blob: 5ec749bf4d5c42428af27feb9ad884c641f91bae (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
|
<!DOCTYPE HTML>
<html>
<head>
<title>Bug 1648825 - Fetch Metadata Headers contain invalid value for Sec-Fetch-Site for history manipulation</title>
<!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
<script src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<script class="testbody" type="text/javascript">
const REQUEST_PATH = 'tests/dom/security/test/sec-fetch/file_no_cache.sjs'
let sendHome = true;
let testCounter = 0;
let testFrame;
var script = SpecialPowers.loadChromeScript(() => {
/* eslint-env mozilla/chrome-script */
Services.obs.addObserver(function onExamResp(subject, topic, data) {
let channel = subject.QueryInterface(Ci.nsIHttpChannel);
info("request observed: " + channel.URI.spec);
if (!channel.URI.spec.startsWith("https://example.org")) {
return;
}
let headerPresent = false;
try {
is(channel.getRequestHeader("Sec-Fetch-Site"), "cross-site", "testing sec-fetch-site is cross-site");
// This should fail and cause the catch clause to be executed.
channel.getRequestHeader("Sec-Fetch-User");
headerPresent = true;
} catch (e) {
headerPresent = false;
}
ok(!headerPresent, "testing sec-fetch-user header is not set");
sendAsyncMessage("test-pass");
}, "http-on-stop-request");
});
script.addMessageListener("test-pass", () => {
testCounter++;
if(testCounter == 2) {
SimpleTest.finish();
}
});
window.addEventListener("message", function (event) {
iframeAction(event.data.test);
});
function iframeAction(test) {
info("received message " + test);
switch (test) {
case 'test':
testFrame.contentWindow.location = `https://example.org/${REQUEST_PATH}?test#bypass`;
if(sendHome) {
// We need to send the message manually here because there is no request send to the server.
window.postMessage({test: "home"}, "*");
sendHome = false;
}
break;
case 'home':
testFrame.contentWindow.location = `/${REQUEST_PATH}?back`;
break;
case 'back':
testFrame.contentWindow.history.back();
break;
}
}
SimpleTest.waitForExplicitFinish();
testFrame = document.createElement('iframe');
testFrame.src = `https://example.org/${REQUEST_PATH}?test`;
document.body.appendChild(testFrame);
</script>
</body>
</html>
|