summaryrefslogtreecommitdiffstats
path: root/security/manager/ssl/tests/unit/test_sss_resetState.js
blob: 4a667c05f065d32c8903e33a7c0bd25c1b85aeaa (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.

"use strict";

// Tests that resetting HSTS state in the way the "forget about this site"
// functionality does works as expected for preloaded and non-preloaded sites.

do_get_profile();

var gSSService = Cc["@mozilla.org/ssservice;1"].getService(
  Ci.nsISiteSecurityService
);

function test_removeState(originAttributes) {
  info(`running test_removeState(originAttributes=${originAttributes})`);
  // Simulate visiting a non-preloaded site by processing an HSTS header check
  // that the HSTS bit gets set, simulate "forget about this site" (call
  // removeState), and then check that the HSTS bit isn't set.
  let notPreloadedURI = Services.io.newURI("https://not-preloaded.example.com");
  ok(!gSSService.isSecureURI(notPreloadedURI, originAttributes));
  gSSService.processHeader(notPreloadedURI, "max-age=1000;", originAttributes);
  ok(gSSService.isSecureURI(notPreloadedURI, originAttributes));
  gSSService.resetState(notPreloadedURI, originAttributes);
  ok(!gSSService.isSecureURI(notPreloadedURI, originAttributes));

  // Simulate visiting a non-preloaded site that unsets HSTS by processing
  // an HSTS header with "max-age=0", check that the HSTS bit isn't
  // set, simulate "forget about this site" (call removeState), and then check
  // that the HSTS bit isn't set.
  gSSService.processHeader(notPreloadedURI, "max-age=0;", originAttributes);
  ok(!gSSService.isSecureURI(notPreloadedURI, originAttributes));
  gSSService.resetState(notPreloadedURI, originAttributes);
  ok(!gSSService.isSecureURI(notPreloadedURI, originAttributes));

  // Simulate visiting a preloaded site by processing an HSTS header, check
  // that the HSTS bit is still set, simulate "forget about this site"
  // (call removeState), and then check that the HSTS bit is still set.
  let preloadedHost = "includesubdomains.preloaded.test";
  let preloadedURI = Services.io.newURI(`https://${preloadedHost}`);
  ok(gSSService.isSecureURI(preloadedURI, originAttributes));
  gSSService.processHeader(preloadedURI, "max-age=1000;", originAttributes);
  ok(gSSService.isSecureURI(preloadedURI, originAttributes));
  gSSService.resetState(preloadedURI, originAttributes);
  ok(gSSService.isSecureURI(preloadedURI, originAttributes));

  // Simulate visiting a preloaded site that unsets HSTS by processing an
  // HSTS header with "max-age=0", check that the HSTS bit is what we
  // expect (see below), simulate "forget about this site" (call removeState),
  // and then check that the HSTS bit is set.
  gSSService.processHeader(preloadedURI, "max-age=0;", originAttributes);
  ok(!gSSService.isSecureURI(preloadedURI, originAttributes));
  gSSService.resetState(preloadedURI, originAttributes);
  ok(gSSService.isSecureURI(preloadedURI, originAttributes));
}

function run_test() {
  test_removeState({});
  test_removeState({ privateBrowsingId: 1 });
}