1 files changed, 90 insertions, 0 deletions
diff --git a/security/manager/ssl/tests/mochitest/browser/browser_clientAuth_speculative_connection.js b/security/manager/ssl/tests/mochitest/browser/browser_clientAuth_speculative_connection.js
new file mode 100644
index 0000000000..aec0ec45aa
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/browser/browser_clientAuth_speculative_connection.js
@@ -0,0 +1,90 @@
+/* eslint-disable mozilla/no-arbitrary-setTimeout */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+"use strict";
+
+// Tests that with speculative connections enabled, connections to servers that
+// request a client authentication certificate succeed (the specific bug that
+// was addressed with this patch involved navigation hanging because the
+// connection to the server couldn't make progress without asking for a client
+// authentication certificate, but it also wouldn't ask for a client
+// authentication certificate until the connection had been claimed, which
+// required that it make progress first).
+
+const { MockRegistrar } = ChromeUtils.importESModule(
+  "resource://testing-common/MockRegistrar.sys.mjs"
+);
+
+const TEST_PATH = getRootDirectory(gTestPath).replace(
+  "chrome://mochitests/content",
+  "https://example.com"
+);
+
+let chooseCertificateCalled = false;
+
+const clientAuthDialogs = {
+  chooseCertificate(
+    hostname,
+    port,
+    organization,
+    issuerOrg,
+    certList,
+    selectedIndex,
+    rememberClientAuthCertificate
+  ) {
+    is(certList.length, 1, "should have only one client certificate available");
+    selectedIndex.value = 0;
+    rememberClientAuthCertificate.value = false;
+    ok(
+      !chooseCertificateCalled,
+      "chooseCertificate should only be called once"
+    );
+    chooseCertificateCalled = true;
+    return true;
+  },
+
+  QueryInterface: ChromeUtils.generateQI(["nsIClientAuthDialogs"]),
+};
+
+add_setup(async function () {
+  await SpecialPowers.pushPrefEnv({
+    set: [
+      // Enable speculative connections.
+      ["network.http.speculative-parallel-limit", 6],
+      // Always ask to select a client authentication certificate.
+      ["security.default_personal_cert", "Ask Every Time"],
+    ],
+  });
+  let clientAuthDialogsCID = MockRegistrar.register(
+    "@mozilla.org/nsClientAuthDialogs;1",
+    clientAuthDialogs
+  );
+  registerCleanupFunction(async function () {
+    MockRegistrar.unregister(clientAuthDialogsCID);
+  });
+});
+
+add_task(
+  async function test_no_client_auth_selection_dialog_for_speculative_connections() {
+    await BrowserTestUtils.withNewTab(
+      `${TEST_PATH}browser_clientAuth_speculative_connection.html`,
+      async browser => {
+        // Click the link to navigate to a page that requests a client
+        // authentication certificate. Necko will make a speculative
+        // connection, but unfortunately there's no event or notification to
+        // observe. This test ensures that the navigation succeeds and that a
+        // client authentication certificate was requested.
+        let loaded = BrowserTestUtils.browserLoaded(
+          browser,
+          false,
+          "https://requireclientcert.example.com/"
+        );
+        await BrowserTestUtils.synthesizeMouseAtCenter("#link", {}, browser);
+        await loaded;
+        ok(chooseCertificateCalled, "chooseCertificate must have been called");
+      }
+    );
+  }
+);