<title>Bug 1447784 - Implement CSP upgrade-insecure-requests directive</title>
6 <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
7 <script src=
"/tests/SimpleTest/SimpleTest.js"></script>
8 <link rel=
"stylesheet" type=
"text/css" href=
"/tests/SimpleTest/test.css" />
11 <iframe style=
"width:100%;" id=
"testframe"></iframe>
13 <script class=
"testbody" type=
"text/javascript">
/* Description of the test:
 * We load a page that performs a CORS XHR to 127.0.0.1 which shouldn't be upgraded to https:
 * Main page: https://127.0.0.1:8080
 * XHR request: http://127.0.0.1:8080
 * No redirect to https://
 * Description: Upgrade insecure should *NOT* upgrade from http to https.
// CSP attached to every served test page. "upgrade-insecure-requests" is the
// directive under test; "script-src 'unsafe-inline'" is presumably required so
// the served pages can run their inline script (their bodies are not visible here).
const CSP_POLICY = "upgrade-insecure-requests; script-src 'unsafe-inline'";

// Pages to load through file_testserver.sjs with CSP_POLICY applied. They are
// consumed front-to-back with shift(), one page at a time, into #testframe.
let testFiles = [
  "tests/dom/security/test/csp/file_upgrade_insecure_loopback.html",
  "tests/dom/security/test/csp/file_upgrade_insecure_loopback_form.html",
];
30 SpecialPowers.addObserver(this,
"specialpowers-http-notify-request");
32 examiner.prototype = {
33 observe(subject, topic, data) {
34 if (topic ===
"specialpowers-http-notify-request") {
35 // we skip looking at other requests that might be observed accidentally
36 // e.g., we saw kinto requests when running this test locally
37 if (data.includes(
"bug-1661423-dont-upgrade-localhost")) {
38 let urlObj = new URL(data);
39 is(urlObj.protocol,
"http:",
"Didn't upgrade localhost URL");
45 SpecialPowers.removeObserver(this,
"specialpowers-http-notify-request");
// Install the HTTP request observer. The examiner constructor registers itself
// for "specialpowers-http-notify-request" so that observe() can assert the
// loopback request keeps the http: scheme; the observer is unregistered again
// through window.examiner.remove(), called from removeAndFinish().
window.examiner = new examiner();
53 if (!testFiles.length) {
57 var src =
"https://example.com/tests/dom/security/test/csp/file_testserver.sjs?file=";
58 // append the file that should be served
59 src += escape(testFiles.shift())
60 // append the CSP that should be used to serve the file
61 src +=
"&csp=" + escape(CSP_POLICY);
62 document.getElementById(
"testframe").src = src;
65 function removeAndFinish() {
66 window.removeEventListener(
"message", receiveMessage);
67 window.examiner.remove();
// A postMessage handler that is used to bubble up results to this test
// (presumably posted by the page loaded into #testframe); receiveMessage is
// declared below, and the listener is removed again in removeAndFinish().
window.addEventListener("message", receiveMessage);
74 function receiveMessage(event) {
75 if (event.data ===
"request-not-https") {
76 ok(true,
"Didn't upgrade 127.0.0.1:8080 to https://");
// Keep the harness from ending the test when this document finishes loading;
// the test is expected to finish explicitly once the framed pages have reported
// their results (from removeAndFinish(), whose body is cut off in this view).
SimpleTest.waitForExplicitFinish();
// By default, proxies don't apply to 127.0.0.1.
// We need them to for this test (at least on android), though:
85 SpecialPowers.pushPrefEnv({set: [
86 [
"network.proxy.allow_hijacking_localhost", true]