diff options
Diffstat (limited to 'security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js')
| -rw-r--r-- | security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js | 119 |
1 files changed, 119 insertions, 0 deletions
diff --git a/security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js b/security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js new file mode 100644 index 0000000000..3a595a3e08 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js @@ -0,0 +1,119 @@ +/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- + * vim: sw=2 ts=2 sts=2 + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +"use strict"; + +// Ensures that HSTS (HTTP Strict Transport Security) information is cleared +// when using "Forget About This Site". + +const { ForgetAboutSite } = ChromeUtils.importESModule( + "resource://gre/modules/ForgetAboutSite.sys.mjs" +); + +do_get_profile(); // must be done before instantiating nsIX509CertDB + +registerCleanupFunction(() => { + Services.prefs.clearUserPref("security.cert_pinning.enforcement_level"); +}); + +const GOOD_MAX_AGE_SECONDS = 69403; +const GOOD_MAX_AGE = `max-age=${GOOD_MAX_AGE_SECONDS};`; + +const sss = Cc["@mozilla.org/ssservice;1"].getService( + Ci.nsISiteSecurityService +); +const uri = Services.io.newURI("https://a.pinning.example.com"); + +// Test the normal case of processing HSTS headers for a.pinning.example.com, +// using "Forget About Site" on a.pinning2.example.com, and then checking +// that the platform doesn't consider a.pinning.example.com to be HSTS any +// longer. +add_task(async function () { + sss.processHeader(uri, GOOD_MAX_AGE); + + Assert.ok(sss.isSecureURI(uri), "a.pinning.example.com should be HSTS"); + + await ForgetAboutSite.removeDataFromDomain("a.pinning.example.com"); + + Assert.ok( + !sss.isSecureURI(uri), + "a.pinning.example.com should not be HSTS now" + ); +}); + +// Test the case of processing HSTS headers for a.pinning.example.com, using +// "Forget About Site" on example.com, and then checking that the platform +// doesn't consider the subdomain to be HSTS any longer. Also test that +// unrelated sites don't also get removed. +add_task(async function () { + sss.processHeader(uri, GOOD_MAX_AGE); + + Assert.ok( + sss.isSecureURI(uri), + "a.pinning.example.com should be HSTS (subdomain case)" + ); + + // Add an unrelated site to HSTS. + let unrelatedURI = Services.io.newURI("https://example.org"); + sss.processHeader(unrelatedURI, GOOD_MAX_AGE); + Assert.ok(sss.isSecureURI(unrelatedURI), "example.org should be HSTS"); + + await ForgetAboutSite.removeDataFromDomain("example.com"); + + Assert.ok( + !sss.isSecureURI(uri), + "a.pinning.example.com should not be HSTS now (subdomain case)" + ); + + Assert.ok(sss.isSecureURI(unrelatedURI), "example.org should still be HSTS"); +}); + +// Test the case of processing HSTS headers for a.pinning.example.com with +// various originAttributes, using "Forget About Site" on example.com, and +// then checking that the platform doesn't consider the subdomain to be HSTS +// for any originAttributes any longer. Also test that unrelated sites don't +// also get removed. +add_task(async function () { + let originAttributesList = [ + {}, + { userContextId: 1 }, + { firstPartyDomain: "foo.com" }, + { userContextId: 1, firstPartyDomain: "foo.com" }, + ]; + + let unrelatedURI = Services.io.newURI("https://example.org"); + + for (let originAttributes of originAttributesList) { + sss.processHeader(uri, GOOD_MAX_AGE, originAttributes); + + Assert.ok( + sss.isSecureURI(uri, originAttributes), + "a.pinning.example.com should be HSTS (originAttributes case)" + ); + + // Add an unrelated site to HSTS. + sss.processHeader(unrelatedURI, GOOD_MAX_AGE, originAttributes); + Assert.ok( + sss.isSecureURI(unrelatedURI, originAttributes), + "example.org should be HSTS (originAttributes case)" + ); + } + + await ForgetAboutSite.removeDataFromDomain("example.com"); + + for (let originAttributes of originAttributesList) { + Assert.ok( + !sss.isSecureURI(uri, originAttributes), + "a.pinning.example.com should not be HSTS now " + + "(originAttributes case)" + ); + + Assert.ok( + sss.isSecureURI(unrelatedURI, originAttributes), + "example.org should still be HSTS (originAttributes case)" + ); + } +}); |