1 <!DOCTYPE HTML>
2 <html>
3 <head>
4 <meta charset="utf-8">
5 <title>Bug 1447784 - Implement CSP upgrade-insecure-requests directive</title>
<!-- Including SimpleTest.js so we can use waitForExplicitFinish -->
7 <script src="/tests/SimpleTest/SimpleTest.js"></script>
8 <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
9 </head>
10 <body>
11 <iframe style="width:100%;" id="testframe"></iframe>
13 <script class="testbody" type="text/javascript">
/* Description of the test:
 * We load helper pages (served from https://example.com by file_testserver.sjs
 * with the CSP_POLICY below attached) that issue a cross-origin request to the
 * loopback address. upgrade-insecure-requests must leave that request on
 * http: — loopback already counts as a potentially trustworthy origin, so an
 * upgrade gains nothing and would break plain-http local dev servers
 * (bug 1661423).
 *
 * Test 1 (file_upgrade_insecure_loopback.html):
 *   Main page:   https://example.com (loaded in #testframe), CSP: upgrade-insecure-requests
 *   XHR request: http://127.0.0.1:8080
 *   Expected:    no redirect/upgrade to https://; the page reports
 *                "request-not-https" to this window via postMessage.
 * Test 2 (file_upgrade_insecure_loopback_form.html):
 *   Same expectation for a form submission; presumably completion is detected
 *   by the http-request observer below rather than by postMessage.
 */
// CSP that file_testserver.sjs attaches to every helper page it serves for this
// test. 'unsafe-inline' weakens script-src, which is tolerable here only because
// the directive under test is upgrade-insecure-requests, not script-src
// (the helper pages presumably rely on inline scripts — not visible here).
const CSP_POLICY = "upgrade-insecure-requests; script-src 'unsafe-inline'";

// Queue of helper pages; loadTest() consumes them from the front, one per run.
let testFiles = [
  "tests/dom/security/test/csp/file_upgrade_insecure_loopback.html",
  "tests/dom/security/test/csp/file_upgrade_insecure_loopback_form.html",
];
/**
 * Observer for the harness's "specialpowers-http-notify-request" notifications.
 * It watches every HTTP request the harness reports and asserts that the one
 * tagged by the helper page (URL containing "bug-1661423-dont-upgrade-localhost")
 * was *not* upgraded to https:. Registration happens in the constructor; call
 * remove() to unregister before the test finishes.
 *
 * NOTE(review): both observe() and receiveMessage() call loadTest(); the helper
 * pages presumably trigger only one of the two paths each — confirm, otherwise
 * the file queue advances twice for a single page.
 */
class examiner {
  constructor() {
    SpecialPowers.addObserver(this, "specialpowers-http-notify-request");
  }

  /**
   * Observer callback with the (subject, topic, data) shape SpecialPowers
   * delivers; `data` is treated as the URL of the notified request.
   * @param {*} subject - unused
   * @param {string} topic - notification topic
   * @param {string} data - request URL
   */
  observe(subject, topic, data) {
    if (topic !== "specialpowers-http-notify-request") {
      return;
    }
    // Only the request the helper page deliberately tags is of interest;
    // unrelated traffic (e.g. kinto requests seen when running locally) would
    // otherwise be mistaken for the request under test.
    if (!data.includes("bug-1661423-dont-upgrade-localhost")) {
      return;
    }
    const { protocol } = new URL(data);
    is(protocol, "http:", "Didn't upgrade localhost URL");
    // Move on to the next helper page (or finish when the queue is empty).
    loadTest();
  }

  /** Unregister the observer; removeAndFinish() calls this before finishing. */
  remove() {
    SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
  }
}
// Register the HTTP-request observer before any helper page is loaded so the
// first loopback request cannot be missed; it is kept on window so that
// removeAndFinish() can unregister it.
const requestObserver = new examiner();
window.examiner = requestObserver;
/**
 * Load the next helper page from testFiles into #testframe, served through
 * file_testserver.sjs with CSP_POLICY attached. When the queue is empty, tear
 * the listeners down and finish the test instead.
 */
function loadTest() {
  if (testFiles.length === 0) {
    removeAndFinish();
    return;
  }
  const server =
    "https://example.com/tests/dom/security/test/csp/file_testserver.sjs";
  // The .sjs reads the page to serve and the CSP to attach from the query
  // string. escape() is kept deliberately (not encodeURIComponent): the two
  // differ on '/' and "'", and the server side decodes what escape() produces.
  const query = `?file=${escape(testFiles.shift())}&csp=${escape(CSP_POLICY)}`;
  document.getElementById("testframe").src = server + query;
}
/**
 * Tear down what the test installed, then end it: stop listening for frame
 * messages, unregister the HTTP-request observer, and only then tell
 * SimpleTest we are done (so no late callback can run after finish()).
 */
function removeAndFinish() {
  const { examiner: observer } = window;
  window.removeEventListener("message", receiveMessage);
  observer.remove();
  SimpleTest.finish();
}
// Results are bubbled up from inside the iframe via postMessage; receiveMessage
// (declared below, hoisted) turns the helper page's success token into an
// assertion. Registered in the bubbling phase, which is the default.
window.addEventListener("message", receiveMessage, false);
/**
 * postMessage handler for the helper page in #testframe: the literal payload
 * "request-not-https" means the page observed its loopback request stay on
 * http:, which is the expected (non-upgraded) outcome; it is recorded as a pass
 * and the next page is loaded.
 *
 * NOTE(review): neither event.source nor event.origin is checked, so any frame
 * able to post "request-not-https" to this window counts as a pass. Scoping the
 * handler to the test iframe (e.g. `event.source === document.getElementById(
 * "testframe").contentWindow`) would harden it — TODO confirm which origin and
 * frame the helper pages post from before adding that check. Any other payload
 * is ignored, so a helper that reports failure some other way presumably shows
 * up as a harness timeout rather than an explicit failure — verify against the
 * helper files.
 */
function receiveMessage(event) {
  if (event.data !== "request-not-https") {
    return;
  }
  ok(true, "Didn't upgrade 127.0.0.1:8080 to https://");
  loadTest();
}
// The test ends only when removeAndFinish() calls SimpleTest.finish().
SimpleTest.waitForExplicitFinish();

// Proxies are bypassed for 127.0.0.1 by default; this test needs the loopback
// request to go through the harness proxy (at least on Android), presumably the
// same proxy that serves example.com here, so opt in before loading the first
// page. pushPrefEnv() resolves once the pref is applied, then loadTest() starts
// the queue.
const prefs = [["network.proxy.allow_hijacking_localhost", true]];
SpecialPowers.pushPrefEnv({ set: prefs }).then(loadTest);
89 </script>
90 </body>
91 </html>