Bug 1525036 - Add Test for Cross-Origin header policy r=nika
☠☠ backed out by 9da6e8f78737 ☠ ☠
authorValentin Gosu <valentin.gosu@gmail.com>
Fri, 08 Mar 2019 15:33:49 +0000
changeset 524159 6391f42aaa6d59c51c81c2da0681243a463a8012
parent 524158 de92c0248a0b0ecbf0ad104650305a31985fa6ff
child 524160 fa0363d33dbd074afe05a3278617d368e4d13aa1
push id2032
push userffxbld-merge
push dateMon, 13 May 2019 09:36:57 +0000
treeherdermozilla-release@455c1065dcbe [default view] [failures only]
reviewersnika
bugs1525036
milestone67.0a1
Bug 1525036 - Add Test for Cross-Origin header policy r=nika Differential Revision: https://phabricator.services.mozilla.com/D21414
toolkit/components/remotebrowserutils/tests/browser/browser.ini
toolkit/components/remotebrowserutils/tests/browser/browser_httpCrossOriginHeader.js
toolkit/components/remotebrowserutils/tests/browser/cross_origin_header.sjs
--- a/toolkit/components/remotebrowserutils/tests/browser/browser.ini
+++ b/toolkit/components/remotebrowserutils/tests/browser/browser.ini
@@ -1,13 +1,15 @@
 [DEFAULT]
 run-if = e10s
 support-files =
   dummy_page.html
   print_postdata.sjs
   307redirect.sjs
   head.js
   coop_header.sjs
+  cross_origin_header.sjs
 
 [browser_RemoteWebNavigation.js]
 [browser_httpResponseProcessSelection.js]
 [browser_httpCrossOriginOpenerPolicy.js]
 [browser_httpToFileHistory.js]
+[browser_httpCrossOriginHeader.js]
new file mode 100644
--- /dev/null
+++ b/toolkit/components/remotebrowserutils/tests/browser/browser_httpCrossOriginHeader.js
@@ -0,0 +1,150 @@
+"use strict";
+
+const {E10SUtils} = ChromeUtils.import("resource://gre/modules/E10SUtils.jsm");
+
+const PREF_NAME = "browser.tabs.remote.useCrossOriginPolicy";
+
+function httpURL(filename, host = "https://example.com") {
+  let root = getRootDirectory(gTestPath)
+    .replace("chrome://mochitests/content", host);
+  return root + filename;
+}
+
+async function performLoad(browser, opts, action) {
+  let loadedPromise = BrowserTestUtils.browserStopped(
+    browser, opts.url, opts.maybeErrorPage);
+  await action();
+  await loadedPromise;
+}
+
+async function test_policy(start, target, expectError) {
+  return BrowserTestUtils.withNewTab({
+    gBrowser,
+    url: start,
+    waitForStateStop: true,
+  }, async function(browser) {
+    info(`Test tab ready: ${start}`);
+
+    await performLoad(browser, {
+      url: target,
+      maybeErrorPage: expectError,
+    }, async () => {
+      BrowserTestUtils.loadURI(browser, target);
+    });
+
+    info(`Navigated to: ${target}`);
+
+    let isError = await ContentTask.spawn(browser, null, () => {
+      return content.document.documentURI.startsWith("about:neterror");
+    });
+
+    Assert.equal(isError, expectError);
+  });
+}
+
+add_task(async function test_disabled() {
+  await SpecialPowers.pushPrefEnv({set: [[PREF_NAME, false]]});
+  await test_policy(httpURL("cross_origin_header.sjs?anonymous", "https://example.com"), httpURL("cross_origin_header.sjs?anonymous", "https://example.com"), false);
+  await test_policy(httpURL("cross_origin_header.sjs?use-credentials", "https://example.com"), httpURL("cross_origin_header.sjs", "https://example.org"), false);
+  await test_policy(httpURL("cross_origin_header.sjs?use-credentials", "https://example.com"), httpURL("cross_origin_header.sjs", "https://example.com"), false);
+  await test_policy(httpURL("cross_origin_header.sjs?anonymous", "https://example.com"), httpURL("cross_origin_header.sjs", "https://example.org"), false);
+  await test_policy(httpURL("cross_origin_header.sjs?anonymous", "https://example.com"), httpURL("cross_origin_header.sjs", "https://example.com"), false);
+});
+
+
+add_task(async function test_enabled() {
+  await SpecialPowers.pushPrefEnv({set: [[PREF_NAME, true]]});
+  await test_policy(httpURL("cross_origin_header.sjs", "https://example.com"), httpURL("cross_origin_header.sjs", "https://example.org"), false);
+  await test_policy(httpURL("cross_origin_header.sjs", "https://example.com"), httpURL("cross_origin_header.sjs", "https://example.com"), false);
+  await test_policy(httpURL("cross_origin_header.sjs", "https://example.com"), httpURL("cross_origin_header.sjs?use-credentials", "https://example.com"), false);
+  await test_policy(httpURL("cross_origin_header.sjs?use-credentials", "https://example.com"), httpURL("cross_origin_header.sjs?use-credentials", "https://example.com"), false);
+  await test_policy(httpURL("cross_origin_header.sjs?use-credentials", "https://example.com"), httpURL("cross_origin_header.sjs?use-credentials", "https://example.org"), false);
+  await test_policy(httpURL("cross_origin_header.sjs?use-credentials", "https://example.com"), httpURL("cross_origin_header.sjs?anonymous", "https://example.com"), false);
+  await test_policy(httpURL("cross_origin_header.sjs?anonymous", "https://example.com"), httpURL("cross_origin_header.sjs?anonymous", "https://example.com"), false);
+  await test_policy(httpURL("cross_origin_header.sjs?use-credentials", "https://example.com"), httpURL("cross_origin_header.sjs", "https://example.org"), true);
+  await test_policy(httpURL("cross_origin_header.sjs?use-credentials", "https://example.com"), httpURL("cross_origin_header.sjs", "https://example.com"), true);
+  await test_policy(httpURL("cross_origin_header.sjs?anonymous", "https://example.com"), httpURL("cross_origin_header.sjs", "https://example.org"), true);
+  await test_policy(httpURL("cross_origin_header.sjs?anonymous", "https://example.com"), httpURL("cross_origin_header.sjs", "https://example.com"), true);
+});
+
+// Loading an iframe without the header in a page that does should be an error
+add_task(async function test_frame_is_blocked() {
+  await SpecialPowers.pushPrefEnv({set: [[PREF_NAME, true]]});
+  let start = httpURL("cross_origin_header.sjs?use-credentials", "https://example.com");
+  return BrowserTestUtils.withNewTab({
+    gBrowser,
+    url: start,
+    waitForStateStop: true,
+  }, async function(browser) {
+    info(`Test tab ready: ${start}`);
+
+    await ContentTask.spawn(browser,
+                            httpURL("cross_origin_header.sjs?anonymous", "https://example.org"),
+                            async (target) => {
+      let subframe = content.document.createElement("iframe");
+      subframe.src = target;
+
+      let loaded = ContentTaskUtils.waitForEvent(content.wrappedJSObject, "DOMFrameContentLoaded");
+      content.document.body.appendChild(subframe);
+      await loaded;
+
+      info(`frame uri: ${subframe.contentDocument.documentURI}`);
+      Assert.ok(!subframe.contentDocument.documentURI.startsWith("about:neterror"), "Loading the frame should work");
+
+      let url = new URL(target);
+      url.search = "";
+
+      loaded = ContentTaskUtils.waitForEvent(content.wrappedJSObject, "DOMFrameContentLoaded");
+      subframe.src = url.href;
+      await loaded;
+
+      Assert.ok(subframe.contentDocument.documentURI.startsWith("about:neterror"), "navigation to page without header should error");
+    });
+
+    await ContentTask.spawn(browser,
+                            httpURL("cross_origin_header.sjs", "https://example.org"),
+                            async (target) => {
+      let subframe = content.document.createElement("iframe");
+      subframe.src = target;
+
+      let loaded = ContentTaskUtils.waitForEvent(content.wrappedJSObject, "DOMFrameContentLoaded");
+      content.document.body.appendChild(subframe);
+      await loaded;
+
+      info(`frame uri: ${subframe.contentDocument.documentURI}`);
+      Assert.ok(subframe.contentDocument.documentURI.startsWith("about:neterror"), "Loading the frame has failed");
+    });
+  });
+});
+
+add_task(async function test_frame2() {
+  await SpecialPowers.pushPrefEnv({set: [[PREF_NAME, true]]});
+  let start = httpURL("cross_origin_header.sjs", "https://example.com");
+  return BrowserTestUtils.withNewTab({
+    gBrowser,
+    url: start,
+    waitForStateStop: true,
+  }, async function(browser) {
+    info(`Test tab ready: ${start}`);
+
+    let iframe_target = httpURL("cross_origin_header.sjs?use-credentials", "https://example.org");
+    await ContentTask.spawn(browser, iframe_target, async (target) => {
+      let subframe = content.document.createElement("iframe");
+      subframe.src = target;
+
+      let loadedPromise = ContentTaskUtils.waitForEvent(subframe, "load");
+      content.document.body.appendChild(subframe);
+      await loadedPromise;
+
+      Assert.ok(!subframe.contentDocument.documentURI.startsWith("about:neterror"), "should not be an error");
+      let url = new URL(target);
+      url.search = "";
+
+      let loaded = ContentTaskUtils.waitForEvent(content.wrappedJSObject, "DOMFrameContentLoaded");
+      subframe.src = url.href;
+      await loaded;
+
+      Assert.ok(subframe.contentDocument.documentURI.startsWith("about:neterror"), "navigation to page without header should error");
+    });
+  });
+});
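Review bot: The blocked cases pass on any load failure, because `test_policy` and the iframe assertions only check that `documentURI` starts with `about:neterror`. A DNS, TLS or server error while fetching `cross_origin_header.sjs` would satisfy the `expectError = true` rows in `test_enabled` and the "should error" checks in `test_frame_is_blocked` and `test_frame2` just as well as a policy rejection would, so the test cannot tell enforcement from breakage. Consider returning the full `documentURI` from the content task and also asserting on its error parameter, e.g. `Assert.ok(uri.includes("e=<EXPECTED_POLICY_ERROR>"), "blocked by Cross-Origin policy")`, with the placeholder replaced by the code the policy check actually produces. A one-line comment above each row of the `test_enabled` matrix naming the rule it exercises would also help, since only `test_frame_is_blocked` carries one.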
new file mode 100644
--- /dev/null
+++ b/toolkit/components/remotebrowserutils/tests/browser/cross_origin_header.sjs
@@ -0,0 +1,13 @@
+function handleRequest(request, response)
+{
+  response.setStatusLine(request.httpVersion, 200, "OK");
+
+  let coop = request.queryString;
+  if (coop.length > 0) {
+    response.setHeader("Cross-Origin", unescape(coop), false);
+  }
+
+  response.setHeader("Content-Type", "text/html; charset=utf-8", false);
+
+  response.write(`<!DOCTYPE html><html><body><p>Hello world: ${coop}</p></body></html>`);
+}
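Review bot: `handleRequest` reflects the raw query string twice without constraining it: decoded with `unescape()` into the `Cross-Origin` header value, and undecoded into the HTML body through `${coop}`. The tests in this commit only ever send `anonymous`, `use-credentials` or an empty query, so the fixture can accept exactly those values, e.g. `const ALLOWED = ["anonymous", "use-credentials"];` with `if (ALLOWED.includes(coop)) { response.setHeader("Cross-Origin", coop, false); }`, and echo `coop` in the body only in that case. That also drops the deprecated `unescape()` call. A short comment at the top stating that the query string selects the header value would make the fixture self-explanatory.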