dom/security/test/https-first/browser_subdocument_downgrade.js


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60

/* Any copyright is dedicated to the Public Domain.
   https://creativecommons.org/publicdomain/zero/1.0/ */

"use strict";

const EMPTY_URL =
  "http://example.com/browser/dom/security/test/https-first/file_empty.html";
const SUBDOCUMENT_URL =
  "https://example.com/browser/dom/security/test/https-first/file_subdocument_downgrade.sjs";

add_task(async function test_subdocument_downgrade() {
  await SpecialPowers.pushPrefEnv({
    set: [
      // We want to test HTTPS-First
      ["dom.security.https_first", true],
      // Makes it easier to detect the error
      ["security.mixed_content.block_active_content", false],
    ],
  });

  // Open a empty document with origin http://example.com, which gets upgraded
  // to https://example.com by HTTPS-First and thus is marked as
  // HTTPS_ONLY_UPGRADED_HTTPS_FIRST.
  await BrowserTestUtils.withNewTab(EMPTY_URL, async browser => {
    await SpecialPowers.spawn(
      browser,
      [SUBDOCUMENT_URL],
      async SUBDOCUMENT_URL => {
        function isCrossOriginIframe(iframe) {
          try {
            return !iframe.contentDocument;
          } catch (e) {
            return true;
          }
        }
        const subdocument = content.document.createElement("iframe");
        // We open https://example.com/.../file_subdocument_downgrade.sjs in a
        // iframe, which sends a invalid response if the scheme is https. Thus
        // we should get an error. But if we accidentally copy the
        // HTTPS_ONLY_UPGRADED_HTTPS_FIRST flag from the parent into the iframe
        // loadinfo, HTTPS-First will try to downgrade the iframe. We test that
        // this doesn't happen.
        subdocument.src = SUBDOCUMENT_URL;
        const loadPromise = new Promise(resolve => {
          subdocument.addEventListener("load", () => {
            ok(
              // If the iframe got downgraded, it should now have the origin
              // http://example.com, which we can detect as being cross-origin.
              !isCrossOriginIframe(subdocument),
              "Subdocument should not be downgraded"
            );
            resolve();
          });
        });
        content.document.body.appendChild(subdocument);
        await loadPromise;
      }
    );
  });
});