From 36d22d82aa202bb199967e9512281e9a53db42c9 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 7 Apr 2024 21:33:14 +0200 Subject: Adding upstream version 115.7.0esr. Signed-off-by: Daniel Baumann --- dom/security/test/sec-fetch/browser.ini | 10 ++ .../test/sec-fetch/browser_external_loads.js | 176 ++++++++++++++++++++ dom/security/test/sec-fetch/browser_navigation.js | 178 +++++++++++++++++++++ dom/security/test/sec-fetch/file_dummy_link.html | 9 ++ .../test/sec-fetch/file_dummy_link_location.html | 9 ++ dom/security/test/sec-fetch/file_no_cache.sjs | 28 ++++ dom/security/test/sec-fetch/file_redirect.sjs | 34 ++++ .../test/sec-fetch/file_trustworthy_loopback.html | 11 ++ dom/security/test/sec-fetch/file_websocket_wsh.py | 6 + dom/security/test/sec-fetch/mochitest.ini | 19 +++ .../test_iframe_history_manipulation.html | 85 ++++++++++ .../sec-fetch/test_iframe_src_metaRedirect.html | 95 +++++++++++ .../sec-fetch/test_iframe_srcdoc_metaRedirect.html | 95 +++++++++++ .../test_iframe_window_open_metaRedirect.html | 98 ++++++++++++ .../test/sec-fetch/test_trustworthy_loopback.html | 77 +++++++++ dom/security/test/sec-fetch/test_websocket.html | 74 +++++++++ 16 files changed, 1004 insertions(+) create mode 100644 dom/security/test/sec-fetch/browser.ini create mode 100644 dom/security/test/sec-fetch/browser_external_loads.js create mode 100644 dom/security/test/sec-fetch/browser_navigation.js create mode 100644 dom/security/test/sec-fetch/file_dummy_link.html create mode 100644 dom/security/test/sec-fetch/file_dummy_link_location.html create mode 100644 dom/security/test/sec-fetch/file_no_cache.sjs create mode 100644 dom/security/test/sec-fetch/file_redirect.sjs create mode 100644 dom/security/test/sec-fetch/file_trustworthy_loopback.html create mode 100644 dom/security/test/sec-fetch/file_websocket_wsh.py create mode 100644 dom/security/test/sec-fetch/mochitest.ini create mode 100644 dom/security/test/sec-fetch/test_iframe_history_manipulation.html create mode 100644 dom/security/test/sec-fetch/test_iframe_src_metaRedirect.html create mode 100644 dom/security/test/sec-fetch/test_iframe_srcdoc_metaRedirect.html create mode 100644 dom/security/test/sec-fetch/test_iframe_window_open_metaRedirect.html create mode 100644 dom/security/test/sec-fetch/test_trustworthy_loopback.html create mode 100644 dom/security/test/sec-fetch/test_websocket.html (limited to 'dom/security/test/sec-fetch') diff --git a/dom/security/test/sec-fetch/browser.ini b/dom/security/test/sec-fetch/browser.ini new file mode 100644 index 0000000000..ab9c0b1a7d --- /dev/null +++ b/dom/security/test/sec-fetch/browser.ini @@ -0,0 +1,10 @@ +[DEFAULT] +support-files = file_no_cache.sjs + +[browser_navigation.js] +[browser_external_loads.js] +skip-if = + os == "win" && os_version == "6.1" # Skip on Azure - frequent failure +support-files = + file_dummy_link.html + file_dummy_link_location.html diff --git a/dom/security/test/sec-fetch/browser_external_loads.js b/dom/security/test/sec-fetch/browser_external_loads.js new file mode 100644 index 0000000000..0340b46899 --- /dev/null +++ b/dom/security/test/sec-fetch/browser_external_loads.js @@ -0,0 +1,176 @@ +"use strict"; + +const TEST_PATH = getRootDirectory(gTestPath).replace( + "chrome://mochitests/content", + "https://example.com" +); + +var gExpectedHeader = {}; + +function checkSecFetchUser(subject, topic, data) { + let channel = subject.QueryInterface(Ci.nsIHttpChannel); + if (!channel.URI.spec.startsWith("https://example.com")) { + return; + } + + info(`testing headers for load of ${channel.URI.spec}`); + + const secFetchHeaders = [ + "sec-fetch-mode", + "sec-fetch-dest", + "sec-fetch-user", + "sec-fetch-site", + ]; + + secFetchHeaders.forEach(header => { + const expectedValue = gExpectedHeader[header]; + try { + is( + channel.getRequestHeader(header), + expectedValue, + `${header} is set to ${expectedValue}` + ); + } catch (e) { + if (expectedValue) { + ok(false, `${header} should be set`); + } else { + ok(true, `${header} should not be set`); + } + } + }); +} + +add_task(async function external_load() { + waitForExplicitFinish(); + Services.obs.addObserver(checkSecFetchUser, "http-on-stop-request"); + + let headersChecked = new Promise(resolve => { + let reqStopped = async (subject, topic, data) => { + Services.obs.removeObserver(reqStopped, "http-on-stop-request"); + resolve(); + }; + Services.obs.addObserver(reqStopped, "http-on-stop-request"); + }); + + // System fetch. Shouldn't use Sec- headers for that. + gExpectedHeader = { + "sec-fetch-site": null, + "sec-fetch-mode": null, + "sec-fetch-dest": null, + "sec-fetch-user": null, + }; + await window.fetch(`${TEST_PATH}file_dummy_link.html?sysfetch`); + await headersChecked; + + // Simulate an external load in the *current* window with + // Ci.nsIBrowserDOMWindow.OPEN_EXTERNAL and the system principal. + gExpectedHeader = { + "sec-fetch-site": "none", + "sec-fetch-mode": "navigate", + "sec-fetch-dest": "document", + "sec-fetch-user": "?1", + }; + + let loaded = BrowserTestUtils.browserLoaded(gBrowser.selectedBrowser); + window.browserDOMWindow.openURI( + makeURI(`${TEST_PATH}file_dummy_link.html`), + null, + Ci.nsIBrowserDOMWindow.OPEN_CURRENTWINDOW, + Ci.nsIBrowserDOMWindow.OPEN_EXTERNAL, + Services.scriptSecurityManager.getSystemPrincipal() + ); + await loaded; + + // Open a link in a *new* window through the context menu. + gExpectedHeader = { + "sec-fetch-site": "same-origin", + "sec-fetch-mode": "navigate", + "sec-fetch-dest": "document", + "sec-fetch-user": "?1", + }; + + loaded = BrowserTestUtils.waitForNewWindow({ + url: `${TEST_PATH}file_dummy_link_location.html`, + }); + BrowserTestUtils.waitForEvent(document, "popupshown", false, event => { + document.getElementById("context-openlink").doCommand(); + event.target.hidePopup(); + return true; + }); + BrowserTestUtils.synthesizeMouseAtCenter( + "#dummylink", + { type: "contextmenu", button: 2 }, + gBrowser.selectedBrowser + ); + + let win = await loaded; + win.close(); + + // Simulate an external load in a *new* window with + // Ci.nsIBrowserDOMWindow.OPEN_EXTERNAL and the system principal. + gExpectedHeader = { + "sec-fetch-site": "none", + "sec-fetch-mode": "navigate", + "sec-fetch-dest": "document", + "sec-fetch-user": "?1", + }; + + loaded = BrowserTestUtils.waitForNewWindow({ + url: "https://example.com/newwindow", + }); + window.browserDOMWindow.openURI( + makeURI("https://example.com/newwindow"), + null, + Ci.nsIBrowserDOMWindow.OPEN_NEWWINDOW, + Ci.nsIBrowserDOMWindow.OPEN_EXTERNAL, + Services.scriptSecurityManager.getSystemPrincipal() + ); + win = await loaded; + win.close(); + + // Open a *new* window through window.open without user activation. + gExpectedHeader = { + "sec-fetch-site": "same-origin", + "sec-fetch-mode": "navigate", + "sec-fetch-dest": "document", + }; + + loaded = BrowserTestUtils.waitForNewWindow({ + url: "https://example.com/windowopen", + }); + await SpecialPowers.spawn(gBrowser.selectedBrowser, [], () => { + content.window.open( + "https://example.com/windowopen", + "_blank", + "height=500,width=500" + ); + }); + win = await loaded; + win.close(); + + // Open a *new* window through window.open with user activation. + gExpectedHeader = { + "sec-fetch-site": "same-origin", + "sec-fetch-mode": "navigate", + "sec-fetch-dest": "document", + "sec-fetch-user": "?1", + }; + + loaded = BrowserTestUtils.waitForNewWindow({ + url: "https://example.com/windowopen_withactivation", + }); + await SpecialPowers.spawn(gBrowser.selectedBrowser, [], () => { + content.document.notifyUserGestureActivation(); + content.window.open( + "https://example.com/windowopen_withactivation", + "_blank", + "height=500,width=500" + ); + content.document.clearUserGestureActivation(); + }); + win = await loaded; + win.close(); + + Services.obs.removeObserver(checkSecFetchUser, "http-on-stop-request"); + finish(); +}); diff --git a/dom/security/test/sec-fetch/browser_navigation.js b/dom/security/test/sec-fetch/browser_navigation.js new file mode 100644 index 0000000000..642dcab76e --- /dev/null +++ b/dom/security/test/sec-fetch/browser_navigation.js @@ -0,0 +1,178 @@ +"use strict"; + +const REQUEST_URL = + "https://example.com/browser/dom/security/test/sec-fetch/file_no_cache.sjs"; + +let gTestCounter = 0; +let gExpectedHeader = {}; + +async function setup() { + waitForExplicitFinish(); +} + +function checkSecFetchUser(subject, topic, data) { + let channel = subject.QueryInterface(Ci.nsIHttpChannel); + if (!channel.URI.spec.startsWith("https://example.com/")) { + return; + } + + info(`testing headers for load of ${channel.URI.spec}`); + + const secFetchHeaders = [ + "sec-fetch-mode", + "sec-fetch-dest", + "sec-fetch-user", + "sec-fetch-site", + ]; + + secFetchHeaders.forEach(header => { + const expectedValue = gExpectedHeader[header]; + try { + is( + channel.getRequestHeader(header), + expectedValue, + `${header} is set to ${expectedValue}` + ); + } catch (e) { + if (expectedValue) { + ok(false, "required headers are set"); + } else { + ok(true, `${header} should not be set`); + } + } + }); + + gTestCounter++; +} + +async function testNavigations() { + gTestCounter = 0; + + // Load initial site + let loaded = BrowserTestUtils.browserLoaded(gBrowser.selectedBrowser); + BrowserTestUtils.loadURIString(gBrowser, REQUEST_URL + "?test1"); + await loaded; + + // Load another site + loaded = BrowserTestUtils.browserLoaded(gBrowser.selectedBrowser); + await SpecialPowers.spawn(gBrowser.selectedBrowser, [], async function () { + content.document.notifyUserGestureActivation(); // simulate user activation + let test2Button = content.document.getElementById("test2_button"); + test2Button.click(); + content.document.clearUserGestureActivation(); + }); + await loaded; + // Load another site + loaded = BrowserTestUtils.browserLoaded(gBrowser.selectedBrowser); + await SpecialPowers.spawn(gBrowser.selectedBrowser, [], async function () { + content.document.notifyUserGestureActivation(); // simulate user activation + let test3Button = content.document.getElementById("test3_button"); + test3Button.click(); + content.document.clearUserGestureActivation(); + }); + await loaded; + + gExpectedHeader = { + "sec-fetch-mode": "navigate", + "sec-fetch-dest": "document", + "sec-fetch-site": "same-origin", + "sec-fetch-user": "?1", + }; + + // Register the http request observer. + // All following actions should cause requests with the sec-fetch-user header + // set. + Services.obs.addObserver(checkSecFetchUser, "http-on-stop-request"); + + // Go back one site by clicking the back button + info("Clicking back button"); + loaded = BrowserTestUtils.browserLoaded(gBrowser.selectedBrowser); + document.notifyUserGestureActivation(); // simulate user activation + let backButton = document.getElementById("back-button"); + backButton.click(); + document.clearUserGestureActivation(); + await loaded; + + // Reload the site by clicking the reload button + info("Clicking reload button"); + loaded = BrowserTestUtils.browserLoaded(gBrowser.selectedBrowser); + document.notifyUserGestureActivation(); // simulate user activation + let reloadButton = document.getElementById("reload-button"); + await TestUtils.waitForCondition(() => { + return !reloadButton.disabled; + }); + reloadButton.click(); + document.clearUserGestureActivation(); + await loaded; + + // Go forward one site by clicking the forward button + info("Clicking forward button"); + loaded = BrowserTestUtils.browserLoaded(gBrowser.selectedBrowser); + document.notifyUserGestureActivation(); // simulate user activation + let forwardButton = document.getElementById("forward-button"); + forwardButton.click(); + document.clearUserGestureActivation(); + await loaded; + + // Testing history.back/forward... + + info("going back with history.back"); + loaded = BrowserTestUtils.browserLoaded(gBrowser.selectedBrowser); + await SpecialPowers.spawn(gBrowser.selectedBrowser, [], async function () { + content.document.notifyUserGestureActivation(); // simulate user activation + content.history.back(); + content.document.clearUserGestureActivation(); + }); + await loaded; + + info("going forward with history.forward"); + loaded = BrowserTestUtils.browserLoaded(gBrowser.selectedBrowser); + await SpecialPowers.spawn(gBrowser.selectedBrowser, [], async function () { + content.document.notifyUserGestureActivation(); // simulate user activation + content.history.forward(); + content.document.clearUserGestureActivation(); + }); + await loaded; + + gExpectedHeader = { + "sec-fetch-mode": "navigate", + "sec-fetch-dest": "document", + "sec-fetch-site": "same-origin", + }; + + info("going back with history.back without user activation"); + loaded = BrowserTestUtils.browserLoaded(gBrowser.selectedBrowser); + await SpecialPowers.spawn(gBrowser.selectedBrowser, [], async function () { + content.history.back(); + }); + await loaded; + + info("going forward with history.forward without user activation"); + loaded = BrowserTestUtils.browserLoaded(gBrowser.selectedBrowser); + await SpecialPowers.spawn(gBrowser.selectedBrowser, [], async function () { + content.history.forward(); + }); + await loaded; + + ok(gTestCounter === 7, "testing that all five actions have been tested."); + + Services.obs.removeObserver(checkSecFetchUser, "http-on-stop-request"); +} + +add_task(async function () { + waitForExplicitFinish(); + + await testNavigations(); + + // If fission is enabled we also want to test the navigations with the bfcache + // in the parent. + if (SpecialPowers.getBoolPref("fission.autostart")) { + await SpecialPowers.pushPrefEnv({ + set: [["fission.bfcacheInParent", true]], + }); + + await testNavigations(); + } + + finish(); +}); diff --git a/dom/security/test/sec-fetch/file_dummy_link.html b/dom/security/test/sec-fetch/file_dummy_link.html new file mode 100644 index 0000000000..2150054226 --- /dev/null +++ b/dom/security/test/sec-fetch/file_dummy_link.html @@ -0,0 +1,9 @@ + + + + Bug 1738694 - Sec-Fetch-User header is missing when opening a link in a new window + + + Open + + diff --git a/dom/security/test/sec-fetch/file_dummy_link_location.html b/dom/security/test/sec-fetch/file_dummy_link_location.html new file mode 100644 index 0000000000..9f9400e1c3 --- /dev/null +++ b/dom/security/test/sec-fetch/file_dummy_link_location.html @@ -0,0 +1,9 @@ + + + + Bug 1738694 - Sec-Fetch-User header is missing when opening a link in a new window + + +

file_dummy_link_location.html

+ + diff --git a/dom/security/test/sec-fetch/file_no_cache.sjs b/dom/security/test/sec-fetch/file_no_cache.sjs new file mode 100644 index 0000000000..9e75209e44 --- /dev/null +++ b/dom/security/test/sec-fetch/file_no_cache.sjs @@ -0,0 +1,28 @@ +const MESSAGE_PAGE = function (msg) { + return ` + + + + + Click me + Click me + + +`; +}; + +function handleRequest(request, response) { + response.setHeader("Cache-Control", "no-store"); + response.setHeader("Content-Type", "text/html"); + + response.write(MESSAGE_PAGE(request.queryString)); +} diff --git a/dom/security/test/sec-fetch/file_redirect.sjs b/dom/security/test/sec-fetch/file_redirect.sjs new file mode 100644 index 0000000000..84c2c39913 --- /dev/null +++ b/dom/security/test/sec-fetch/file_redirect.sjs @@ -0,0 +1,34 @@ +const SITE_META_REDIRECT = ` + + + + + + META REDIRECT + + +`; + +const REDIRECT_302 = + "https://example.com/tests/dom/security/test/sec-fetch/file_redirect.sjs?pageC"; + +function handleRequest(req, res) { + // avoid confusing cache behaviour + res.setHeader("Cache-Control", "no-cache", false); + res.setHeader("Content-Type", "text/html", false); + + switch (req.queryString) { + case "meta": + res.write(SITE_META_REDIRECT); + return; + case "redirect302": + res.setStatusLine("1.1", 302, "Found"); + res.setHeader("Location", REDIRECT_302, false); + return; + case "pageC": + res.write("PAGE C"); + return; + } + + res.write(`THIS SHOULD NEVER BE DISPLAYED`); +} diff --git a/dom/security/test/sec-fetch/file_trustworthy_loopback.html b/dom/security/test/sec-fetch/file_trustworthy_loopback.html new file mode 100644 index 0000000000..88f9242650 --- /dev/null +++ b/dom/security/test/sec-fetch/file_trustworthy_loopback.html @@ -0,0 +1,11 @@ + + + + Bug 1732069: Sec-Fetch-Site inconsistent on localhost/IPs + + + + + + + diff --git a/dom/security/test/sec-fetch/file_websocket_wsh.py b/dom/security/test/sec-fetch/file_websocket_wsh.py new file mode 100644 index 0000000000..b7159c742b --- /dev/null +++ b/dom/security/test/sec-fetch/file_websocket_wsh.py @@ -0,0 +1,6 @@ +def web_socket_do_extra_handshake(request): + pass + + +def web_socket_transfer_data(request): + pass diff --git a/dom/security/test/sec-fetch/mochitest.ini b/dom/security/test/sec-fetch/mochitest.ini new file mode 100644 index 0000000000..4c27cdb2fe --- /dev/null +++ b/dom/security/test/sec-fetch/mochitest.ini @@ -0,0 +1,19 @@ +[DEFAULT] +support-files = + file_no_cache.sjs + file_redirect.sjs + +[test_iframe_history_manipulation.html] +[test_iframe_src_metaRedirect.html] +[test_iframe_srcdoc_metaRedirect.html] +[test_iframe_window_open_metaRedirect.html] +[test_trustworthy_loopback.html] +skip-if = + os == "linux" && !fission # Bug 1805760 + http3 +support-files = file_trustworthy_loopback.html +[test_websocket.html] +skip-if = + toolkit == 'android' # no websocket support Bug 982828 + http3 +support-files = file_websocket_wsh.py diff --git a/dom/security/test/sec-fetch/test_iframe_history_manipulation.html b/dom/security/test/sec-fetch/test_iframe_history_manipulation.html new file mode 100644 index 0000000000..5ec749bf4d --- /dev/null +++ b/dom/security/test/sec-fetch/test_iframe_history_manipulation.html @@ -0,0 +1,85 @@ + + + + Bug 1648825 - Fetch Metadata Headers contain invalid value for Sec-Fetch-Site for history manipulation + + + + + + + + + + diff --git a/dom/security/test/sec-fetch/test_iframe_src_metaRedirect.html b/dom/security/test/sec-fetch/test_iframe_src_metaRedirect.html new file mode 100644 index 0000000000..28eae80226 --- /dev/null +++ b/dom/security/test/sec-fetch/test_iframe_src_metaRedirect.html @@ -0,0 +1,95 @@ + + + + Bug 1647128 - Fetch Metadata Headers contain invalid value for Sec-Fetch-Site for meta redirects + + + + + + + + + + diff --git a/dom/security/test/sec-fetch/test_iframe_srcdoc_metaRedirect.html b/dom/security/test/sec-fetch/test_iframe_srcdoc_metaRedirect.html new file mode 100644 index 0000000000..adee5afe84 --- /dev/null +++ b/dom/security/test/sec-fetch/test_iframe_srcdoc_metaRedirect.html @@ -0,0 +1,95 @@ + + + + Bug 1647128 - Fetch Metadata Headers contain invalid value for Sec-Fetch-Site for meta redirects + + + + + + + + + + diff --git a/dom/security/test/sec-fetch/test_iframe_window_open_metaRedirect.html b/dom/security/test/sec-fetch/test_iframe_window_open_metaRedirect.html new file mode 100644 index 0000000000..b532baeb5e --- /dev/null +++ b/dom/security/test/sec-fetch/test_iframe_window_open_metaRedirect.html @@ -0,0 +1,98 @@ + + + + Bug 1647128 - Fetch Metadata Headers contain invalid value for Sec-Fetch-Site for meta redirects + + + + + + + + + + diff --git a/dom/security/test/sec-fetch/test_trustworthy_loopback.html b/dom/security/test/sec-fetch/test_trustworthy_loopback.html new file mode 100644 index 0000000000..95ecac17ed --- /dev/null +++ b/dom/security/test/sec-fetch/test_trustworthy_loopback.html @@ -0,0 +1,77 @@ + + + + Bug 1732069: Sec-Fetch-Site inconsistent on localhost/IPs + + + + + + + diff --git a/dom/security/test/sec-fetch/test_websocket.html b/dom/security/test/sec-fetch/test_websocket.html new file mode 100644 index 0000000000..33053ff20a --- /dev/null +++ b/dom/security/test/sec-fetch/test_websocket.html @@ -0,0 +1,74 @@ + + + + Bug 1628605: Test Sec-Fetch-* header for websockets + + + + + + + -- cgit v1.2.3