1 files changed, 60 insertions, 0 deletions
diff --git a/dom/security/test/https-first/browser_subdocument_downgrade.js b/dom/security/test/https-first/browser_subdocument_downgrade.js
new file mode 100644
index 0000000000..4cb5b4ed2e
--- /dev/null
+++ b/dom/security/test/https-first/browser_subdocument_downgrade.js
@@ -0,0 +1,60 @@
+/* Any copyright is dedicated to the Public Domain.
+   https://creativecommons.org/publicdomain/zero/1.0/ */
+
+"use strict";
+
+const EMPTY_URL =
+  "http://example.com/browser/dom/security/test/https-first/file_empty.html";
+const SUBDOCUMENT_URL =
+  "https://example.com/browser/dom/security/test/https-first/file_subdocument_downgrade.sjs";
+
+add_task(async function test_subdocument_downgrade() {
+  await SpecialPowers.pushPrefEnv({
+    set: [
+      // We want to test HTTPS-First
+      ["dom.security.https_first", true],
+      // Makes it easier to detect the error
+      ["security.mixed_content.block_active_content", false],
+    ],
+  });
+
+  // Open a empty document with origin http://example.com, which gets upgraded
+  // to https://example.com by HTTPS-First and thus is marked as
+  // HTTPS_ONLY_UPGRADED_HTTPS_FIRST.
+  await BrowserTestUtils.withNewTab(EMPTY_URL, async browser => {
+    await SpecialPowers.spawn(
+      browser,
+      [SUBDOCUMENT_URL],
+      async SUBDOCUMENT_URL => {
+        function isCrossOriginIframe(iframe) {
+          try {
+            return !iframe.contentDocument;
+          } catch (e) {
+            return true;
+          }
+        }
+        const subdocument = content.document.createElement("iframe");
+        // We open https://example.com/.../file_subdocument_downgrade.sjs in a
+        // iframe, which sends a invalid response if the scheme is https. Thus
+        // we should get an error. But if we accidentally copy the
+        // HTTPS_ONLY_UPGRADED_HTTPS_FIRST flag from the parent into the iframe
+        // loadinfo, HTTPS-First will try to downgrade the iframe. We test that
+        // this doesn't happen.
+        subdocument.src = SUBDOCUMENT_URL;
+        const loadPromise = new Promise(resolve => {
+          subdocument.addEventListener("load", () => {
+            ok(
+              // If the iframe got downgraded, it should now have the origin
+              // http://example.com, which we can detect as being cross-origin.
+              !isCrossOriginIframe(subdocument),
+              "Subdocument should not be downgraded"
+            );
+            resolve();
+          });
+        });
+        content.document.body.appendChild(subdocument);
+        await loadPromise;
+      }
+    );
+  });
+});