From 26a029d407be480d791972afb5975cf62c9360a6 Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Fri, 19 Apr 2024 02:47:55 +0200
Subject: Adding upstream version 124.0.1.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 .../test_forget_about_site_security_headers.js     | 119 +++++++++++++++++++++
 1 file changed, 119 insertions(+)
 create mode 100644 security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js

(limited to 'security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js')

diff --git a/security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js b/security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js
new file mode 100644
index 0000000000..3a595a3e08
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js
@@ -0,0 +1,119 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+ * vim: sw=2 ts=2 sts=2
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+"use strict";
+
+// Ensures that HSTS (HTTP Strict Transport Security) information is cleared
+// when using "Forget About This Site".
+
+const { ForgetAboutSite } = ChromeUtils.importESModule(
+  "resource://gre/modules/ForgetAboutSite.sys.mjs"
+);
+
+do_get_profile(); // must be done before instantiating nsIX509CertDB
+
+registerCleanupFunction(() => {
+  Services.prefs.clearUserPref("security.cert_pinning.enforcement_level");
+});
+
+const GOOD_MAX_AGE_SECONDS = 69403;
+const GOOD_MAX_AGE = `max-age=${GOOD_MAX_AGE_SECONDS};`;
+
+const sss = Cc["@mozilla.org/ssservice;1"].getService(
+  Ci.nsISiteSecurityService
+);
+const uri = Services.io.newURI("https://a.pinning.example.com");
+
+// Test the normal case of processing HSTS headers for a.pinning.example.com,
+// using "Forget About Site" on a.pinning2.example.com, and then checking
+// that the platform doesn't consider a.pinning.example.com to be HSTS any
+// longer.
+add_task(async function () {
+  sss.processHeader(uri, GOOD_MAX_AGE);
+
+  Assert.ok(sss.isSecureURI(uri), "a.pinning.example.com should be HSTS");
+
+  await ForgetAboutSite.removeDataFromDomain("a.pinning.example.com");
+
+  Assert.ok(
+    !sss.isSecureURI(uri),
+    "a.pinning.example.com should not be HSTS now"
+  );
+});
+
+// Test the case of processing HSTS headers for a.pinning.example.com, using
+// "Forget About Site" on example.com, and then checking that the platform
+// doesn't consider the subdomain to be HSTS any longer. Also test that
+// unrelated sites don't also get removed.
+add_task(async function () {
+  sss.processHeader(uri, GOOD_MAX_AGE);
+
+  Assert.ok(
+    sss.isSecureURI(uri),
+    "a.pinning.example.com should be HSTS (subdomain case)"
+  );
+
+  // Add an unrelated site to HSTS.
+  let unrelatedURI = Services.io.newURI("https://example.org");
+  sss.processHeader(unrelatedURI, GOOD_MAX_AGE);
+  Assert.ok(sss.isSecureURI(unrelatedURI), "example.org should be HSTS");
+
+  await ForgetAboutSite.removeDataFromDomain("example.com");
+
+  Assert.ok(
+    !sss.isSecureURI(uri),
+    "a.pinning.example.com should not be HSTS now (subdomain case)"
+  );
+
+  Assert.ok(sss.isSecureURI(unrelatedURI), "example.org should still be HSTS");
+});
+
+// Test the case of processing HSTS headers for a.pinning.example.com with
+// various originAttributes, using "Forget About Site" on example.com, and
+// then checking that the platform doesn't consider the subdomain to be HSTS
+// for any originAttributes any longer. Also test that unrelated sites don't
+// also get removed.
+add_task(async function () {
+  let originAttributesList = [
+    {},
+    { userContextId: 1 },
+    { firstPartyDomain: "foo.com" },
+    { userContextId: 1, firstPartyDomain: "foo.com" },
+  ];
+
+  let unrelatedURI = Services.io.newURI("https://example.org");
+
+  for (let originAttributes of originAttributesList) {
+    sss.processHeader(uri, GOOD_MAX_AGE, originAttributes);
+
+    Assert.ok(
+      sss.isSecureURI(uri, originAttributes),
+      "a.pinning.example.com should be HSTS (originAttributes case)"
+    );
+
+    // Add an unrelated site to HSTS.
+    sss.processHeader(unrelatedURI, GOOD_MAX_AGE, originAttributes);
+    Assert.ok(
+      sss.isSecureURI(unrelatedURI, originAttributes),
+      "example.org should be HSTS (originAttributes case)"
+    );
+  }
+
+  await ForgetAboutSite.removeDataFromDomain("example.com");
+
+  for (let originAttributes of originAttributesList) {
+    Assert.ok(
+      !sss.isSecureURI(uri, originAttributes),
+      "a.pinning.example.com should not be HSTS now " +
+        "(originAttributes case)"
+    );
+
+    Assert.ok(
+      sss.isSecureURI(unrelatedURI, originAttributes),
+      "example.org should still be HSTS (originAttributes case)"
+    );
+  }
+});
-- 
cgit v1.2.3