1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
|
<!DOCTYPE HTML>
<html>
<head>
<title>Test bug 466080</title>
<script src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<iframe id="frame1"
src="https://requireclientcert.example.com/tests/dom/base/test/bug466080.sjs">
This iframe should load the resource via the src-attribute from
a secure server which requires a client-cert. Doing this is
supposed to work, but further below in the test we try to load
the resource from the same url using a XHR, which should not work.
TODO : What if we change 'src' from JS? Would/should it load?
</iframe>
<script class="testbody" type="text/javascript">
"use strict";
onWindowLoad();
let alltests = [
// load resource from a relative url - this should work
{ url:"bug466080.sjs",
status_check:"==200",
error:"XHR from relative URL"},
// TODO - load the resource from a relative url via https..?
// load a non-existing resource - should get "404 Not Found"
{ url:"bug466080-does-not.exist",
status_check:"==404",
error:"XHR loading non-existing resource"},
// load resource from cross-site non-secure server
{ url:"http://test1.example.com/tests/dom/base/test/bug466080.sjs",
status_check:"==200",
error:"XHR from cross-site plaintext server"},
// load resource from cross-site secure server - should work since no credentials are needed
{ url:"https://test1.example.com/tests/dom/base/test/bug466080.sjs",
status_check:"==200",
error:"XHR from cross-site secure server"},
// load resource from cross-site secure server - should work since the server just requests certs
{ url:"https://requestclientcert.example.com/tests/dom/base/test/bug466080.sjs",
status_check:"==200",
error:"XHR from cross-site secure server requesting certificate"},
// load resource from cross-site secure server - should NOT work since the server requires cert
// note that this is the url which is used in the iframe.src above
{ url:"https://requireclientcert.example.com/tests/dom/base/test/bug466080.sjs",
status_check:"!=200",
error:"XHR from cross-site secure server requiring certificate"},
// repeat previous, - should NOT work
{ url:"https://requireclientcert.example.com/tests/dom/base/test/bug466080.sjs",
status_check:"==200",
error:"XHR w/ credentials from cross-site secure server requiring certificate",
withCredentials:"true"},
// repeat previous, but with credentials - should work
{ url:"https://requireclientcert.example.com/tests/dom/base/test/bug466080.sjs",
status_check:"==200",
error:"XHR w/ credentials from cross-site secure server requiring certificate",
withCredentials:"true"},
// repeat previous, withCredentials but using a weird method to force preflight
// should NOT work since our preflight is anonymous and will fail with our simple server
{ url:"https://requireclientcert.example.com/tests/dom/base/test/bug466080.sjs",
status_check:"!=200",
error:"XHR PREFLIGHT from cross-site secure server requiring certificate",
withCredentials:"true",
method:"XMETHOD"},
// repeat previous, withCredentials but using a weird method to force preflight
// Set network.cors_preflight.allow_client_cert pref, that will allow cers on an
// anonymous connection.
// This should work since our preflight will work now.
{ url:"https://requireclientcert.example.com/tests/dom/base/test/bug466080.sjs",
status_check:"==200",
error:"XHR PREFLIGHT from cross-site secure server requiring certificate",
withCredentials:"true",
method:"XMETHOD",
enableCertOnPreflight: true},
{ cleanEnableCertOnPreflight: true},
];
async function onWindowLoad() {
// First, check that resource was loaded into the iframe
// This check in fact depends on bug #444165... :)
await new Promise(resolve => {
document.getElementById("frame1").onload = () => { resolve(); };
});
async function runTest(test) {
if (test.cleanEnableCertOnPreflight) {
await SpecialPowers.pushPrefEnv({"set": [["network.cors_preflight.allow_client_cert", false]]});
if (!alltests.length) {
SimpleTest.finish();
} else {
runTest(alltests.shift());
}
} else {
if (test.enableCertOnPreflight != null) {
await SpecialPowers.pushPrefEnv({"set": [["network.cors_preflight.allow_client_cert", true]]});
}
var xhr = new XMLHttpRequest();
var method = "GET";
if (test.method != null) { method = test.method; }
xhr.open(method, test.url);
xhr.withCredentials = test.withCredentials;
SpecialPowers.wrap(xhr).setRequestHeader("Connection", "Keep-Alive", false);
try {
xhr.send();
} catch(e) {
}
xhr.onloadend = function() {
// eslint-disable-next-line no-eval
var success = eval(xhr.status + test.status_check);
ok(success, test.error);
if (!alltests.length) {
SimpleTest.finish();
} else {
runTest(alltests.shift());
}
};
}
}
runTest(alltests.shift());
}
SimpleTest.waitForExplicitFinish();
</script>
</body>
</html>
|