Diffstat (limited to 'security/manager/ssl/tests/unit/test_sss_resetState.js')
-rw-r--r--security/manager/ssl/tests/unit/test_sss_resetState.js62
1 files changed, 62 insertions, 0 deletions
diff --git a/security/manager/ssl/tests/unit/test_sss_resetState.js b/security/manager/ssl/tests/unit/test_sss_resetState.js
new file mode 100644
index 0000000000..4a667c05f0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sss_resetState.js
@@ -0,0 +1,62 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// Tests that resetting HSTS state in the way the "forget about this site"
+// functionality does works as expected for preloaded and non-preloaded sites.
+
+do_get_profile();
+
+var gSSService = Cc["@mozilla.org/ssservice;1"].getService(
+ Ci.nsISiteSecurityService
+);
+
+function test_removeState(originAttributes) {
+ info(`running test_removeState(originAttributes=${originAttributes})`);
+ // Simulate visiting a non-preloaded site by processing an HSTS header check
+ // that the HSTS bit gets set, simulate "forget about this site" (call
+ // removeState), and then check that the HSTS bit isn't set.
+ let notPreloadedURI = Services.io.newURI("https://not-preloaded.example.com");
+ ok(!gSSService.isSecureURI(notPreloadedURI, originAttributes));
+ gSSService.processHeader(notPreloadedURI, "max-age=1000;", originAttributes);
+ ok(gSSService.isSecureURI(notPreloadedURI, originAttributes));
+ gSSService.resetState(notPreloadedURI, originAttributes);
+ ok(!gSSService.isSecureURI(notPreloadedURI, originAttributes));
+
+ // Simulate visiting a non-preloaded site that unsets HSTS by processing
+ // an HSTS header with "max-age=0", check that the HSTS bit isn't
+ // set, simulate "forget about this site" (call removeState), and then check
+ // that the HSTS bit isn't set.
+ gSSService.processHeader(notPreloadedURI, "max-age=0;", originAttributes);
+ ok(!gSSService.isSecureURI(notPreloadedURI, originAttributes));
+ gSSService.resetState(notPreloadedURI, originAttributes);
+ ok(!gSSService.isSecureURI(notPreloadedURI, originAttributes));
+
+ // Simulate visiting a preloaded site by processing an HSTS header, check
+ // that the HSTS bit is still set, simulate "forget about this site"
+ // (call removeState), and then check that the HSTS bit is still set.
+ let preloadedHost = "includesubdomains.preloaded.test";
+ let preloadedURI = Services.io.newURI(`https://${preloadedHost}`);
+ ok(gSSService.isSecureURI(preloadedURI, originAttributes));
+ gSSService.processHeader(preloadedURI, "max-age=1000;", originAttributes);
+ ok(gSSService.isSecureURI(preloadedURI, originAttributes));
+ gSSService.resetState(preloadedURI, originAttributes);
+ ok(gSSService.isSecureURI(preloadedURI, originAttributes));
+
+ // Simulate visiting a preloaded site that unsets HSTS by processing an
+ // HSTS header with "max-age=0", check that the HSTS bit is what we
+ // expect (see below), simulate "forget about this site" (call removeState),
+ // and then check that the HSTS bit is set.
+ gSSService.processHeader(preloadedURI, "max-age=0;", originAttributes);
+ ok(!gSSService.isSecureURI(preloadedURI, originAttributes));
+ gSSService.resetState(preloadedURI, originAttributes);
+ ok(gSSService.isSecureURI(preloadedURI, originAttributes));
+}
+
+function run_test() {
+ test_removeState({});
+ test_removeState({ privateBrowsingId: 1 });
+}
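Review bot: The `info()` call at the top of `test_removeState` interpolates `originAttributes` directly, so both invocations from `run_test` log `originAttributes=[object Object]`. A failure therefore cannot be attributed to the default run or the `privateBrowsingId: 1` run; interpolate `${JSON.stringify(originAttributes)}` instead. The comments say "call removeState" in all four blocks while the code calls `gSSService.resetState`, so they should name the method actually exercised. The last block's comment says "see below", but nothing follows to explain why `isSecureURI` is asserted false for a preloaded host after `max-age=0`. Judging by the assertions, a site-sent `max-age=0` overrides the preload entry until the state is reset, and a comment such as `// max-age=0 overrides the preload list entry until resetState clears it` would record that.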