Bug 1585055 - Flip Pref for XTCO-NoSniff and update test to match. r=ckerschb, a=lizzard
authorSebastian Streich <sstreich@mozilla.com>
Mon, 07 Oct 2019 12:05:36 +0000
changeset 552365 9e9523dd9fe95bac23c481080398341d688617e9
parent 552364 27a820b8753a1320bb724b7fd164fe487a3f1729
child 552366 ff97b7b66c717dfaa02d0991a141f81e3572e87c
push id12155
push userjcristau@mozilla.com
push dateThu, 10 Oct 2019 14:13:03 +0000
reviewersckerschb, lizzard
bugs1585055
milestone70.0
Bug 1585055 - Flip Pref for XTCO-NoSniff and update test to match. r=ckerschb, a=lizzard *** Use Window.opener in test Differential Revision: https://phabricator.services.mozilla.com/D47635
dom/security/test/general/mochitest.ini
dom/security/test/general/test_nosniff_navigation.html
dom/security/test/general/window_nosniff_navigation.html
modules/libpref/init/StaticPrefList.yaml
--- a/dom/security/test/general/mochitest.ini
+++ b/dom/security/test/general/mochitest.ini
@@ -21,16 +21,17 @@ support-files =
   file_same_site_cookies_blob_iframe_inclusion.html
   file_same_site_cookies_iframe.html
   file_same_site_cookies_iframe.sjs
   file_same_site_cookies_about_navigation.html
   file_same_site_cookies_about_inclusion.html
   file_same_site_cookies_about.sjs
   file_cache_splitting_server.sjs
   file_cache_splitting_window.html
+  window_nosniff_navigation.html
 
 
 [test_contentpolicytype_targeted_link_iframe.html]
 [test_nosniff.html]
 [test_cache_split.html]
 skip-if = fission || verify
 [test_nosniff_navigation.html]
 [test_block_script_wrong_mime.html]
--- a/dom/security/test/general/test_nosniff_navigation.html
+++ b/dom/security/test/general/test_nosniff_navigation.html
@@ -1,92 +1,41 @@
 <!DOCTYPE HTML>
 <html>
+
 <head>
   <title>Bug 1428473 Support X-Content-Type-Options: nosniff when navigating</title>
   <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
   <script src="/tests/SimpleTest/SimpleTest.js"></script>
   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
-  <style>
-    iframe{
-      border: 1px solid orange;
-    }
-  </style>
+</head>
 
-  <iframe class="no-mime" src="file_nosniff_navigation.sjs?xml"> </iframe>
-  <iframe class="no-mime" src="file_nosniff_navigation.sjs?html"></iframe>
-  <iframe class="no-mime" src="file_nosniff_navigation.sjs?css" ></iframe>
-  <iframe class="no-mime" src="file_nosniff_navigation.sjs?json"></iframe>
-  <iframe class="no-mime" src="file_nosniff_navigation.sjs?img"></iframe>
-  <iframe class="no-mime" src="file_nosniff_navigation.sjs"></iframe>
- 
-  <hr>
-  <iframe class="mismatch-mime" src="file_nosniff_navigation_mismatch.sjs?html"></iframe>
-  <iframe class="mismatch-mime" src="file_nosniff_navigation_mismatch.sjs?xml"></iframe>
-  <iframe class="mismatch-mime" src="file_nosniff_navigation_mismatch.sjs?css"></iframe>
-  <iframe class="mismatch-mime" src="file_nosniff_navigation_mismatch.sjs?json"></iframe>
-  <iframe class="mismatch-mime" src="file_nosniff_navigation_mismatch.sjs?img"></iframe>
-  <iframe class="mismatch-mime" src="file_nosniff_navigation_mismatch.sjs"></iframe>
-  <hr>
-
-  <iframe class="garbage-mime" src="file_nosniff_navigation_garbage.sjs?xml"> </iframe>
-  <iframe class="garbage-mime" src="file_nosniff_navigation_garbage.sjs?html"></iframe>
-  <iframe class="garbage-mime" src="file_nosniff_navigation_garbage.sjs?css" ></iframe>
-  <iframe class="garbage-mime" src="file_nosniff_navigation_garbage.sjs?json"></iframe>
-  <iframe class="garbage-mime" src="file_nosniff_navigation_garbage.sjs?img"></iframe>
-  <iframe class="garbage-mime" src="file_nosniff_navigation_garbage.sjs"></iframe>
- 
-
-</head>
 <body>
 
-<!-- add the two script tests -->
-<script id="scriptCorrectType"></script>
-<script id="scriptWrongType"></script>
+  <!-- add the two script tests -->
+  <script id="scriptCorrectType"></script>
+  <script id="scriptWrongType"></script>
 
-<script class="testbody" type="text/javascript">
-/* Description of the test:
- * We're testing if Firefox respects the nosniff Header for Top-Level 
- * Navigations.
- * If Firefox cant Display the Page, it will prompt a download 
- * and the URL of the Page will be about:blank.
- * So we will try to open different content send with
- * no-mime, mismatched-mime and garbage-mime types.
- * 
- */
-
-SimpleTest.waitForExplicitFinish();
-
-window.addEventListener("load", ()=>{
-  let noMimeFrames = Array.from(document.querySelectorAll(".no-mime"));
+  <script class="testbody" type="text/javascript">
+    /* Description of the test:
+     * We're testing if Firefox respects the nosniff Header for Top-Level 
+     * Navigations.
+     * If Firefox cant Display the Page, it will prompt a download 
+     * and the URL of the Page will be about:blank.
+     * So we will try to open different content send with
+     * no-mime, mismatched-mime and garbage-mime types.
+     * 
+     */
 
-  noMimeFrames.forEach( frame => {
-    // In case of no Provided Content Type, not rendering or assuming text/plain is valid
-    let result = frame.contentWindow.document.URL == "about:blank" || frame.contentWindow.document.contentType == "text/plain";
-    let sniffTarget = (new URL(frame.src)).search;
-    ok(result, `${sniffTarget} without MIME - was not Sniffed`);
-  });
-
-  let mismatchedMimes = Array.from(document.querySelectorAll(".mismatch-mime"));
-  mismatchedMimes.forEach(frame => {
-    // In case the Server mismatches the Mime Type (sends content X as image/png)
-    // assert that we do not sniff and correct this.
-    let result = frame.contentWindow.document.contentType == "image/png";
-    let sniffTarget = (new URL(frame.src)).search;
-    ok(result, `${sniffTarget} send as image/png - was not Sniffed`);
-  });
+    SimpleTest.waitForExplicitFinish();
 
-  let badMimeFrames = Array.from(document.querySelectorAll(".garbage-mime"));
+    window.addEventListener("load", async () => {
+      await SpecialPowers.pushPrefEnv(
+      {
+          set: [["dom.security.respect_document_nosniff", true]],
+        }
+    );
+    window.open("window_nosniff_navigation.html");
+});
+  </script>
+</body>
 
-  badMimeFrames.forEach( frame => {
-    // In the case we got a bogous mime, assert that we dont sniff. 
-    // We must not default here to text/plain
-    // as the Server at least provided a mime type. 
-    let result = frame.contentWindow.document.URL == "about:blank";
-    let sniffTarget = (new URL(frame.src)).search;
-    ok(result, `${sniffTarget} send as garbage/garbage - was not Sniffed`);
-  });
-  
-  SimpleTest.finish();
-});
-</script>
-</body>
-</html>
+</html>
\ No newline at end of file
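Review bot: Nothing in the new `load` handler handles `window.open("window_nosniff_navigation.html")` failing, and because `SimpleTest.finish()` is now called only from the opened window, a null return leaves the test to hit the harness timeout with no message. Keep the handle and fail fast, e.g. `const win = window.open("window_nosniff_navigation.html");` followed by `if (!win) { ok(false, "could not open test window"); SimpleTest.finish(); }`. The handler also pins `dom.security.respect_document_nosniff` to `true` while this commit sets the default to `false` in StaticPrefList.yaml, so nothing visible here exercises the default configuration. A comment above `pushPrefEnv` such as `// nosniff for navigations is off by default (Bug 1585055); enable it for this test` would make that explicit. The retained block comment still describes assertions that moved to the new file, and the `pushPrefEnv` call is indented inconsistently.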
new file mode 100644
--- /dev/null
+++ b/dom/security/test/general/window_nosniff_navigation.html
@@ -0,0 +1,95 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug 1428473 Support X-Content-Type-Options: nosniff when navigating</title>
+  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+  <style>
+    iframe{
+      border: 1px solid orange;
+    }
+  </style>
+
+  <iframe class="no-mime" src="file_nosniff_navigation.sjs?xml"> </iframe>
+  <iframe class="no-mime" src="file_nosniff_navigation.sjs?html"></iframe>
+  <iframe class="no-mime" src="file_nosniff_navigation.sjs?css" ></iframe>
+  <iframe class="no-mime" src="file_nosniff_navigation.sjs?json"></iframe>
+  <iframe class="no-mime" src="file_nosniff_navigation.sjs?img"></iframe>
+  <iframe class="no-mime" src="file_nosniff_navigation.sjs"></iframe>
+ 
+  <hr>
+  <iframe class="mismatch-mime" src="file_nosniff_navigation_mismatch.sjs?html"></iframe>
+  <iframe class="mismatch-mime" src="file_nosniff_navigation_mismatch.sjs?xml"></iframe>
+  <iframe class="mismatch-mime" src="file_nosniff_navigation_mismatch.sjs?css"></iframe>
+  <iframe class="mismatch-mime" src="file_nosniff_navigation_mismatch.sjs?json"></iframe>
+  <iframe class="mismatch-mime" src="file_nosniff_navigation_mismatch.sjs?img"></iframe>
+  <iframe class="mismatch-mime" src="file_nosniff_navigation_mismatch.sjs"></iframe>
+  <hr>
+
+  <iframe class="garbage-mime" src="file_nosniff_navigation_garbage.sjs?xml"> </iframe>
+  <iframe class="garbage-mime" src="file_nosniff_navigation_garbage.sjs?html"></iframe>
+  <iframe class="garbage-mime" src="file_nosniff_navigation_garbage.sjs?css" ></iframe>
+  <iframe class="garbage-mime" src="file_nosniff_navigation_garbage.sjs?json"></iframe>
+  <iframe class="garbage-mime" src="file_nosniff_navigation_garbage.sjs?img"></iframe>
+  <iframe class="garbage-mime" src="file_nosniff_navigation_garbage.sjs"></iframe>
+ 
+
+</head>
+
+<body>
+
+<!-- add the two script tests -->
+<script id="scriptCorrectType"></script>
+<script id="scriptWrongType"></script>
+
+<script class="testbody" type="text/javascript">
+/* Description of the test:
+ * We're testing if Firefox respects the nosniff Header for Top-Level 
+ * Navigations.
+ * If Firefox cant Display the Page, it will prompt a download 
+ * and the URL of the Page will be about:blank.
+ * So we will try to open different content send with
+ * no-mime, mismatched-mime and garbage-mime types.
+ * 
+ */
+
+SimpleTest.waitForExplicitFinish();
+
+window.addEventListener("load", ()=>{
+  let noMimeFrames = Array.from(document.querySelectorAll(".no-mime"));
+
+  noMimeFrames.forEach( frame => {
+    // In case of no Provided Content Type, not rendering or assuming text/plain is valid
+    let result = frame.contentWindow.document.URL == "about:blank" || frame.contentWindow.document.contentType == "text/plain";
+    let sniffTarget = (new URL(frame.src)).search;
+    window.opener.ok(result, `${sniffTarget} without MIME - was not Sniffed`);
+  });
+
+  let mismatchedMimes = Array.from(document.querySelectorAll(".mismatch-mime"));
+  mismatchedMimes.forEach(frame => {
+    // In case the Server mismatches the Mime Type (sends content X as image/png)
+    // assert that we do not sniff and correct this.
+    let result = frame.contentWindow.document.contentType == "image/png";
+    let sniffTarget = (new URL(frame.src)).search;
+    window.opener.ok(result, `${sniffTarget} send as image/png - was not Sniffed`);
+  });
+
+  let badMimeFrames = Array.from(document.querySelectorAll(".garbage-mime"));
+
+  badMimeFrames.forEach( frame => {
+    // In the case we got a bogous mime, assert that we dont sniff. 
+    // We must not default here to text/plain
+    // as the Server at least provided a mime type. 
+    let result = frame.contentWindow.document.URL == "about:blank";
+    let sniffTarget = (new URL(frame.src)).search;
+    window.opener.ok(result, `${sniffTarget} send as garbage/garbage - was not Sniffed`);
+  });
+  
+  window.opener.SimpleTest.finish();
+  this.close();
+});
+</script>
+</body>
+
+</html>
\ No newline at end of file
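Review bot: An exception anywhere in the `load` handler (for example a frame whose `contentWindow.document` cannot be read) skips `window.opener.SimpleTest.finish()`, so the run ends as a harness timeout rather than a named failure. Wrapping the three `forEach` blocks as `try { … } finally { window.opener.SimpleTest.finish(); window.close(); }` keeps the teardown unconditional. `this.close()` only works because the arrow function inherits the script's top-level `this`; `window.close()` states the intent without that dependency. The `SimpleTest.waitForExplicitFinish()` call in this file looks redundant now that results are reported through `window.opener`, though that should be confirmed against the harness before dropping it.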
--- a/modules/libpref/init/StaticPrefList.yaml
+++ b/modules/libpref/init/StaticPrefList.yaml
@@ -2034,17 +2034,17 @@
 # This pref enables the featurePolicy header support.
 - name: dom.security.featurePolicy.header.enabled
   type: bool
   value: @IS_NIGHTLY_BUILD@
   mirror: always
 
 - name: dom.security.respect_document_nosniff
   type: RelaxedAtomicBool
-  value: true
+  value: false
   mirror: always
 
 # Expose the 'policy' attribute in document and HTMLIFrameElement
 - name: dom.security.featurePolicy.webidl.enabled
   type: bool
   value: @IS_NIGHTLY_BUILD@
   mirror: always