1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
|
"use strict";
const WARNING_PATTERN = [
{
key: "INSECURE_FORM_ACTION",
msg: 'JavaScript Warning: "Password fields present in a form with an insecure (http://) form action. This is a security risk that allows user login credentials to be stolen."',
},
{
key: "INSECURE_PAGE",
msg: 'JavaScript Warning: "Password fields present on an insecure (http://) page. This is a security risk that allows user login credentials to be stolen."',
},
];
add_task(async function testInsecurePasswordWarning() {
// By default, proxies don't apply to 127.0.0.1. We need them to for this test, though:
await SpecialPowers.pushPrefEnv({
set: [["network.proxy.allow_hijacking_localhost", true]],
});
let warningPatternHandler;
function messageHandler(msgObj) {
function findWarningPattern(msg) {
return WARNING_PATTERN.find(patternPair => {
return msg.includes(patternPair.msg);
});
}
let warning = findWarningPattern(msgObj.message);
// Only handle the insecure password related warning messages.
if (warning) {
// Prevent any unexpected or redundant matched warning message coming after
// the test case is ended.
Assert.ok(
warningPatternHandler,
"Invoke a valid warning message handler"
);
warningPatternHandler(warning, msgObj.message);
}
}
Services.console.registerListener(messageHandler);
registerCleanupFunction(function () {
Services.console.unregisterListener(messageHandler);
});
for (let [origin, testFile, expectWarnings] of [
["http://127.0.0.1", "form_basic.html", []],
["http://127.0.0.1", "formless_basic.html", []],
["http://example.com", "form_basic.html", ["INSECURE_PAGE"]],
["http://example.com", "formless_basic.html", ["INSECURE_PAGE"]],
["https://example.com", "form_basic.html", []],
["https://example.com", "formless_basic.html", []],
// For a form with customized action link in the same origin.
["http://127.0.0.1", "form_same_origin_action.html", []],
["http://example.com", "form_same_origin_action.html", ["INSECURE_PAGE"]],
["https://example.com", "form_same_origin_action.html", []],
// For a form with an insecure (http) customized action link.
[
"http://127.0.0.1",
"form_cross_origin_insecure_action.html",
["INSECURE_FORM_ACTION"],
],
[
"http://example.com",
"form_cross_origin_insecure_action.html",
["INSECURE_PAGE"],
],
[
"https://example.com",
"form_cross_origin_insecure_action.html",
["INSECURE_FORM_ACTION"],
],
// For a form with a secure (https) customized action link.
["http://127.0.0.1", "form_cross_origin_secure_action.html", []],
[
"http://example.com",
"form_cross_origin_secure_action.html",
["INSECURE_PAGE"],
],
["https://example.com", "form_cross_origin_secure_action.html", []],
]) {
let testURL = origin + DIRECTORY_PATH + testFile;
let promiseConsoleMessages = new Promise(resolve => {
warningPatternHandler = function (warning, originMessage) {
Assert.ok(warning, "Handling a warning pattern");
let fullMessage = `[${warning.msg} {file: "${testURL}" line: 0 column: 0 source: "0"}]`;
Assert.equal(
originMessage,
fullMessage,
"Message full matched:" + originMessage
);
let index = expectWarnings.indexOf(warning.key);
isnot(
index,
-1,
"Found warning: " + warning.key + " for URL:" + testURL
);
if (index !== -1) {
// Remove the shown message.
expectWarnings.splice(index, 1);
}
if (expectWarnings.length === 0) {
info("All warnings are shown for URL:" + testURL);
resolve();
}
};
});
await BrowserTestUtils.withNewTab(
{
gBrowser,
url: testURL,
},
function () {
if (expectWarnings.length === 0) {
info("All warnings are shown for URL:" + testURL);
return Promise.resolve();
}
return promiseConsoleMessages;
}
);
// Remove warningPatternHandler to stop handling the matched warning pattern
// and the task should not get any warning anymore.
warningPatternHandler = null;
}
});
|
