summaryrefslogtreecommitdiffstats
path: root/dom/security/test/sec-fetch/browser_external_loads.js
diff options
context:
space:
mode:
Diffstat (limited to 'dom/security/test/sec-fetch/browser_external_loads.js')
-rw-r--r--dom/security/test/sec-fetch/browser_external_loads.js176
1 files changed, 176 insertions, 0 deletions
diff --git a/dom/security/test/sec-fetch/browser_external_loads.js b/dom/security/test/sec-fetch/browser_external_loads.js
new file mode 100644
index 0000000000..0340b46899
--- /dev/null
+++ b/dom/security/test/sec-fetch/browser_external_loads.js
@@ -0,0 +1,176 @@
+"use strict";
+
+const TEST_PATH = getRootDirectory(gTestPath).replace(
+ "chrome://mochitests/content",
+ "https://example.com"
+);
+
+var gExpectedHeader = {};
+
+function checkSecFetchUser(subject, topic, data) {
+ let channel = subject.QueryInterface(Ci.nsIHttpChannel);
+ if (!channel.URI.spec.startsWith("https://example.com")) {
+ return;
+ }
+
+ info(`testing headers for load of ${channel.URI.spec}`);
+
+ const secFetchHeaders = [
+ "sec-fetch-mode",
+ "sec-fetch-dest",
+ "sec-fetch-user",
+ "sec-fetch-site",
+ ];
+
+ secFetchHeaders.forEach(header => {
+ const expectedValue = gExpectedHeader[header];
+ try {
+ is(
+ channel.getRequestHeader(header),
+ expectedValue,
+ `${header} is set to ${expectedValue}`
+ );
+ } catch (e) {
+ if (expectedValue) {
+ ok(false, `${header} should be set`);
+ } else {
+ ok(true, `${header} should not be set`);
+ }
+ }
+ });
+}
+
+add_task(async function external_load() {
+ waitForExplicitFinish();
+ Services.obs.addObserver(checkSecFetchUser, "http-on-stop-request");
+
+ let headersChecked = new Promise(resolve => {
+ let reqStopped = async (subject, topic, data) => {
+ Services.obs.removeObserver(reqStopped, "http-on-stop-request");
+ resolve();
+ };
+ Services.obs.addObserver(reqStopped, "http-on-stop-request");
+ });
+
+ // System fetch. Shouldn't use Sec- headers for that.
+ gExpectedHeader = {
+ "sec-fetch-site": null,
+ "sec-fetch-mode": null,
+ "sec-fetch-dest": null,
+ "sec-fetch-user": null,
+ };
+ await window.fetch(`${TEST_PATH}file_dummy_link.html?sysfetch`);
+ await headersChecked;
+
+ // Simulate an external load in the *current* window with
+ // Ci.nsIBrowserDOMWindow.OPEN_EXTERNAL and the system principal.
+ gExpectedHeader = {
+ "sec-fetch-site": "none",
+ "sec-fetch-mode": "navigate",
+ "sec-fetch-dest": "document",
+ "sec-fetch-user": "?1",
+ };
+
+ let loaded = BrowserTestUtils.browserLoaded(gBrowser.selectedBrowser);
+ window.browserDOMWindow.openURI(
+ makeURI(`${TEST_PATH}file_dummy_link.html`),
+ null,
+ Ci.nsIBrowserDOMWindow.OPEN_CURRENTWINDOW,
+ Ci.nsIBrowserDOMWindow.OPEN_EXTERNAL,
+ Services.scriptSecurityManager.getSystemPrincipal()
+ );
+ await loaded;
+
+ // Open a link in a *new* window through the context menu.
+ gExpectedHeader = {
+ "sec-fetch-site": "same-origin",
+ "sec-fetch-mode": "navigate",
+ "sec-fetch-dest": "document",
+ "sec-fetch-user": "?1",
+ };
+
+ loaded = BrowserTestUtils.waitForNewWindow({
+ url: `${TEST_PATH}file_dummy_link_location.html`,
+ });
+ BrowserTestUtils.waitForEvent(document, "popupshown", false, event => {
+ document.getElementById("context-openlink").doCommand();
+ event.target.hidePopup();
+ return true;
+ });
+ BrowserTestUtils.synthesizeMouseAtCenter(
+ "#dummylink",
+ { type: "contextmenu", button: 2 },
+ gBrowser.selectedBrowser
+ );
+
+ let win = await loaded;
+ win.close();
+
+ // Simulate an external load in a *new* window with
+ // Ci.nsIBrowserDOMWindow.OPEN_EXTERNAL and the system principal.
+ gExpectedHeader = {
+ "sec-fetch-site": "none",
+ "sec-fetch-mode": "navigate",
+ "sec-fetch-dest": "document",
+ "sec-fetch-user": "?1",
+ };
+
+ loaded = BrowserTestUtils.waitForNewWindow({
+ url: "https://example.com/newwindow",
+ });
+ window.browserDOMWindow.openURI(
+ makeURI("https://example.com/newwindow"),
+ null,
+ Ci.nsIBrowserDOMWindow.OPEN_NEWWINDOW,
+ Ci.nsIBrowserDOMWindow.OPEN_EXTERNAL,
+ Services.scriptSecurityManager.getSystemPrincipal()
+ );
+ win = await loaded;
+ win.close();
+
+ // Open a *new* window through window.open without user activation.
+ gExpectedHeader = {
+ "sec-fetch-site": "same-origin",
+ "sec-fetch-mode": "navigate",
+ "sec-fetch-dest": "document",
+ };
+
+ loaded = BrowserTestUtils.waitForNewWindow({
+ url: "https://example.com/windowopen",
+ });
+ await SpecialPowers.spawn(gBrowser.selectedBrowser, [], () => {
+ content.window.open(
+ "https://example.com/windowopen",
+ "_blank",
+ "height=500,width=500"
+ );
+ });
+ win = await loaded;
+ win.close();
+
+ // Open a *new* window through window.open with user activation.
+ gExpectedHeader = {
+ "sec-fetch-site": "same-origin",
+ "sec-fetch-mode": "navigate",
+ "sec-fetch-dest": "document",
+ "sec-fetch-user": "?1",
+ };
+
+ loaded = BrowserTestUtils.waitForNewWindow({
+ url: "https://example.com/windowopen_withactivation",
+ });
+ await SpecialPowers.spawn(gBrowser.selectedBrowser, [], () => {
+ content.document.notifyUserGestureActivation();
+ content.window.open(
+ "https://example.com/windowopen_withactivation",
+ "_blank",
+ "height=500,width=500"
+ );
+ content.document.clearUserGestureActivation();
+ });
+ win = await loaded;
+ win.close();
+
+ Services.obs.removeObserver(checkSecFetchUser, "http-on-stop-request");
+ finish();
+});
generated by cgit v1.2.3 (git 2.39.1) at 2024-05-17 20:06:36 +0000