From 6bf0a5cb5034a7e684dcc3500e841785237ce2dd Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Sun, 7 Apr 2024 19:32:43 +0200
Subject: Adding upstream version 1:115.7.0.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 .../browser_triggering_principal_exemption.js      | 72 ++++++++++++++++++++++
 1 file changed, 72 insertions(+)
 create mode 100644 dom/security/test/https-only/browser_triggering_principal_exemption.js

(limited to 'dom/security/test/https-only/browser_triggering_principal_exemption.js')

diff --git a/dom/security/test/https-only/browser_triggering_principal_exemption.js b/dom/security/test/https-only/browser_triggering_principal_exemption.js
new file mode 100644
index 0000000000..09a867a63b
--- /dev/null
+++ b/dom/security/test/https-only/browser_triggering_principal_exemption.js
@@ -0,0 +1,72 @@
+// Bug 1662359 - Don't upgrade subresources whose triggering principal is exempt from HTTPS-Only mode.
+// https://bugzilla.mozilla.org/bug/1662359
+"use strict";
+
+const TRIGGERING_PAGE = "http://example.org";
+const LOADED_RESOURCE = "http://example.com";
+
+add_task(async function () {
+  // Enable HTTPS-Only Mode
+  await SpecialPowers.pushPrefEnv({
+    set: [["dom.security.https_only_mode", true]],
+  });
+
+  await runTest(
+    "Request with not exempt triggering principal should get upgraded.",
+    "https://"
+  );
+
+  // Now exempt the triggering page
+  await SpecialPowers.pushPermissions([
+    {
+      type: "https-only-load-insecure",
+      allow: true,
+      context: TRIGGERING_PAGE,
+    },
+  ]);
+
+  await runTest(
+    "Request with exempt triggering principal should not get upgraded.",
+    "http://"
+  );
+
+  await SpecialPowers.popPermissions();
+});
+
+async function runTest(desc, startsWith) {
+  const responseURL = await new Promise(resolve => {
+    let xhr = new XMLHttpRequest();
+    xhr.open("GET", LOADED_RESOURCE);
+
+    // Replace loadinfo with one whose triggeringPrincipal is a content
+    // principal for TRIGGERING_PAGE.
+    const triggeringPrincipal =
+      Services.scriptSecurityManager.createContentPrincipalFromOrigin(
+        TRIGGERING_PAGE
+      );
+    let dummyURI = Services.io.newURI(LOADED_RESOURCE);
+    let dummyChannel = NetUtil.newChannel({
+      uri: dummyURI,
+      triggeringPrincipal,
+      loadingPrincipal: xhr.channel.loadInfo.loadingPrincipal,
+      securityFlags: xhr.channel.loadInfo.securityFlags,
+      contentPolicyType: xhr.channel.loadInfo.externalContentPolicyType,
+    });
+    xhr.channel.loadInfo = dummyChannel.loadInfo;
+
+    xhr.onreadystatechange = () => {
+      // We don't care about the result, just if Firefox upgraded the URL
+      // internally.
+      if (
+        xhr.readyState !== XMLHttpRequest.OPENED ||
+        xhr.readyState !== XMLHttpRequest.UNSENT
+      ) {
+        // Let's make sure this function doesn't get called anymore
+        xhr.onreadystatechange = undefined;
+        resolve(xhr.responseURL);
+      }
+    };
+    xhr.send();
+  });
+  ok(responseURL.startsWith(startsWith), desc);
+}
-- 
cgit v1.2.3