blob: 3ed53d8108a25b1d5946527d79f44d77bcec78dc (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
|
<!DOCTYPE HTML>
<html>
<head>
<meta charset="utf-8">
<title>Bug 1139297 - Implement CSP upgrade-insecure-requests directive</title>
<!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
<script src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<iframe style="width:100%;" id="testframe"></iframe>
<script class="testbody" type="text/javascript">
/* Description of the test:
* We load a page serving two XHR requests (including being redirected);
* one that should not require CORS and one that should require cors, in particular:
*
* Test 1:
* Main page: https://test1.example.com
* XHR request: http://test1.example.com
* Redirect to: http://test1.example.com
* Description: Upgrade insecure should upgrade from http to https and also
* surpress CORS for that case.
*
* Test 2:
* Main page: https://test1.example.com
* XHR request: http://test1.example.com
* Redirect to: http://test1.example.com:443
* Description: Upgrade insecure should upgrade from http to https and also
* prevent CORS for that case.
* Note: If redirecting to a different port, then CORS *should* be enforced (unless
* it's port 443). Unfortunately we can't test that because of the setup of our
* *.sjs files; they only are able to listen to port 443, see:
* http://mxr.mozilla.org/mozilla-central/source/build/pgo/server-locations.txt#98
*
* Test 3:
* Main page: https://test1.example.com
* XHR request: http://test2.example.com
* Redirect to: http://test1.example.com
* Description: Upgrade insecure should *not* prevent CORS since
* the page performs a cross origin xhr.
*
*/
const CSP_POLICY = "upgrade-insecure-requests; script-src 'unsafe-inline'";
var tests = 3;
function loadTest() {
var src = "https://test1.example.com/tests/dom/security/test/csp/file_testserver.sjs?file=";
// append the file that should be served
src += escape("tests/dom/security/test/csp/file_upgrade_insecure_cors.html")
// append the CSP that should be used to serve the file
src += "&csp=" + escape(CSP_POLICY);
document.getElementById("testframe").src = src;
}
function checkResult(result) {
if (result === "test1-no-cors-ok" ||
result === "test2-no-cors-diffport-ok" ||
result === "test3-cors-ok") {
ok(true, "'upgrade-insecure-requests' acknowledges CORS (" + result + ")");
}
else {
ok(false, "'upgrade-insecure-requests' acknowledges CORS (" + result + ")");
}
if (--tests > 0) {
return;
}
window.removeEventListener("message", receiveMessage);
SimpleTest.finish();
}
// a postMessage handler that is used to bubble up results from
// within the iframe.
window.addEventListener("message", receiveMessage);
function receiveMessage(event) {
checkResult(event.data);
}
SimpleTest.waitForExplicitFinish();
loadTest();
</script>
</body>
</html>
|
