summaryrefslogtreecommitdiffstats
path: root/dom/security/test/csp/test_upgrade_insecure_loopback.html
blob: f72f95215e3469122a71947a09e000c9b7a20c19 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
<!DOCTYPE HTML>
<html>
<head>
  <meta charset="utf-8">
  <title>Bug 1447784 - Implement CSP upgrade-insecure-requests directive</title>
  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
  <script src="/tests/SimpleTest/SimpleTest.js"></script>
  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<iframe style="width:100%;" id="testframe"></iframe>

<script class="testbody" type="text/javascript">

/* Description of the test:
 * We load a page that performs a CORS XHR to 127.0.0.1 which shouldn't be upgraded to https:
 *
 * Test 1:
 *   Main page:   https://127.0.0.1:8080
 *   XHR request: http://127.0.0.1:8080
 *   No redirect to https://
 *   Description: Upgrade insecure should *NOT* upgrade from http to https.
 */

const CSP_POLICY = "upgrade-insecure-requests; script-src 'unsafe-inline'";
let testFiles = ["tests/dom/security/test/csp/file_upgrade_insecure_loopback.html",
                 "tests/dom/security/test/csp/file_upgrade_insecure_loopback_form.html"];

function examiner() {
  SpecialPowers.addObserver(this, "specialpowers-http-notify-request");
}
examiner.prototype = {
  observe(subject, topic, data) {
    if (topic === "specialpowers-http-notify-request") {
      // we skip looking at other requests that might be observed accidentally
      // e.g., we saw kinto requests when running this test locally
      if (data.includes("bug-1661423-dont-upgrade-localhost")) {
        let urlObj = new URL(data);
        is(urlObj.protocol, "http:", "Didn't upgrade localhost URL");
        loadTest();
      }
    }
  },
  remove() {
    SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
  }
};

window.examiner = new examiner();


function loadTest() {
  if (!testFiles.length) {
    removeAndFinish();
    return;
  }
  var src = "https://example.com/tests/dom/security/test/csp/file_testserver.sjs?file=";
  // append the file that should be served
  src += escape(testFiles.shift())
  // append the CSP that should be used to serve the file
  src += "&csp=" + escape(CSP_POLICY);
  document.getElementById("testframe").src = src;
}

function removeAndFinish() {
  window.removeEventListener("message", receiveMessage);
  window.examiner.remove();
  SimpleTest.finish();
}

// a postMessage handler that is used to bubble up results from
// within the iframe.
window.addEventListener("message", receiveMessage);
function receiveMessage(event) {
  if (event.data === "request-not-https") {
    ok(true, "Didn't upgrade 127.0.0.1:8080 to https://");
    loadTest();
  }
}

SimpleTest.waitForExplicitFinish();

// By default, proxies don't apply to 127.0.0.1.
// We need them to for this test (at least on android), though:
SpecialPowers.pushPrefEnv({set: [
  ["network.proxy.allow_hijacking_localhost", true]
]}).then(loadTest);

</script>
</body>
</html>