/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* Any copyright is dedicated to the Public Domain.
 * http://creativecommons.org/publicdomain/zero/1.0/ */

// Tests that the site identity icon and related machinery reflect the correct
// security state after navigating an iframe in various contexts.
// See bug 1490982.

// Rewrite the chrome:// path of this test's directory into the HTTPS test
// origin, so the helper page below is first addressed over a secure scheme.
const ROOT_URI = getRootDirectory(gTestPath).replace(
  "chrome://mochitests/content",
  "https://example.com"
);
const SECURE_TEST_URI = `${ROOT_URI}iframe_navigation.html`;
// Same helper page with only the scheme swapped to plain HTTP; used by the
// tasks whose top-level document must start out "not secure".
// eslint-disable-next-line @microsoft/sdl/no-insecure-url
const INSECURE_TEST_URI = SECURE_TEST_URI.replace("https://", "http://");

// Exact identity-box class string expected on an insecure page. The extra
// "notSecureText" token is expected only while the pref below is true.
const NOT_SECURE_LABEL = !Services.prefs.getBoolPref(
  "security.insecure_connection_text.enabled"
)
  ? "notSecure"
  : "notSecure notSecureText";

// From a secure URI, navigate the iframe to about:blank (should still be
// secure).
add_task(async function () {
  // Looks the identity box up again on every call, so each assertion reads
  // the class string the browser chrome carries at that moment.
  const readIdentityClass = () =>
    window.document.getElementById("identity-box").className;

  const pageUri = `${SECURE_TEST_URI}#blank`;
  await BrowserTestUtils.withNewTab(pageUri, async browser => {
    is(
      readIdentityClass(),
      "verifiedDomain",
      "identity should be secure before"
    );

    // This callback executes in the tab's content context (it uses the
    // `content` global), so it is kept free of references to outer variables.
    await SpecialPowers.spawn(browser, [], async () => {
      // Empty payload with a wildcard target origin: the message is only the
      // trigger that kicks off the navigation and carries no data.
      content.postMessage("", "*");
      // Block until the page body no longer has the "running" class
      // (presumably cleared by the helper page once it is done; confirm
      // against iframe_navigation.html).
      await ContentTaskUtils.waitForCondition(
        () => !content.document.body.classList.contains("running")
      );
    });

    // about:blank inside a secure page must leave the indicator unchanged.
    is(
      readIdentityClass(),
      "verifiedDomain",
      "identity should be secure after"
    );
  });
});

// From a secure URI, navigate the iframe to an insecure URI (http://...)
// (mixed active content should be blocked, should still be secure).
add_task(async function () {
  const pageUri = `${SECURE_TEST_URI}#insecure`;
  await BrowserTestUtils.withNewTab(pageUri, async browser => {
    const classBefore =
      window.document.getElementById("identity-box").className;
    is(classBefore, "verifiedDomain", "identity should be secure before");

    // This callback executes in the tab's content context (it uses the
    // `content` global), so it is kept free of references to outer variables.
    await SpecialPowers.spawn(browser, [], async () => {
      // Empty payload with a wildcard target origin: the message is only the
      // trigger that kicks off the navigation and carries no data.
      content.postMessage("", "*");
      // Block until the page body no longer has the "running" class
      // (presumably cleared by the helper page once it is done; confirm
      // against iframe_navigation.html).
      await ContentTaskUtils.waitForCondition(
        () => !content.document.body.classList.contains("running")
      );
    });

    // Inspect the token list rather than the raw string: the assertions below
    // require exactly two states, "mixedActiveBlocked" and "verifiedDomain",
    // without depending on their order.
    const classesAfter =
      window.document.getElementById("identity-box").classList;
    ok(
      classesAfter.contains("mixedActiveBlocked"),
      "identity should be blocked mixed active content after"
    );
    ok(
      classesAfter.contains("verifiedDomain"),
      "identity should still contain 'verifiedDomain'"
    );
    // Any third token would mean an additional, unexpected security state is
    // being shown for this page.
    is(classesAfter.length, 2, "shouldn't have any other identity states");
  });
});

// From an insecure URI (http://..), navigate the iframe to about:blank (should
// still be insecure).
add_task(async function () {
  // Looks the identity box up again on every call, so each assertion reads
  // the class string the browser chrome carries at that moment.
  const readIdentityClass = () =>
    window.document.getElementById("identity-box").className;

  const pageUri = `${INSECURE_TEST_URI}#blank`;
  await BrowserTestUtils.withNewTab(pageUri, async browser => {
    is(
      readIdentityClass(),
      NOT_SECURE_LABEL,
      "identity should be 'not secure' before"
    );

    // This callback executes in the tab's content context (it uses the
    // `content` global), so it is kept free of references to outer variables.
    await SpecialPowers.spawn(browser, [], async () => {
      // Empty payload with a wildcard target origin: the message is only the
      // trigger that kicks off the navigation and carries no data.
      content.postMessage("", "*");
      // Block until the page body no longer has the "running" class
      // (presumably cleared by the helper page once it is done; confirm
      // against iframe_navigation.html).
      await ContentTaskUtils.waitForCondition(
        () => !content.document.body.classList.contains("running")
      );
    });

    // about:blank inside an insecure page must not change the indicator.
    is(
      readIdentityClass(),
      NOT_SECURE_LABEL,
      "identity should be 'not secure' after"
    );
  });
});

// From an insecure URI (http://..), navigate the iframe to a secure URI
// (https://...) (should still be insecure).
add_task(async function () {
  // Looks the identity box up again on every call, so each assertion reads
  // the class string the browser chrome carries at that moment.
  const readIdentityClass = () =>
    window.document.getElementById("identity-box").className;

  const pageUri = `${INSECURE_TEST_URI}#secure`;
  await BrowserTestUtils.withNewTab(pageUri, async browser => {
    is(
      readIdentityClass(),
      NOT_SECURE_LABEL,
      "identity should be 'not secure' before"
    );

    // This callback executes in the tab's content context (it uses the
    // `content` global), so it is kept free of references to outer variables.
    await SpecialPowers.spawn(browser, [], async () => {
      // Empty payload with a wildcard target origin: the message is only the
      // trigger that kicks off the navigation and carries no data.
      content.postMessage("", "*");
      // Block until the page body no longer has the "running" class
      // (presumably cleared by the helper page once it is done; confirm
      // against iframe_navigation.html).
      await ContentTaskUtils.waitForCondition(
        () => !content.document.body.classList.contains("running")
      );
    });

    // An https:// iframe must not make the insecure top-level page look
    // secure: the class string has to match the "not secure" label exactly.
    is(
      readIdentityClass(),
      NOT_SECURE_LABEL,
      "identity should be 'not secure' after"
    );
  });
});