dom/svg/test/test_use_with_hsts.html

   1 <!DOCTYPE HTML>
   2 <html>
   3 <!--
   4 https://bugzilla.mozilla.org/show_bug.cgi?id=1247733
   5 -->
   6 <head>
   7   <meta charset="utf-8">
   8   <title>Test for Bug 1247733</title>
   9   <script src="/tests/SimpleTest/SimpleTest.js"></script>
  10   <script src="/tests/SimpleTest/WindowSnapshot.js"></script>
  11   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
  12 </head>
  13 <body>
  14 <a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1247733">Mozilla Bug 1247733</a>
  15 <p id="display">
  16   <iframe id="myIframe"></iframe>
  17 </p>
  18 <div id="content" style="display: none">
  19
  20 </div>
  21 <pre id="test"></pre>
  22 <script type="application/javascript">
  23   /** Test for Bug 1247733 **/
  24
  25   /**
  26    * This test ensures that we render the SVG 'use' element correctly, in
  27    * pages that have been upgraded from HTTP to HTTPS using strict transport
  28    * security (HSTS)
  29    *
  30    * Specifically:
  31    *  (1) We load a file using HTTPS, in an iframe. The file gets sent
  32    *      with a Strict-Transport-Security flag.
  33    *  (2) We load the same file again, but now over HTTP (which should get
  34    *      upgraded to HTTPS, since we received the Strict-Transport-Security
  35    *      flag during the first load).
  36    *  (3) After each of the above loads, we take a snapshot of the iframe
  37    *      and ensure that it renders as fully lime (which the 'use' element
  38    *      is responsible for). If the 'use' element fails to render, the iframe
  39    *      will be fully red, and we'll fail an "assertSnapshots" check.
  40    */
  41   SimpleTest.waitForExplicitFinish();
  42
  43   const iframe = document.getElementById("myIframe");
  44   const iframeWin = iframe.contentWindow;
  45
  46   // URI for our testcase with 'use' element, via HTTP and HTTPS:
  47   const insecureURI = "http://example.com/tests/dom/svg/test/use-with-hsts-helper.html";
  48   const secureURI   = "https://example.com/tests/dom/svg/test/use-with-hsts-helper.html";
  49
  50   // Bookkeeping to be sure receiveMessage is called as many times as we expect:
  51   var numPostMessageCalls = 0;
  52   const expectedNumPostMessageCalls = 2; // (We load the helper file twice.)
  53
  54   // Helper function, called via postMessage, to check iframe's actual location:
  55   function receiveMessage(event) {
  56     is(event.data, secureURI, "iframe should end up viewing secure URI");
  57     numPostMessageCalls++;
  58   }
  59
  60   // Convenience helper which makes |iframe| load the given |uri|. Returns
  61   // a promise that resolves when the load completes. This makes it handy to
  62   // use with 'await', to avoid onload callback hell.
  63   async function LoadIframeAsync(uri) {
  64     return new Promise(resolve => {
  65       iframe.addEventListener("load", resolve, {once: true});
  66       // Kick off the requested load:
  67       iframe.src = uri;
  68     });
  69   }
  70
  71   // MAIN TEST CODE BEGINS HERE.
  72   async function runTest() {
  73     // Capture a snapshot with nothing in the iframe, so we can do a
  74     // sanity-check not-equal comparison against our reference case, to be
  75     // sure we're rendering anything at all:
  76     let blankSnapshot = await snapshotWindow(iframeWin);
  77
  78     // Load & snapshot a reference case (fully lime):
  79     await LoadIframeAsync("data:text/html,<body style='background:lime'>");
  80     let refSnapshot = await snapshotWindow(iframeWin);
  81
  82     // Ensure reference snapshot looks different from blank snapshot:
  83     assertSnapshots(refSnapshot, blankSnapshot,
  84                     false /* not equal*/, null /* no fuzz*/,
  85                     "refSnapshot", "blankSnapshot");
  86
  87     // OK, assuming we've got a valid refSnapshot, we can now proceed to
  88     // capture test screenshots.
  89
  90     // Register a postMessage handler, so that iframe can report its location:
  91     window.addEventListener("message", receiveMessage);
  92
  93     // Load & snapshot secure (HTTPS) version of testcase, & check against ref:
  94     await LoadIframeAsync(secureURI);
  95     let secureSnapshot = await snapshotWindow(iframeWin);
  96     assertSnapshots(secureSnapshot, refSnapshot,
  97                     true /* equal*/, null /* no fuzz*/,
  98                     "secureSnapshot", "refSnapshot");
  99
 100     // Load insecure (HTTP) version of testcase (which should get
 101     // automatically upgraded to secure (HTTPS) under the hood):
 102     await LoadIframeAsync(insecureURI);
 103
 104     // Double-check that iframe is really pointed at insecure URI, to be sure
 105     // we're actually exercising HSTS. (Note that receiveMessage() will make
 106     // sure it's been upgraded to a secure HTTPS URI under the hood.)
 107     is(iframe.src, insecureURI,
 108        "test should've attempted to load insecure HTTP URI, to exercise HSTS");
 109
 110     // Capture snapshot of iframe showing upgraded-to-HTTPS version of testcase:
 111     let upgradedSnapshot = await snapshotWindow(iframeWin);
 112     assertSnapshots(upgradedSnapshot, refSnapshot,
 113                     true /* equal*/, null /* no fuzz*/,
 114                     "upgradedSnapshot", "refSnapshot");
 115
 116     // Check that the iframe did actually invoke our postMessage handler (which
 117     // is where we verify that the HSTS upgrade actually happened):
 118     is(numPostMessageCalls, expectedNumPostMessageCalls,
 119       "didn't receive as many messages from child iframe as expected");
 120
 121     // We're done! Clear the STS headers that we set, and finish.
 122     SpecialPowers.cleanUpSTSData("http://example.com");
 123     SimpleTest.finish();
 124   }
 125
 126   SpecialPowers.pushPrefEnv(
 127     { 'set': [["security.mixed_content.block_active_content", false]] },
 128     function() { runTest(); }
 129   );
 130 </script>
 131 </body>
 132 </html>