Bug 1402363 - Test Mixed Content Redirect Blocking. r=tanvi, r=kate, a=ritu DEVEDITION_57_0b5_RELEASE FIREFOX_57_0b5_BUILD1 FIREFOX_57_0b5_RELEASE
authorChristoph Kerschbaumer <ckerschb@christophkerschbaumer.com>
Mon, 02 Oct 2017 09:12:12 +0200
changeset 434501 37d18f6628dcecba2f3f59a3d853071b7ca799e0
parent 434500 e28505bd7c0402f9b778956c214becf896032799
child 434502 2cc69216f323ea33c977f7186b0b5668707c88f1
push id1567
push userjlorenzo@mozilla.com
push dateThu, 02 Nov 2017 12:36:05 +0000
treeherdermozilla-release@e512c14a0406 [default view] [failures only]
reviewerstanvi, kate, ritu
bugs1402363
milestone57.0
Bug 1402363 - Test Mixed Content Redirect Blocking. r=tanvi, r=kate, a=ritu
dom/security/test/mixedcontentblocker/file_redirect.html
dom/security/test/mixedcontentblocker/file_redirect_handler.sjs
dom/security/test/mixedcontentblocker/mochitest.ini
dom/security/test/mixedcontentblocker/test_redirect.html
new file mode 100644
--- /dev/null
+++ b/dom/security/test/mixedcontentblocker/file_redirect.html
@@ -0,0 +1,31 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug1402363: Test mixed content redirects</title>
+</head>
+<body>
+
+<script type="text/javascript">
+  const PATH = "https://example.com/tests/dom/security/test/mixedcontentblocker/";
+
+  // check a fetch redirect from https to https (should be allowed)
+  fetch(PATH + "file_redirect_handler.sjs?https-to-https-redirect", {
+    method: 'get'
+  }).then(function(response) {
+    window.parent.postMessage("https-to-https-loaded", "*");
+  }).catch(function(err) {
+    window.parent.postMessage("https-to-https-blocked", "*");
+  });
+
+  // check a fetch redirect from https to http (should be blocked)
+  fetch(PATH + "file_redirect_handler.sjs?https-to-http-redirect", {
+    method: 'get'
+  }).then(function(response) {
+    window.parent.postMessage("https-to-http-loaded", "*");
+  }).catch(function(err) {
+    window.parent.postMessage("https-to-http-blocked", "*");
+  });
+
+</script>
+</body>
+</html>
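Review bot: Both `.then` callbacks post a `-loaded` message for any resolved response and both `.catch` callbacks post `-blocked` for any rejection, so the page cannot tell a mixed-content block apart from an unrelated network or server failure. For the https-to-https case the positive result could be pinned by starting the first `.then` with `if (!response.ok) { throw new Error("unexpected status " + response.status); }`, or by comparing the body against the `foo` the handler writes. The `response` and `err` parameters are otherwise unused. A short comment noting that the `"*"` target origin is acceptable because the messages carry no sensitive data would also help readers who copy this pattern.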
new file mode 100644
--- /dev/null
+++ b/dom/security/test/mixedcontentblocker/file_redirect_handler.sjs
@@ -0,0 +1,29 @@
+// custom *.sjs file for
+// Bug 1402363: Test Mixed Content Redirect Blocking.
+
+const URL_PATH = "example.com/tests/dom/security/test/mixedcontentblocker/";
+
+function handleRequest(request, response) {
+  response.setHeader("Cache-Control", "no-cache", false);
+  let queryStr = request.queryString;
+
+  if (queryStr === "https-to-https-redirect") {
+    response.setStatusLine("1.1", 302, "Found");
+    response.setHeader("Location",
+      "https://" + URL_PATH + "file_redirect_handler.sjs?load", false);
+    return;
+  }
+
+  if (queryStr === "https-to-http-redirect") {
+    response.setStatusLine("1.1", 302, "Found");
+    response.setHeader("Location",
+      "http://" + URL_PATH + "file_redirect_handler.sjs?load", false);
+    return;
+  }
+
+  if (queryStr === "load") {
+    response.setHeader("Content-Type", "text/html", false);
+    response.write("foo");
+    return;
+  }
+}
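Review bot: The `load` branch sets no `Access-Control-Allow-Origin` header, so the https-to-http fetch in file_redirect.html would probably reject even if the mixed content blocker did nothing. The redirect target is a different origin (http vs https) and that fetch uses the default CORS mode, so the test may pass without exercising the blocking it is meant to cover. Adding `response.setHeader("Access-Control-Allow-Origin", "*", false);` in the `load` branch would leave mixed-content blocking as the only expected reason for the rejection. Separately, an unrecognised query string falls through all three `if` blocks and returns the default response; an explicit `response.setStatusLine("1.1", 400, "Bad Request");` at the end would make a typo in a test URL visible.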
--- a/dom/security/test/mixedcontentblocker/mochitest.ini
+++ b/dom/security/test/mixedcontentblocker/mochitest.ini
@@ -9,15 +9,18 @@ support-files =
   file_frameNavigation_secure.html
   file_frameNavigation_secure_grandchild.html
   file_main.html
   file_main_bug803225.html
   file_main_bug803225_websocket_wsh.py
   file_server.sjs
   !/dom/media/test/320x240.ogv
   !/image/test/mochitest/blue.png
+  file_redirect.html
+  file_redirect_handler.sjs
 
 [test_main.html]
 skip-if = toolkit == 'android' #TIMED_OUT
 [test_bug803225.html]
 skip-if = toolkit == 'android' || (os=='linux' && bits==32) #Android: TIMED_OUT; Linux32:bug 1324870
 [test_frameNavigation.html]
 skip-if = toolkit == 'android' #TIMED_OUT
+[test_redirect.html]
new file mode 100644
--- /dev/null
+++ b/dom/security/test/mixedcontentblocker/test_redirect.html
@@ -0,0 +1,50 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug1402363: Test mixed content redirects</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+
+<body onload='startTest()'>
+<iframe style="width:100%;height:300px;" id="testframe"></iframe>
+
+<script class="testbody" type="text/javascript">
+
+SimpleTest.waitForExplicitFinish();
+
+const PATH = "https://example.com/tests/dom/security/test/mixedcontentblocker/";
+let testcounter = 0;
+
+window.addEventListener("message", receiveMessage);
+function receiveMessage(event) {
+  if (event.data === "https-to-https-loaded") {
+    ok(true, "https to https fetch redirect should be allowed");
+  }
+  else if (event.data === "https-to-http-blocked") {
+    ok(true, "https to http fetch redirect should be blocked");
+  }
+  else {
+    ok(false, "sanity: we should never enter that branch (" + event.data + ")");
+  }
+  testcounter++;
+  if (testcounter < 2) {
+    return;
+  }
+  window.removeEventListener("message", receiveMessage);
+  SimpleTest.finish();
+}
+
+function startTest() {
+  SpecialPowers.pushPrefEnv({
+  	'set': [["security.mixed_content.use_hsts", false],
+            ["security.mixed_content.send_hsts_priming", false]]
+  }, function () {
+    let testframe = document.getElementById("testframe");
+    testframe.src = PATH + "file_redirect.html";
+  });
+}
+
+</script>
+</body>
+</html>
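Review bot: `receiveMessage` counts every incoming message toward `testcounter` without checking who sent it, so a stray or duplicated message can finish the test before both expected results have arrived. A guard at the top such as `if (event.origin !== "https://example.com") { return; }` would restrict it to the test frame. Tracking the two expected strings individually would be stricter still than a bare counter. The real regression signal, `https-to-http-loaded`, currently lands in the generic "sanity" branch; an explicit `ok(false, "https to http fetch redirect was not blocked")` branch would make that failure self-explanatory in logs. As a style point, the `'set':` line in `startTest` is indented with a tab while the rest of the file uses spaces.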