1 files changed, 91 insertions, 0 deletions

diff --git a/dom/security/test/csp/test_upgrade_insecure_loopback.html b/dom/security/test/csp/test_upgrade_insecure_loopback.html
new file mode 100644
index 0000000000..f72f95215e
--- /dev/null
+++ b/dom/security/test/csp/test_upgrade_insecure_loopback.html
@@ -0,0 +1,91 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Bug 1447784 - Implement CSP upgrade-insecure-requests directive</title>
+  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<iframe style="width:100%;" id="testframe"></iframe>
+
+<script class="testbody" type="text/javascript">
+
+/* Description of the test:
+ * We load a page that performs a CORS XHR to 127.0.0.1 which shouldn't be upgraded to https:
+ *
+ * Test 1:
+ *   Main page:   https://127.0.0.1:8080
+ *   XHR request: http://127.0.0.1:8080
+ *   No redirect to https://
+ *   Description: Upgrade insecure should *NOT* upgrade from http to https.
+ */
+
+const CSP_POLICY = "upgrade-insecure-requests; script-src 'unsafe-inline'";
+let testFiles = ["tests/dom/security/test/csp/file_upgrade_insecure_loopback.html",
+                 "tests/dom/security/test/csp/file_upgrade_insecure_loopback_form.html"];
+
+function examiner() {
+  SpecialPowers.addObserver(this, "specialpowers-http-notify-request");
+}
+examiner.prototype = {
+  observe(subject, topic, data) {
+    if (topic === "specialpowers-http-notify-request") {
+      // we skip looking at other requests that might be observed accidentally
+      // e.g., we saw kinto requests when running this test locally
+      if (data.includes("bug-1661423-dont-upgrade-localhost")) {
+        let urlObj = new URL(data);
+        is(urlObj.protocol, "http:", "Didn't upgrade localhost URL");
+        loadTest();
+      }
+    }
+  },
+  remove() {
+    SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
+  }
+};
+
+window.examiner = new examiner();
+
+
+function loadTest() {
+  if (!testFiles.length) {
+    removeAndFinish();
+    return;
+  }
+  var src = "https://example.com/tests/dom/security/test/csp/file_testserver.sjs?file=";
+  // append the file that should be served
+  src += escape(testFiles.shift())
+  // append the CSP that should be used to serve the file
+  src += "&csp=" + escape(CSP_POLICY);
+  document.getElementById("testframe").src = src;
+}
+
+function removeAndFinish() {
+  window.removeEventListener("message", receiveMessage);
+  window.examiner.remove();
+  SimpleTest.finish();
+}
+
+// a postMessage handler that is used to bubble up results from
+// within the iframe.
+window.addEventListener("message", receiveMessage);
+function receiveMessage(event) {
+  if (event.data === "request-not-https") {
+    ok(true, "Didn't upgrade 127.0.0.1:8080 to https://");
+    loadTest();
+  }
+}
+
+SimpleTest.waitForExplicitFinish();
+
+// By default, proxies don't apply to 127.0.0.1.
+// We need them to for this test (at least on android), though:
+SpecialPowers.pushPrefEnv({set: [
+  ["network.proxy.allow_hijacking_localhost", true]
+]}).then(loadTest);
+
+</script>
+</body>
+</html>