Bug 1585055 - Flip Pref for XTCO-NoSniff and update test to match r=ckerschb
☠☠ backed out by e9322fe03f36 ☠ ☠
authorSebastian Streich <sstreich@mozilla.com>
Tue, 01 Oct 2019 09:43:36 +0000
changeset 495776 7978f68a53554de5a679c49e48719a7ac0eff4dc
parent 495775 22f474cf97b3ef550bfb6ab9c73b471db2ee8044
child 495777 9c01fefd14aab6fcb667fbcd06797d964e829c8a
push id96857
push userdvarga@mozilla.com
push dateTue, 01 Oct 2019 20:10:57 +0000
reviewersckerschb
bugs1585055
milestone71.0a1
Bug 1585055 - Flip Pref for XTCO-NoSniff and update test to match r=ckerschb Differential Revision: https://phabricator.services.mozilla.com/D47635
dom/security/test/general/mochitest.ini
dom/security/test/general/test_nosniff_navigation.html
dom/security/test/general/window_nosniff_navigation.html
modules/libpref/init/StaticPrefList.yaml
--- a/dom/security/test/general/mochitest.ini
+++ b/dom/security/test/general/mochitest.ini
@@ -21,16 +21,17 @@ support-files =
   file_same_site_cookies_blob_iframe_inclusion.html
   file_same_site_cookies_iframe.html
   file_same_site_cookies_iframe.sjs
   file_same_site_cookies_about_navigation.html
   file_same_site_cookies_about_inclusion.html
   file_same_site_cookies_about.sjs
   file_cache_splitting_server.sjs
   file_cache_splitting_window.html
+  window_nosniff_navigation.html
 
 
 [test_contentpolicytype_targeted_link_iframe.html]
 [test_nosniff.html]
 [test_cache_split.html]
 skip-if = fission || verify
 [test_nosniff_navigation.html]
 [test_block_script_wrong_mime.html]
--- a/dom/security/test/general/test_nosniff_navigation.html
+++ b/dom/security/test/general/test_nosniff_navigation.html
@@ -1,92 +1,41 @@
 <!DOCTYPE HTML>
 <html>
+
 <head>
   <title>Bug 1428473 Support X-Content-Type-Options: nosniff when navigating</title>
   <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
   <script src="/tests/SimpleTest/SimpleTest.js"></script>
   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
-  <style>
-    iframe{
-      border: 1px solid orange;
-    }
-  </style>
+</head>
 
-  <iframe class="no-mime" src="file_nosniff_navigation.sjs?xml"> </iframe>
-  <iframe class="no-mime" src="file_nosniff_navigation.sjs?html"></iframe>
-  <iframe class="no-mime" src="file_nosniff_navigation.sjs?css" ></iframe>
-  <iframe class="no-mime" src="file_nosniff_navigation.sjs?json"></iframe>
-  <iframe class="no-mime" src="file_nosniff_navigation.sjs?img"></iframe>
-  <iframe class="no-mime" src="file_nosniff_navigation.sjs"></iframe>
- 
-  <hr>
-  <iframe class="mismatch-mime" src="file_nosniff_navigation_mismatch.sjs?html"></iframe>
-  <iframe class="mismatch-mime" src="file_nosniff_navigation_mismatch.sjs?xml"></iframe>
-  <iframe class="mismatch-mime" src="file_nosniff_navigation_mismatch.sjs?css"></iframe>
-  <iframe class="mismatch-mime" src="file_nosniff_navigation_mismatch.sjs?json"></iframe>
-  <iframe class="mismatch-mime" src="file_nosniff_navigation_mismatch.sjs?img"></iframe>
-  <iframe class="mismatch-mime" src="file_nosniff_navigation_mismatch.sjs"></iframe>
-  <hr>
-
-  <iframe class="garbage-mime" src="file_nosniff_navigation_garbage.sjs?xml"> </iframe>
-  <iframe class="garbage-mime" src="file_nosniff_navigation_garbage.sjs?html"></iframe>
-  <iframe class="garbage-mime" src="file_nosniff_navigation_garbage.sjs?css" ></iframe>
-  <iframe class="garbage-mime" src="file_nosniff_navigation_garbage.sjs?json"></iframe>
-  <iframe class="garbage-mime" src="file_nosniff_navigation_garbage.sjs?img"></iframe>
-  <iframe class="garbage-mime" src="file_nosniff_navigation_garbage.sjs"></iframe>
- 
-
-</head>
 <body>
 
-<!-- add the two script tests -->
-<script id="scriptCorrectType"></script>
-<script id="scriptWrongType"></script>
+  <!-- add the two script tests -->
+  <script id="scriptCorrectType"></script>
+  <script id="scriptWrongType"></script>
 
-<script class="testbody" type="text/javascript">
-/* Description of the test:
- * We're testing if Firefox respects the nosniff Header for Top-Level 
- * Navigations.
- * If Firefox cant Display the Page, it will prompt a download 
- * and the URL of the Page will be about:blank.
- * So we will try to open different content send with
- * no-mime, mismatched-mime and garbage-mime types.
- * 
- */
-
-SimpleTest.waitForExplicitFinish();
-
-window.addEventListener("load", ()=>{
-  let noMimeFrames = Array.from(document.querySelectorAll(".no-mime"));
+  <script class="testbody" type="text/javascript">
+    /* Description of the test:
+     * We're testing if Firefox respects the nosniff Header for Top-Level 
+     * Navigations.
+     * If Firefox cant Display the Page, it will prompt a download 
+     * and the URL of the Page will be about:blank.
+     * So we will try to open different content send with
+     * no-mime, mismatched-mime and garbage-mime types.
+     * 
+     */
 
-  noMimeFrames.forEach( frame => {
-    // In case of no Provided Content Type, not rendering or assuming text/plain is valid
-    let result = frame.contentWindow.document.URL == "about:blank" || frame.contentWindow.document.contentType == "text/plain";
-    let sniffTarget = (new URL(frame.src)).search;
-    ok(result, `${sniffTarget} without MIME - was not Sniffed`);
-  });
-
-  let mismatchedMimes = Array.from(document.querySelectorAll(".mismatch-mime"));
-  mismatchedMimes.forEach(frame => {
-    // In case the Server mismatches the Mime Type (sends content X as image/png)
-    // assert that we do not sniff and correct this.
-    let result = frame.contentWindow.document.contentType == "image/png";
-    let sniffTarget = (new URL(frame.src)).search;
-    ok(result, `${sniffTarget} send as image/png - was not Sniffed`);
-  });
+    SimpleTest.waitForExplicitFinish();
 
-  let badMimeFrames = Array.from(document.querySelectorAll(".garbage-mime"));
+    window.addEventListener("load", async () => {
+      await SpecialPowers.pushPrefEnv(
+      {
+          set: [["dom.security.respect_document_nosniff", true]],
+        }
+    );
+    window.open("window_nosniff_navigation.html");
+});
+  </script>
+</body>
 
-  badMimeFrames.forEach( frame => {
-    // In the case we got a bogous mime, assert that we dont sniff. 
-    // We must not default here to text/plain
-    // as the Server at least provided a mime type. 
-    let result = frame.contentWindow.document.URL == "about:blank";
-    let sniffTarget = (new URL(frame.src)).search;
-    ok(result, `${sniffTarget} send as garbage/garbage - was not Sniffed`);
-  });
-  
-  SimpleTest.finish();
-});
-</script>
-</body>
-</html>
+</html>
\ No newline at end of file
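Review bot: The new load handler discards the return value of `window.open("window_nosniff_navigation.html")`, so the opener never closes the window it creates and has no handle on it if the child fails before reaching `SimpleTest.finish()`; something like `const win = window.open("window_nosniff_navigation.html"); SimpleTest.registerCleanupFunction(() => win.close());` would bound its lifetime. The handler also forces `dom.security.respect_document_nosniff` to `true`, while the StaticPrefList.yaml hunk in this commit changes the default to `false`, so nothing visible here checks how a default build handles a `nosniff` navigation. A second pass without the `pushPrefEnv`, or a comment such as `// Only the pref-enabled state is covered; the default is off.`, would make that gap explicit. The block comment kept above the handler still describes the MIME checks, which now live in the opened window, and the handler body is indented inconsistently.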
new file mode 100644
--- /dev/null
+++ b/dom/security/test/general/window_nosniff_navigation.html
@@ -0,0 +1,94 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug 1428473 Support X-Content-Type-Options: nosniff when navigating</title>
+  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+  <style>
+    iframe{
+      border: 1px solid orange;
+    }
+  </style>
+
+  <iframe class="no-mime" src="file_nosniff_navigation.sjs?xml"> </iframe>
+  <iframe class="no-mime" src="file_nosniff_navigation.sjs?html"></iframe>
+  <iframe class="no-mime" src="file_nosniff_navigation.sjs?css" ></iframe>
+  <iframe class="no-mime" src="file_nosniff_navigation.sjs?json"></iframe>
+  <iframe class="no-mime" src="file_nosniff_navigation.sjs?img"></iframe>
+  <iframe class="no-mime" src="file_nosniff_navigation.sjs"></iframe>
+ 
+  <hr>
+  <iframe class="mismatch-mime" src="file_nosniff_navigation_mismatch.sjs?html"></iframe>
+  <iframe class="mismatch-mime" src="file_nosniff_navigation_mismatch.sjs?xml"></iframe>
+  <iframe class="mismatch-mime" src="file_nosniff_navigation_mismatch.sjs?css"></iframe>
+  <iframe class="mismatch-mime" src="file_nosniff_navigation_mismatch.sjs?json"></iframe>
+  <iframe class="mismatch-mime" src="file_nosniff_navigation_mismatch.sjs?img"></iframe>
+  <iframe class="mismatch-mime" src="file_nosniff_navigation_mismatch.sjs"></iframe>
+  <hr>
+
+  <iframe class="garbage-mime" src="file_nosniff_navigation_garbage.sjs?xml"> </iframe>
+  <iframe class="garbage-mime" src="file_nosniff_navigation_garbage.sjs?html"></iframe>
+  <iframe class="garbage-mime" src="file_nosniff_navigation_garbage.sjs?css" ></iframe>
+  <iframe class="garbage-mime" src="file_nosniff_navigation_garbage.sjs?json"></iframe>
+  <iframe class="garbage-mime" src="file_nosniff_navigation_garbage.sjs?img"></iframe>
+  <iframe class="garbage-mime" src="file_nosniff_navigation_garbage.sjs"></iframe>
+ 
+
+</head>
+
+<body>
+
+<!-- add the two script tests -->
+<script id="scriptCorrectType"></script>
+<script id="scriptWrongType"></script>
+
+<script class="testbody" type="text/javascript">
+/* Description of the test:
+ * We're testing if Firefox respects the nosniff Header for Top-Level 
+ * Navigations.
+ * If Firefox cant Display the Page, it will prompt a download 
+ * and the URL of the Page will be about:blank.
+ * So we will try to open different content send with
+ * no-mime, mismatched-mime and garbage-mime types.
+ * 
+ */
+
+SimpleTest.waitForExplicitFinish();
+
+window.addEventListener("load", ()=>{
+  let noMimeFrames = Array.from(document.querySelectorAll(".no-mime"));
+
+  noMimeFrames.forEach( frame => {
+    // In case of no Provided Content Type, not rendering or assuming text/plain is valid
+    let result = frame.contentWindow.document.URL == "about:blank" || frame.contentWindow.document.contentType == "text/plain";
+    let sniffTarget = (new URL(frame.src)).search;
+    ok(result, `${sniffTarget} without MIME - was not Sniffed`);
+  });
+
+  let mismatchedMimes = Array.from(document.querySelectorAll(".mismatch-mime"));
+  mismatchedMimes.forEach(frame => {
+    // In case the Server mismatches the Mime Type (sends content X as image/png)
+    // assert that we do not sniff and correct this.
+    let result = frame.contentWindow.document.contentType == "image/png";
+    let sniffTarget = (new URL(frame.src)).search;
+    ok(result, `${sniffTarget} send as image/png - was not Sniffed`);
+  });
+
+  let badMimeFrames = Array.from(document.querySelectorAll(".garbage-mime"));
+
+  badMimeFrames.forEach( frame => {
+    // In the case we got a bogous mime, assert that we dont sniff. 
+    // We must not default here to text/plain
+    // as the Server at least provided a mime type. 
+    let result = frame.contentWindow.document.URL == "about:blank";
+    let sniffTarget = (new URL(frame.src)).search;
+    ok(result, `${sniffTarget} send as garbage/garbage - was not Sniffed`);
+  });
+  
+  SimpleTest.finish();
+});
+</script>
+</body>
+
+</html>
\ No newline at end of file
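Review bot: The eighteen `<iframe>` elements are placed inside `<head>`, before the `</head>` tag, where they are not valid; the HTML parser will end the head implicitly and move them into the body, so the page works only through error recovery and the frames should be placed under `<body>`. The description comment says the test covers top-level navigations, but every assertion reads `frame.contentWindow.document`, so only subframe loads are checked and the comment should say so. The `about:blank` comparisons in the no-mime and garbage-mime loops would presumably also pass for a frame that never navigated, so a pass does not by itself show that the nosniff path ran. The two empty `<script id="scriptCorrectType">` and `<script id="scriptWrongType">` elements are not referenced by the script in this file and look like leftovers. The comparisons use `==` where `===` would be the stricter choice.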
--- a/modules/libpref/init/StaticPrefList.yaml
+++ b/modules/libpref/init/StaticPrefList.yaml
@@ -2077,17 +2077,17 @@
 # This pref enables the featurePolicy header support.
 - name: dom.security.featurePolicy.header.enabled
   type: bool
   value: @IS_NIGHTLY_BUILD@
   mirror: always
 
 - name: dom.security.respect_document_nosniff
   type: RelaxedAtomicBool
-  value: true
+  value: false
   mirror: always
 
 # Expose the 'policy' attribute in document and HTMLIFrameElement
 - name: dom.security.featurePolicy.webidl.enabled
   type: bool
   value: @IS_NIGHTLY_BUILD@
   mirror: always