Bug 1182551 - HTTP top level page with HTTPS mixed passive frame should have STATE_IS_INSECURE. r=ttaubert
authorTanvi Vyas <tanvi@mozilla.com>
Thu, 13 Aug 2015 17:13:51 -0700
changeset 257744 a0ab71814ee94ab9d872fdb8a7ef0fe3e31a23ad
parent 257743 7d8a664fd55b6d1faf6b088c90706d5c2e4a59ec
child 257745 84e68150485c1a7d9043dee3d82ca5df33b5e78c
push id29226
push userryanvm@gmail.com
push dateFri, 14 Aug 2015 13:01:14 +0000
treeherdermozilla-central@1b2402247429 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersttaubert
bugs1182551
milestone43.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1182551 - HTTP top level page with HTTPS mixed passive frame should have STATE_IS_INSECURE. r=ttaubert
browser/base/content/test/general/browser.ini
browser/base/content/test/general/browser_mixedContentFramesOnHttp.js
browser/base/content/test/general/browser_mixedContentFromOnunload.js
browser/base/content/test/general/file_mixedContentFramesOnHttp.html
browser/base/content/test/general/file_mixedPassiveContent.html
browser/base/content/test/general/head.js
dom/security/test/mixedcontentblocker/mochitest.ini
--- a/browser/base/content/test/general/browser.ini
+++ b/browser/base/content/test/general/browser.ini
@@ -50,16 +50,18 @@ support-files =
   file_bug906190_3_4.html
   file_bug906190_redirected.html
   file_bug906190.js
   file_bug906190.sjs
   file_mediaPlayback.html
   file_mixedContentFromOnunload.html
   file_mixedContentFromOnunload_test1.html
   file_mixedContentFromOnunload_test2.html
+  file_mixedContentFramesOnHttp.html
+  file_mixedPassiveContent.html
   file_bug970276_popup1.html
   file_bug970276_popup2.html
   file_bug970276_favicon1.ico
   file_bug970276_favicon2.ico
   file_documentnavigation_frameset.html
   file_dom_notifications.html
   file_double_close_tab.html
   file_favicon_change.html
@@ -266,16 +268,19 @@ tags = mcb
 [browser_bug880101.js]
 [browser_bug882977.js]
 [browser_bug902156.js]
 tags = mcb
 [browser_bug906190.js]
 tags = mcb
 skip-if = buildapp == "mulet" || e10s # Bug 1093642 - test manipulates content and relies on content focus
 [browser_mixedContentFromOnunload.js]
+tags = mcb
+[browser_mixedContentFramesOnHttp.js]
+tags = mcb
 [browser_bug970746.js]
 [browser_bug1015721.js]
 skip-if = os == 'win' || e10s # Bug 1159268 - Need a content-process safe version of synthesizeWheel
 [browser_bug1064280_changeUrlInPinnedTab.js]
 [browser_bug1070778.js]
 [browser_canonizeURL.js]
 skip-if = e10s # Bug 1094510 - test hits the network in e10s mode only
 [browser_clipboard.js]
@@ -483,16 +488,17 @@ skip-if = (os == "win" && !debug)
 [browser_web_channel.js]
 [browser_windowopen_reflows.js]
 skip-if = buildapp == 'mulet'
 [browser_wyciwyg_urlbarCopying.js]
 [browser_zbug569342.js]
 skip-if = e10s # Bug 1094240 - has findbar-related failures
 [browser_registerProtocolHandler_notification.js]
 [browser_no_mcb_on_http_site.js]
+tags = mcb
 [browser_bug1104165-switchtab-decodeuri.js]
 [browser_bug1003461-switchtab-override.js]
 [browser_bug1024133-switchtab-override-keynav.js]
 [browser_bug1025195_switchToTabHavingURI_aOpenParams.js]
 [browser_addCertException.js]
 skip-if = e10s # Bug 1100687 - test directly manipulates content (content.document.getElementById)
 [browser_bug1045809.js]
 tags = mcb
new file mode 100644
--- /dev/null
+++ b/browser/base/content/test/general/browser_mixedContentFramesOnHttp.js
@@ -0,0 +1,52 @@
+/*
+ * Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/publicdomain/zero/1.0/
+ *
+ * Test for Bug 1182551 -
+ *
+ * This test has a top level HTTP page with an HTTPS iframe.  The HTTPS iframe
+ * includes an HTTP image.  We check that the top level security state is
+ * STATE_IS_INSECURE.  The mixed content from the iframe shouldn't "upgrade"
+ * the HTTP top level page to broken HTTPS.
+ */
+
+const gHttpTestRoot = "http://example.com/browser/browser/base/content/test/general/";
+
+let gTestBrowser = null;
+
+function SecStateTestsCompleted() {
+  gBrowser.removeCurrentTab();
+  window.focus();
+  finish();
+}
+
+function test() {
+  waitForExplicitFinish();
+  SpecialPowers.pushPrefEnv({"set": [
+    ["security.mixed_content.block_active_content", true],
+    ["security.mixed_content.block_display_content", false]
+  ]}, SecStateTests);
+}
+
+function SecStateTests() {
+  let url = gHttpTestRoot + "file_mixedContentFramesOnHttp.html";
+  gBrowser.selectedTab = gBrowser.addTab();
+  gTestBrowser = gBrowser.selectedBrowser;
+  whenLoaded(gTestBrowser, SecStateTest1);
+  gTestBrowser.contentWindow.location = url;
+}
+
+// The http page loads an https frame with an http image.
+function SecStateTest1() {
+  // check security state is insecure
+  isSecurityState("insecure");
+
+  SecStateTestsCompleted();
+}
+
+function whenLoaded(aElement, aCallback) {
+  aElement.addEventListener("load", function onLoad() {
+    aElement.removeEventListener("load", onLoad, true);
+    executeSoon(aCallback);
+  }, true);
+}
--- a/browser/base/content/test/general/browser_mixedContentFromOnunload.js
+++ b/browser/base/content/test/general/browser_mixedContentFromOnunload.js
@@ -65,43 +65,14 @@ function SecStateTest2A() {
 }
 
 function SecStateTest2B() {
   isSecurityState("broken");
 
   SecStateTestsCompleted();
 }
 
-// Compares the security state of the page with what is expected
-function isSecurityState(expectedState) {
-  let ui = gTestBrowser.securityUI;
-  if (!ui) {
-    ok(false, "No security UI to get the security state");
-    return;
-  }
-
-  const wpl = Components.interfaces.nsIWebProgressListener;
-
-  // determine the security state
-  let isSecure = ui.state & wpl.STATE_IS_SECURE;
-  let isBroken = ui.state & wpl.STATE_IS_BROKEN;
-  let isInsecure = ui.state & wpl.STATE_IS_INSECURE;
-
-  let actualState;
-  if (isSecure && !(isBroken || isInsecure)) {
-    actualState = "secure";
-  } else if (isBroken && !(isSecure || isInsecure)) {
-    actualState = "broken";
-  } else if (isInsecure && !(isSecure || isBroken)) {
-    actualState = "insecure";
-  } else {
-    actualState = "unknown";
-  }
-
-  is(expectedState, actualState, "Expected state " + expectedState + " and the actual state is " + actualState + ".");
-}
-
 function whenLoaded(aElement, aCallback) {
   aElement.addEventListener("load", function onLoad() {
     aElement.removeEventListener("load", onLoad, true);
     executeSoon(aCallback);
   }, true);
 }
new file mode 100644
--- /dev/null
+++ b/browser/base/content/test/general/file_mixedContentFramesOnHttp.html
@@ -0,0 +1,14 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+Test for https://bugzilla.mozilla.org/show_bug.cgi?id=1182551
+-->
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 1182551</title>
+</head>
+<body>
+  <p>Test for Bug 1182551.  This is an HTTP top level page.  We include an HTTPS iframe that loads mixed passive content.</p>
+  <iframe src="https://example.org/browser/browser/base/content/test/general/file_mixedPassiveContent.html"></iframe>
+</body>
+</html>
new file mode 100644
--- /dev/null
+++ b/browser/base/content/test/general/file_mixedPassiveContent.html
@@ -0,0 +1,13 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+Test for https://bugzilla.mozilla.org/show_bug.cgi?id=1182551
+-->
+<head>
+  <meta charset="utf-8">
+  <title>HTTPS page with HTTP image</title>
+</head>
+<body>
+  <img src="http://mochi.test:8888/tests/image/test/mochitest/blue.png">
+</body>
+</html>
--- a/browser/base/content/test/general/head.js
+++ b/browser/base/content/test/general/head.js
@@ -956,8 +956,37 @@ function promiseNewSearchEngine(basename
       },
       onError: function (errCode) {
         Assert.ok(false, "addEngine failed with error code " + errCode);
         reject();
       },
     });
   });
 }
+
+// Compares the security state of the page with what is expected
+function isSecurityState(expectedState) {
+  let ui = gTestBrowser.securityUI;
+  if (!ui) {
+    ok(false, "No security UI to get the security state");
+    return;
+  }
+
+  const wpl = Components.interfaces.nsIWebProgressListener;
+
+  // determine the security state
+  let isSecure = ui.state & wpl.STATE_IS_SECURE;
+  let isBroken = ui.state & wpl.STATE_IS_BROKEN;
+  let isInsecure = ui.state & wpl.STATE_IS_INSECURE;
+
+  let actualState;
+  if (isSecure && !(isBroken || isInsecure)) {
+    actualState = "secure";
+  } else if (isBroken && !(isSecure || isInsecure)) {
+    actualState = "broken";
+  } else if (isInsecure && !(isSecure || isBroken)) {
+    actualState = "insecure";
+  } else {
+    actualState = "unknown";
+  }
+
+  is(expectedState, actualState, "Expected state " + expectedState + " and the actual state is " + actualState + ".");
+}
--- a/dom/security/test/mixedcontentblocker/mochitest.ini
+++ b/dom/security/test/mixedcontentblocker/mochitest.ini
@@ -1,9 +1,10 @@
 [DEFAULT]
+tags = mcb
 support-files =
   file_bug803225_test_mailto.html
   file_frameNavigation.html
   file_frameNavigation_blankTarget.html
   file_frameNavigation_grandchild.html
   file_frameNavigation_innermost.html
   file_frameNavigation_secure.html
   file_frameNavigation_secure_grandchild.html