nightly_build +support-files = + file_assert_systemprincipal_documents.html + file_assert_systemprincipal_documents_iframe.html +[browser_test_referrer_loadInOtherProcess.js] +[browser_test_framing_error_pages.js] +support-files = + file_framing_error_pages_csp.html + file_framing_error_pages_xfo.html + file_framing_error_pages.sjs +[browser_test_xfo_embed_object.js] +support-files = + file_framing_xfo_embed.html + file_framing_xfo_object.html + file_framing_xfo_embed_object.sjs +[browser_test_report_blocking.js] +support-files = + file_framing_error_pages_xfo.html + file_framing_error_pages_csp.html + file_framing_error_pages.sjs +[browser_same_site_cookies_bug1748693.js] +support-files = + file_same_site_cookies_bug1748693.sjs +[browser_file_nonscript.js] +support-files = + file_loads_nonscript.html + file_nonscript + file_nonscript.xyz + file_nonscript.html + file_nonscript.txt + file_nonscript.json + file_script.js +[browser_restrict_privileged_about_script.js] +# This test intentionally asserts when in debug builds. Let's rely on opt builds when in CI. +skip-if = debug +support-files = + file_about_child.html + file_1767581.js diff --git a/dom/security/test/general/browser_file_nonscript.js b/dom/security/test/general/browser_file_nonscript.js new file mode 100644 index 0000000000..95243c32a7 --- /dev/null +++ b/dom/security/test/general/browser_file_nonscript.js @@ -0,0 +1,38 @@ +/* Any copyright is dedicated to the Public Domain. + http://creativecommons.org/publicdomain/zero/1.0/ */ + +"use strict"; + +add_task(async function test_fileurl_nonscript_load() { + await SpecialPowers.pushPrefEnv({ + set: [["security.block_fileuri_script_with_wrong_mime", true]], + }); + + let file = getChromeDir(getResolvedURI(gTestPath)); + file.append("file_loads_nonscript.html"); + let uriString = Services.io.newFileURI(file).spec; + + let tab = await BrowserTestUtils.openNewForegroundTab(gBrowser, uriString); + registerCleanupFunction(async function () { + BrowserTestUtils.removeTab(tab); + }); + + let counter = await SpecialPowers.spawn(tab.linkedBrowser, [], async () => { + Cu.exportFunction(Assert.equal.bind(Assert), content.window, { + defineAs: "equal", + }); + content.window.postMessage("run", "*"); + + await new Promise(resolve => { + content.window.addEventListener("message", event => { + if (event.data === "done") { + resolve(); + } + }); + }); + + return content.window.wrappedJSObject.counter; + }); + + is(counter, 1, "Only one script should have run"); +}); diff --git a/dom/security/test/general/browser_restrict_privileged_about_script.js b/dom/security/test/general/browser_restrict_privileged_about_script.js new file mode 100644 index 0000000000..0baa6e3d4d --- /dev/null +++ b/dom/security/test/general/browser_restrict_privileged_about_script.js @@ -0,0 +1,70 @@ +"use strict"; + +const kChildPage = getRootDirectory(gTestPath) + "file_about_child.html"; + +const kAboutPagesRegistered = BrowserTestUtils.registerAboutPage( + registerCleanupFunction, + "test-about-privileged-with-scripts", + kChildPage, + Ci.nsIAboutModule.ALLOW_SCRIPT | + Ci.nsIAboutModule.URI_MUST_LOAD_IN_CHILD | + Ci.nsIAboutModule.URI_CAN_LOAD_IN_PRIVILEGEDABOUT_PROCESS | + Ci.nsIAboutModule.URI_SAFE_FOR_UNTRUSTED_CONTENT | + Ci.nsIAboutModule.IS_SECURE_CHROME_UI +); + +add_task(async function test_principal_click() { + await kAboutPagesRegistered; + await SpecialPowers.pushPrefEnv({ + set: [["dom.security.skip_about_page_has_csp_assert", true]], + }); + await BrowserTestUtils.withNewTab( + "about:test-about-privileged-with-scripts", + async function (browser) { + // Wait for page to fully load + info("Waiting for tab to be loaded.."); + // let's look into the fully loaded about page + await SpecialPowers.spawn( + gBrowser.selectedBrowser, + [], + async function () { + let channel = content.docShell.currentDocumentChannel; + is( + channel.originalURI.asciiSpec, + "about:test-about-privileged-with-scripts", + "sanity check - make sure we test the principal for the correct URI" + ); + + let triggeringPrincipal = channel.loadInfo.triggeringPrincipal; + ok( + triggeringPrincipal.isSystemPrincipal, + "loading about: from privileged page must have a triggering of System" + ); + + let contentPolicyType = channel.loadInfo.externalContentPolicyType; + is( + contentPolicyType, + Ci.nsIContentPolicy.TYPE_DOCUMENT, + "sanity check - loading a top level document" + ); + + let loadingPrincipal = channel.loadInfo.loadingPrincipal; + is( + loadingPrincipal, + null, + "sanity check - load of TYPE_DOCUMENT must have a null loadingPrincipal" + ); + ok( + !content.document.nodePrincipal.isSystemPrincipal, + "sanity check - loaded about page does not have the system principal" + ); + isnot( + content.testResult, + "fail-script-was-loaded", + "The script from https://example.com shouldn't work in an about: page." + ); + } + ); + } + ); +}); diff --git a/dom/security/test/general/browser_same_site_cookies_bug1748693.js b/dom/security/test/general/browser_same_site_cookies_bug1748693.js new file mode 100644 index 0000000000..da3c3d7762 --- /dev/null +++ b/dom/security/test/general/browser_same_site_cookies_bug1748693.js @@ -0,0 +1,51 @@ +"use strict"; + +const HTTPS_PATH = getRootDirectory(gTestPath).replace( + "chrome://mochitests/content", + "https://example.com" +); +const HTTP_PATH = getRootDirectory(gTestPath).replace( + "chrome://mochitests/content", + "http://example.com" +); + +function checkCookies(expectedCookies = {}) { + info(JSON.stringify(expectedCookies)); + return SpecialPowers.spawn( + gBrowser.selectedBrowser, + [expectedCookies], + async function (expectedCookies) { + let cookies = content.document.getElementById("msg").innerHTML; + info(cookies); + for (const [cookie, expected] of Object.entries(expectedCookies)) { + if (expected) { + ok(cookies.includes(cookie), `${cookie} should be sent`); + } else { + ok(!cookies.includes(cookie), `${cookie} should not be sent`); + } + } + } + ); +} + +add_task(async function bug1748693() { + waitForExplicitFinish(); + + let loaded = BrowserTestUtils.browserLoaded(gBrowser.selectedBrowser); + BrowserTestUtils.loadURIString( + gBrowser, + `${HTTPS_PATH}file_same_site_cookies_bug1748693.sjs?setcookies` + ); + await loaded; + + loaded = BrowserTestUtils.browserLoaded(gBrowser.selectedBrowser); + BrowserTestUtils.loadURIString( + gBrowser, + `${HTTP_PATH}file_same_site_cookies_bug1748693.sjs` + ); + await loaded; + + await checkCookies({ auth: true, auth_secure: false }); + + finish(); +}); diff --git a/dom/security/test/general/browser_test_assert_systemprincipal_documents.js b/dom/security/test/general/browser_test_assert_systemprincipal_documents.js new file mode 100644 index 0000000000..8804e85b2c --- /dev/null +++ b/dom/security/test/general/browser_test_assert_systemprincipal_documents.js @@ -0,0 +1,41 @@ +//"use strict" + +const kTestPath = getRootDirectory(gTestPath); +const kTestURI = kTestPath + "file_assert_systemprincipal_documents.html"; + +add_setup(async function () { + // We expect the assertion in function + // CheckSystemPrincipalLoads as defined in + // file dom/security/nsContentSecurityManager.cpp + SimpleTest.expectAssertions(1); + + await SpecialPowers.pushPrefEnv({ + set: [ + ["security.disallow_non_local_systemprincipal_in_tests", true], + ["security.allow_unsafe_parent_loads", true], + ], + }); +}); + +add_task(async function open_test_iframe_in_tab() { + // This looks at the iframe (load type SUBDOCUMENT) + await BrowserTestUtils.withNewTab( + { gBrowser, url: kTestURI }, + async browser => { + await SpecialPowers.spawn(browser, [], async function () { + let outerPrincipal = content.document.nodePrincipal; + ok( + outerPrincipal.isSystemPrincipal, + "Sanity: Using SystemPrincipal for test file on chrome://" + ); + const iframeDoc = + content.document.getElementById("testframe").contentDocument; + is( + iframeDoc.body.innerHTML, + "", + "iframe with systemprincipal should be empty document" + ); + }); + } + ); +}); diff --git a/dom/security/test/general/browser_test_data_download.js b/dom/security/test/general/browser_test_data_download.js new file mode 100644 index 0000000000..a74126971f --- /dev/null +++ b/dom/security/test/general/browser_test_data_download.js @@ -0,0 +1,113 @@ +"use strict"; + +const kTestPath = getRootDirectory(gTestPath).replace( + "chrome://mochitests/content", + "http://example.com" +); +const kTestURI = kTestPath + "file_data_download.html"; + +function addWindowListener(aURL) { + return new Promise(resolve => { + Services.wm.addListener({ + onOpenWindow(aXULWindow) { + info("window opened, waiting for focus"); + Services.wm.removeListener(this); + var domwindow = aXULWindow.docShell.domWindow; + waitForFocus(function () { + is( + domwindow.document.location.href, + aURL, + "should have seen the right window open" + ); + resolve(domwindow); + }, domwindow); + }, + onCloseWindow(aXULWindow) {}, + }); + }); +} + +function waitDelay(delay) { + return new Promise((resolve, reject) => { + /* eslint-disable mozilla/no-arbitrary-setTimeout */ + window.setTimeout(resolve, delay); + }); +} + +function promisePanelOpened() { + if (DownloadsPanel.panel && DownloadsPanel.panel.state == "open") { + return Promise.resolve(); + } + return BrowserTestUtils.waitForEvent(DownloadsPanel.panel, "popupshown"); +} + +add_task(async function test_with_downloads_pref_disabled() { + waitForExplicitFinish(); + await SpecialPowers.pushPrefEnv({ + set: [ + ["security.data_uri.block_toplevel_data_uri_navigations", true], + ["browser.download.always_ask_before_handling_new_types", true], + ], + }); + let windowPromise = addWindowListener( + "chrome://mozapps/content/downloads/unknownContentType.xhtml" + ); + BrowserTestUtils.loadURIString(gBrowser, kTestURI); + let win = await windowPromise; + + is( + win.document.getElementById("location").value, + "data-foo.html", + "file name of download should match" + ); + + let mainWindowActivated = BrowserTestUtils.waitForEvent(window, "activate"); + await BrowserTestUtils.closeWindow(win); + await mainWindowActivated; +}); + +add_task(async function test_with_always_ask_pref_disabled() { + waitForExplicitFinish(); + await SpecialPowers.pushPrefEnv({ + set: [ + ["security.data_uri.block_toplevel_data_uri_navigations", true], + ["browser.download.always_ask_before_handling_new_types", false], + ], + }); + let downloadsPanelPromise = promisePanelOpened(); + let downloadsPromise = Downloads.getList(Downloads.PUBLIC); + + BrowserTestUtils.loadURIString(gBrowser, kTestURI); + // wait until downloadsPanel opens before continuing with test + await downloadsPanelPromise; + let downloadList = await downloadsPromise; + + is(DownloadsPanel.isPanelShowing, true, "DownloadsPanel should be open."); + is( + downloadList._downloads.length, + 1, + "File should be successfully downloaded." + ); + + let [download] = downloadList._downloads; + is(download.contentType, "text/html", "File contentType should be correct."); + is( + download.source.url, + "data:text/html,data download", + "File name should be correct." + ); + + info("cleaning up downloads"); + try { + if (Services.appinfo.OS === "WINNT") { + // We need to make the file writable to delete it on Windows. + await IOUtils.setPermissions(download.target.path, 0o600); + } + await IOUtils.remove(download.target.path); + } catch (error) { + info("The file " + download.target.path + " is not removed, " + error); + } + + await downloadList.remove(download); + await download.finalize(); +}); diff --git a/dom/security/test/general/browser_test_data_text_csv.js b/dom/security/test/general/browser_test_data_text_csv.js new file mode 100644 index 0000000000..2c013a0d61 --- /dev/null +++ b/dom/security/test/general/browser_test_data_text_csv.js @@ -0,0 +1,108 @@ +"use strict"; + +const kTestPath = getRootDirectory(gTestPath).replace( + "chrome://mochitests/content", + "http://example.com" +); +const kTestURI = kTestPath + "file_data_text_csv.html"; + +function addWindowListener(aURL, aCallback) { + return new Promise(resolve => { + Services.wm.addListener({ + onOpenWindow(aXULWindow) { + info("window opened, waiting for focus"); + Services.wm.removeListener(this); + var domwindow = aXULWindow.docShell.domWindow; + waitForFocus(function () { + is( + domwindow.document.location.href, + aURL, + "should have seen the right window open" + ); + resolve(domwindow); + }, domwindow); + }, + onCloseWindow(aXULWindow) {}, + }); + }); +} + +function promisePanelOpened() { + if (DownloadsPanel.panel && DownloadsPanel.panel.state == "open") { + return Promise.resolve(); + } + return BrowserTestUtils.waitForEvent(DownloadsPanel.panel, "popupshown"); +} + +add_task(async function test_with_pref_enabled() { + await SpecialPowers.pushPrefEnv({ + set: [ + ["security.data_uri.block_toplevel_data_uri_navigations", true], + ["browser.download.always_ask_before_handling_new_types", true], + ], + }); + + let windowPromise = addWindowListener( + "chrome://mozapps/content/downloads/unknownContentType.xhtml" + ); + BrowserTestUtils.loadURIString(gBrowser, kTestURI); + let win = await windowPromise; + + let expectedValue = "Untitled.csv"; + is( + win.document.getElementById("location").value, + expectedValue, + "file name of download should match" + ); + let mainWindowActivated = BrowserTestUtils.waitForEvent(window, "activate"); + await BrowserTestUtils.closeWindow(win); + await mainWindowActivated; +}); + +add_task(async function test_with_pref_disabled() { + await SpecialPowers.pushPrefEnv({ + set: [ + ["security.data_uri.block_toplevel_data_uri_navigations", true], + ["browser.download.always_ask_before_handling_new_types", false], + ], + }); + let downloadsPanelPromise = promisePanelOpened(); + let downloadsPromise = Downloads.getList(Downloads.PUBLIC); + let sourceURLBit = "text/csv;foo,bar,foobar"; + + info("Loading URI for pref enabled"); + BrowserTestUtils.loadURIString(gBrowser, kTestURI); + info("Waiting for downloads panel to open"); + await downloadsPanelPromise; + info("Getting downloads info after opening downloads panel"); + let downloadList = await downloadsPromise; + + is(DownloadsPanel.isPanelShowing, true, "DownloadsPanel should be open."); + is( + downloadList._downloads.length, + 1, + "File should be successfully downloaded." + ); + + let [download] = downloadList._downloads; + is(download.contentType, "text/csv", "File contentType should be correct."); + is( + download.source.url, + `data:${sourceURLBit}`, + "File name should be correct." + ); + + info("Cleaning up downloads"); + try { + if (Services.appinfo.OS === "WINNT") { + // We need to make the file writable to delete it on Windows. + await IOUtils.setPermissions(download.target.path, 0o600); + } + await IOUtils.remove(download.target.path); + } catch (ex) { + info("The file " + download.target.path + " is not removed, " + ex); + } + + await downloadList.remove(download); + await download.finalize(); +}); diff --git a/dom/security/test/general/browser_test_framing_error_pages.js b/dom/security/test/general/browser_test_framing_error_pages.js new file mode 100644 index 0000000000..16e67eb702 --- /dev/null +++ b/dom/security/test/general/browser_test_framing_error_pages.js @@ -0,0 +1,53 @@ +"use strict"; + +const kTestPath = getRootDirectory(gTestPath).replace( + "chrome://mochitests/content", + "https://example.com" +); +const kTestXFrameOptionsURI = kTestPath + "file_framing_error_pages_xfo.html"; +const kTestXFrameOptionsURIFrame = + kTestPath + "file_framing_error_pages.sjs?xfo"; + +const kTestFrameAncestorsURI = kTestPath + "file_framing_error_pages_csp.html"; +const kTestFrameAncestorsURIFrame = + kTestPath + "file_framing_error_pages.sjs?csp"; + +add_task(async function open_test_xfo_error_page() { + await BrowserTestUtils.withNewTab("about:blank", async function (browser) { + let loaded = BrowserTestUtils.browserLoaded( + browser, + true, + kTestXFrameOptionsURIFrame, + true + ); + BrowserTestUtils.loadURIString(browser, kTestXFrameOptionsURI); + await loaded; + + await SpecialPowers.spawn(browser, [], async function () { + const iframeDoc = + content.document.getElementById("testframe").contentDocument; + let errorPage = iframeDoc.body.innerHTML; + ok(errorPage.includes("csp-xfo-error-title"), "xfo error page correct"); + }); + }); +}); + +add_task(async function open_test_csp_frame_ancestor_error_page() { + await BrowserTestUtils.withNewTab("about:blank", async function (browser) { + let loaded = BrowserTestUtils.browserLoaded( + browser, + true, + kTestFrameAncestorsURIFrame, + true + ); + BrowserTestUtils.loadURIString(browser, kTestFrameAncestorsURI); + await loaded; + + await SpecialPowers.spawn(browser, [], async function () { + const iframeDoc = + content.document.getElementById("testframe").contentDocument; + let errorPage = iframeDoc.body.innerHTML; + ok(errorPage.includes("csp-xfo-error-title"), "csp error page correct"); + }); + }); +}); diff --git a/dom/security/test/general/browser_test_referrer_loadInOtherProcess.js b/dom/security/test/general/browser_test_referrer_loadInOtherProcess.js new file mode 100644 index 0000000000..7da60b727d --- /dev/null +++ b/dom/security/test/general/browser_test_referrer_loadInOtherProcess.js @@ -0,0 +1,156 @@ +const TEST_PAGE = + "https://example.org/browser/browser/base/content/test/general/dummy_page.html"; +const TEST_REFERRER = "http://mochi.test:8888/"; + +const ReferrerInfo = Components.Constructor( + "@mozilla.org/referrer-info;1", + "nsIReferrerInfo", + "init" +); + +let referrerInfo = new ReferrerInfo( + Ci.nsIReferrerInfo.ORIGIN, + true, + Services.io.newURI(TEST_REFERRER) +); +let deReferrerInfo = E10SUtils.serializeReferrerInfo(referrerInfo); + +var checkResult = async function (isRemote, browserKey, uri) { + is( + gBrowser.selectedBrowser.isRemoteBrowser, + isRemote, + "isRemoteBrowser should be correct" + ); + + is( + gBrowser.selectedBrowser.permanentKey, + browserKey, + "browser.permanentKey should be correct" + ); + + if (SpecialPowers.Services.appinfo.sessionHistoryInParent) { + let sessionHistory = + gBrowser.selectedBrowser.browsingContext.sessionHistory; + let entry = sessionHistory.getEntryAtIndex(sessionHistory.count - 1); + let args = { uri, referrerInfo: deReferrerInfo, isRemote }; + Assert.equal(entry.URI.spec, args.uri, "Uri should be correct"); + + // Main process like about:mozilla does not trigger the real network request. + // So we don't store referrerInfo in sessionHistory in that case. + // Besides, the referrerInfo stored in sessionHistory was computed, we only + // check pre-computed things. + if (args.isRemote) { + let resultReferrerInfo = entry.referrerInfo; + let expectedReferrerInfo = E10SUtils.deserializeReferrerInfo( + args.referrerInfo + ); + + Assert.equal( + resultReferrerInfo.originalReferrer.spec, + expectedReferrerInfo.originalReferrer.spec, + "originalReferrer should be correct" + ); + Assert.equal( + resultReferrerInfo.sendReferrer, + expectedReferrerInfo.sendReferrer, + "sendReferrer should be correct" + ); + Assert.equal( + resultReferrerInfo.referrerPolicy, + expectedReferrerInfo.referrerPolicy, + "referrerPolicy should be correct" + ); + } else { + Assert.equal(entry.referrerInfo, null, "ReferrerInfo should be correct"); + } + + return; + } + + await SpecialPowers.spawn( + gBrowser.selectedBrowser, + [{ uri, referrerInfo: deReferrerInfo, isRemote }], + async function (args) { + let webNav = content.docShell.QueryInterface(Ci.nsIWebNavigation); + let sessionHistory = webNav.sessionHistory; + let entry = sessionHistory.legacySHistory.getEntryAtIndex( + sessionHistory.count - 1 + ); + + var { E10SUtils } = SpecialPowers.ChromeUtils.importESModule( + "resource://gre/modules/E10SUtils.sys.mjs" + ); + + Assert.equal(entry.URI.spec, args.uri, "Uri should be correct"); + + // Main process like about:mozilla does not trigger the real network request. + // So we don't store referrerInfo in sessionHistory in that case. + // Besides, the referrerInfo stored in sessionHistory was computed, we only + // check pre-computed things. + if (args.isRemote) { + let resultReferrerInfo = entry.referrerInfo; + let expectedReferrerInfo = E10SUtils.deserializeReferrerInfo( + args.referrerInfo + ); + + Assert.equal( + resultReferrerInfo.originalReferrer.spec, + expectedReferrerInfo.originalReferrer.spec, + "originalReferrer should be correct" + ); + Assert.equal( + resultReferrerInfo.sendReferrer, + expectedReferrerInfo.sendReferrer, + "sendReferrer should be correct" + ); + Assert.equal( + resultReferrerInfo.referrerPolicy, + expectedReferrerInfo.referrerPolicy, + "referrerPolicy should be correct" + ); + } else { + Assert.equal( + entry.referrerInfo, + null, + "ReferrerInfo should be correct" + ); + } + } + ); +}; +var waitForLoad = async function (uri) { + info("waitForLoad " + uri); + let loadURIOptions = { + triggeringPrincipal: Services.scriptSecurityManager.getSystemPrincipal(), + referrerInfo, + }; + gBrowser.selectedBrowser.webNavigation.loadURI( + Services.io.newURI(uri), + loadURIOptions + ); + + await BrowserTestUtils.browserStopped(gBrowser, uri); +}; + +// Tests referrerInfo when navigating from a page in the remote process to main +// process and vice versa. +add_task(async function test_navigation() { + // Navigate from non remote to remote + gBrowser.selectedTab = BrowserTestUtils.addTab(gBrowser, "about:blank"); + let testURI = TEST_PAGE; + let { permanentKey } = gBrowser.selectedBrowser; + await waitForLoad(testURI); + await checkResult(true, permanentKey, testURI); + gBrowser.removeCurrentTab(); + + // Navigate from remote to non-remote + gBrowser.selectedTab = BrowserTestUtils.addTab(gBrowser, TEST_PAGE); + // Wait for the non-blank page to finish loading + await BrowserTestUtils.browserStopped(gBrowser, TEST_PAGE); + testURI = "about:mozilla"; + permanentKey = gBrowser.selectedBrowser.permanentKey; + await waitForLoad(testURI); + await checkResult(false, permanentKey, testURI); + + gBrowser.removeCurrentTab(); +}); diff --git a/dom/security/test/general/browser_test_report_blocking.js b/dom/security/test/general/browser_test_report_blocking.js new file mode 100644 index 0000000000..4937a47c4f --- /dev/null +++ b/dom/security/test/general/browser_test_report_blocking.js @@ -0,0 +1,218 @@ +"use strict"; + +const { TelemetryArchiveTesting } = ChromeUtils.importESModule( + "resource://testing-common/TelemetryArchiveTesting.sys.mjs" +); + +const kTestPath = getRootDirectory(gTestPath).replace( + "chrome://mochitests/content", + "https://example.com" +); + +const kTestXFrameOptionsURI = kTestPath + "file_framing_error_pages_xfo.html"; +const kTestCspURI = kTestPath + "file_framing_error_pages_csp.html"; +const kTestXFrameOptionsURIFrame = + kTestPath + "file_framing_error_pages.sjs?xfo"; +const kTestCspURIFrame = kTestPath + "file_framing_error_pages.sjs?csp"; + +const kTestExpectedPingXFO = [ + [["payload", "error_type"], "xfo"], + [["payload", "xfo_header"], "deny"], + [["payload", "csp_header"], ""], + [["payload", "frame_hostname"], "example.com"], + [["payload", "top_hostname"], "example.com"], + [ + ["payload", "frame_uri"], + "https://example.com/browser/dom/security/test/general/file_framing_error_pages.sjs", + ], + [ + ["payload", "top_uri"], + "https://example.com/browser/dom/security/test/general/file_framing_error_pages_xfo.html", + ], +]; + +const kTestExpectedPingCSP = [ + [["payload", "error_type"], "csp"], + [["payload", "xfo_header"], ""], + [["payload", "csp_header"], "'none'"], + [["payload", "frame_hostname"], "example.com"], + [["payload", "top_hostname"], "example.com"], + [ + ["payload", "frame_uri"], + "https://example.com/browser/dom/security/test/general/file_framing_error_pages.sjs", + ], + [ + ["payload", "top_uri"], + "https://example.com/browser/dom/security/test/general/file_framing_error_pages_csp.html", + ], +]; + +const TEST_CASES = [ + { + type: "xfo", + test_uri: kTestXFrameOptionsURI, + frame_uri: kTestXFrameOptionsURIFrame, + expected_ping: kTestExpectedPingXFO, + }, + { + type: "csp", + test_uri: kTestCspURI, + frame_uri: kTestCspURIFrame, + expected_ping: kTestExpectedPingCSP, + }, +]; + +add_setup(async function () { + Services.telemetry.setEventRecordingEnabled("security.ui.xfocsperror", true); + + await SpecialPowers.pushPrefEnv({ + set: [ + ["security.xfocsp.errorReporting.enabled", true], + ["security.xfocsp.errorReporting.automatic", false], + ], + }); +}); + +add_task(async function testReportingCases() { + for (const test of TEST_CASES) { + await testReporting(test); + } +}); + +async function testReporting(test) { + // Clear telemetry event before testing. + Services.telemetry.clearEvents(); + + let telemetryChecker = new TelemetryArchiveTesting.Checker(); + await telemetryChecker.promiseInit(); + + let tab = await BrowserTestUtils.openNewForegroundTab( + gBrowser, + "about:blank" + ); + let browser = tab.linkedBrowser; + + let loaded = BrowserTestUtils.browserLoaded( + browser, + true, + test.frame_uri, + true + ); + BrowserTestUtils.loadURIString(browser, test.test_uri); + await loaded; + + let { type } = test; + + let frameBC = await SpecialPowers.spawn(browser, [], async _ => { + const iframe = content.document.getElementById("testframe"); + return iframe.browsingContext; + }); + + await SpecialPowers.spawn(frameBC, [type], async obj => { + // Wait until the reporting UI is visible. + await ContentTaskUtils.waitForCondition(() => { + let reportUI = content.document.getElementById("blockingErrorReporting"); + return ContentTaskUtils.is_visible(reportUI); + }); + + let reportCheckBox = content.document.getElementById( + "automaticallyReportBlockingInFuture" + ); + is( + reportCheckBox.checked, + false, + "The checkbox of the reporting ui should be not checked." + ); + + // Click on the checkbox. + await EventUtils.synthesizeMouseAtCenter(reportCheckBox, {}, content); + }); + BrowserTestUtils.removeTab(tab); + + // Open the error page again + tab = await BrowserTestUtils.openNewForegroundTab(gBrowser, "about:blank"); + browser = tab.linkedBrowser; + + loaded = BrowserTestUtils.browserLoaded(browser, true, test.frame_uri, true); + BrowserTestUtils.loadURIString(browser, test.test_uri); + await loaded; + + frameBC = await SpecialPowers.spawn(browser, [], async _ => { + const iframe = content.document.getElementById("testframe"); + return iframe.browsingContext; + }); + + await SpecialPowers.spawn(frameBC, [], async _ => { + // Wait until the reporting UI is visible. + await ContentTaskUtils.waitForCondition(() => { + let reportUI = content.document.getElementById("blockingErrorReporting"); + return ContentTaskUtils.is_visible(reportUI); + }); + + let reportCheckBox = content.document.getElementById( + "automaticallyReportBlockingInFuture" + ); + is( + reportCheckBox.checked, + true, + "The checkbox of the reporting ui should be checked." + ); + + // Click on the checkbox again to disable the reporting. + await EventUtils.synthesizeMouseAtCenter(reportCheckBox, {}, content); + + is( + reportCheckBox.checked, + false, + "The checkbox of the reporting ui should be unchecked." + ); + }); + BrowserTestUtils.removeTab(tab); + + // Open the error page again to see if the reporting is disabled. + tab = await BrowserTestUtils.openNewForegroundTab(gBrowser, "about:blank"); + browser = tab.linkedBrowser; + + loaded = BrowserTestUtils.browserLoaded(browser, true, test.frame_uri, true); + BrowserTestUtils.loadURIString(browser, test.test_uri); + await loaded; + + frameBC = await SpecialPowers.spawn(browser, [], async _ => { + const iframe = content.document.getElementById("testframe"); + return iframe.browsingContext; + }); + + await SpecialPowers.spawn(frameBC, [], async _ => { + // Wait until the reporting UI is visible. + await ContentTaskUtils.waitForCondition(() => { + let reportUI = content.document.getElementById("blockingErrorReporting"); + return ContentTaskUtils.is_visible(reportUI); + }); + + let reportCheckBox = content.document.getElementById( + "automaticallyReportBlockingInFuture" + ); + is( + reportCheckBox.checked, + false, + "The checkbox of the reporting ui should be unchecked." + ); + }); + BrowserTestUtils.removeTab(tab); + + // Finally, check if the ping has been archived. + await new Promise(resolve => { + telemetryChecker + .promiseFindPing("xfocsp-error-report", test.expected_ping) + .then( + found => { + ok(found, "Telemetry ping submitted successfully"); + resolve(); + }, + err => { + ok(false, "Exception finding telemetry ping: " + err); + resolve(); + } + ); + }); +} diff --git a/dom/security/test/general/browser_test_toplevel_data_navigations.js b/dom/security/test/general/browser_test_toplevel_data_navigations.js new file mode 100644 index 0000000000..0e006f1fd2 --- /dev/null +++ b/dom/security/test/general/browser_test_toplevel_data_navigations.js @@ -0,0 +1,70 @@ +/* eslint-disable mozilla/no-arbitrary-setTimeout */ + +"use strict"; + +const kDataBody = "toplevel navigation to data: URI allowed"; +const kDataURI = "data:text/html," + kDataBody + ""; +const kTestPath = getRootDirectory(gTestPath).replace( + "chrome://mochitests/content", + "http://example.com" +); +const kRedirectURI = kTestPath + "file_toplevel_data_navigations.sjs"; +const kMetaRedirectURI = kTestPath + "file_toplevel_data_meta_redirect.html"; + +add_task(async function test_nav_data_uri() { + await SpecialPowers.pushPrefEnv({ + set: [["security.data_uri.block_toplevel_data_uri_navigations", true]], + }); + await BrowserTestUtils.withNewTab(kDataURI, async function (browser) { + await SpecialPowers.spawn( + gBrowser.selectedBrowser, + [{ kDataBody }], + async function ({ kDataBody }) { + // eslint-disable-line + is( + content.document.body.innerHTML, + kDataBody, + "data: URI navigation from system should be allowed" + ); + } + ); + }); +}); + +add_task(async function test_nav_data_uri_redirect() { + await SpecialPowers.pushPrefEnv({ + set: [["security.data_uri.block_toplevel_data_uri_navigations", true]], + }); + let tab = BrowserTestUtils.addTab(gBrowser, kRedirectURI); + registerCleanupFunction(async function () { + BrowserTestUtils.removeTab(tab); + }); + // wait to make sure data: URI did not load before checking that it got blocked + await new Promise(resolve => setTimeout(resolve, 500)); + await SpecialPowers.spawn(gBrowser.selectedBrowser, [], async function () { + is( + content.document.body.innerHTML, + "", + "data: URI navigation after server redirect should be blocked" + ); + }); +}); + +add_task(async function test_nav_data_uri_meta_redirect() { + await SpecialPowers.pushPrefEnv({ + set: [["security.data_uri.block_toplevel_data_uri_navigations", true]], + }); + let tab = BrowserTestUtils.addTab(gBrowser, kMetaRedirectURI); + registerCleanupFunction(async function () { + BrowserTestUtils.removeTab(tab); + }); + // wait to make sure data: URI did not load before checking that it got blocked + await new Promise(resolve => setTimeout(resolve, 500)); + await SpecialPowers.spawn(gBrowser.selectedBrowser, [], async function () { + is( + content.document.body.innerHTML, + "", + "data: URI navigation after meta redirect should be blocked" + ); + }); +}); diff --git a/dom/security/test/general/browser_test_view_image_data_navigation.js b/dom/security/test/general/browser_test_view_image_data_navigation.js new file mode 100644 index 0000000000..90aace1e3e --- /dev/null +++ b/dom/security/test/general/browser_test_view_image_data_navigation.js @@ -0,0 +1,71 @@ +"use strict"; + +add_task(async function test_principal_right_click_open_link_in_new_tab() { + await SpecialPowers.pushPrefEnv({ + set: [["security.data_uri.block_toplevel_data_uri_navigations", true]], + }); + + const TEST_PAGE = + getRootDirectory(gTestPath) + "file_view_image_data_navigation.html"; + + await BrowserTestUtils.withNewTab(TEST_PAGE, async function (browser) { + let loadPromise = BrowserTestUtils.waitForNewTab(gBrowser, null, true); + + // simulate right-click->view-image + BrowserTestUtils.waitForEvent(document, "popupshown", false, event => { + // These are operations that must be executed synchronously with the event. + document.getElementById("context-viewimage").doCommand(); + event.target.hidePopup(); + return true; + }); + BrowserTestUtils.synthesizeMouseAtCenter( + "#testimage", + { type: "contextmenu", button: 2 }, + gBrowser.selectedBrowser + ); + let tab = await loadPromise; + + let spec = tab.linkedBrowser.currentURI.spec; + ok( + spec.startsWith("data:image/svg+xml;"), + "data:image/svg navigation allowed through right-click view-image" + ); + + gBrowser.removeTab(tab); + }); +}); + +add_task(async function test_right_click_open_bg_image() { + await SpecialPowers.pushPrefEnv({ + set: [["security.data_uri.block_toplevel_data_uri_navigations", true]], + }); + + const TEST_PAGE = + getRootDirectory(gTestPath) + "file_view_bg_image_data_navigation.html"; + + await BrowserTestUtils.withNewTab(TEST_PAGE, async function (browser) { + let loadPromise = BrowserTestUtils.waitForNewTab(gBrowser, null, true); + + // simulate right-click->view-image + BrowserTestUtils.waitForEvent(document, "popupshown", false, event => { + // These are operations that must be executed synchronously with the event. + document.getElementById("context-viewimage").doCommand(); + event.target.hidePopup(); + return true; + }); + BrowserTestUtils.synthesizeMouseAtCenter( + "#testbody", + { type: "contextmenu", button: 2 }, + gBrowser.selectedBrowser + ); + let tab = await loadPromise; + + let spec = tab.linkedBrowser.currentURI.spec; + ok( + spec.startsWith("data:image/svg+xml;"), + "data:image/svg navigation allowed through right-click view-image with background image" + ); + + gBrowser.removeTab(tab); + }); +}); diff --git a/dom/security/test/general/browser_test_xfo_embed_object.js b/dom/security/test/general/browser_test_xfo_embed_object.js new file mode 100644 index 0000000000..e9aebbe630 --- /dev/null +++ b/dom/security/test/general/browser_test_xfo_embed_object.js @@ -0,0 +1,41 @@ +"use strict"; + +const kTestPath = getRootDirectory(gTestPath).replace( + "chrome://mochitests/content", + "https://example.com" +); +const kTestXFOEmbedURI = kTestPath + "file_framing_xfo_embed.html"; +const kTestXFOObjectURI = kTestPath + "file_framing_xfo_object.html"; + +const errorMessage = `The loading of “https://example.com/browser/dom/security/test/general/file_framing_xfo_embed_object.sjs” in a frame is denied by “X-Frame-Options“ directive set to “deny“`; + +let xfoBlocked = false; + +function onXFOMessage(msgObj) { + const message = msgObj.message; + + if (message.includes(errorMessage)) { + ok(true, "XFO error message logged"); + xfoBlocked = true; + } +} + +add_task(async function open_test_xfo_embed_blocked() { + xfoBlocked = false; + await BrowserTestUtils.withNewTab("about:blank", async function (browser) { + Services.console.registerListener(onXFOMessage); + BrowserTestUtils.loadURIString(browser, kTestXFOEmbedURI); + await BrowserTestUtils.waitForCondition(() => xfoBlocked); + Services.console.unregisterListener(onXFOMessage); + }); +}); + +add_task(async function open_test_xfo_object_blocked() { + xfoBlocked = false; + await BrowserTestUtils.withNewTab("about:blank", async function (browser) { + Services.console.registerListener(onXFOMessage); + BrowserTestUtils.loadURIString(browser, kTestXFOObjectURI); + await BrowserTestUtils.waitForCondition(() => xfoBlocked); + Services.console.unregisterListener(onXFOMessage); + }); +}); diff --git a/dom/security/test/general/bug1277803.html b/dom/security/test/general/bug1277803.html new file mode 100644 index 0000000000..c8033551a0 --- /dev/null +++ b/dom/security/test/general/bug1277803.html @@ -0,0 +1,11 @@ + + + + + + + +Nothing to see here... + + + diff --git a/dom/security/test/general/chrome.ini b/dom/security/test/general/chrome.ini new file mode 100644 index 0000000000..35d7e44d89 --- /dev/null +++ b/dom/security/test/general/chrome.ini @@ -0,0 +1,11 @@ +[DEFAULT] +support-files = + favicon_bug1277803.ico + bug1277803.html + +[test_innerhtml_sanitizer.html] +[test_innerhtml_sanitizer.xhtml] +[test_bug1277803.xhtml] +skip-if = os == 'android' + verify + diff --git a/dom/security/test/general/closeWindow.sjs b/dom/security/test/general/closeWindow.sjs new file mode 100644 index 0000000000..996db36f6f --- /dev/null +++ b/dom/security/test/general/closeWindow.sjs @@ -0,0 +1,24 @@ +const BODY = ` + `; + +function handleRequest(request, response) { + // avoid confusing cache behaviors + response.setHeader("Cache-Control", "no-cache", false); + + if (request.queryString.includes("unset")) { + response.setHeader("Set-Cookie", "test=wow", true); + } + + if (request.queryString.includes("none")) { + response.setHeader("Set-Cookie", "test2=wow2; samesite=none", true); + } + + if (request.queryString.includes("lax")) { + response.setHeader("Set-Cookie", "test3=wow3; samesite=lax", true); + } + + response.write(BODY); +} diff --git a/dom/security/test/general/favicon_bug1277803.ico b/dom/security/test/general/favicon_bug1277803.ico new file mode 100644 index 0000000000..d44438903b Binary files /dev/null and b/dom/security/test/general/favicon_bug1277803.ico differ diff --git a/dom/security/test/general/file_1767581.js b/dom/security/test/general/file_1767581.js new file mode 100644 index 0000000000..259435b1e4 --- /dev/null +++ b/dom/security/test/general/file_1767581.js @@ -0,0 +1 @@ +window.testResult = "fail-script-was-loaded"; diff --git a/dom/security/test/general/file_about_child.html b/dom/security/test/general/file_about_child.html new file mode 100644 index 0000000000..d83e0e4d41 --- /dev/null +++ b/dom/security/test/general/file_about_child.html @@ -0,0 +1,11 @@ + + + + + Test for Bug 1767581 + + + + Just an about page that loads in the privileged about process! + + \ No newline at end of file diff --git a/dom/security/test/general/file_assert_systemprincipal_documents.html b/dom/security/test/general/file_assert_systemprincipal_documents.html new file mode 100644 index 0000000000..2d7ff4d253 --- /dev/null +++ b/dom/security/test/general/file_assert_systemprincipal_documents.html @@ -0,0 +1,11 @@ + + + + Bug 1543579: Block web documents loading into system land + + +

This page loads documents from the SystemPrincipal (which should be blocked)

+ + + + diff --git a/dom/security/test/general/file_assert_systemprincipal_documents_iframe.html b/dom/security/test/general/file_assert_systemprincipal_documents_iframe.html new file mode 100644 index 0000000000..704625a1da --- /dev/null +++ b/dom/security/test/general/file_assert_systemprincipal_documents_iframe.html @@ -0,0 +1,9 @@ + + + + Bug 1543579: Block web documents loading into system land + + +

This is the iframe that should not load.

+ + diff --git a/dom/security/test/general/file_block_script_wrong_mime_server.sjs b/dom/security/test/general/file_block_script_wrong_mime_server.sjs new file mode 100644 index 0000000000..0025bbfbe8 --- /dev/null +++ b/dom/security/test/general/file_block_script_wrong_mime_server.sjs @@ -0,0 +1,38 @@ +// Custom *.sjs specifically for the needs of: +// Bug 1288361 - Block scripts with wrong MIME type + +"use strict"; +Cu.importGlobalProperties(["URLSearchParams"]); + +const WORKER = ` + onmessage = function(event) { + postMessage("worker-loaded"); + };`; + +function handleRequest(request, response) { + const query = new URLSearchParams(request.queryString); + + // avoid confusing cache behaviors + response.setHeader("Cache-Control", "no-cache", false); + + // Set MIME type + response.setHeader("Content-Type", query.get("mime"), false); + + // Deliver response + switch (query.get("type")) { + case "script": + response.write(""); + break; + case "worker": + response.write(WORKER); + break; + case "worker-import": + response.write( + `importScripts("file_block_script_wrong_mime_server.sjs?type=script&mime=${query.get( + "mime" + )}");` + ); + response.write(WORKER); + break; + } +} diff --git a/dom/security/test/general/file_block_subresource_redir_to_data.sjs b/dom/security/test/general/file_block_subresource_redir_to_data.sjs new file mode 100644 index 0000000000..1e312bc810 --- /dev/null +++ b/dom/security/test/general/file_block_subresource_redir_to_data.sjs @@ -0,0 +1,33 @@ +"use strict"; + +let SCRIPT_DATA = "alert('this alert should be blocked');"; +let WORKER_DATA = + "onmessage = function(event) { postMessage('worker-loaded'); }"; + +function handleRequest(request, response) { + const query = request.queryString; + + response.setHeader("Cache-Control", "no-cache", false); + response.setStatusLine("1.1", 302, "Found"); + + if (query === "script" || query === "modulescript") { + response.setHeader( + "Location", + "data:text/javascript," + escape(SCRIPT_DATA), + false + ); + return; + } + + if (query === "worker") { + response.setHeader( + "Location", + "data:text/javascript," + escape(WORKER_DATA), + false + ); + return; + } + + // we should never get here; just in case return something unexpected + response.write("do'h"); +} diff --git a/dom/security/test/general/file_block_toplevel_data_navigation.html b/dom/security/test/general/file_block_toplevel_data_navigation.html new file mode 100644 index 0000000000..d6e083a247 --- /dev/null +++ b/dom/security/test/general/file_block_toplevel_data_navigation.html @@ -0,0 +1,16 @@ + + + + + Toplevel data navigation + + +test1: clicking data: URI tries to navigate window
+ +click me + + + diff --git a/dom/security/test/general/file_block_toplevel_data_navigation2.html b/dom/security/test/general/file_block_toplevel_data_navigation2.html new file mode 100644 index 0000000000..957189ce07 --- /dev/null +++ b/dom/security/test/general/file_block_toplevel_data_navigation2.html @@ -0,0 +1,17 @@ + + + + + Toplevel data navigation + + +test2: data: URI in iframe tries to window.open(data:, _blank);
+ + + + diff --git a/dom/security/test/general/file_block_toplevel_data_navigation3.html b/dom/security/test/general/file_block_toplevel_data_navigation3.html new file mode 100644 index 0000000000..3743a72034 --- /dev/null +++ b/dom/security/test/general/file_block_toplevel_data_navigation3.html @@ -0,0 +1,16 @@ + + + + + Toplevel data navigation + + +test3: performing data: URI navigation through win.loc.href
+ + + diff --git a/dom/security/test/general/file_block_toplevel_data_redirect.sjs b/dom/security/test/general/file_block_toplevel_data_redirect.sjs new file mode 100644 index 0000000000..c03ace5f23 --- /dev/null +++ b/dom/security/test/general/file_block_toplevel_data_redirect.sjs @@ -0,0 +1,13 @@ +// Custom *.sjs file specifically for the needs of Bug: +// Bug 1394554 - Block toplevel data: URI navigations after redirect + +var DATA_URI = + "toplevel data: URI navigations after redirect should be blocked"; + +function handleRequest(request, response) { + // avoid confusing cache behaviors + response.setHeader("Cache-Control", "no-cache", false); + + response.setStatusLine("1.1", 302, "Found"); + response.setHeader("Location", "data:text/html," + escape(DATA_URI), false); +} diff --git a/dom/security/test/general/file_cache_splitting_isloaded.sjs b/dom/security/test/general/file_cache_splitting_isloaded.sjs new file mode 100644 index 0000000000..a40b9674e5 --- /dev/null +++ b/dom/security/test/general/file_cache_splitting_isloaded.sjs @@ -0,0 +1,35 @@ +/* + Helper Server - + Send a Request with ?queryResult - response will be the + queryString of the next request. + +*/ +// small red image +const IMG_BYTES = atob( + "iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12" + + "P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==" +); + +function handleRequest(request, response) { + // avoid confusing cache behaviors + response.setHeader("Cache-Control", "no-cache", false); + + // save the object state of the initial request, which returns + // async once the server has processed the img request. + if (request.queryString.includes("wait")) { + response.processAsync(); + setObjectState("wait", response); + return; + } + + response.write(IMG_BYTES); + + // return the result + getObjectState("wait", function (queryResponse) { + if (!queryResponse) { + return; + } + queryResponse.write("1"); + queryResponse.finish(); + }); +} diff --git a/dom/security/test/general/file_cache_splitting_server.sjs b/dom/security/test/general/file_cache_splitting_server.sjs new file mode 100644 index 0000000000..da75986f74 --- /dev/null +++ b/dom/security/test/general/file_cache_splitting_server.sjs @@ -0,0 +1,27 @@ +function handleRequest(request, response) { + var receivedRequests = parseInt(getState("requests")); + if (isNaN(receivedRequests)) { + receivedRequests = 0; + } + if (request.queryString.includes("state")) { + response.write(receivedRequests); + return; + } + if (request.queryString.includes("flush")) { + setState("requests", "0"); + response.write("OK"); + return; + } + response.setHeader("Cache-Control", "max-age=999999"); // Force caching + response.setHeader("Content-Type", "text/css"); + receivedRequests = receivedRequests + 1; + setState("requests", "" + receivedRequests); + response.write(` + .test{ + color:red; + } + .test h1{ + font-size:200px; + } + `); +} diff --git a/dom/security/test/general/file_cache_splitting_window.html b/dom/security/test/general/file_cache_splitting_window.html new file mode 100644 index 0000000000..59a2ff2ca9 --- /dev/null +++ b/dom/security/test/general/file_cache_splitting_window.html @@ -0,0 +1,17 @@ + + + + + Document + + + +

HELLO WORLD!

+ + + + diff --git a/dom/security/test/general/file_contentpolicytype_targeted_link_iframe.sjs b/dom/security/test/general/file_contentpolicytype_targeted_link_iframe.sjs new file mode 100644 index 0000000000..9ee73ae3c4 --- /dev/null +++ b/dom/security/test/general/file_contentpolicytype_targeted_link_iframe.sjs @@ -0,0 +1,45 @@ +// custom *.sjs for Bug 1255240 + +const TEST_FRAME = ` + + + + + click me + + + + `; + +const INNER_FRAME = ` + + + + hello world! + + `; + +function handleRequest(request, response) { + // avoid confusing cache behaviors + response.setHeader("Cache-Control", "no-cache", false); + response.setHeader("Content-Type", "text/html", false); + + var queryString = request.queryString; + + if (queryString === "testframe") { + response.write(TEST_FRAME); + return; + } + + if (queryString === "innerframe") { + response.write(INNER_FRAME); + return; + } + + // we should never get here, but just in case + // return something unexpected + response.write("do'h"); +} diff --git a/dom/security/test/general/file_data_download.html b/dom/security/test/general/file_data_download.html new file mode 100644 index 0000000000..4cc92fe8f5 --- /dev/null +++ b/dom/security/test/general/file_data_download.html @@ -0,0 +1,14 @@ + + + + Test download attribute for data: URI + + + download data + + + diff --git a/dom/security/test/general/file_data_text_csv.html b/dom/security/test/general/file_data_text_csv.html new file mode 100644 index 0000000000..a9ac369d16 --- /dev/null +++ b/dom/security/test/general/file_data_text_csv.html @@ -0,0 +1,14 @@ + + + + Test open data:text/csv + + + test text/csv + + + diff --git a/dom/security/test/general/file_framing_error_pages.sjs b/dom/security/test/general/file_framing_error_pages.sjs new file mode 100644 index 0000000000..fb62a34bdb --- /dev/null +++ b/dom/security/test/general/file_framing_error_pages.sjs @@ -0,0 +1,27 @@ +"use strict"; + +function handleRequest(request, response) { + response.setHeader("Cache-Control", "no-cache", false); + response.setHeader("Content-Type", "text/html", false); + + let query = request.queryString; + if (query === "xfo") { + response.setHeader("x-frame-options", "deny", false); + response.write("xfo test loaded"); + return; + } + + if (query === "csp") { + response.setHeader( + "content-security-policy", + "frame-ancestors 'none'", + false + ); + response.write("csp test loaded"); + return; + } + + // we should never get here, but just in case + // return something unexpected + response.write("do'h"); +} diff --git a/dom/security/test/general/file_framing_error_pages_csp.html b/dom/security/test/general/file_framing_error_pages_csp.html new file mode 100644 index 0000000000..2764ed4aa6 --- /dev/null +++ b/dom/security/test/general/file_framing_error_pages_csp.html @@ -0,0 +1,7 @@ + + + +iframe should be blocked
+ + + diff --git a/dom/security/test/general/file_framing_error_pages_xfo.html b/dom/security/test/general/file_framing_error_pages_xfo.html new file mode 100644 index 0000000000..82dd1ee459 --- /dev/null +++ b/dom/security/test/general/file_framing_error_pages_xfo.html @@ -0,0 +1,7 @@ + + + +iframe should be blocked
+ + + diff --git a/dom/security/test/general/file_framing_xfo_embed.html b/dom/security/test/general/file_framing_xfo_embed.html new file mode 100644 index 0000000000..f5cc761b5b --- /dev/null +++ b/dom/security/test/general/file_framing_xfo_embed.html @@ -0,0 +1,7 @@ + + + + embed should be blocked
+ + + diff --git a/dom/security/test/general/file_framing_xfo_embed_object.sjs b/dom/security/test/general/file_framing_xfo_embed_object.sjs new file mode 100644 index 0000000000..56616b7930 --- /dev/null +++ b/dom/security/test/general/file_framing_xfo_embed_object.sjs @@ -0,0 +1,7 @@ +"use strict"; + +function handleRequest(request, response) { + response.setHeader("Cache-Control", "no-cache", false); + response.setHeader("x-frame-options", "deny", false); + response.write("doc with x-frame-options: deny"); +} diff --git a/dom/security/test/general/file_framing_xfo_object.html b/dom/security/test/general/file_framing_xfo_object.html new file mode 100644 index 0000000000..c8480a2c42 --- /dev/null +++ b/dom/security/test/general/file_framing_xfo_object.html @@ -0,0 +1,7 @@ + + + + object should be blocked
+ + + diff --git a/dom/security/test/general/file_gpc_server.sjs b/dom/security/test/general/file_gpc_server.sjs new file mode 100644 index 0000000000..d0b14215b4 --- /dev/null +++ b/dom/security/test/general/file_gpc_server.sjs @@ -0,0 +1,14 @@ +"use strict"; + +function handleRequest(request, response) { + response.setHeader("Content-Type", "text/html", false); + response.setHeader("Cache-Control", "no-cache", false); + + var gpc = request.hasHeader("Sec-GPC") ? request.getHeader("Sec-GPC") : ""; + + if (gpc === "1") { + response.write("true"); + } else { + response.write("false"); + } +} diff --git a/dom/security/test/general/file_loads_nonscript.html b/dom/security/test/general/file_loads_nonscript.html new file mode 100644 index 0000000000..f7692b8066 --- /dev/null +++ b/dom/security/test/general/file_loads_nonscript.html @@ -0,0 +1,49 @@ + + + + File that loads a non-script file-extension as script + + + + diff --git a/dom/security/test/general/file_meta_referrer_in_head.html b/dom/security/test/general/file_meta_referrer_in_head.html new file mode 100644 index 0000000000..9c4c4cd695 --- /dev/null +++ b/dom/security/test/general/file_meta_referrer_in_head.html @@ -0,0 +1,13 @@ + + + + + +Bug 1704473 - Remove head requirement for meta name=referrer + + + + + diff --git a/dom/security/test/general/file_meta_referrer_notin_head.html b/dom/security/test/general/file_meta_referrer_notin_head.html new file mode 100644 index 0000000000..55bd38e4c5 --- /dev/null +++ b/dom/security/test/general/file_meta_referrer_notin_head.html @@ -0,0 +1,14 @@ + + + + +Bug 1704473 - Remove head requirement for meta name=referrer + + + + + + + diff --git a/dom/security/test/general/file_nonscript b/dom/security/test/general/file_nonscript new file mode 100644 index 0000000000..c339e45d5d --- /dev/null +++ b/dom/security/test/general/file_nonscript @@ -0,0 +1 @@ +window.counter++; diff --git a/dom/security/test/general/file_nonscript.html b/dom/security/test/general/file_nonscript.html new file mode 100644 index 0000000000..c339e45d5d --- /dev/null +++ b/dom/security/test/general/file_nonscript.html @@ -0,0 +1 @@ +window.counter++; diff --git a/dom/security/test/general/file_nonscript.json b/dom/security/test/general/file_nonscript.json new file mode 100644 index 0000000000..c339e45d5d --- /dev/null +++ b/dom/security/test/general/file_nonscript.json @@ -0,0 +1 @@ +window.counter++; diff --git a/dom/security/test/general/file_nonscript.txt b/dom/security/test/general/file_nonscript.txt new file mode 100644 index 0000000000..c339e45d5d --- /dev/null +++ b/dom/security/test/general/file_nonscript.txt @@ -0,0 +1 @@ +window.counter++; diff --git a/dom/security/test/general/file_nonscript.xyz b/dom/security/test/general/file_nonscript.xyz new file mode 100644 index 0000000000..c339e45d5d --- /dev/null +++ b/dom/security/test/general/file_nonscript.xyz @@ -0,0 +1 @@ +window.counter++; diff --git a/dom/security/test/general/file_nosniff_navigation.sjs b/dom/security/test/general/file_nosniff_navigation.sjs new file mode 100644 index 0000000000..20363ceb76 --- /dev/null +++ b/dom/security/test/general/file_nosniff_navigation.sjs @@ -0,0 +1,40 @@ +// Custom *.sjs file specifically for the needs of Bug 1286861 + +// small red image +const IMG = atob( + "iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12" + + "P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==" +); + +// https://stackoverflow.com/questions/17279712/what-is-the-smallest-possible-valid-pdf +const PDF = `%PDF-1.0 +1 0 obj<>endobj 2 0 obj<>endobj 3 0 obj<>endobj +trailer<>`; + +function getSniffableContent(type) { + switch (type) { + case "xml": + return ``; + case "html": + return ` Test test `; + case "css": + return `*{ color: pink !important; }`; + case "json": + return `{ 'test':'yes' }`; + case "img": + return IMG; + case "pdf": + return PDF; + } + return "Basic UTF-8 Text"; +} + +function handleRequest(request, response) { + Cu.importGlobalProperties(["URLSearchParams"]); + let query = new URLSearchParams(request.queryString); + + // avoid confusing cache behaviors (XXXX no sure what this means?) + response.setHeader("X-Content-Type-Options", "nosniff"); // Disable Sniffing + response.setHeader("Content-Type", query.get("mime")); + response.write(getSniffableContent(query.get("content"))); +} diff --git a/dom/security/test/general/file_nosniff_testserver.sjs b/dom/security/test/general/file_nosniff_testserver.sjs new file mode 100644 index 0000000000..fd35d8ad4f --- /dev/null +++ b/dom/security/test/general/file_nosniff_testserver.sjs @@ -0,0 +1,61 @@ +"use strict"; +Cu.importGlobalProperties(["URLSearchParams"]); + +const SCRIPT = "var foo = 24;"; +const CSS = "body { background-color: green; }"; + +// small red image +const IMG = atob( + "iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12" + + "P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==" +); + +function handleRequest(request, response) { + const query = new URLSearchParams(request.queryString); + + // avoid confusing cache behaviors + response.setHeader("Cache-Control", "no-cache", false); + + // set the nosniff header + response.setHeader("X-Content-Type-Options", " NoSniFF , foo ", false); + + if (query.has("cssCorrectType")) { + response.setHeader("Content-Type", "teXt/cSs", false); + response.write(CSS); + return; + } + + if (query.has("cssWrongType")) { + response.setHeader("Content-Type", "text/html", false); + response.write(CSS); + return; + } + + if (query.has("scriptCorrectType")) { + response.setHeader("Content-Type", "appLIcation/jAvaScriPt;blah", false); + response.write(SCRIPT); + return; + } + + if (query.has("scriptWrongType")) { + response.setHeader("Content-Type", "text/html", false); + response.write(SCRIPT); + return; + } + + if (query.has("imgCorrectType")) { + response.setHeader("Content-Type", "iMaGe/pnG;blah", false); + response.write(IMG); + return; + } + + if (query.has("imgWrongType")) { + response.setHeader("Content-Type", "text/html", false); + response.write(IMG); + return; + } + + // we should never get here, but just in case + response.setHeader("Content-Type", "text/html", false); + response.write("do'h"); +} diff --git a/dom/security/test/general/file_same_site_cookies_about.sjs b/dom/security/test/general/file_same_site_cookies_about.sjs new file mode 100644 index 0000000000..421eb999be --- /dev/null +++ b/dom/security/test/general/file_same_site_cookies_about.sjs @@ -0,0 +1,99 @@ +// Custom *.sjs file specifically for the needs of Bug 1454721 + +// small red image +const IMG_BYTES = atob( + "iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12" + + "P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==" +); + +const IFRAME_INC = ``; + +function handleRequest(request, response) { + // avoid confusing cache behaviors + response.setHeader("Cache-Control", "no-cache", false); + + // using startsWith and discard the math random + if (request.queryString.startsWith("setSameSiteCookie")) { + response.setHeader( + "Set-Cookie", + "myKey=mySameSiteAboutCookie; samesite=strict", + true + ); + response.setHeader("Content-Type", "image/png"); + response.write(IMG_BYTES); + return; + } + + // navigation tests + if (request.queryString.includes("loadsrcdocframeNav")) { + let FRAME = ` + `; + response.write(FRAME); + return; + } + + if (request.queryString.includes("loadblankframeNav")) { + let FRAME = ` + `; + response.write(FRAME); + return; + } + + // inclusion tets + if (request.queryString.includes("loadsrcdocframeInc")) { + response.write(''); + return; + } + + if (request.queryString.includes("loadblankframeInc")) { + let FRAME = + ` + + + + + `); + } + + if (request.queryString.includes("inclusion")) { + const cookies = request.hasHeader("Cookie") + ? request.getHeader("Cookie") + : ""; + response.write(` + + + + + + + `); + } + + // we should never get here, but just in case return something unexpected + response.write("D'oh"); +} diff --git a/dom/security/test/general/file_same_site_cookies_blob_iframe_inclusion.html b/dom/security/test/general/file_same_site_cookies_blob_iframe_inclusion.html new file mode 100644 index 0000000000..b3456f0b90 --- /dev/null +++ b/dom/security/test/general/file_same_site_cookies_blob_iframe_inclusion.html @@ -0,0 +1,34 @@ + + + + + + diff --git a/dom/security/test/general/file_same_site_cookies_blob_iframe_navigation.html b/dom/security/test/general/file_same_site_cookies_blob_iframe_navigation.html new file mode 100644 index 0000000000..815c6a6bfc --- /dev/null +++ b/dom/security/test/general/file_same_site_cookies_blob_iframe_navigation.html @@ -0,0 +1,30 @@ + + + + + + diff --git a/dom/security/test/general/file_same_site_cookies_bug1748693.sjs b/dom/security/test/general/file_same_site_cookies_bug1748693.sjs new file mode 100644 index 0000000000..6890bafa17 --- /dev/null +++ b/dom/security/test/general/file_same_site_cookies_bug1748693.sjs @@ -0,0 +1,31 @@ +const MESSAGE_PAGE = function (msg) { + return ` + + + +

${msg}

+ + +`; +}; + +function handleRequest(request, response) { + response.setHeader("Cache-Control", "no-store"); + response.setHeader("Content-Type", "text/html"); + + if (request.queryString.includes("setcookies")) { + response.setHeader( + "Set-Cookie", + "auth_secure=foo; SameSite=None; HttpOnly; Secure", + true + ); + response.setHeader("Set-Cookie", "auth=foo; HttpOnly;", true); + response.write(MESSAGE_PAGE(request.queryString)); + return; + } + + const cookies = request.hasHeader("Cookie") + ? request.getHeader("Cookie") + : ""; + response.write(MESSAGE_PAGE(cookies)); +} diff --git a/dom/security/test/general/file_same_site_cookies_cross_origin_context.sjs b/dom/security/test/general/file_same_site_cookies_cross_origin_context.sjs new file mode 100644 index 0000000000..9103941653 --- /dev/null +++ b/dom/security/test/general/file_same_site_cookies_cross_origin_context.sjs @@ -0,0 +1,54 @@ +// Custom *.sjs file specifically for the needs of Bug 1452496 + +// small red image +const IMG_BYTES = atob( + "iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12" + + "P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==" +); + +const FRAME = ` + + + + Bug 1452496 - Do not allow same-site cookies in cross site context + + + + + `; + +function handleRequest(request, response) { + // avoid confusing cache behaviors + response.setHeader("Cache-Control", "no-cache", false); + + if (request.queryString.includes("setSameSiteCookie")) { + response.setHeader( + "Set-Cookie", + "myKey=strictSameSiteCookie; samesite=strict", + true + ); + response.setHeader("Content-Type", "image/png"); + response.write(IMG_BYTES); + return; + } + + if (request.queryString.includes("setRegularCookie")) { + response.setHeader("Set-Cookie", "myKey=regularCookie;", true); + response.setHeader("Content-Type", "image/png"); + response.write(IMG_BYTES); + return; + } + + if (request.queryString.includes("loadFrame")) { + response.write(FRAME); + return; + } + + // we should never get here, but just in case return something unexpected + response.write("D'oh"); +} diff --git a/dom/security/test/general/file_same_site_cookies_from_script.sjs b/dom/security/test/general/file_same_site_cookies_from_script.sjs new file mode 100644 index 0000000000..0df217cf45 --- /dev/null +++ b/dom/security/test/general/file_same_site_cookies_from_script.sjs @@ -0,0 +1,48 @@ +// Custom *.sjs file specifically for the needs of Bug 1452496 + +const SET_COOKIE_FRAME = ` + + + + Bug 1452496 - Do not allow same-site cookies in cross site context + + + + + `; + +const GET_COOKIE_FRAME = ` + + + + Bug 1452496 - Do not allow same-site cookies in cross site context + + + + + `; + +function handleRequest(request, response) { + // avoid confusing cache behaviors + response.setHeader("Cache-Control", "no-cache", false); + + if (request.queryString.includes("setSameSiteCookieUsingInlineScript")) { + response.write(SET_COOKIE_FRAME); + return; + } + + if (request.queryString.includes("getCookieFrame")) { + response.write(GET_COOKIE_FRAME); + return; + } + + // we should never get here, but just in case return something unexpected + response.write("D'oh"); +} diff --git a/dom/security/test/general/file_same_site_cookies_iframe.sjs b/dom/security/test/general/file_same_site_cookies_iframe.sjs new file mode 100644 index 0000000000..7b511257c3 --- /dev/null +++ b/dom/security/test/general/file_same_site_cookies_iframe.sjs @@ -0,0 +1,99 @@ +// Custom *.sjs file specifically for the needs of Bug 1454027 + +// small red image +const IMG_BYTES = atob( + "iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12" + + "P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==" +); + +const NESTED_IFRAME_NAVIGATION = ` + + + + + + + `); +} diff --git a/dom/security/test/general/file_same_site_cookies_redirect.sjs b/dom/security/test/general/file_same_site_cookies_redirect.sjs new file mode 100644 index 0000000000..f7451fb504 --- /dev/null +++ b/dom/security/test/general/file_same_site_cookies_redirect.sjs @@ -0,0 +1,103 @@ +// Custom *.sjs file specifically for the needs of Bug 1453814 + +// small red image +const IMG_BYTES = atob( + "iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12" + + "P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==" +); + +const FRAME = ` + + + + Bug 1453814 - Do not allow same-site cookies for cross origin redirect + + + + + `; + +const SAME_ORIGIN = "http://mochi.test:8888/"; +const CROSS_ORIGIN = "http://example.com/"; +const PATH = + "tests/dom/security/test/general/file_same_site_cookies_redirect.sjs"; + +const FRAME_META_REFRESH_SAME = + ` + + + `; + +const FRAME_META_REFRESH_CROSS = + ` + + + `; + +function handleRequest(request, response) { + // avoid confusing cache behaviors + response.setHeader("Cache-Control", "no-cache", false); + + if (request.queryString === "setSameSiteCookie") { + response.setHeader( + "Set-Cookie", + "myKey=strictSameSiteCookie; samesite=strict", + true + ); + response.setHeader("Content-Type", "image/png"); + response.write(IMG_BYTES); + return; + } + + if (request.queryString === "sameToSameRedirect") { + let URL = SAME_ORIGIN + PATH + "?loadFrame"; + response.setStatusLine("1.1", 302, "Found"); + response.setHeader("Location", URL, false); + return; + } + + if (request.queryString === "sameToCrossRedirect") { + let URL = CROSS_ORIGIN + PATH + "?loadFrame"; + response.setStatusLine("1.1", 302, "Found"); + response.setHeader("Location", URL, false); + return; + } + + if (request.queryString === "crossToSameRedirect") { + let URL = SAME_ORIGIN + PATH + "?loadFrame"; + response.setStatusLine("1.1", 302, "Found"); + response.setHeader("Location", URL, false); + return; + } + + if (request.queryString === "sameToCrossRedirectMeta") { + response.write(FRAME_META_REFRESH_CROSS); + return; + } + + if (request.queryString === "crossToSameRedirectMeta") { + response.write(FRAME_META_REFRESH_SAME); + return; + } + + if (request.queryString === "loadFrame") { + response.write(FRAME); + return; + } + + // we should never get here, but just in case return something unexpected + response.write("D'oh"); +} diff --git a/dom/security/test/general/file_same_site_cookies_subrequest.sjs b/dom/security/test/general/file_same_site_cookies_subrequest.sjs new file mode 100644 index 0000000000..fdc81344ef --- /dev/null +++ b/dom/security/test/general/file_same_site_cookies_subrequest.sjs @@ -0,0 +1,82 @@ +// Custom *.sjs file specifically for the needs of Bug 1286861 + +// small red image +const IMG_BYTES = atob( + "iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12" + + "P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==" +); + +const FRAME = ` + + + + Bug 1286861 - Add support for same site cookies + + + + + `; + +function handleRequest(request, response) { + // avoid confusing cache behaviors + response.setHeader("Cache-Control", "no-cache", false); + + if (request.queryString.includes("setStrictSameSiteCookie")) { + response.setHeader( + "Set-Cookie", + "myKey=strictSameSiteCookie; samesite=strict", + true + ); + response.setHeader("Content-Type", "image/png"); + response.write(IMG_BYTES); + return; + } + + if (request.queryString.includes("setLaxSameSiteCookie")) { + response.setHeader( + "Set-Cookie", + "myKey=laxSameSiteCookie; samesite=lax", + true + ); + response.setHeader("Content-Type", "image/png"); + response.write(IMG_BYTES); + return; + } + + // save the object state of the initial request, which returns + // async once the server has processed the img request. + if (request.queryString.includes("queryresult")) { + response.processAsync(); + setObjectState("queryResult", response); + return; + } + + if (request.queryString.includes("loadFrame")) { + response.write(FRAME); + return; + } + + if (request.queryString.includes("checkCookie")) { + var cookie = "unitialized"; + if (request.hasHeader("Cookie")) { + cookie = request.getHeader("Cookie"); + } else { + cookie = "myKey=noCookie"; + } + response.setHeader("Content-Type", "image/png"); + response.write(IMG_BYTES); + + // return the result + getObjectState("queryResult", function (queryResponse) { + if (!queryResponse) { + return; + } + queryResponse.write(cookie); + queryResponse.finish(); + }); + return; + } + + // we should never get here, but just in case return something unexpected + response.write("D'oh"); +} diff --git a/dom/security/test/general/file_same_site_cookies_toplevel_nav.sjs b/dom/security/test/general/file_same_site_cookies_toplevel_nav.sjs new file mode 100644 index 0000000000..45b515a28b --- /dev/null +++ b/dom/security/test/general/file_same_site_cookies_toplevel_nav.sjs @@ -0,0 +1,96 @@ +// Custom *.sjs file specifically for the needs of Bug 1286861 + +// small red image +const IMG_BYTES = atob( + "iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12" + + "P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==" +); + +const FRAME = ` + + + + Bug 1286861 - Add support for same site cookies + + + + + `; + +const WIN = ` + + + + just a dummy window + + + `; + +function handleRequest(request, response) { + // avoid confusing cache behaviors + response.setHeader("Cache-Control", "no-cache", false); + + if (request.queryString.includes("setStrictSameSiteCookie")) { + response.setHeader( + "Set-Cookie", + "myKey=strictSameSiteCookie; samesite=strict", + true + ); + response.setHeader("Content-Type", "image/png"); + response.write(IMG_BYTES); + return; + } + + if (request.queryString.includes("setLaxSameSiteCookie")) { + response.setHeader( + "Set-Cookie", + "myKey=laxSameSiteCookie; samesite=lax", + true + ); + response.setHeader("Content-Type", "image/png"); + response.write(IMG_BYTES); + return; + } + + // save the object state of the initial request, which returns + // async once the server has processed the img request. + if (request.queryString.includes("queryresult")) { + response.processAsync(); + setObjectState("queryResult", response); + return; + } + + if (request.queryString.includes("loadFrame")) { + response.write(FRAME); + return; + } + + if (request.queryString.includes("loadWin")) { + var cookie = "unitialized"; + if (request.hasHeader("Cookie")) { + cookie = request.getHeader("Cookie"); + } else { + cookie = "myKey=noCookie"; + } + response.write(WIN); + + // return the result + getObjectState("queryResult", function (queryResponse) { + if (!queryResponse) { + return; + } + queryResponse.write(cookie); + queryResponse.finish(); + }); + return; + } + + // we should never get here, but just in case return something unexpected + response.write("D'oh"); +} diff --git a/dom/security/test/general/file_same_site_cookies_toplevel_set_cookie.sjs b/dom/security/test/general/file_same_site_cookies_toplevel_set_cookie.sjs new file mode 100644 index 0000000000..34dfe40e23 --- /dev/null +++ b/dom/security/test/general/file_same_site_cookies_toplevel_set_cookie.sjs @@ -0,0 +1,68 @@ +// Custom *.sjs file specifically for the needs of Bug 1454242 + +const WIN = ` + + + + + `; + +const DUMMY_WIN = ` + + + just a dummy window that sets a same-site=lax cookie + + + `; + +const FRAME = ` + + + + + `; + +const SAME_ORIGIN = "http://mochi.test:8888/"; +const CROSS_ORIGIN = "http://example.com/"; +const PATH = + "tests/dom/security/test/general/file_same_site_cookies_redirect.sjs"; + +function handleRequest(request, response) { + // avoid confusing cache behaviors + response.setHeader("Cache-Control", "no-cache", false); + + if (request.queryString === "loadWin") { + response.write(WIN); + return; + } + + if (request.queryString === "loadWinAndSetCookie") { + response.setHeader( + "Set-Cookie", + "myKey=laxSameSiteCookie; samesite=lax", + true + ); + response.write(DUMMY_WIN); + return; + } + + if (request.queryString === "checkCookie") { + response.write(FRAME); + return; + } + + // we should never get here, but just in case return something unexpected + response.write("D'oh"); +} diff --git a/dom/security/test/general/file_script.js b/dom/security/test/general/file_script.js new file mode 100644 index 0000000000..c339e45d5d --- /dev/null +++ b/dom/security/test/general/file_script.js @@ -0,0 +1 @@ +window.counter++; diff --git a/dom/security/test/general/file_toplevel_data_meta_redirect.html b/dom/security/test/general/file_toplevel_data_meta_redirect.html new file mode 100644 index 0000000000..e94a61ed48 --- /dev/null +++ b/dom/security/test/general/file_toplevel_data_meta_redirect.html @@ -0,0 +1,10 @@ + + + + + + +Meta Redirect to data: URI + + diff --git a/dom/security/test/general/file_toplevel_data_navigations.sjs b/dom/security/test/general/file_toplevel_data_navigations.sjs new file mode 100644 index 0000000000..57c4b527dd --- /dev/null +++ b/dom/security/test/general/file_toplevel_data_navigations.sjs @@ -0,0 +1,13 @@ +// Custom *.sjs file specifically for the needs of Bug: +// Bug 1394554 - Block toplevel data: URI navigations after redirect + +var DATA_URI = + "data:text/html,toplevel data: URI navigations after redirect should be blocked"; + +function handleRequest(request, response) { + // avoid confusing cache behaviors + response.setHeader("Cache-Control", "no-cache", false); + + response.setStatusLine("1.1", 302, "Found"); + response.setHeader("Location", DATA_URI, false); +} diff --git a/dom/security/test/general/file_view_bg_image_data_navigation.html b/dom/security/test/general/file_view_bg_image_data_navigation.html new file mode 100644 index 0000000000..d9aa6ca8b6 --- /dev/null +++ b/dom/security/test/general/file_view_bg_image_data_navigation.html @@ -0,0 +1,16 @@ + + + + + Bug 1658244: Test navigation for right-click view-bg-image on data:image/svg + + + + This page has an inline SVG image as a background. + + diff --git a/dom/security/test/general/file_view_image_data_navigation.html b/dom/security/test/general/file_view_image_data_navigation.html new file mode 100644 index 0000000000..a3f9acfb4d --- /dev/null +++ b/dom/security/test/general/file_view_image_data_navigation.html @@ -0,0 +1,12 @@ + + + + + Bug 1407891: Test navigation for right-click view-image on data:image/svg + + + + + + + diff --git a/dom/security/test/general/file_xfo_error_page.sjs b/dom/security/test/general/file_xfo_error_page.sjs new file mode 100644 index 0000000000..b1fa33cbd4 --- /dev/null +++ b/dom/security/test/general/file_xfo_error_page.sjs @@ -0,0 +1,8 @@ +"use strict"; + +function handleRequest(request, response) { + response.setHeader("Cache-Control", "no-cache", false); + response.setHeader("Content-Type", "text/html", false); + response.setHeader("x-frame-options", "deny", false); + response.write("xfo test loaded"); +} diff --git a/dom/security/test/general/mochitest.ini b/dom/security/test/general/mochitest.ini new file mode 100644 index 0000000000..ba67830706 --- /dev/null +++ b/dom/security/test/general/mochitest.ini @@ -0,0 +1,95 @@ +[DEFAULT] +support-files = + file_contentpolicytype_targeted_link_iframe.sjs + file_nosniff_testserver.sjs + file_nosniff_navigation.sjs + file_block_script_wrong_mime_server.sjs + file_block_toplevel_data_navigation.html + file_block_toplevel_data_navigation2.html + file_block_toplevel_data_navigation3.html + file_block_toplevel_data_redirect.sjs + file_block_subresource_redir_to_data.sjs + file_same_site_cookies_subrequest.sjs + file_same_site_cookies_toplevel_nav.sjs + file_same_site_cookies_cross_origin_context.sjs + file_same_site_cookies_from_script.sjs + file_same_site_cookies_redirect.sjs + file_same_site_cookies_toplevel_set_cookie.sjs + file_same_site_cookies_blob_iframe_navigation.html + file_same_site_cookies_blob_iframe_inclusion.html + file_same_site_cookies_iframe.sjs + file_same_site_cookies_about.sjs + file_cache_splitting_server.sjs + file_cache_splitting_isloaded.sjs + file_cache_splitting_window.html + window_nosniff_navigation.html + +[test_contentpolicytype_targeted_link_iframe.html] +skip-if = + http3 +[test_nosniff.html] +[test_cache_split.html] +skip-if = + http3 +[test_nosniff_navigation.html] +[test_block_script_wrong_mime.html] +[test_block_toplevel_data_navigation.html] +[test_block_toplevel_data_img_navigation.html] +[test_allow_opening_data_pdf.html] +skip-if = toolkit == 'android' # no pdf reader on Android +[test_allow_opening_data_json.html] +[test_block_subresource_redir_to_data.html] +[test_same_site_cookies_subrequest.html] +fail-if = xorigin # Cookies set incorrectly +skip-if = + http3 +[test_same_site_cookies_toplevel_nav.html] +fail-if = xorigin +skip-if = + http3 +[test_same_site_cookies_cross_origin_context.html] +skip-if = + http3 +[test_same_site_cookies_from_script.html] +fail-if = xorigin +skip-if = + http3 +[test_same_site_cookies_redirect.html] +fail-if = xorigin +skip-if = + http3 +[test_same_site_cookies_toplevel_set_cookie.html] +fail-if = xorigin # Cookies not set +skip-if = + http3 +[test_same_site_cookies_iframe.html] +fail-if = xorigin +skip-if = + http3 +[test_same_site_cookies_about.html] +fail-if = xorigin +skip-if = + http3 +[test_assert_about_page_no_csp.html] +skip-if = !debug +[test_same_site_cookies_laxByDefault.html] +skip-if = debug +support-files = closeWindow.sjs +[test_xfo_error_page.html] +support-files = file_xfo_error_page.sjs +skip-if = + http3 +[test_bug1450853.html] +skip-if = + http3 +[test_meta_referrer.html] +support-files = + file_meta_referrer_in_head.html + file_meta_referrer_notin_head.html +[test_bug1660452_http.html] +skip-if = + http3 +[test_bug1660452_https.html] +scheme = https +[test_gpc.html] +support-files = file_gpc_server.sjs diff --git a/dom/security/test/general/test_allow_opening_data_json.html b/dom/security/test/general/test_allow_opening_data_json.html new file mode 100644 index 0000000000..4b37931e1f --- /dev/null +++ b/dom/security/test/general/test_allow_opening_data_json.html @@ -0,0 +1,39 @@ + + + + + Bug 1403814: Allow toplevel data URI navigation data:application/json + + + + + + + diff --git a/dom/security/test/general/test_allow_opening_data_pdf.html b/dom/security/test/general/test_allow_opening_data_pdf.html new file mode 100644 index 0000000000..007b3e8801 --- /dev/null +++ b/dom/security/test/general/test_allow_opening_data_pdf.html @@ -0,0 +1,41 @@ + + + + + Bug 1398692: Allow toplevel navigation to a data:application/pdf + + + + + + + diff --git a/dom/security/test/general/test_assert_about_page_no_csp.html b/dom/security/test/general/test_assert_about_page_no_csp.html new file mode 100644 index 0000000000..06be4ce460 --- /dev/null +++ b/dom/security/test/general/test_assert_about_page_no_csp.html @@ -0,0 +1,30 @@ + + + + Bug 1490977: Test Assertion if content privileged about: page has no CSP + + + + + + + + + diff --git a/dom/security/test/general/test_block_script_wrong_mime.html b/dom/security/test/general/test_block_script_wrong_mime.html new file mode 100644 index 0000000000..93a4b9d220 --- /dev/null +++ b/dom/security/test/general/test_block_script_wrong_mime.html @@ -0,0 +1,92 @@ + + + + Bug 1288361 - Block scripts with incorrect MIME type + + + + + + + + + diff --git a/dom/security/test/general/test_block_subresource_redir_to_data.html b/dom/security/test/general/test_block_subresource_redir_to_data.html new file mode 100644 index 0000000000..eafb6b5d83 --- /dev/null +++ b/dom/security/test/general/test_block_subresource_redir_to_data.html @@ -0,0 +1,68 @@ + + + + Bug 1428793: Block insecure redirects to data: URIs + + + + + + + + + + + diff --git a/dom/security/test/general/test_block_toplevel_data_img_navigation.html b/dom/security/test/general/test_block_toplevel_data_img_navigation.html new file mode 100644 index 0000000000..07e46b1f2f --- /dev/null +++ b/dom/security/test/general/test_block_toplevel_data_img_navigation.html @@ -0,0 +1,53 @@ + + + + + Bug 1396798: Do not block toplevel data: navigation to image (except svgs) + + + + + + + diff --git a/dom/security/test/general/test_block_toplevel_data_navigation.html b/dom/security/test/general/test_block_toplevel_data_navigation.html new file mode 100644 index 0000000000..bbadacb218 --- /dev/null +++ b/dom/security/test/general/test_block_toplevel_data_navigation.html @@ -0,0 +1,134 @@ + + + + + Bug 1331351 - Block top level window data: URI navigations + + + + + + + + diff --git a/dom/security/test/general/test_bug1277803.xhtml b/dom/security/test/general/test_bug1277803.xhtml new file mode 100644 index 0000000000..30cc82310b --- /dev/null +++ b/dom/security/test/general/test_bug1277803.xhtml @@ -0,0 +1,65 @@ + + + + + + + + + + diff --git a/dom/security/test/general/test_bug1450853.html b/dom/security/test/general/test_bug1450853.html new file mode 100644 index 0000000000..e6b61ecce0 --- /dev/null +++ b/dom/security/test/general/test_bug1450853.html @@ -0,0 +1,91 @@ + + + + + +Test for Cross-origin resouce status leak via MediaError + + + + + + + + + + + Mozilla Bug 1450853 + + + diff --git a/dom/security/test/general/test_bug1660452_http.html b/dom/security/test/general/test_bug1660452_http.html new file mode 100644 index 0000000000..3a6512da21 --- /dev/null +++ b/dom/security/test/general/test_bug1660452_http.html @@ -0,0 +1,39 @@ + + + +Bug 1660452: NullPrincipals need to know whether they were spun off of a Secure Context + + + + + + + + diff --git a/dom/security/test/general/test_bug1660452_https.html b/dom/security/test/general/test_bug1660452_https.html new file mode 100644 index 0000000000..1aed356a21 --- /dev/null +++ b/dom/security/test/general/test_bug1660452_https.html @@ -0,0 +1,39 @@ + + + +Bug 1660452: NullPrincipals need to know whether they were spun off of a Secure Context + + + + + + + + diff --git a/dom/security/test/general/test_cache_split.html b/dom/security/test/general/test_cache_split.html new file mode 100644 index 0000000000..f0fc056bce --- /dev/null +++ b/dom/security/test/general/test_cache_split.html @@ -0,0 +1,153 @@ + + + + + + Bug 1454721 - Add same-site cookie test for about:blank and about:srcdoc + + + + + + + + + + + diff --git a/dom/security/test/general/test_contentpolicytype_targeted_link_iframe.html b/dom/security/test/general/test_contentpolicytype_targeted_link_iframe.html new file mode 100644 index 0000000000..99620d06f9 --- /dev/null +++ b/dom/security/test/general/test_contentpolicytype_targeted_link_iframe.html @@ -0,0 +1,103 @@ + + + + + Bug 1255240 - Test content policy types within content policies for targeted links in iframes + + + + + + + + + + diff --git a/dom/security/test/general/test_gpc.html b/dom/security/test/general/test_gpc.html new file mode 100644 index 0000000000..506629554d --- /dev/null +++ b/dom/security/test/general/test_gpc.html @@ -0,0 +1,51 @@ + + + + Test for Global Privacy Control headers + + + + + + + diff --git a/dom/security/test/general/test_innerhtml_sanitizer.html b/dom/security/test/general/test_innerhtml_sanitizer.html new file mode 100644 index 0000000000..4a4e4efed1 --- /dev/null +++ b/dom/security/test/general/test_innerhtml_sanitizer.html @@ -0,0 +1,74 @@ + + + + + Test for Bug 1667113 + + + + +Mozilla Bug 1667113 +
+ + + diff --git a/dom/security/test/general/test_innerhtml_sanitizer.xhtml b/dom/security/test/general/test_innerhtml_sanitizer.xhtml new file mode 100644 index 0000000000..4d938bc23b --- /dev/null +++ b/dom/security/test/general/test_innerhtml_sanitizer.xhtml @@ -0,0 +1,73 @@ + + + + Test for Bug 1667113 + + + + +Mozilla Bug 1667113 +
+ + + diff --git a/dom/security/test/general/test_meta_referrer.html b/dom/security/test/general/test_meta_referrer.html new file mode 100644 index 0000000000..f5e8b649f4 --- /dev/null +++ b/dom/security/test/general/test_meta_referrer.html @@ -0,0 +1,55 @@ + + + + Bug 1704473 - Remove head requirement for meta name=referrer + + + + + + + + + + + diff --git a/dom/security/test/general/test_nosniff.html b/dom/security/test/general/test_nosniff.html new file mode 100644 index 0000000000..a22386aea0 --- /dev/null +++ b/dom/security/test/general/test_nosniff.html @@ -0,0 +1,88 @@ + + + + Bug 471020 - Add X-Content-Type-Options: nosniff support to Firefox + + + + + + + + + + + + + + + + + diff --git a/dom/security/test/general/test_nosniff_navigation.html b/dom/security/test/general/test_nosniff_navigation.html new file mode 100644 index 0000000000..6710f4f5b9 --- /dev/null +++ b/dom/security/test/general/test_nosniff_navigation.html @@ -0,0 +1,35 @@ + + + + + Bug 1428473 Support X-Content-Type-Options: nosniff when navigating + + + + + + + + + + + + + + diff --git a/dom/security/test/general/test_same_site_cookies_about.html b/dom/security/test/general/test_same_site_cookies_about.html new file mode 100644 index 0000000000..faf2caab9a --- /dev/null +++ b/dom/security/test/general/test_same_site_cookies_about.html @@ -0,0 +1,116 @@ + + + + Bug 1454721 - Add same-site cookie test for about:blank and about:srcdoc + + + + + + + + + + diff --git a/dom/security/test/general/test_same_site_cookies_cross_origin_context.html b/dom/security/test/general/test_same_site_cookies_cross_origin_context.html new file mode 100644 index 0000000000..9294a3d030 --- /dev/null +++ b/dom/security/test/general/test_same_site_cookies_cross_origin_context.html @@ -0,0 +1,93 @@ + + + + Bug 1452496 - Do not allow same-site cookies in cross site context + + + + + + + + + + diff --git a/dom/security/test/general/test_same_site_cookies_from_script.html b/dom/security/test/general/test_same_site_cookies_from_script.html new file mode 100644 index 0000000000..74c38b6249 --- /dev/null +++ b/dom/security/test/general/test_same_site_cookies_from_script.html @@ -0,0 +1,86 @@ + + + + Bug 1452496 - Do not allow same-site cookies in cross site context + + + + + + + + + + + diff --git a/dom/security/test/general/test_same_site_cookies_iframe.html b/dom/security/test/general/test_same_site_cookies_iframe.html new file mode 100644 index 0000000000..45d5d5830a --- /dev/null +++ b/dom/security/test/general/test_same_site_cookies_iframe.html @@ -0,0 +1,168 @@ + + + + Bug 1454027 - Update SameSite cookie handling inside iframes + + + + + + + + + + diff --git a/dom/security/test/general/test_same_site_cookies_laxByDefault.html b/dom/security/test/general/test_same_site_cookies_laxByDefault.html new file mode 100644 index 0000000000..9fd0d0b704 --- /dev/null +++ b/dom/security/test/general/test_same_site_cookies_laxByDefault.html @@ -0,0 +1,85 @@ + + + + Bug 1551798 - SameSite=lax by default + + + + + + + diff --git a/dom/security/test/general/test_same_site_cookies_redirect.html b/dom/security/test/general/test_same_site_cookies_redirect.html new file mode 100644 index 0000000000..59f98b2263 --- /dev/null +++ b/dom/security/test/general/test_same_site_cookies_redirect.html @@ -0,0 +1,101 @@ + + + + Bug 1453814 - Do not allow same-site cookies for cross origin redirect + + + + + + + + + + diff --git a/dom/security/test/general/test_same_site_cookies_subrequest.html b/dom/security/test/general/test_same_site_cookies_subrequest.html new file mode 100644 index 0000000000..304dbafa9a --- /dev/null +++ b/dom/security/test/general/test_same_site_cookies_subrequest.html @@ -0,0 +1,113 @@ + + + + Bug 1286861 - Test same site cookies on subrequests + + + + + + + + + + diff --git a/dom/security/test/general/test_same_site_cookies_toplevel_nav.html b/dom/security/test/general/test_same_site_cookies_toplevel_nav.html new file mode 100644 index 0000000000..aba825916b --- /dev/null +++ b/dom/security/test/general/test_same_site_cookies_toplevel_nav.html @@ -0,0 +1,117 @@ + + + + Bug 1286861 - Test same site cookies on top-level navigations + + + + + + + + + diff --git a/dom/security/test/general/test_same_site_cookies_toplevel_set_cookie.html b/dom/security/test/general/test_same_site_cookies_toplevel_set_cookie.html new file mode 100644 index 0000000000..cae2a6174e --- /dev/null +++ b/dom/security/test/general/test_same_site_cookies_toplevel_set_cookie.html @@ -0,0 +1,57 @@ + + + + Bug 1454242: Setting samesite cookie should not rely on CookieCommons::IsSameSiteForeign + + + + + + + + + + diff --git a/dom/security/test/general/test_xfo_error_page.html b/dom/security/test/general/test_xfo_error_page.html new file mode 100644 index 0000000000..218413b4f9 --- /dev/null +++ b/dom/security/test/general/test_xfo_error_page.html @@ -0,0 +1,35 @@ + + + + Bug 1626249: Ensure correct display of neterror page for XFO + + + + + + + + + diff --git a/dom/security/test/general/window_nosniff_navigation.html b/dom/security/test/general/window_nosniff_navigation.html new file mode 100644 index 0000000000..1287e451b1 --- /dev/null +++ b/dom/security/test/general/window_nosniff_navigation.html @@ -0,0 +1,96 @@ + + + + Bug 1428473 Support X-Content-Type-Options: nosniff when navigating + + + + + + + + + + + + + +
+ + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + \ No newline at end of file -- cgit v1.2.3