Bug 1273430 - Test CSP upgrade-insecure-requests for doc.write(iframe). r=tanvi
authorChristoph Kerschbaumer <ckerschb@christophkerschbaumer.com>
Wed, 20 Jul 2016 09:26:16 +0200
changeset 330876 90f9475f974640c8ccbadfaef6ab442752d869f5
parent 330875 a0f0837ba27de9a5d109c74ae860229ae425abfa
child 330877 82ee6a3e31d66cc776e8869dceaa05a8da6e0429
push id9858
push userjlund@mozilla.com
push dateMon, 01 Aug 2016 14:37:10 +0000
reviewerstanvi
bugs1273430
milestone50.0a1
Bug 1273430 - Test CSP upgrade-insecure-requests for doc.write(iframe). r=tanvi
dom/security/test/csp/file_upgrade_insecure_docwrite_iframe.sjs
dom/security/test/csp/mochitest.ini
dom/security/test/csp/test_upgrade_insecure_docwrite_iframe.html
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/file_upgrade_insecure_docwrite_iframe.sjs
@@ -0,0 +1,54 @@
+// custom *.sjs for Bug 1273430
+// META CSP: upgrade-insecure-requests
+
+// important: the IFRAME_URL is *http* and needs to be upgraded to *https* by upgrade-insecure-requests
+const IFRAME_URL =
+  "http://example.com/tests/dom/security/test/csp/file_upgrade_insecure_docwrite_iframe.sjs?docwriteframe";
+
+const TEST_FRAME = `
+  <!DOCTYPE HTML>
+  <html><head><meta charset="utf-8">
+  <title>TEST_FRAME</title>
+  <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
+  </head>
+  <body>
+  <script type="text/javascript">
+    document.write('<iframe src="` + IFRAME_URL + `"/>');
+  </script>
+  </body>
+  </html>`;
+
+
+// doc.write(iframe) sends a post message to the parent indicating the current
+// location so the parent can make sure the request was upgraded to *https*.
+const DOC_WRITE_FRAME = `
+  <!DOCTYPE HTML>
+  <html><head><meta charset="utf-8">
+  <title>DOC_WRITE_FRAME</title>
+  </head>
+  <body onload="window.parent.parent.postMessage({result: document.location.href}, '*');">
+  </body>
+  </html>`;
+
+function handleRequest(request, response)
+{
+  // avoid confusing cache behaviors
+  response.setHeader("Cache-Control", "no-cache", false);
+  response.setHeader("Content-Type", "text/html", false);
+
+  var queryString = request.queryString;
+
+  if (queryString === "testframe") {
+    response.write(TEST_FRAME);
+    return;
+  }
+
+  if (queryString === "docwriteframe") {
+    response.write(DOC_WRITE_FRAME);
+    return;
+  }
+
+  // we should never get here, but just in case
+  // return something unexpected
+  response.write("do'h");
+}
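Review bot: The markup written by TEST_FRAME is `<iframe src="..."/>`, and since iframe is a raw-text element the self-closing slash is ignored by the HTML parser, so everything that follows in the input stream is swallowed as iframe content until a closing tag that never comes; the frame still loads because the src attribute is already set, but the test's document ends up malformed. Emit a properly closed element instead: `document.write('<iframe src="` + IFRAME_URL + `"></iframe>');`. On the fallthrough path at the end of handleRequest the sjs still answers with a 200 and the body "do'h", which a caller cannot distinguish from a valid frame; prefixing that write with `response.setStatusLine(request.httpVersion, 400, "Bad Request");` makes an unexpected query string visibly fail rather than render. Minor: `var queryString` can be `const queryString`, as the file already uses `const` for its other bindings.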
--- a/dom/security/test/csp/mochitest.ini
+++ b/dom/security/test/csp/mochitest.ini
@@ -180,16 +180,17 @@ support-files =
   file_sandbox_8.html
   file_sandbox_9.html
   file_sandbox_10.html
   file_sandbox_11.html
   file_sandbox_12.html
   file_require_sri_meta.sjs
   file_require_sri_meta.js
   file_sendbeacon.html
+  file_upgrade_insecure_docwrite_iframe.sjs
 
 [test_base-uri.html]
 [test_blob_data_schemes.html]
 [test_connect-src.html]
 [test_CSP.html]
 [test_allow_https_schemes.html]
 skip-if = buildapp == 'b2g' #no ssl support
 [test_bug663567.html]
@@ -272,8 +273,9 @@ tags = mcb
 [test_form_action_blocks_url.html]
 [test_meta_whitespace_skipping.html]
 [test_iframe_sandbox.html]
 [test_iframe_sandbox_top_1.html]
 [test_sandbox.html]
 [test_ping.html]
 [test_require_sri_meta.html]
 [test_sendbeacon.html]
+[test_upgrade_insecure_docwrite_iframe.html]
new file mode 100644
--- /dev/null
+++ b/dom/security/test/csp/test_upgrade_insecure_docwrite_iframe.html
@@ -0,0 +1,54 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Bug 1273430 - Test CSP upgrade-insecure-requests for doc.write(iframe)</title>
+  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<iframe style="width:100%;" id="testframe"></iframe>
+
+<script class="testbody" type="text/javascript">
+
+/* Description of the test:
+ * Load an iframe which ships with a CSP of upgrade-insecure-requests.
+ * Within that iframe a script performs doc.write(iframe) using an
+ * *http* URL. Make sure, the URL is upgraded to *https*.
+ *
+ * +-----------------------------------------+
+ * |                                         |
+ * | http(s); csp: upgrade-insecure-requests |       |
+ * | +---------------------------------+     |
+ * | |                                 |     |
+ * | | doc.write(<iframe src='http'>); | <--------- upgrade to https
+ * | |                                 |     |
+ * | +---------------------------------+     |
+ * |                                         |
+ * +-----------------------------------------+
+ *
+ */
+
+const TEST_FRAME_URL =
+  "https://example.com/tests/dom/security/test/csp/file_upgrade_insecure_docwrite_iframe.sjs?testframe";
+
+// important: the RESULT should have a scheme of *https*
+const RESULT =
+  "https://example.com/tests/dom/security/test/csp/file_upgrade_insecure_docwrite_iframe.sjs?docwriteframe";
+
+window.addEventListener("message", receiveMessage, false);
+function receiveMessage(event) {
+  is(event.data.result, RESULT, "doc.write(iframe) of http should be upgraded to https!");
+  window.removeEventListener("message", receiveMessage, false);
+  SimpleTest.finish();
+}
+
+// start the test
+SimpleTest.waitForExplicitFinish();
+var testframe = document.getElementById("testframe");
+testframe.src = TEST_FRAME_URL;
+
+</script>
+</body>
+</html>
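Review bot: receiveMessage accepts the first "message" event from any source and immediately calls SimpleTest.finish(), so a stray postMessage from harness code or any other frame would end the test with a spurious failure instead of waiting for the doc.write frame's report. Ignore messages that do not come from the test host before asserting, e.g. `if (new URL(event.origin).hostname !== "example.com") return;` at the top of the handler, which keeps both the expected https origin and a non-upgraded http origin flowing into the `is()` check so a missing upgrade still fails loudly. A one-line comment above the listener saying that the payload `{result: <location>}` is posted by file_upgrade_insecure_docwrite_iframe.sjs would also help readers, since that contract is only visible in the other file. Minor: `var testframe` can be `const testframe`, matching the `const` used for TEST_FRAME_URL and RESULT.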