Bug 1405971 - Test that Webextension UUID doesn't leak via XHR/Fetch requests. r=mixedpuppy
authorTom Schuster <evilpies@gmail.com>
Thu, 14 Nov 2019 18:11:30 +0000
changeset 502012 dd473ab6821ecc27e748a756dca9ea8ebceaf0c5
parent 502011 3b42f1a5097a3ea23d91740ffd3bac899d128952
child 502013 7405a856572c00f82145b8e5bf397998f6349ac1
push id114172
push userdluca@mozilla.com
push dateTue, 19 Nov 2019 11:31:10 +0000
reviewersmixedpuppy
bugs1405971
milestone72.0a1
Bug 1405971 - Test that Webextension UUID doesn't leak via XHR/Fetch requests. r=mixedpuppy Differential Revision: https://phabricator.services.mozilla.com/D40854
toolkit/components/extensions/test/mochitest/mochitest-common.ini
toolkit/components/extensions/test/mochitest/return_headers_cors.sjs
toolkit/components/extensions/test/mochitest/test_ext_fetch_origin.html
--- a/toolkit/components/extensions/test/mochitest/mochitest-common.ini
+++ b/toolkit/components/extensions/test/mochitest/mochitest-common.ini
@@ -43,16 +43,17 @@ support-files =
   head_unlimitedStorage.js
   head_webrequest.js
   hsts.sjs
   mochitest_console.js
   oauth.html
   redirect_auto.sjs
   redirection.sjs
   return_headers.sjs
+  return_headers_cors.sjs
   slow_response.sjs
   webrequest_worker.js
   !/dom/tests/mochitest/geolocation/network_geolocation.sjs
   !/toolkit/components/passwordmgr/test/authenticate.sjs
   file_redirect_data_uri.html
   file_redirect_cors_bypass.html
 prefs =
   security.mixed_content.upgrade_display_content=false
@@ -148,8 +149,9 @@ skip-if = (webrender && os == 'linux') #
 [test_ext_webrequest_hsts.html]
 skip-if = os == 'android' || os == 'linux'
 [test_ext_webrequest_upgrade.html]
 [test_ext_webrequest_upload.html]
 skip-if = os == 'android' # Currently fails in emulator tests
 [test_ext_webrequest_redirect_data_uri.html]
 [test_ext_window_postMessage.html]
 [test_ext_webrequest_redirect_bypass_cors.html]
+[test_ext_fetch_origin.html]
new file mode 100644
--- /dev/null
+++ b/toolkit/components/extensions/test/mochitest/return_headers_cors.sjs
@@ -0,0 +1,24 @@
+/* -*- Mode: indent-tabs-mode: nil; js-indent-level: 2 -*- */
+/* vim: set ft=javascript sts=2 sw=2 et tw=80: */
+"use strict";
+
+/* exported handleRequest */
+
+function handleRequest(request, response) {
+  response.setStatusLine(request.httpVersion, 200, "OK");
+  response.setHeader("Content-Type", "text/json", false);
+  response.setHeader("Access-Control-Allow-Credentials", "true", false);
+  response.setHeader("Access-Control-Allow-Origin", "*", false);
+
+
+  let headers = {};
+  // Why on earth is this a nsISimpleEnumerator...
+  let enumerator = request.headers;
+  while (enumerator.hasMoreElements()) {
+    let header = enumerator.getNext().data;
+    headers[header.toLowerCase()] = request.getHeader(header);
+  }
+
+  response.write(JSON.stringify(headers));
+}
+
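Review bot: `Access-Control-Allow-Credentials: true` is sent together with `Access-Control-Allow-Origin: *` in handleRequest, and browsers refuse that pairing for credentialed requests, so the credentials header has no effect here. The fetch and XHR calls in the accompanying test use their default credential modes, so the fixture works without it; I would drop that line. The handler also reflects every request header (which would include Cookie or Authorization if a caller sent them) into a response readable from any origin, so a comment such as `// Test-only fixture: echoes all request headers to any origin; do not reuse outside mochitest.` is worth adding. Separately, `text/json` is not a registered media type; `application/json` is the usual value.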
new file mode 100644
--- /dev/null
+++ b/toolkit/components/extensions/test/mochitest/test_ext_fetch_origin.html
@@ -0,0 +1,60 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Test for simple WebExtension</title>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script src="/tests/SimpleTest/ExtensionTestUtils.js"></script>
+  <script type="text/javascript" src="head.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+
+<script type="text/javascript">
+"use strict";
+
+add_task(async function test_fetch_origin() {
+  let extension = ExtensionTestUtils.loadExtension({
+    manifest: {
+      permissions: [
+        // We purposefully don't add any host permission for example.org
+        // (or all_urls). This ensures the requests below use CORS,
+        // which would normally send an Origin header with a moz-extension:
+        // scheme.
+      ],
+    },
+    async background() {
+      const PATH = "https://example.org/tests/toolkit/components/extensions/test/mochitest/return_headers_cors.sjs";
+
+      let response = await fetch(PATH);
+      let headers = await response.json();
+
+      browser.test.assertEq(headers.host, "example.org", "right host");
+      browser.test.assertFalse("origin" in headers, "no Origin header")
+
+      headers = await new Promise((resolve, reject) => {
+        /* eslint-disable mozilla/balanced-listeners */
+        let xhr = new XMLHttpRequest();
+        xhr.open("GET", PATH);
+        xhr.addEventListener("load", () => {
+          resolve(JSON.parse(xhr.response));
+        })
+        xhr.addEventListener("error", reject)
+        xhr.send();
+      })
+
+      browser.test.assertEq(headers.host, "example.org", "right host");
+      browser.test.assertFalse("origin" in headers, "no Origin header");
+
+      browser.test.sendMessage("finished");
+    },
+  });
+
+  await extension.startup();
+  await extension.awaitMessage("finished");
+  await extension.unload();
+});
+
+</script>
+
+</body>
+</html>
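Review bot: Only the Origin header is checked in test_fetch_origin, although the server echoes every request header, so a moz-extension URL appearing in some other header (Referer, for example) would go unnoticed. Since the bug is about the extension UUID leaking, I would add after each `"origin" in headers` assertion a check over the whole echoed set, e.g. `browser.test.assertFalse(JSON.stringify(headers).includes(location.host), "no extension UUID in any request header");`. In the background page `location.host` should be the extension's UUID, but that is worth confirming. A rejected fetch or XHR also leaves background() without sending "finished", so the test would probably end by timeout rather than with a clear failure; wrapping the body in try/catch and calling `browser.test.fail` would make that path explicit.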