1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
|
<!DOCTYPE HTML>
<html>
<!--
https://bugzilla.mozilla.org/show_bug.cgi?id=1247733
-->
<head>
<meta charset="utf-8">
<title>Test for Bug 1247733</title>
<script src="/tests/SimpleTest/SimpleTest.js"></script>
<script src="/tests/SimpleTest/WindowSnapshot.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
</head>
<body>
<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1247733">Mozilla Bug 1247733</a>
<p id="display">
<iframe id="myIframe"></iframe>
</p>
<div id="content" style="display: none">
</div>
<pre id="test"></pre>
<script type="application/javascript">
/** Test for Bug 1247733 **/
/**
* This test ensures that we render the SVG 'use' element correctly, in
* pages that have been upgraded from HTTP to HTTPS using strict transport
* security (HSTS)
*
* Specifically:
* (1) We load a file using HTTPS, in an iframe. The file gets sent
* with a Strict-Transport-Security flag.
* (2) We load the same file again, but now over HTTP (which should get
* upgraded to HTTPS, since we received the Strict-Transport-Security
* flag during the first load).
* (3) After each of the above loads, we take a snapshot of the iframe
* and ensure that it renders as fully lime (which the 'use' element
* is responsible for). If the 'use' element fails to render, the iframe
* will be fully red, and we'll fail an "assertSnapshots" check.
*/
SimpleTest.waitForExplicitFinish();
const iframe = document.getElementById("myIframe");
const iframeWin = iframe.contentWindow;
// URI for our testcase with 'use' element, via HTTP and HTTPS:
const insecureURI = "http://example.com/tests/dom/svg/test/use-with-hsts-helper.html";
const secureURI = "https://example.com/tests/dom/svg/test/use-with-hsts-helper.html";
// Bookkeeping to be sure receiveMessage is called as many times as we expect:
var numPostMessageCalls = 0;
const expectedNumPostMessageCalls = 2; // (We load the helper file twice.)
// Helper function, called via postMessage, to check iframe's actual location:
function receiveMessage(event) {
is(event.data, secureURI, "iframe should end up viewing secure URI");
numPostMessageCalls++;
}
// Convenience helper which makes |iframe| load the given |uri|. Returns
// a promise that resolves when the load completes. This makes it handy to
// use with 'await', to avoid onload callback hell.
async function LoadIframeAsync(uri) {
return new Promise(resolve => {
iframe.addEventListener("load", resolve, {once: true});
// Kick off the requested load:
iframe.src = uri;
});
}
// MAIN TEST CODE BEGINS HERE.
async function runTest() {
// Capture a snapshot with nothing in the iframe, so we can do a
// sanity-check not-equal comparison against our reference case, to be
// sure we're rendering anything at all:
let blankSnapshot = await snapshotWindow(iframeWin);
// Load & snapshot a reference case (fully lime):
await LoadIframeAsync("data:text/html,<body style='background:lime'>");
let refSnapshot = await snapshotWindow(iframeWin);
// Ensure reference snapshot looks different from blank snapshot:
assertSnapshots(refSnapshot, blankSnapshot,
false /* not equal*/, null /* no fuzz*/,
"refSnapshot", "blankSnapshot");
// OK, assuming we've got a valid refSnapshot, we can now proceed to
// capture test screenshots.
// Register a postMessage handler, so that iframe can report its location:
window.addEventListener("message", receiveMessage);
// Load & snapshot secure (HTTPS) version of testcase, & check against ref:
await LoadIframeAsync(secureURI);
let secureSnapshot = await snapshotWindow(iframeWin);
assertSnapshots(secureSnapshot, refSnapshot,
true /* equal*/, null /* no fuzz*/,
"secureSnapshot", "refSnapshot");
// Load insecure (HTTP) version of testcase (which should get
// automatically upgraded to secure (HTTPS) under the hood):
await LoadIframeAsync(insecureURI);
// Double-check that iframe is really pointed at insecure URI, to be sure
// we're actually exercising HSTS. (Note that receiveMessage() will make
// sure it's been upgraded to a secure HTTPS URI under the hood.)
is(iframe.src, insecureURI,
"test should've attempted to load insecure HTTP URI, to exercise HSTS");
// Capture snapshot of iframe showing upgraded-to-HTTPS version of testcase:
let upgradedSnapshot = await snapshotWindow(iframeWin);
assertSnapshots(upgradedSnapshot, refSnapshot,
true /* equal*/, null /* no fuzz*/,
"upgradedSnapshot", "refSnapshot");
// Check that the iframe did actually invoke our postMessage handler (which
// is where we verify that the HSTS upgrade actually happened):
is(numPostMessageCalls, expectedNumPostMessageCalls,
"didn't receive as many messages from child iframe as expected");
// We're done! Clear the STS headers that we set, and finish.
SpecialPowers.cleanUpSTSData("http://example.com");
SimpleTest.finish();
}
SpecialPowers.pushPrefEnv(
{ 'set': [["security.mixed_content.block_active_content", false]] },
function() { runTest(); }
);
</script>
</body>
</html>
|