dom/security/test/https-only/browser_upgrade_exceptions.js


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86

// Bug 1625448 - HTTPS Only Mode - Exceptions for loopback and local IP addresses
// https://bugzilla.mozilla.org/show_bug.cgi?id=1631384
// This test ensures that various configurable upgrade exceptions work
"use strict";

add_task(async function () {
  requestLongerTimeout(2);

  await SpecialPowers.pushPrefEnv({
    set: [["dom.security.https_only_mode", true]],
  });

  // Loopback test
  await runTest(
    "Loopback IP addresses should always be exempt from upgrades (localhost)",
    "http://localhost",
    "http://"
  );
  await runTest(
    "Loopback IP addresses should always be exempt from upgrades (127.0.0.1)",
    "http://127.0.0.1",
    "http://"
  );
  // Default local-IP and onion tests
  await runTest(
    "Local IP addresses should be exempt from upgrades by default",
    "http://10.0.250.250",
    "http://"
  );
  await runTest(
    "Hosts ending with .onion should be be exempt from HTTPS-Only upgrades by default",
    "http://grocery.shopping.for.one.onion",
    "http://"
  );

  await SpecialPowers.pushPrefEnv({
    set: [
      ["dom.security.https_only_mode.upgrade_local", true],
      ["dom.security.https_only_mode.upgrade_onion", true],
    ],
  });

  // Local-IP and onion tests with upgrade enabled
  await runTest(
    "Local IP addresses should get upgraded when 'dom.security.https_only_mode.upgrade_local' is set to true",
    "http://10.0.250.250",
    "https://"
  );
  await runTest(
    "Hosts ending with .onion should get upgraded when 'dom.security.https_only_mode.upgrade_onion' is set to true",
    "http://grocery.shopping.for.one.onion",
    "https://"
  );
  // Local-IP request with HTTPS_ONLY_EXEMPT flag
  await runTest(
    "The HTTPS_ONLY_EXEMPT flag should overrule upgrade-prefs",
    "http://10.0.250.250",
    "http://",
    true
  );
});

async function runTest(desc, url, startsWith, exempt = false) {
  const responseURL = await new Promise(resolve => {
    let xhr = new XMLHttpRequest();
    xhr.timeout = 1200;
    xhr.open("GET", url);
    if (exempt) {
      xhr.channel.loadInfo.httpsOnlyStatus |= Ci.nsILoadInfo.HTTPS_ONLY_EXEMPT;
    }
    xhr.onreadystatechange = () => {
      // We don't care about the result and it's possible that
      // the requests might even succeed in some testing environments
      if (
        xhr.readyState !== XMLHttpRequest.OPENED ||
        xhr.readyState !== XMLHttpRequest.UNSENT
      ) {
        // Let's make sure this function doesn't get caled anymore
        xhr.onreadystatechange = undefined;
        resolve(xhr.responseURL);
      }
    };
    xhr.send();
  });
  ok(responseURL.startsWith(startsWith), desc);
}