Diffstat (limited to 'dom/security/test')
29 files changed, 267 insertions, 367 deletions
diff --git a/dom/security/test/general/browser.toml b/dom/security/test/general/browser.toml index c6d6b4bf79..0f4ec5b224 100644 --- a/dom/security/test/general/browser.toml +++ b/dom/security/test/general/browser.toml @@ -48,16 +48,6 @@ support-files = [ "file_gpc_server.sjs", ] -["browser_test_http_download.js"] -skip-if = [ - "win11_2009", # Bug 1784764 - "os == 'linux' && !debug", -] -support-files = [ - "http_download_page.html", - "http_download_server.sjs" -] - ["browser_test_referrer_loadInOtherProcess.js"] ["browser_test_report_blocking.js"] diff --git a/dom/security/test/general/browser_test_http_download.js b/dom/security/test/general/browser_test_http_download.js deleted file mode 100644 index 35e3fdfc4b..0000000000 --- a/dom/security/test/general/browser_test_http_download.js +++ /dev/null 
@@ -1,275 +0,0 @@ -/* Any copyright is dedicated to the Public Domain. - * https://creativecommons.org/publicdomain/zero/1.0/ */ - -ChromeUtils.defineESModuleGetters(this, { - Downloads: "resource://gre/modules/Downloads.sys.mjs", - DownloadsCommon: "resource:///modules/DownloadsCommon.sys.mjs", -}); - -const HandlerService = Cc[ - "@mozilla.org/uriloader/handler-service;1" -].getService(Ci.nsIHandlerService); - -const MIMEService = Cc["@mozilla.org/mime;1"].getService(Ci.nsIMIMEService); - -// Using insecure HTTP URL for a test cases around HTTP downloads -let INSECURE_BASE_URL = - getRootDirectory(gTestPath).replace( - "chrome://mochitests/content/", - // eslint-disable-next-line @microsoft/sdl/no-insecure-url - "http://example.com/" - ) + "http_download_page.html"; - -function promiseFocus() { - return new Promise(resolve => { - waitForFocus(resolve); - }); -} - -async function task_openPanel() { - await promiseFocus(); - - let promise = BrowserTestUtils.waitForPopupEvent( - DownloadsPanel.panel, - "shown" - ); - DownloadsPanel.showPanel(); - await promise; -} - -const downloadMonitoringView = { - _listeners: [], - onDownloadAdded(download) { - for (let listener of this._listeners) { - listener(download); - } - this._listeners = []; - }, - waitForDownload(listener) { - this._listeners.push(listener); - }, -}; - -/** - * Waits until a download is triggered. - * Unless the always_ask_before_handling_new_types pref is true, the download - * will simply be saved, so resolve when the view is notified of the new - * download. Otherwise, it waits until a prompt is shown, selects the choosen - * <action>, then accepts the dialog - * @param [action] Which action to select, either: - * "handleInternally", "save" or "open". - * @returns {Promise} Resolved once done. 
- */ - -function shouldTriggerDownload(action = "save") { - if ( - Services.prefs.getBoolPref( - "browser.download.always_ask_before_handling_new_types" - ) - ) { - return new Promise((resolve, reject) => { - Services.wm.addListener({ - onOpenWindow(xulWin) { - Services.wm.removeListener(this); - let win = xulWin.docShell.domWindow; - waitForFocus(() => { - if ( - win.location == - "chrome://mozapps/content/downloads/unknownContentType.xhtml" - ) { - let dialog = win.document.getElementById("unknownContentType"); - let button = dialog.getButton("accept"); - let actionRadio = win.document.getElementById(action); - actionRadio.click(); - button.disabled = false; - dialog.acceptDialog(); - resolve(); - } else { - reject(); - } - }, win); - }, - }); - }); - } - return new Promise(res => { - downloadMonitoringView.waitForDownload(res); - }); -} - -const CONSOLE_ERROR_MESSAGE = "We blocked a download that’s not secure"; - -function shouldConsoleError() { - // Waits until CONSOLE_ERROR_MESSAGE was logged - return new Promise((resolve, reject) => { - function listener(msgObj) { - let text = msgObj.message; - if (text.includes(CONSOLE_ERROR_MESSAGE)) { - Services.console.unregisterListener(listener); - resolve(); - } - } - Services.console.registerListener(listener); - }); -} - -async function resetDownloads() { - // Removes all downloads from the download List - const types = new Set(); - let publicList = await Downloads.getList(Downloads.PUBLIC); - let downloads = await publicList.getAll(); - for (let download of downloads) { - if (download.contentType) { - types.add(download.contentType); - } - publicList.remove(download); - await download.finalize(true); - } - - if (types.size) { - // reset handlers for the contentTypes of any files previously downloaded - for (let type of types) { - const mimeInfo = MIMEService.getFromTypeAndExtension(type, ""); - info("resetting handler for type: " + type); - HandlerService.remove(mimeInfo); - } - } -} - -function 
shouldNotifyDownloadUI() { - return new Promise(res => { - downloadMonitoringView.waitForDownload(async aDownload => { - let { error } = aDownload; - if ( - error.becauseBlockedByReputationCheck && - error.reputationCheckVerdict == Downloads.Error.BLOCK_VERDICT_INSECURE - ) { - // It's an insecure Download, now Check that it has been cleaned up properly - if ((await IOUtils.stat(aDownload.target.path)).size != 0) { - throw new Error(`Download target is not empty!`); - } - if ((await IOUtils.stat(aDownload.target.path)).size != 0) { - throw new Error(`Download partFile was not cleaned up properly`); - } - // Assert that the Referrer is presnt - if (!aDownload.source.referrerInfo) { - throw new Error("The Blocked download is missing the ReferrerInfo"); - } - - res(aDownload); - } else { - ok(false, "No error for download that was expected to error!"); - } - }); - }); -} - -async function runTest(url, link, checkFunction, description) { - await SpecialPowers.pushPrefEnv({ - set: [["dom.block_download_insecure", true]], - }); - await resetDownloads(); - - let tab = BrowserTestUtils.addTab(gBrowser, url); - gBrowser.selectedTab = tab; - - let browser = gBrowser.getBrowserForTab(tab); - await BrowserTestUtils.browserLoaded(browser); - - info("Checking: " + description); - - let checkPromise = checkFunction(); - // Click the Link to trigger the download - SpecialPowers.spawn(gBrowser.selectedBrowser, [link], contentLink => { - content.document.getElementById(contentLink).click(); - }); - - await checkPromise; - - ok(true, description); - BrowserTestUtils.removeTab(tab); - - await SpecialPowers.popPrefEnv(); -} - -add_setup(async () => { - let list = await Downloads.getList(Downloads.ALL); - list.addView(downloadMonitoringView); - registerCleanupFunction(() => list.removeView(downloadMonitoringView)); -}); - -// Test Blocking -add_task(async function test_blocking() { - for (let prefVal of [true, false]) { - await SpecialPowers.pushPrefEnv({ - set: 
[["browser.download.always_ask_before_handling_new_types", prefVal]], - }); - await runTest( - INSECURE_BASE_URL, - "http-link", - () => - Promise.all([ - shouldTriggerDownload(), - shouldNotifyDownloadUI(), - shouldConsoleError(), - ]), - "Insecure (HTTP) toplevel -> Insecure (HTTP) download should Error" - ); - await SpecialPowers.popPrefEnv(); - } -}); - -// Test Manual Unblocking -add_task(async function test_manual_unblocking() { - for (let prefVal of [true, false]) { - await SpecialPowers.pushPrefEnv({ - set: [["browser.download.always_ask_before_handling_new_types", prefVal]], - }); - await runTest( - INSECURE_BASE_URL, - "http-link", - async () => { - let [, download] = await Promise.all([ - shouldTriggerDownload(), - shouldNotifyDownloadUI(), - ]); - await download.unblock(); - Assert.equal( - download.error, - null, - "There should be no error after unblocking" - ); - }, - "A blocked download should succeed to download after a manual unblock" - ); - await SpecialPowers.popPrefEnv(); - } -}); - -// Test Unblock Download Visible -add_task(async function test_unblock_download_visible() { - for (let prefVal of [true, false]) { - await SpecialPowers.pushPrefEnv({ - set: [["browser.download.always_ask_before_handling_new_types", prefVal]], - }); - await promiseFocus(); - await runTest( - INSECURE_BASE_URL, - "http-link", - async () => { - let panelHasOpened = BrowserTestUtils.waitForPopupEvent( - DownloadsPanel.panel, - "shown" - ); - info("awaiting that the download is triggered and added to the list"); - await Promise.all([shouldTriggerDownload(), shouldNotifyDownloadUI()]); - info("awaiting that the Download list shows itself"); - await panelHasOpened; - DownloadsPanel.hidePanel(); - ok(true, "The Download Panel should have opened on blocked download"); - }, - "A blocked download should open the download panel" - ); - await SpecialPowers.popPrefEnv(); - } -}); 
diff --git a/dom/security/test/general/file_block_script_wrong_mime_sw.js b/dom/security/test/general/file_block_script_wrong_mime_sw.js new file mode 100644 index 0000000000..4d8d667af4 --- /dev/null +++ b/dom/security/test/general/file_block_script_wrong_mime_sw.js @@ -0,0 +1,51 @@ +/** + * Service Worker that runs in 2 modes: 1) direct pass-through via + * fetch(event.request) and 2) indirect pass-through via + * fetch(event.request.url). + * + * Because this is updating a pre-existing mochitest that didn't use a SW and + * used a single test document, we use a SW idiom where the SW claims the + * existing window client. And because we operate in two modes and we + * parameterize via URL, we also ensure that we skipWaiting. + **/ + +/* eslint-env serviceworker */ + +// We are parameterized by "mode". +const params = new URLSearchParams(location.search); +const fetchMode = params.get("fetchMode"); + +// When activating on initial install, claim the existing window client. +// For synchronziation, also message the controlled document to report our mode. +self.addEventListener("activate", event => { + event.waitUntil( + (async () => { + await clients.claim(); + const allClients = await clients.matchAll(); + for (const client of allClients) { + client.postMessage({ + fetchMode, + }); + } + })() + ); +}); + +// When updating the SW to change our mode of operation, skipWaiting so we +// advance directly to activating without waiting for the test window client +// to stop being controlled by our previous configuration. +self.addEventListener("install", () => { + self.skipWaiting(); +}); + +self.addEventListener("fetch", event => { + switch (fetchMode) { + case "direct": + event.respondWith(fetch(event.request)); + break; + + case "indirect": + event.respondWith(fetch(event.request.url)); + break; + } +}); 
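Review bot: The `fetch` handler's switch has no default, so any `fetchMode` other than "direct" or "indirect" (including `null` when the query parameter is absent) silently lets every request fall through to the network, which is indistinguishable from the no-ServiceWorker baseline the test page also runs. Because the controlled page compares the mode reported by the activate handler against the same string it registered with, a misspelled mode on the test side would be accepted on both ends and the SW runs would quietly test nothing. Adding `default: throw new Error("file_block_script_wrong_mime_sw.js: unknown fetchMode " + fetchMode);` to the switch turns that misconfiguration into a visible fetch failure. The activate-handler comment also misspells "synchronization".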
diff --git a/dom/security/test/general/http_download_page.html b/dom/security/test/general/http_download_page.html deleted file mode 100644 index c5461eaed3..0000000000 --- a/dom/security/test/general/http_download_page.html +++ /dev/null @@ -1,23 +0,0 @@ -<!DOCTYPE HTML> -<html> - <head> - <title>Test for the download attribute</title> - </head> - <body> - hi - - <script> - const host = window.location.host; - const path = location.pathname.replace("http_download_page.html","http_download_server.sjs"); - - const insecureLink = document.createElement("a"); - // eslint-disable-next-line @microsoft/sdl/no-insecure-url - insecureLink.href=`http://${host}/${path}`; - insecureLink.download="true"; - insecureLink.id="http-link"; - insecureLink.textContent="Not secure Link"; - - document.body.append(insecureLink); - </script> - </body> -</html> diff --git a/dom/security/test/general/http_download_server.sjs b/dom/security/test/general/http_download_server.sjs deleted file mode 100644 index e659df2f40..0000000000 --- a/dom/security/test/general/http_download_server.sjs +++ /dev/null @@ -1,20 +0,0 @@ -// force the Browser to Show a Download Prompt - -function handleRequest(request, response) { - let type = "image/png"; - let filename = "hello.png"; - request.queryString.split("&").forEach(val => { - var [key, value] = val.split("="); - if (key == "type") { - type = value; - } - if (key == "name") { - filename = value; - } - }); - - response.setHeader("Cache-Control", "no-cache", false); - response.setHeader("Content-Disposition", `attachment; filename=$(unknown)`); - response.setHeader("Content-Type", type); - response.write("🙈🙊🐵🙊"); -} diff --git a/dom/security/test/general/mochitest.toml b/dom/security/test/general/mochitest.toml index c46b5ecf57..22024fcc67 100644 --- a/dom/security/test/general/mochitest.toml +++ b/dom/security/test/general/mochitest.toml 
@@ -8,6 +8,7 @@ support-files = [
 "file_block_toplevel_data_navigation2.html",
 "file_block_toplevel_data_navigation3.html",
 "file_block_toplevel_data_redirect.sjs",
+ "file_block_script_wrong_mime_sw.js",
 "file_block_subresource_redir_to_data.sjs",
 "file_same_site_cookies_subrequest.sjs",
 "file_same_site_cookies_toplevel_nav.sjs",
diff --git a/dom/security/test/general/test_block_script_wrong_mime.html b/dom/security/test/general/test_block_script_wrong_mime.html
index 7122363dfc..896823a417 100644
--- a/dom/security/test/general/test_block_script_wrong_mime.html
+++ b/dom/security/test/general/test_block_script_wrong_mime.html
@@ -29,7 +29,7 @@ function testScript([mime, shouldLoad]) {
 let script = document.createElement("script");
 script.onload = () => {
 document.body.removeChild(script);
- ok(shouldLoad, `script with mime '${mime}' should load`);
+ ok(shouldLoad, `script with mime '${mime}' should ${shouldLoad ? "" : "NOT "}load`);
 resolve();
 };
 script.onerror = () => {
@@ -47,7 +47,7 @@ function testWorker([mime, shouldLoad]) {
 return new Promise((resolve) => {
 let worker = new Worker("file_block_script_wrong_mime_server.sjs?type=worker&mime="+mime);
 worker.onmessage = (event) => {
- ok(shouldLoad, `worker with mime '${mime}' should load`)
+ ok(shouldLoad, `worker with mime '${mime}' should ${shouldLoad ? "" : "NOT "}load`);
 is(event.data, "worker-loaded", "worker should send correct message");
 resolve();
 };
@@ -65,7 +65,7 @@ function testWorkerImportScripts([mime, shouldLoad]) {
 return new Promise((resolve) => {
 let worker = new Worker("file_block_script_wrong_mime_server.sjs?type=worker-import&mime="+mime);
 worker.onmessage = (event) => {
- ok(shouldLoad, `worker/importScripts with mime '${mime}' should load`)
+ ok(shouldLoad, `worker/importScripts with mime '${mime}' should ${shouldLoad ? "" : "NOT "}load`);
 is(event.data, "worker-loaded", "worker should send correct message");
 resolve();
 };
@@ -73,20 +73,103 @@ function testWorkerImportScripts([mime, shouldLoad]) { ok(!shouldLoad, `worker/importScripts with wrong mime '${mime}' should be blocked`); error.preventDefault(); resolve(); + // The worker doesn't self-terminate via close, so let's do it. + worker.terminate(); } worker.postMessage("dummy"); }); } -SimpleTest.waitForExplicitFinish(); -Promise.all(MIMETypes.map(testScript)).then(() => { - return Promise.all(MIMETypes.map(testWorker)); -}).then(() => { - return Promise.all(MIMETypes.map(testWorkerImportScripts)); -}).then(() => { - return SpecialPowers.popPrefEnv(); -}).then(SimpleTest.finish); +async function runMimeTypePermutations() { + info("### Running document script MIME checks."); + for (const mimeType of MIMETypes) { + await testScript(mimeType); + } + info("### Running worker top-level script MIME checks."); + for (const mimeType of MIMETypes) { + await testWorker(mimeType); + } + + info("### Running worker importScripts MIME checks."); + for (const mimeType of MIMETypes) { + await testWorkerImportScripts(mimeType); + } +} + +let gRegistration; + +/** + * Register and wait for the helper ServiceWorker to be active in the given + * mode. + */ +async function useServiceWorker({ fetchMode }) { + info(`### Registering ServiceWorker with mode '${fetchMode}'`); + const activePromise = new Promise((resolve, reject) => { + navigator.serviceWorker.addEventListener( + "message", + event => { + if (event.data.fetchMode === fetchMode) { + resolve(); + } else { + reject(`wrong fetchMode: ${fetchMode}`); + } + is(fetchMode, event.data.fetchMode, "right fetch mode"); + }, + { once: true }); + }); + + const reg = gRegistration = await navigator.serviceWorker.register( + `file_block_script_wrong_mime_sw.js?fetchMode=${fetchMode}`); + info("register resolved. 
" + + `installing: ${!!reg.installing} ` + + `waiting: ${!!reg.waiting} ` + + `active: ${!!reg.active}`); + + await activePromise; +} + +/** + * Unregister the ServiceWorker, with the caveat that the ServiceWorker will + * still be controlling us until this window goes away. + */ +async function cleanupServiceWorkerWithCaveat() { + await gRegistration.unregister(); +} + +/** + * Top-level test that runs the MIME type checks in different ServiceWorker/ + * network configurations. + * + * We use the ServiceWorker mechanism that allows ServiceWorkers to claim + * existing scope-matching clients in order to make this window controlled and + * then run the tests. When changing the SW behavior the SW also needs to + * skipWaiting in order to advance to active. + */ +async function runNetworkPermutations() { + await SpecialPowers.pushPrefEnv({ + set: [ + ["dom.serviceWorkers.enabled", true], + ["dom.serviceWorkers.exemptFromPerDomainMax", true], + ["dom.serviceWorkers.testing.enabled", true], + ], + }); + + info("## Run tests without a ServiceWorker involved."); + await runMimeTypePermutations(); + + info("## Run tests with a pass-through fetch(event.request) handler."); + await useServiceWorker({ fetchMode: "direct" }); + await runMimeTypePermutations(); + + info("## Run tests with a naive URL propagating fetch(event.request.url) handler."); + await useServiceWorker({ fetchMode: "indirect" }); + await runMimeTypePermutations(); + + await cleanupServiceWorkerWithCaveat(); +} + +add_task(runNetworkPermutations); </script> </body> </html> diff --git a/dom/security/test/gtest/TestCSPParser.cpp b/dom/security/test/gtest/TestCSPParser.cpp index b8a4e986b6..19ba0548de 100644 --- a/dom/security/test/gtest/TestCSPParser.cpp +++ b/dom/security/test/gtest/TestCSPParser.cpp 
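Review bot: In `useServiceWorker` the rejection path reports the wrong value and the wrong type: `reject(\`wrong fetchMode: ${fetchMode}\`)` interpolates the mode the test asked for, not the one the worker reported, and rejects with a bare string rather than an Error, so a failure surfaces as "wrong fetchMode: direct" with no stack. Change it to `reject(new Error(\`wrong fetchMode: expected ${fetchMode}, got ${event.data.fetchMode}\`));`. Separately, `cleanupServiceWorkerWithCaveat()` is only reached if all three permutations pass; an assertion or hang in the SW-controlled runs leaves the registration behind for whatever runs next, so the two `useServiceWorker` runs in `runNetworkPermutations` should be wrapped as `try { … } finally { await cleanupServiceWorkerWithCaveat(); }`.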
@@ -93,8 +93,7 @@ nsresult runTest( // for testing the parser we only need to set a principal which is needed // to translate the keyword 'self' into an actual URI. - rv = - csp->SetRequestContextWithPrincipal(selfURIPrincipal, selfURI, u""_ns, 0); + rv = csp->SetRequestContextWithPrincipal(selfURIPrincipal, selfURI, ""_ns, 0); NS_ENSURE_SUCCESS(rv, rv); // append a policy diff --git a/dom/security/test/https-first/browser.toml b/dom/security/test/https-first/browser.toml index 0c63b8317d..49e2d522f4 100644 --- a/dom/security/test/https-first/browser.toml +++ b/dom/security/test/https-first/browser.toml @@ -7,7 +7,7 @@ support-files = ["file_beforeunload_permit_http.html"] support-files = [ "file_mixed_content_auto_upgrade.html", "pass.png", - "test.ogv", + "test.webm", "test.wav", ] @@ -40,6 +40,12 @@ support-files = [ ["browser_navigation.js"] support-files = ["file_navigation.html"] +["browser_subdocument_downgrade.js"] +support-files = [ + "file_empty.html", + "file_subdocument_downgrade.sjs", +] + ["browser_schemeless.js"] ["browser_slow_download.js"] diff --git a/dom/security/test/https-first/browser_beforeunload_permit_http.js b/dom/security/test/https-first/browser_beforeunload_permit_http.js index 660c1a352d..281def37e9 100644 --- a/dom/security/test/https-first/browser_beforeunload_permit_http.js +++ b/dom/security/test/https-first/browser_beforeunload_permit_http.js @@ -162,7 +162,7 @@ async function loadPageAndReload(testCase) { } ); is(true, hasInteractedWith, "Simulated successfully user interaction"); - BrowserReloadWithFlags(testCase.reloadFlag); + BrowserCommands.reloadWithFlags(testCase.reloadFlag); await BrowserTestUtils.browserLoaded(browser); is(true, true, `reload with flag ${testCase.name} was successful`); } diff --git a/dom/security/test/https-first/browser_subdocument_downgrade.js b/dom/security/test/https-first/browser_subdocument_downgrade.js new file mode 100644 index 0000000000..4cb5b4ed2e --- /dev/null 
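Review bot: The new `["browser_subdocument_downgrade.js"]` entry in dom/security/test/https-first/browser.toml is inserted between `browser_navigation.js` and `browser_schemeless.js`, which breaks the alphabetical order the surrounding entries keep (and which the referrer-policy/browser.toml hunk in this same commit goes out of its way to restore). It belongs after `["browser_slow_download.js"]`; moving the block there keeps the manifest consistent and avoids a lint complaint if manifest ordering is enforced.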
+++ b/dom/security/test/https-first/browser_subdocument_downgrade.js 
@@ -0,0 +1,60 @@ +/* Any copyright is dedicated to the Public Domain. + https://creativecommons.org/publicdomain/zero/1.0/ */ + +"use strict"; + +const EMPTY_URL = + "http://example.com/browser/dom/security/test/https-first/file_empty.html"; +const SUBDOCUMENT_URL = + "https://example.com/browser/dom/security/test/https-first/file_subdocument_downgrade.sjs"; + +add_task(async function test_subdocument_downgrade() { + await SpecialPowers.pushPrefEnv({ + set: [ + // We want to test HTTPS-First + ["dom.security.https_first", true], + // Makes it easier to detect the error + ["security.mixed_content.block_active_content", false], + ], + }); + + // Open a empty document with origin http://example.com, which gets upgraded + // to https://example.com by HTTPS-First and thus is marked as + // HTTPS_ONLY_UPGRADED_HTTPS_FIRST. + await BrowserTestUtils.withNewTab(EMPTY_URL, async browser => { + await SpecialPowers.spawn( + browser, + [SUBDOCUMENT_URL], + async SUBDOCUMENT_URL => { + function isCrossOriginIframe(iframe) { + try { + return !iframe.contentDocument; + } catch (e) { + return true; + } + } + const subdocument = content.document.createElement("iframe"); + // We open https://example.com/.../file_subdocument_downgrade.sjs in a + // iframe, which sends a invalid response if the scheme is https. Thus + // we should get an error. But if we accidentally copy the + // HTTPS_ONLY_UPGRADED_HTTPS_FIRST flag from the parent into the iframe + // loadinfo, HTTPS-First will try to downgrade the iframe. We test that + // this doesn't happen. + subdocument.src = SUBDOCUMENT_URL; + const loadPromise = new Promise(resolve => { + subdocument.addEventListener("load", () => { + ok( + // If the iframe got downgraded, it should now have the origin + // http://example.com, which we can detect as being cross-origin. 
+ !isCrossOriginIframe(subdocument), + "Subdocument should not be downgraded" + ); + resolve(); + }); + }); + content.document.body.appendChild(subdocument); + await loadPromise; + } + ); + }); +}); diff --git a/dom/security/test/https-first/file_empty.html b/dom/security/test/https-first/file_empty.html new file mode 100644 index 0000000000..39d495653e --- /dev/null +++ b/dom/security/test/https-first/file_empty.html @@ -0,0 +1 @@ +<!doctype html><html><body></body></html> diff --git a/dom/security/test/https-first/file_mixed_content_auto_upgrade.html b/dom/security/test/https-first/file_mixed_content_auto_upgrade.html index 7dda8909a5..5a8bef6bb0 100644 --- a/dom/security/test/https-first/file_mixed_content_auto_upgrade.html +++ b/dom/security/test/https-first/file_mixed_content_auto_upgrade.html @@ -6,7 +6,7 @@ <body> <!--upgradeable resources---> <img src="http://example.com/browser/dom/security/test/https-first/pass.png"> - <video src="http://example.com/browser/dom/security/test/https-first/test.ogv"> + <video src="http://example.com/browser/dom/security/test/https-first/test.webm"> <audio src="http://example.com/browser/dom/security/test/https-first/test.wav"> </body> </html> diff --git a/dom/security/test/https-first/file_multiple_redirection.sjs b/dom/security/test/https-first/file_multiple_redirection.sjs index 49098ccdb7..e34a360fa6 100644 --- a/dom/security/test/https-first/file_multiple_redirection.sjs +++ b/dom/security/test/https-first/file_multiple_redirection.sjs 
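Review bot: The only assertion in `test_subdocument_downgrade` is the negative `!isCrossOriginIframe(subdocument)`, which any same-origin document satisfies, so the test would still pass if the iframe ended up on some other https://example.com URL or on an empty same-origin document for an unrelated reason. Since the iframe is asserted to be same-origin at that point, pinning the URL is safe and makes the intent explicit: add `is(subdocument.contentWindow.location.href, SUBDOCUMENT_URL, "Subdocument should still be loaded from the HTTPS URL");` after the existing `ok(...)`. The comment above `subdocument.src` could also say "sends an error response (429)" instead of "a invalid response", since the https branch returns a well-formed status, just not a page.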
@@ -5,6 +5,8 @@ const REDIRECT_URI = "https://example.com/tests/dom/security/test/https-first/file_multiple_redirection.sjs?redirect"; const REDIRECT_URI_HTTP = "http://example.com/tests/dom/security/test/https-first/file_multiple_redirection.sjs?verify"; +const OTHERHOST_REDIRECT_URI_HTTP = + "http://example.org/tests/dom/security/test/https-first/file_multiple_redirection.sjs?verify"; const REDIRECT_URI_HTTPS = "https://example.com/tests/dom/security/test/https-first/file_multiple_redirection.sjs?verify"; @@ -44,6 +46,11 @@ function sendRedirection(query, response) { if (query.includes("test3")) { response.setHeader("Strict-Transport-Security", "max-age=60"); response.setHeader("Location", REDIRECT_URI_HTTP, false); + return; + } + // send a redirection to a different http uri + if (query.includes("test4")) { + response.setHeader("Location", OTHERHOST_REDIRECT_URI_HTTP, false); } } @@ -53,6 +60,11 @@ function handleRequest(request, response) { // if the query contains a test query start first test if (query.startsWith("test")) { + // all of these should be upgraded + if (request.scheme !== "https") { + response.setStatusLine(request.httpVersion, 500, "OK"); + response.write("Request should have been HTTPS."); + } // send a 302 redirection response.setStatusLine(request.httpVersion, 302, "Found"); response.setHeader("Location", REDIRECT_URI + query, false); @@ -60,6 +72,10 @@ function handleRequest(request, response) { } // Send a redirection if (query.includes("redirect")) { + if (request.scheme !== "https") { + response.setStatusLine(request.httpVersion, 500, "OK"); + response.write("Request should have been HTTPS."); + } response.setStatusLine(request.httpVersion, 302, "Found"); sendRedirection(query, response); return; @@ -83,5 +99,5 @@ function handleRequest(request, response) { // We should never get here, but just in case ... response.setStatusLine(request.httpVersion, 500, "OK"); - response.write("unexepcted query"); + response.write("unexpected query"); } 
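Review bot: Both new scheme guards in `handleRequest` (the `test` branch and the `redirect` branch) write a 500 but do not return, so execution continues to `response.setStatusLine(request.httpVersion, 302, "Found")` and the Location header; as far as I can tell from how the sibling sjs handlers here are written, the 302 then supersedes the 500 and an http request is redirected exactly as an upgraded one would be, which is the case the guard is meant to fail. Add `return;` after each `response.write("Request should have been HTTPS.");`, mirroring the `return;` this commit adds to the `test3` block in `sendRedirection`. The reason phrase `"OK"` on a 500 is inherited from the existing fallback at the bottom of the file; `"Internal Server Error"` would read better if you touch these lines again.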
diff --git a/dom/security/test/https-first/file_subdocument_downgrade.sjs b/dom/security/test/https-first/file_subdocument_downgrade.sjs new file mode 100644 index 0000000000..53ced94ba8 --- /dev/null +++ b/dom/security/test/https-first/file_subdocument_downgrade.sjs @@ -0,0 +1,8 @@ +function handleRequest(request, response) { + if (request.scheme === "https") { + response.setStatusLine("1.1", 429, "Too Many Requests"); + } else { + response.setHeader("Content-Type", "text/html", false); + response.write("<!doctype html><html><body></body></html>"); + } +} diff --git a/dom/security/test/https-first/test.ogv b/dom/security/test/https-first/test.ogv Binary files differdeleted file mode 100644 index 0f83996e5d..0000000000 --- a/dom/security/test/https-first/test.ogv +++ /dev/null diff --git a/dom/security/test/https-first/test.webm b/dom/security/test/https-first/test.webm Binary files differnew file mode 100644 index 0000000000..221877e303 --- /dev/null +++ b/dom/security/test/https-first/test.webm diff --git a/dom/security/test/https-first/test_multiple_redirection.html b/dom/security/test/https-first/test_multiple_redirection.html index d631f140e6..678a8133a8 100644 --- a/dom/security/test/https-first/test_multiple_redirection.html +++ b/dom/security/test/https-first/test_multiple_redirection.html 
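Review bot: `response.setStatusLine("1.1", 429, "Too Many Requests")` hard-codes the HTTP version, while the other sjs handler touched in this commit (file_multiple_redirection.sjs) passes `request.httpVersion`; use `response.setStatusLine(request.httpVersion, 429, "Too Many Requests");` for consistency. The file also carries no explanation of why the two schemes are answered differently, which only becomes clear after reading browser_subdocument_downgrade.js; a header comment such as `// Answers http with an empty page but https with a bodiless 429, so the browser test can tell whether HTTPS-First downgraded the iframe load.` would make the handler self-describing.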
@@ -37,6 +37,12 @@ Test multiple redirects using https-first and ensure the entire redirect chain i {name: "test last redirect HSTS", result: "scheme-https", query: "test3"}, // reset: reset hsts header for example.com {name: "reset HSTS header", result: "scheme-https", query: "reset"}, + // test 4: http://example.com/...test4 -upgrade-> httpS://example.com/...test4 + // https://example.com/...test4 -redir-> https://example.com/.../REDIRECT + // https://example.com/.../redirect -redir-> http://example.ORG/.../verify + // http://example.org/.../verify -upgrade-> httpS://example.ORG/.../verify + // Everything should be upgraded and accessed only via HTTPS! + {name: "test last redirect other HTTP origin gets upgraded", result: "scheme-https", query: "test4" }, ] let currentTest = 0; let testWin; @@ -48,7 +54,7 @@ Test multiple redirects using https-first and ensure the entire redirect chain i let test = testCase[currentTest]; is(event.data.result, test.result, - "same-origin redirect results in " + test.name + "redirect results in " + test.name ); testWin.close(); if (++currentTest < testCase.length) { diff --git a/dom/security/test/https-only/browser_save_as.js b/dom/security/test/https-only/browser_save_as.js index fbfdf276a8..28f3df539d 100644 --- a/dom/security/test/https-only/browser_save_as.js +++ b/dom/security/test/https-only/browser_save_as.js @@ -155,11 +155,7 @@ async function setHttpsFirstAndOnlyPrefs(httpsFirst, httpsOnly) { add_task(async function testBaseline() { // Run with HTTPS-First and HTTPS-Only disabled await setHttpsFirstAndOnlyPrefs(false, false); - await runTest( - "#insecure-link", - HTTP_LINK, - "We blocked a download that’s not secure: “http://example.org/”." - ); + await runTest("#insecure-link", HTTP_LINK, undefined); await runTest("#secure-link", HTTPS_LINK, undefined); }); 
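Review bot: In `testBaseline` of browser_save_as.js the expected console message for the insecure link changes from a blocking message to `undefined`, but the only comment still just says "Run with HTTPS-First and HTTPS-Only disabled", so a reader cannot tell whether the absence of a message is intended or a weakened test. Together with the deletion of browser_test_http_download.js in this commit it looks like insecure downloads are now only blocked under HTTPS-First/HTTPS-Only, but that should be stated rather than inferred: add `// With both features off an insecure download is no longer blocked, so no console message is expected` above the `runTest("#insecure-link", HTTP_LINK, undefined)` call.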
@@ -173,7 +169,7 @@ add_task(async function testHttpsFirst() { await runTest( "#insecure-link", HTTP_LINK, - "We blocked a download that’s not secure: “http://example.org/”." + "Blocked downloading insecure content “http://example.org/”." ); await runTest("#secure-link", HTTPS_LINK, undefined); }); @@ -185,7 +181,7 @@ add_task(async function testHttpsOnly() { await runTest( "#insecure-link", HTTP_LINK, - "We blocked a download that’s not secure: “http://example.org/”." + "Blocked downloading insecure content “http://example.org/”." ); await runTest("#secure-link", HTTPS_LINK, undefined); }); diff --git a/dom/security/test/mixedcontentblocker/browser.toml b/dom/security/test/mixedcontentblocker/browser.toml index 5b0b85cb0b..402e8b91b1 100644 --- a/dom/security/test/mixedcontentblocker/browser.toml +++ b/dom/security/test/mixedcontentblocker/browser.toml @@ -15,7 +15,7 @@ support-files = [ support-files = [ "file_csp_block_all_mixedcontent_and_mixed_content_display_upgrade.html", "pass.png", - "test.ogv", + "test.webm", "test.wav", ] diff --git a/dom/security/test/mixedcontentblocker/browser_mixed_content_auth_download.js b/dom/security/test/mixedcontentblocker/browser_mixed_content_auth_download.js index 25fee8de3c..57842eb623 100644 --- a/dom/security/test/mixedcontentblocker/browser_mixed_content_auth_download.js +++ b/dom/security/test/mixedcontentblocker/browser_mixed_content_auth_download.js @@ -12,10 +12,6 @@ const { PromptTestUtils } = ChromeUtils.importESModule( "resource://testing-common/PromptTestUtils.sys.mjs" ); -let authPromptModalType = Services.prefs.getIntPref( - "prompts.modalType.httpAuth" -); - const downloadMonitoringView = { _listeners: [], onDownloadAdded(download) { 
@@ -107,7 +103,7 @@ async function runTest(url, link, checkFunction, description) { // Wait for the auth prompt, enter the login details and close the prompt await PromptTestUtils.handleNextPrompt( gBrowser.selectedBrowser, - { modalType: authPromptModalType, promptType: "promptUserAndPass" }, + { modalType: Ci.nsIPrompt.MODAL_TYPE_TAB, promptType: "promptUserAndPass" }, { buttonNumClick: 0, loginInput: "user", passwordInput: "pass" } ); await checkPromise; diff --git a/dom/security/test/mixedcontentblocker/browser_test_mixed_content_download.js b/dom/security/test/mixedcontentblocker/browser_test_mixed_content_download.js index b103d83cd7..ee350008aa 100644 --- a/dom/security/test/mixedcontentblocker/browser_test_mixed_content_download.js +++ b/dom/security/test/mixedcontentblocker/browser_test_mixed_content_download.js @@ -101,7 +101,7 @@ function shouldTriggerDownload(action = "save") { }); } -const CONSOLE_ERROR_MESSAGE = "We blocked a download that’s not secure"; +const CONSOLE_ERROR_MESSAGE = "Blocked downloading insecure content"; function shouldConsoleError() { // Waits until CONSOLE_ERROR_MESSAGE was logged diff --git a/dom/security/test/mixedcontentblocker/file_csp_block_all_mixedcontent_and_mixed_content_display_upgrade.html b/dom/security/test/mixedcontentblocker/file_csp_block_all_mixedcontent_and_mixed_content_display_upgrade.html index 80e97443ed..62e705227f 100644 --- a/dom/security/test/mixedcontentblocker/file_csp_block_all_mixedcontent_and_mixed_content_display_upgrade.html +++ b/dom/security/test/mixedcontentblocker/file_csp_block_all_mixedcontent_and_mixed_content_display_upgrade.html 
@@ -8,7 +8,7 @@
 <body>
 <!--upgradeable resources--->
 <img id="some-img" src="http://test1.example.com/browser/dom/security/test/mixedcontentblocker/pass.png" width="100px">
- <video id="some-video" src="http://test1.example.com/browser/dom/security/test/mixedcontentblocker/test.ogv" width="100px">
+ <video id="some-video" src="http://test1.example.com/browser/dom/security/test/mixedcontentblocker/test.webm" width="100px">
 <audio id="some-audio" src="http://test1.example.com/browser/dom/security/test/mixedcontentblocker/test.wav" width="100px">
 </body>
 </html>
diff --git a/dom/security/test/mixedcontentblocker/file_server.sjs b/dom/security/test/mixedcontentblocker/file_server.sjs
index 4f86c282ee..90034dad3f 100644
--- a/dom/security/test/mixedcontentblocker/file_server.sjs
+++ b/dom/security/test/mixedcontentblocker/file_server.sjs
@@ -96,8 +96,8 @@ function handleRequest(request, response) {
 break;
 
 case "media":
- response.setHeader("Content-Type", "video/ogg", false);
- response.write(loadContentFromFile("tests/dom/media/test/320x240.ogv"));
+ response.setHeader("Content-Type", "video/webm", false);
+ response.write(loadContentFromFile("tests/dom/media/test/vp9.webm"));
 break;
 
 case "iframe":
diff --git a/dom/security/test/mixedcontentblocker/mochitest.toml b/dom/security/test/mixedcontentblocker/mochitest.toml
index 17d8cb4608..cf1d4827a0 100644
--- a/dom/security/test/mixedcontentblocker/mochitest.toml
+++ b/dom/security/test/mixedcontentblocker/mochitest.toml
@@ -16,7 +16,9 @@ support-files = [
 "file_main_bug803225.html",
 "file_main_bug803225_websocket_wsh.py",
 "file_server.sjs",
- "!/dom/media/test/320x240.ogv",
+ "!/dom/media/test/vp9.webm",
+ "test.webm",
+ "test.wav",
 "!/image/test/mochitest/blue.png",
 "file_redirect.html",
 "file_redirect_handler.sjs",
diff --git a/dom/security/test/mixedcontentblocker/test.ogv b/dom/security/test/mixedcontentblocker/test.ogv
Binary files differdeleted file mode 100644
index 0f83996e5d..0000000000
--- a/dom/security/test/mixedcontentblocker/test.ogv +++ /dev/null diff --git a/dom/security/test/mixedcontentblocker/test.webm b/dom/security/test/mixedcontentblocker/test.webm Binary files differnew file mode 100644 index 0000000000..221877e303 --- /dev/null +++ b/dom/security/test/mixedcontentblocker/test.webm diff --git a/dom/security/test/referrer-policy/browser.toml b/dom/security/test/referrer-policy/browser.toml index a77046c85b..ba571fec81 100644 --- a/dom/security/test/referrer-policy/browser.toml +++ b/dom/security/test/referrer-policy/browser.toml @@ -1,9 +1,10 @@ [DEFAULT] support-files = ["referrer_page.sjs"] -["browser_session_history.js"] -support-files = ["file_session_history.sjs"] - ["browser_referrer_disallow_cross_site_relaxing.js"] +skip-if = ["asan"] # too slow ["browser_referrer_telemetry.js"] + +["browser_session_history.js"] +support-files = ["file_session_history.sjs"] diff --git a/dom/security/test/referrer-policy/browser_referrer_disallow_cross_site_relaxing.js b/dom/security/test/referrer-policy/browser_referrer_disallow_cross_site_relaxing.js index 7f8df7b34b..84e79af3ef 100644 --- a/dom/security/test/referrer-policy/browser_referrer_disallow_cross_site_relaxing.js +++ b/dom/security/test/referrer-policy/browser_referrer_disallow_cross_site_relaxing.js @@ -191,6 +191,8 @@ add_setup(async function () { set: [ // Disable mixed content blocking to be able to test downgrade scenario. ["security.mixed_content.block_active_content", false], + // Disable https-first since we are testing http and https referrers + ["dom.security.https_first", false], ], }); }); |