summaryrefslogtreecommitdiffstats
path: root/dom/base/test/test_bug466080.html
diff options
context:
space:
mode:
Diffstat (limited to 'dom/base/test/test_bug466080.html')
-rw-r--r--dom/base/test/test_bug466080.html151
1 files changed, 151 insertions, 0 deletions
diff --git a/dom/base/test/test_bug466080.html b/dom/base/test/test_bug466080.html
new file mode 100644
index 0000000000..45763d592f
--- /dev/null
+++ b/dom/base/test/test_bug466080.html
@@ -0,0 +1,151 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Test bug 466080</title>
+ <script src="/tests/SimpleTest/SimpleTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<iframe id="frame1"
+ src="https://requireclientcert.example.com/tests/dom/base/test/bug466080.sjs">
+
+ This iframe should load the resource via the src-attribute from
+ a secure server which requires a client-cert. Doing this is
+ supposed to work, but further below in the test we try to load
+ the resource from the same url using a XHR, which should not work.
+
+ TODO : What if we change 'src' from JS? Would/should it load?
+
+</iframe>
+
+<script class="testbody" type="text/javascript">
+
+"use strict";
+
+onWindowLoad();
+
+let alltests = [
+
+// load resource from a relative url - this should work
+ { url:"bug466080.sjs",
+ status_check:"==200",
+ error:"XHR from relative URL"},
+
+// TODO - load the resource from a relative url via https..?
+
+// load a non-existing resource - should get "404 Not Found"
+ { url:"bug466080-does-not.exist",
+ status_check:"==404",
+ error:"XHR loading non-existing resource"},
+
+// load resource from cross-site non-secure server
+ { url:"http://test1.example.com/tests/dom/base/test/bug466080.sjs",
+ status_check:"==200",
+ error:"XHR from cross-site plaintext server"},
+
+// load resource from cross-site secure server - should work since no credentials are needed
+ { url:"https://test1.example.com/tests/dom/base/test/bug466080.sjs",
+ status_check:"==200",
+ error:"XHR from cross-site secure server"},
+
+// load resource from cross-site secure server - should work since the server just requests certs
+ { url:"https://requestclientcert.example.com/tests/dom/base/test/bug466080.sjs",
+ status_check:"==200",
+ error:"XHR from cross-site secure server requesting certificate"},
+
+// load resource from cross-site secure server - should NOT work since the server requires cert
+// note that this is the url which is used in the iframe.src above
+ { url:"https://requireclientcert.example.com/tests/dom/base/test/bug466080.sjs",
+ status_check:"!=200",
+ error:"XHR from cross-site secure server requiring certificate"},
+
+// repeat previous, - should NOT work
+ { url:"https://requireclientcert.example.com/tests/dom/base/test/bug466080.sjs",
+ status_check:"==200",
+ error:"XHR w/ credentials from cross-site secure server requiring certificate",
+ withCredentials:"true"},
+
+// repeat previous, but with credentials - should work
+ { url:"https://requireclientcert.example.com/tests/dom/base/test/bug466080.sjs",
+ status_check:"==200",
+ error:"XHR w/ credentials from cross-site secure server requiring certificate",
+ withCredentials:"true"},
+
+// repeat previous, withCredentials but using a weird method to force preflight
+// should NOT work since our preflight is anonymous and will fail with our simple server
+ { url:"https://requireclientcert.example.com/tests/dom/base/test/bug466080.sjs",
+ status_check:"!=200",
+ error:"XHR PREFLIGHT from cross-site secure server requiring certificate",
+ withCredentials:"true",
+ method:"XMETHOD"},
+
+// repeat previous, withCredentials but using a weird method to force preflight
+// Set network.cors_preflight.allow_client_cert pref, that will allow cers on an
+// anonymous connection.
+// This should work since our preflight will work now.
+ { url:"https://requireclientcert.example.com/tests/dom/base/test/bug466080.sjs",
+ status_check:"==200",
+ error:"XHR PREFLIGHT from cross-site secure server requiring certificate",
+ withCredentials:"true",
+ method:"XMETHOD",
+ enableCertOnPreflight: true},
+
+ { cleanEnableCertOnPreflight: true},
+];
+
+async function onWindowLoad() {
+ // First, check that resource was loaded into the iframe
+ // This check in fact depends on bug #444165... :)
+ await new Promise(resolve => {
+ document.getElementById("frame1").onload = () => { resolve(); };
+ });
+
+ async function runTest(test) {
+ if (test.cleanEnableCertOnPreflight) {
+ await SpecialPowers.pushPrefEnv({"set": [["network.cors_preflight.allow_client_cert", false]]});
+ if (!alltests.length) {
+ SimpleTest.finish();
+ } else {
+ runTest(alltests.shift());
+ }
+ } else {
+ if (test.enableCertOnPreflight != null) {
+ await SpecialPowers.pushPrefEnv({"set": [["network.cors_preflight.allow_client_cert", true]]});
+ }
+ var xhr = new XMLHttpRequest();
+
+ var method = "GET";
+ if (test.method != null) { method = test.method; }
+ xhr.open(method, test.url);
+
+ xhr.withCredentials = test.withCredentials;
+
+ SpecialPowers.wrap(xhr).setRequestHeader("Connection", "Keep-Alive", false);
+
+ try {
+ xhr.send();
+ } catch(e) {
+ }
+
+ xhr.onloadend = function() {
+ // eslint-disable-next-line no-eval
+ var success = eval(xhr.status + test.status_check);
+ ok(success, test.error);
+
+ if (!alltests.length) {
+ SimpleTest.finish();
+ } else {
+ runTest(alltests.shift());
+ }
+ };
+ }
+ }
+
+ runTest(alltests.shift());
+}
+
+SimpleTest.waitForExplicitFinish();
+
+</script>
+</body>
+</html>