diff options
Diffstat (limited to 'dom/security/test')
23 files changed, 263 insertions, 31 deletions
diff --git a/dom/security/test/general/file_block_script_wrong_mime_sw.js b/dom/security/test/general/file_block_script_wrong_mime_sw.js new file mode 100644 index 0000000000..4d8d667af4 --- /dev/null +++ b/dom/security/test/general/file_block_script_wrong_mime_sw.js @@ -0,0 +1,51 @@ +/** + * Service Worker that runs in 2 modes: 1) direct pass-through via + * fetch(event.request) and 2) indirect pass-through via + * fetch(event.request.url). + * + * Because this is updating a pre-existing mochitest that didn't use a SW and + * used a single test document, we use a SW idiom where the SW claims the + * existing window client. And because we operate in two modes and we + * parameterize via URL, we also ensure that we skipWaiting. + **/ + +/* eslint-env serviceworker */ + +// We are parameterized by "mode". +const params = new URLSearchParams(location.search); +const fetchMode = params.get("fetchMode"); + +// When activating on initial install, claim the existing window client. +// For synchronziation, also message the controlled document to report our mode. +self.addEventListener("activate", event => { + event.waitUntil( + (async () => { + await clients.claim(); + const allClients = await clients.matchAll(); + for (const client of allClients) { + client.postMessage({ + fetchMode, + }); + } + })() + ); +}); + +// When updating the SW to change our mode of operation, skipWaiting so we +// advance directly to activating without waiting for the test window client +// to stop being controlled by our previous configuration. +self.addEventListener("install", () => { + self.skipWaiting(); +}); + +self.addEventListener("fetch", event => { + switch (fetchMode) { + case "direct": + event.respondWith(fetch(event.request)); + break; + + case "indirect": + event.respondWith(fetch(event.request.url)); + break; + } +}); diff --git a/dom/security/test/general/mochitest.toml b/dom/security/test/general/mochitest.toml index c46b5ecf57..22024fcc67 100644 --- a/dom/security/test/general/mochitest.toml +++ b/dom/security/test/general/mochitest.toml @@ -8,6 +8,7 @@ support-files = [ "file_block_toplevel_data_navigation2.html", "file_block_toplevel_data_navigation3.html", "file_block_toplevel_data_redirect.sjs", + "file_block_script_wrong_mime_sw.js", "file_block_subresource_redir_to_data.sjs", "file_same_site_cookies_subrequest.sjs", "file_same_site_cookies_toplevel_nav.sjs", diff --git a/dom/security/test/general/test_block_script_wrong_mime.html b/dom/security/test/general/test_block_script_wrong_mime.html index 7122363dfc..896823a417 100644 --- a/dom/security/test/general/test_block_script_wrong_mime.html +++ b/dom/security/test/general/test_block_script_wrong_mime.html @@ -29,7 +29,7 @@ function testScript([mime, shouldLoad]) { let script = document.createElement("script"); script.onload = () => { document.body.removeChild(script); - ok(shouldLoad, `script with mime '${mime}' should load`); + ok(shouldLoad, `script with mime '${mime}' should ${shouldLoad ? "" : "NOT "}load`); resolve(); }; script.onerror = () => { @@ -47,7 +47,7 @@ function testWorker([mime, shouldLoad]) { return new Promise((resolve) => { let worker = new Worker("file_block_script_wrong_mime_server.sjs?type=worker&mime="+mime); worker.onmessage = (event) => { - ok(shouldLoad, `worker with mime '${mime}' should load`) + ok(shouldLoad, `worker with mime '${mime}' should ${shouldLoad ? "" : "NOT "}load`); is(event.data, "worker-loaded", "worker should send correct message"); resolve(); }; @@ -65,7 +65,7 @@ function testWorkerImportScripts([mime, shouldLoad]) { return new Promise((resolve) => { let worker = new Worker("file_block_script_wrong_mime_server.sjs?type=worker-import&mime="+mime); worker.onmessage = (event) => { - ok(shouldLoad, `worker/importScripts with mime '${mime}' should load`) + ok(shouldLoad, `worker/importScripts with mime '${mime}' should ${shouldLoad ? "" : "NOT "}load`); is(event.data, "worker-loaded", "worker should send correct message"); resolve(); }; @@ -73,20 +73,103 @@ function testWorkerImportScripts([mime, shouldLoad]) { ok(!shouldLoad, `worker/importScripts with wrong mime '${mime}' should be blocked`); error.preventDefault(); resolve(); + // The worker doesn't self-terminate via close, so let's do it. + worker.terminate(); } worker.postMessage("dummy"); }); } -SimpleTest.waitForExplicitFinish(); -Promise.all(MIMETypes.map(testScript)).then(() => { - return Promise.all(MIMETypes.map(testWorker)); -}).then(() => { - return Promise.all(MIMETypes.map(testWorkerImportScripts)); -}).then(() => { - return SpecialPowers.popPrefEnv(); -}).then(SimpleTest.finish); +async function runMimeTypePermutations() { + info("### Running document script MIME checks."); + for (const mimeType of MIMETypes) { + await testScript(mimeType); + } + info("### Running worker top-level script MIME checks."); + for (const mimeType of MIMETypes) { + await testWorker(mimeType); + } + + info("### Running worker importScripts MIME checks."); + for (const mimeType of MIMETypes) { + await testWorkerImportScripts(mimeType); + } +} + +let gRegistration; + +/** + * Register and wait for the helper ServiceWorker to be active in the given + * mode. + */ +async function useServiceWorker({ fetchMode }) { + info(`### Registering ServiceWorker with mode '${fetchMode}'`); + const activePromise = new Promise((resolve, reject) => { + navigator.serviceWorker.addEventListener( + "message", + event => { + if (event.data.fetchMode === fetchMode) { + resolve(); + } else { + reject(`wrong fetchMode: ${fetchMode}`); + } + is(fetchMode, event.data.fetchMode, "right fetch mode"); + }, + { once: true }); + }); + + const reg = gRegistration = await navigator.serviceWorker.register( + `file_block_script_wrong_mime_sw.js?fetchMode=${fetchMode}`); + info("register resolved. " + + `installing: ${!!reg.installing} ` + + `waiting: ${!!reg.waiting} ` + + `active: ${!!reg.active}`); + + await activePromise; +} + +/** + * Unregister the ServiceWorker, with the caveat that the ServiceWorker will + * still be controlling us until this window goes away. + */ +async function cleanupServiceWorkerWithCaveat() { + await gRegistration.unregister(); +} + +/** + * Top-level test that runs the MIME type checks in different ServiceWorker/ + * network configurations. + * + * We use the ServiceWorker mechanism that allows ServiceWorkers to claim + * existing scope-matching clients in order to make this window controlled and + * then run the tests. When changing the SW behavior the SW also needs to + * skipWaiting in order to advance to active. + */ +async function runNetworkPermutations() { + await SpecialPowers.pushPrefEnv({ + set: [ + ["dom.serviceWorkers.enabled", true], + ["dom.serviceWorkers.exemptFromPerDomainMax", true], + ["dom.serviceWorkers.testing.enabled", true], + ], + }); + + info("## Run tests without a ServiceWorker involved."); + await runMimeTypePermutations(); + + info("## Run tests with a pass-through fetch(event.request) handler."); + await useServiceWorker({ fetchMode: "direct" }); + await runMimeTypePermutations(); + + info("## Run tests with a naive URL propagating fetch(event.request.url) handler."); + await useServiceWorker({ fetchMode: "indirect" }); + await runMimeTypePermutations(); + + await cleanupServiceWorkerWithCaveat(); +} + +add_task(runNetworkPermutations); </script> </body> </html> diff --git a/dom/security/test/gtest/TestCSPParser.cpp b/dom/security/test/gtest/TestCSPParser.cpp index b8a4e986b6..19ba0548de 100644 --- a/dom/security/test/gtest/TestCSPParser.cpp +++ b/dom/security/test/gtest/TestCSPParser.cpp @@ -93,8 +93,7 @@ nsresult runTest( // for testing the parser we only need to set a principal which is needed // to translate the keyword 'self' into an actual URI. - rv = - csp->SetRequestContextWithPrincipal(selfURIPrincipal, selfURI, u""_ns, 0); + rv = csp->SetRequestContextWithPrincipal(selfURIPrincipal, selfURI, ""_ns, 0); NS_ENSURE_SUCCESS(rv, rv); // append a policy diff --git a/dom/security/test/https-first/browser.toml b/dom/security/test/https-first/browser.toml index 0c63b8317d..49e2d522f4 100644 --- a/dom/security/test/https-first/browser.toml +++ b/dom/security/test/https-first/browser.toml @@ -7,7 +7,7 @@ support-files = ["file_beforeunload_permit_http.html"] support-files = [ "file_mixed_content_auto_upgrade.html", "pass.png", - "test.ogv", + "test.webm", "test.wav", ] @@ -40,6 +40,12 @@ support-files = [ ["browser_navigation.js"] support-files = ["file_navigation.html"] +["browser_subdocument_downgrade.js"] +support-files = [ + "file_empty.html", + "file_subdocument_downgrade.sjs", +] + ["browser_schemeless.js"] ["browser_slow_download.js"] diff --git a/dom/security/test/https-first/browser_beforeunload_permit_http.js b/dom/security/test/https-first/browser_beforeunload_permit_http.js index 660c1a352d..281def37e9 100644 --- a/dom/security/test/https-first/browser_beforeunload_permit_http.js +++ b/dom/security/test/https-first/browser_beforeunload_permit_http.js @@ -162,7 +162,7 @@ async function loadPageAndReload(testCase) { } ); is(true, hasInteractedWith, "Simulated successfully user interaction"); - BrowserReloadWithFlags(testCase.reloadFlag); + BrowserCommands.reloadWithFlags(testCase.reloadFlag); await BrowserTestUtils.browserLoaded(browser); is(true, true, `reload with flag ${testCase.name} was successful`); } diff --git a/dom/security/test/https-first/browser_subdocument_downgrade.js b/dom/security/test/https-first/browser_subdocument_downgrade.js new file mode 100644 index 0000000000..4cb5b4ed2e --- /dev/null +++ b/dom/security/test/https-first/browser_subdocument_downgrade.js @@ -0,0 +1,60 @@ +/* Any copyright is dedicated to the Public Domain. + https://creativecommons.org/publicdomain/zero/1.0/ */ + +"use strict"; + +const EMPTY_URL = + "http://example.com/browser/dom/security/test/https-first/file_empty.html"; +const SUBDOCUMENT_URL = + "https://example.com/browser/dom/security/test/https-first/file_subdocument_downgrade.sjs"; + +add_task(async function test_subdocument_downgrade() { + await SpecialPowers.pushPrefEnv({ + set: [ + // We want to test HTTPS-First + ["dom.security.https_first", true], + // Makes it easier to detect the error + ["security.mixed_content.block_active_content", false], + ], + }); + + // Open a empty document with origin http://example.com, which gets upgraded + // to https://example.com by HTTPS-First and thus is marked as + // HTTPS_ONLY_UPGRADED_HTTPS_FIRST. + await BrowserTestUtils.withNewTab(EMPTY_URL, async browser => { + await SpecialPowers.spawn( + browser, + [SUBDOCUMENT_URL], + async SUBDOCUMENT_URL => { + function isCrossOriginIframe(iframe) { + try { + return !iframe.contentDocument; + } catch (e) { + return true; + } + } + const subdocument = content.document.createElement("iframe"); + // We open https://example.com/.../file_subdocument_downgrade.sjs in a + // iframe, which sends a invalid response if the scheme is https. Thus + // we should get an error. But if we accidentally copy the + // HTTPS_ONLY_UPGRADED_HTTPS_FIRST flag from the parent into the iframe + // loadinfo, HTTPS-First will try to downgrade the iframe. We test that + // this doesn't happen. + subdocument.src = SUBDOCUMENT_URL; + const loadPromise = new Promise(resolve => { + subdocument.addEventListener("load", () => { + ok( + // If the iframe got downgraded, it should now have the origin + // http://example.com, which we can detect as being cross-origin. + !isCrossOriginIframe(subdocument), + "Subdocument should not be downgraded" + ); + resolve(); + }); + }); + content.document.body.appendChild(subdocument); + await loadPromise; + } + ); + }); +}); diff --git a/dom/security/test/https-first/file_empty.html b/dom/security/test/https-first/file_empty.html new file mode 100644 index 0000000000..39d495653e --- /dev/null +++ b/dom/security/test/https-first/file_empty.html @@ -0,0 +1 @@ +<!doctype html><html><body></body></html> diff --git a/dom/security/test/https-first/file_mixed_content_auto_upgrade.html b/dom/security/test/https-first/file_mixed_content_auto_upgrade.html index 7dda8909a5..5a8bef6bb0 100644 --- a/dom/security/test/https-first/file_mixed_content_auto_upgrade.html +++ b/dom/security/test/https-first/file_mixed_content_auto_upgrade.html @@ -6,7 +6,7 @@ <body> <!--upgradeable resources---> <img src="http://example.com/browser/dom/security/test/https-first/pass.png"> - <video src="http://example.com/browser/dom/security/test/https-first/test.ogv"> + <video src="http://example.com/browser/dom/security/test/https-first/test.webm"> <audio src="http://example.com/browser/dom/security/test/https-first/test.wav"> </body> </html> diff --git a/dom/security/test/https-first/file_multiple_redirection.sjs b/dom/security/test/https-first/file_multiple_redirection.sjs index 49098ccdb7..e34a360fa6 100644 --- a/dom/security/test/https-first/file_multiple_redirection.sjs +++ b/dom/security/test/https-first/file_multiple_redirection.sjs @@ -5,6 +5,8 @@ const REDIRECT_URI = "https://example.com/tests/dom/security/test/https-first/file_multiple_redirection.sjs?redirect"; const REDIRECT_URI_HTTP = "http://example.com/tests/dom/security/test/https-first/file_multiple_redirection.sjs?verify"; +const OTHERHOST_REDIRECT_URI_HTTP = + "http://example.org/tests/dom/security/test/https-first/file_multiple_redirection.sjs?verify"; const REDIRECT_URI_HTTPS = "https://example.com/tests/dom/security/test/https-first/file_multiple_redirection.sjs?verify"; @@ -44,6 +46,11 @@ function sendRedirection(query, response) { if (query.includes("test3")) { response.setHeader("Strict-Transport-Security", "max-age=60"); response.setHeader("Location", REDIRECT_URI_HTTP, false); + return; + } + // send a redirection to a different http uri + if (query.includes("test4")) { + response.setHeader("Location", OTHERHOST_REDIRECT_URI_HTTP, false); } } @@ -53,6 +60,11 @@ function handleRequest(request, response) { // if the query contains a test query start first test if (query.startsWith("test")) { + // all of these should be upgraded + if (request.scheme !== "https") { + response.setStatusLine(request.httpVersion, 500, "OK"); + response.write("Request should have been HTTPS."); + } // send a 302 redirection response.setStatusLine(request.httpVersion, 302, "Found"); response.setHeader("Location", REDIRECT_URI + query, false); @@ -60,6 +72,10 @@ function handleRequest(request, response) { } // Send a redirection if (query.includes("redirect")) { + if (request.scheme !== "https") { + response.setStatusLine(request.httpVersion, 500, "OK"); + response.write("Request should have been HTTPS."); + } response.setStatusLine(request.httpVersion, 302, "Found"); sendRedirection(query, response); return; @@ -83,5 +99,5 @@ function handleRequest(request, response) { // We should never get here, but just in case ... response.setStatusLine(request.httpVersion, 500, "OK"); - response.write("unexepcted query"); + response.write("unexpected query"); } diff --git a/dom/security/test/https-first/file_subdocument_downgrade.sjs b/dom/security/test/https-first/file_subdocument_downgrade.sjs new file mode 100644 index 0000000000..53ced94ba8 --- /dev/null +++ b/dom/security/test/https-first/file_subdocument_downgrade.sjs @@ -0,0 +1,8 @@ +function handleRequest(request, response) { + if (request.scheme === "https") { + response.setStatusLine("1.1", 429, "Too Many Requests"); + } else { + response.setHeader("Content-Type", "text/html", false); + response.write("<!doctype html><html><body></body></html>"); + } +} diff --git a/dom/security/test/https-first/test.ogv b/dom/security/test/https-first/test.ogv Binary files differdeleted file mode 100644 index 0f83996e5d..0000000000 --- a/dom/security/test/https-first/test.ogv +++ /dev/null diff --git a/dom/security/test/https-first/test.webm b/dom/security/test/https-first/test.webm Binary files differnew file mode 100644 index 0000000000..221877e303 --- /dev/null +++ b/dom/security/test/https-first/test.webm diff --git a/dom/security/test/https-first/test_multiple_redirection.html b/dom/security/test/https-first/test_multiple_redirection.html index d631f140e6..678a8133a8 100644 --- a/dom/security/test/https-first/test_multiple_redirection.html +++ b/dom/security/test/https-first/test_multiple_redirection.html @@ -37,6 +37,12 @@ Test multiple redirects using https-first and ensure the entire redirect chain i {name: "test last redirect HSTS", result: "scheme-https", query: "test3"}, // reset: reset hsts header for example.com {name: "reset HSTS header", result: "scheme-https", query: "reset"}, + // test 4: http://example.com/...test4 -upgrade-> httpS://example.com/...test4 + // https://example.com/...test4 -redir-> https://example.com/.../REDIRECT + // https://example.com/.../redirect -redir-> http://example.ORG/.../verify + // http://example.org/.../verify -upgrade-> httpS://example.ORG/.../verify + // Everything should be upgraded and accessed only via HTTPS! + {name: "test last redirect other HTTP origin gets upgraded", result: "scheme-https", query: "test4" }, ] let currentTest = 0; let testWin; @@ -48,7 +54,7 @@ Test multiple redirects using https-first and ensure the entire redirect chain i let test = testCase[currentTest]; is(event.data.result, test.result, - "same-origin redirect results in " + test.name + "redirect results in " + test.name ); testWin.close(); if (++currentTest < testCase.length) { diff --git a/dom/security/test/mixedcontentblocker/browser.toml b/dom/security/test/mixedcontentblocker/browser.toml index 5b0b85cb0b..402e8b91b1 100644 --- a/dom/security/test/mixedcontentblocker/browser.toml +++ b/dom/security/test/mixedcontentblocker/browser.toml @@ -15,7 +15,7 @@ support-files = [ support-files = [ "file_csp_block_all_mixedcontent_and_mixed_content_display_upgrade.html", "pass.png", - "test.ogv", + "test.webm", "test.wav", ] diff --git a/dom/security/test/mixedcontentblocker/browser_mixed_content_auth_download.js b/dom/security/test/mixedcontentblocker/browser_mixed_content_auth_download.js index 25fee8de3c..57842eb623 100644 --- a/dom/security/test/mixedcontentblocker/browser_mixed_content_auth_download.js +++ b/dom/security/test/mixedcontentblocker/browser_mixed_content_auth_download.js @@ -12,10 +12,6 @@ const { PromptTestUtils } = ChromeUtils.importESModule( "resource://testing-common/PromptTestUtils.sys.mjs" ); -let authPromptModalType = Services.prefs.getIntPref( - "prompts.modalType.httpAuth" -); - const downloadMonitoringView = { _listeners: [], onDownloadAdded(download) { @@ -107,7 +103,7 @@ async function runTest(url, link, checkFunction, description) { // Wait for the auth prompt, enter the login details and close the prompt await PromptTestUtils.handleNextPrompt( gBrowser.selectedBrowser, - { modalType: authPromptModalType, promptType: "promptUserAndPass" }, + { modalType: Ci.nsIPrompt.MODAL_TYPE_TAB, promptType: "promptUserAndPass" }, { buttonNumClick: 0, loginInput: "user", passwordInput: "pass" } ); await checkPromise; diff --git a/dom/security/test/mixedcontentblocker/file_csp_block_all_mixedcontent_and_mixed_content_display_upgrade.html b/dom/security/test/mixedcontentblocker/file_csp_block_all_mixedcontent_and_mixed_content_display_upgrade.html index 80e97443ed..62e705227f 100644 --- a/dom/security/test/mixedcontentblocker/file_csp_block_all_mixedcontent_and_mixed_content_display_upgrade.html +++ b/dom/security/test/mixedcontentblocker/file_csp_block_all_mixedcontent_and_mixed_content_display_upgrade.html @@ -8,7 +8,7 @@ <body> <!--upgradeable resources---> <img id="some-img" src="http://test1.example.com/browser/dom/security/test/mixedcontentblocker/pass.png" width="100px"> - <video id="some-video" src="http://test1.example.com/browser/dom/security/test/mixedcontentblocker/test.ogv" width="100px"> + <video id="some-video" src="http://test1.example.com/browser/dom/security/test/mixedcontentblocker/test.webm" width="100px"> <audio id="some-audio" src="http://test1.example.com/browser/dom/security/test/mixedcontentblocker/test.wav" width="100px"> </body> </html> diff --git a/dom/security/test/mixedcontentblocker/file_server.sjs b/dom/security/test/mixedcontentblocker/file_server.sjs index 4f86c282ee..90034dad3f 100644 --- a/dom/security/test/mixedcontentblocker/file_server.sjs +++ b/dom/security/test/mixedcontentblocker/file_server.sjs @@ -96,8 +96,8 @@ function handleRequest(request, response) { break; case "media": - response.setHeader("Content-Type", "video/ogg", false); - response.write(loadContentFromFile("tests/dom/media/test/320x240.ogv")); + response.setHeader("Content-Type", "video/webm", false); + response.write(loadContentFromFile("tests/dom/media/test/vp9.webm")); break; case "iframe": diff --git a/dom/security/test/mixedcontentblocker/mochitest.toml b/dom/security/test/mixedcontentblocker/mochitest.toml index 17d8cb4608..cf1d4827a0 100644 --- a/dom/security/test/mixedcontentblocker/mochitest.toml +++ b/dom/security/test/mixedcontentblocker/mochitest.toml @@ -16,7 +16,9 @@ support-files = [ "file_main_bug803225.html", "file_main_bug803225_websocket_wsh.py", "file_server.sjs", - "!/dom/media/test/320x240.ogv", + "!/dom/media/test/vp9.webm", + "test.webm", + "test.wav", "!/image/test/mochitest/blue.png", "file_redirect.html", "file_redirect_handler.sjs", diff --git a/dom/security/test/mixedcontentblocker/test.ogv b/dom/security/test/mixedcontentblocker/test.ogv Binary files differdeleted file mode 100644 index 0f83996e5d..0000000000 --- a/dom/security/test/mixedcontentblocker/test.ogv +++ /dev/null diff --git a/dom/security/test/mixedcontentblocker/test.webm b/dom/security/test/mixedcontentblocker/test.webm Binary files differnew file mode 100644 index 0000000000..221877e303 --- /dev/null +++ b/dom/security/test/mixedcontentblocker/test.webm diff --git a/dom/security/test/referrer-policy/browser.toml b/dom/security/test/referrer-policy/browser.toml index a77046c85b..ba571fec81 100644 --- a/dom/security/test/referrer-policy/browser.toml +++ b/dom/security/test/referrer-policy/browser.toml @@ -1,9 +1,10 @@ [DEFAULT] support-files = ["referrer_page.sjs"] -["browser_session_history.js"] -support-files = ["file_session_history.sjs"] - ["browser_referrer_disallow_cross_site_relaxing.js"] +skip-if = ["asan"] # too slow ["browser_referrer_telemetry.js"] + +["browser_session_history.js"] +support-files = ["file_session_history.sjs"] diff --git a/dom/security/test/referrer-policy/browser_referrer_disallow_cross_site_relaxing.js b/dom/security/test/referrer-policy/browser_referrer_disallow_cross_site_relaxing.js index 7f8df7b34b..84e79af3ef 100644 --- a/dom/security/test/referrer-policy/browser_referrer_disallow_cross_site_relaxing.js +++ b/dom/security/test/referrer-policy/browser_referrer_disallow_cross_site_relaxing.js @@ -191,6 +191,8 @@ add_setup(async function () { set: [ // Disable mixed content blocking to be able to test downgrade scenario. ["security.mixed_content.block_active_content", false], + // Disable https-first since we are testing http and https referrers + ["dom.security.https_first", false], ], }); }); |