diff options
Diffstat (limited to '')
-rw-r--r-- | dom/security/test/csp/test_upgrade_insecure_report_only.html | 98 |
1 files changed, 98 insertions, 0 deletions
diff --git a/dom/security/test/csp/test_upgrade_insecure_report_only.html b/dom/security/test/csp/test_upgrade_insecure_report_only.html new file mode 100644 index 0000000000..230d6a3e60 --- /dev/null +++ b/dom/security/test/csp/test_upgrade_insecure_report_only.html @@ -0,0 +1,98 @@ +<!DOCTYPE HTML> +<html> +<head> + <meta charset="utf-8"> + <title>Bug 1832249 - Consider report-only flag when upgrading insecure requests</title> + <!-- Including SimpleTest.js so we can use waitForExplicitFinish !--> + <script src="/tests/SimpleTest/SimpleTest.js"></script> + <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> +</head> +<body> +<iframe id="reportonlyframe"></iframe> +<iframe id="enforceframe"></iframe> + +<script class="testbody" type="text/javascript"> + +/* Description of the test: + * When we load an http page with the `content-security-policy-report-only: upgrade-insecure-requests` + * header the `upgrade-insecure-requests` directive must be ignored according to the spec. + * https://w3c.github.io/webappsec-upgrade-insecure-requests/#delivery + */ + +var expectedResults = 4; + +function finishTest() { + // need to wait until all of the tests have resolved before exiting + if (--expectedResults > 0) { + return; + } + window.removeEventListener("message", receiveMessage); + SimpleTest.finish(); +} + +window.addEventListener("message", receiveMessage); +function receiveMessage(event) { + // make sure the image was correctly loaded. this is the primary purpose of + // this test. if image isn't loaded correctly then that means we attempted to + // upgrade the request when we shouldn't have and vice-versa. + let result = event.data.result; + if (result === "reportonly-img-ok") { + ok(true, "successfully loaded insecure image from http without upgrade"); + finishTest(); + } + if (result === "enforce-img-ok") { + ok(true, "successfully loaded insecure image from http with upgrade"); + finishTest(); + } + if (result === "reportonly-img-error") { + ok (false, "failed to load reportonly image correctly"); + finishTest(); + } + if (result === "enforce-img-error") { + ok (false, "failed to load enforce image correctly"); + finishTest(); + } +} + +function runTest(route) { + // Send off an XHR request which will return once the server receives the + // violation report from the report only policy. + var myXHR = new XMLHttpRequest(); + myXHR.open("GET", `file_upgrade_insecure_report_only_server.sjs?queryresult-${route}`); + myXHR.onload = function(e) { + // make sure that the csp violation report we get is the one we expected + let report = JSON.parse(myXHR.responseText)["csp-report"]; + ok( + report["original-policy"].includes("upgrade-insecure-requests"), + "report should be given by malformed report-only policy" + ); + ok( + report["blocked-uri"].startsWith("http:") && report["blocked-uri"].endsWith(`.sjs?img-${route}`), + "request should be for an img load" + ); + + finishTest(); + } + myXHR.onerror = function(e) { + ok(false, "could not query result for csp-report from server (" + e.message + ")"); + SimpleTest.finish(); + } + myXHR.send(); + + // We load a page that is served using a report only CSP which loads an image. + SimpleTest.executeSoon(function() { + // we need to test http functionality here, so we need to load an http url + /* eslint-disable @microsoft/sdl/no-insecure-url */ + document.getElementById(`${route}frame`).src = + `http://example.com/tests/dom/security/test/csp/file_upgrade_insecure_report_only_server.sjs?${route}=true`; + /* eslint-enable @microsoft/sdl/no-insecure-url */ + }); +} + +SimpleTest.waitForExplicitFinish(); +runTest("reportonly"); +runTest("enforce"); + +</script> +</body> +</html> |