Bug 62178 - Mochitest - iframe, stylesheet, object, script, image, media, xhr r=smaug

content/base/test/Makefile.in

@@ -557,6 +557,9 @@ MOCHITEST_FILES_B = \
 		test_XHR_system.html \
 		test_XHR_parameters.html \
 		test_ipc_messagemanager_blob.html \
+		test_mixed_content_blocker.html \
+		file_mixed_content_main.html \
+		file_mixed_content_server.sjs \
 		$(NULL)
 
 MOCHITEST_CHROME_FILES =	\

content/base/test/file_mixed_content_main.html

@@ -0,0 +1,209 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+Tests for Mixed Content Blocker
+https://bugzilla.mozilla.org/show_bug.cgi?id=62178
+-->
+<head>
+  <meta charset="utf-8">
+  <title>Tests for Bug 62178</title>
+  <script type="application/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
+</head>
+<body>
+<div id="testContent"></div>
+
+<!-- types the Mixed Content Blocker can block
+     /*
+  switch (aContentType) {
+  case nsIContentPolicy::TYPE_OBJECT:
+  case nsIContentPolicy::TYPE_SCRIPT:
+  case nsIContentPolicy::TYPE_STYLESHEET:
+  case nsIContentPolicy::TYPE_SUBDOCUMENT:
+  case nsIContentPolicy::TYPE_XMLHTTPREQUEST:
+
+  case nsIContentPolicy::TYPE_FONT: - NO TEST:
+    Load events for external fonts are not detectable by javascript.
+  case nsIContentPolicy::TYPE_WEBSOCKET: - NO TEST:
+    websocket connections over https require an encrypted websocket protocol (wss:)
+
+  case nsIContentPolicy::TYPE_IMAGE:
+  case nsIContentPolicy::TYPE_MEDIA:
+  case nsIContentPolicy::TYPE_PING:
+    our ping implementation is off by default and does not comply with the current spec (bug 786347)
+  }
+     */
+-->
+
+<script>
+  var baseUrl = "http://example.com/tests/content/base/test/file_mixed_content_server.sjs";
+
+  //For tests that require setTimeout, set the maximum polling time to 100 x 100ms = 10 seconds.
+  var MAX_COUNT = 100;
+  var TIMEOUT_INTERVAL = 100;
+
+  var testContent = document.getElementById("testContent");
+
+  /* Part 1: Mixed Script tests */
+
+  // Test 1a: insecure object
+  var object = document.createElement("object");
+  object.data = baseUrl + "?type=object";
+  object.type = "application/x-test";
+  object.width = "200";
+  object.height = "200";
+
+  testContent.appendChild(object);
+
+  var objectCount = 0;
+
+  function objectStatus(object) {
+    object instanceof Components.interfaces.nsIObjectLoadingContent;
+
+    if (object.displayedType != Components.interfaces.nsIObjectLoadingContent.TYPE_NULL) {
+      //object loaded
+      parent.postMessage({"test": "object", "msg": "insecure object loaded"}, "http://mochi.test:8888");
+    }
+    else {
+      if(objectCount < MAX_COUNT) {
+        objectCount++;
+        setTimeout(objectStatus, TIMEOUT_INTERVAL, object);
+      }
+      else {
+        //After we have called setTimeout the maximum number of times, assume object is blocked
+        parent.postMessage({"test": "object", "msg": "insecure object blocked"}, "http://mochi.test:8888");
+      }
+    }
+  }
+
+  // object does not have onload and onerror events. Hence we need a setTimeout to check the object's status
+  setTimeout(objectStatus, TIMEOUT_INTERVAL, object);
+
+  // Test 1b: insecure script
+  var script = document.createElement("script");
+  var scriptLoad = false;
+  var scriptCount = 0;
+  script.src = baseUrl + "?type=script";
+  script.onload = function() {
+    parent.postMessage({"test": "script", "msg": "insecure script loaded"}, "http://mochi.test:8888");
+    scriptLoad = true;
+  }
+  testContent.appendChild(script);
+
+  function scriptStatus(script)
+  {
+    if(scriptLoad) {
+      return;
+    }
+    else {
+      if(scriptCount < MAX_COUNT) {
+        scriptCount++;
+        setTimeout(scriptStatus, TIMEOUT_INTERVAL, script);
+      }
+      else {
+        //After we have called setTimeout the maximum number of times, assume script is blocked
+        parent.postMessage({"test": "script", "msg": "insecure script blocked"}, "http://mochi.test:8888");
+      }
+    }
+  }
+
+  // scripts blocked by Content Policy's do not have onerror events (see bug 789856).  Hence we need a setTimeout to check the script's status
+  setTimeout(scriptStatus, TIMEOUT_INTERVAL, script);
+
+
+  // Test 1c: insecure stylesheet
+  var cssStyleSheet = document.createElement("link");
+  cssStyleSheet.rel = "stylesheet";
+  cssStyleSheet.href = baseUrl + "?type=stylesheet";
+  cssStyleSheet.type = "text/css";
+  testContent.appendChild(cssStyleSheet);
+
+  var styleCount = 0;
+
+  function styleStatus(cssStyleSheet) {
+    if( cssStyleSheet.sheet || cssStyleSheet.styleSheet || cssStyleSheet.innerHTML ) {
+      parent.postMessage({"test": "stylesheet", "msg": "insecure stylesheet loaded"}, "http://mochi.test:8888");
+    } 
+    else {
+      if(styleCount < MAX_COUNT) {
+        styleCount++;
+        setTimeout(styleStatus, TIMEOUT_INTERVAL, cssStyleSheet);
+      }
+      else {
+        //After we have called setTimeout the maximum number of times, assume stylesheet is blocked
+        parent.postMessage({"test": "stylesheet", "msg": "insecure stylesheet blocked"}, "http://mochi.test:8888");
+      }
+    }
+  }
+
+  // link does not have onload and onerror events. Hence we need a setTimeout to check the link's status
+  window.setTimeout(styleStatus, TIMEOUT_INTERVAL, cssStyleSheet);
+
+  // Test 1d: insecure iframe
+  var iframe = document.createElement("iframe");
+  iframe.src = baseUrl + "?type=iframe";
+  iframe.onload = function() {
+    parent.postMessage({"test": "iframe", "msg": "insecure iframe loaded"}, "http://mochi.test:8888");
+  }
+  iframe.onerror = function() {
+    parent.postMessage({"test": "iframe", "msg": "insecure iframe blocked"}, "http://mochi.test:8888");
+  };
+  testContent.appendChild(iframe);
+
+
+  // Test 1e: insecure xhr
+  var xhrsuccess = true;
+  var xhr = new XMLHttpRequest;
+  try {
+    xhr.open("GET", baseUrl + "?type=xhr", true);
+  } catch(ex) {
+     xhrsuccess = false;
+     parent.postMessage({"test": "xhr", "msg": "insecure xhr blocked"}, "http://mochi.test:8888");
+  }
+
+  if(xhrsuccess) {
+    xhr.onreadystatechange = function (oEvent) {
+      var result = false;
+      if (xhr.readyState == 4) {
+        if (xhr.status == 200) {
+          parent.postMessage({"test": "xhr", "msg": "insecure xhr loaded"}, "http://mochi.test:8888");
+        }
+        else {
+          parent.postMessage({"test": "xhr", "msg": "insecure xhr blocked"}, "http://mochi.test:8888");
+        }
+      }
+    }
+
+    xhr.send(null);
+  }
+
+  /* Part 2: Mixed Display tests */
+
+  // Test 2a: insecure image
+  var img = document.createElement("img");
+  img.src = "http://mochi.test:8888/tests/image/test/mochitest/blue.png";
+  img.onload = function() {
+    parent.postMessage({"test": "image", "msg": "insecure image loaded"}, "http://mochi.test:8888");
+  }
+  img.onerror = function() {
+    parent.postMessage({"test": "image", "msg": "insecure image blocked"}, "http://mochi.test:8888");
+  }
+  // We don't need to append the image to the document. Doing so causes the image test to run twice.
+
+
+  // Test 2b: insecure media
+  var media = document.createElement("video");
+  media.src = "http://mochi.test:8888/tests/content/media/test/320x240.ogv?" + Math.floor((Math.random()*1000)+1);
+  media.width = "320";
+  media.height = "200";
+  media.type = "video/ogg";
+  media.onloadeddata = function() {
+    parent.postMessage({"test": "media", "msg": "insecure media loaded"}, "http://mochi.test:8888");
+  }
+  media.onerror = function() {
+    parent.postMessage({"test": "media", "msg": "insecure media blocked"}, "http://mochi.test:8888");
+  }
+  // We don't need to append the video to the document. Doing so causes the image test to run twice.
+
+</script>
+</body>
+</html>

content/base/test/file_mixed_content_server.sjs

@@ -0,0 +1,45 @@
+
+function handleRequest(request, response)
+{
+  // get the Content-Type to serve from the query string
+  var contentType = null;
+  request.queryString.split('&').forEach( function (val) {
+     var [name, value] = val.split('=');
+       if (name == "type") {
+         contentType = unescape(value);
+       }
+  });
+
+  // avoid confusing cache behaviors
+  response.setHeader("Cache-Control", "no-cache", false);
+
+  switch (contentType) {
+    case "iframe":
+      response.setHeader("Content-Type", "text/html", false);
+      response.write("frame content");
+      break;
+
+    case "script":
+      response.setHeader("Content-Type", "application/javascript", false);
+      break;
+
+    case "stylesheet":
+      response.setHeader("Content-Type", "text/css", false);
+      break;
+
+    case "object":
+      response.setHeader("Content-Type", "application/x-test", false);
+      break;
+
+   case "xhr":
+      response.setHeader("Content-Type", "text/xml", false);
+      response.setHeader("Access-Control-Allow-Origin", "https://example.com");
+      response.write('<?xml version="1.0" encoding="UTF-8" ?><test></test>');
+      break;
+
+    default:
+      response.setHeader("Content-Type", "text/html", false);
+      response.write("<html><body>Hello World</body></html>");
+      break;
+  }
+}

content/base/test/test_mixed_content_blocker.html

@@ -0,0 +1,142 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+Tests for Mixed Content Blocker
+https://bugzilla.mozilla.org/show_bug.cgi?id=62178
+-->
+<head>
+  <meta charset="utf-8">
+  <title>Tests for Bug 62178</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+
+  <script>
+
+  var origBlockDisplay = SpecialPowers.getBoolPref("security.mixed_content.block_display_content");
+  var origBlockActive = SpecialPowers.getBoolPref("security.mixed_content.block_active_content");
+
+  var counter = 0;
+  var settings = [ [true, true], [true, false], [false, true], [false, false] ];
+
+  var blockActive;
+  var blockDisplay;
+
+  //Cycle through 4 different preference settings.
+  function changePrefs(x) {
+    SpecialPowers.setBoolPref("security.mixed_content.block_display_content", settings[x][0]);
+    SpecialPowers.setBoolPref("security.mixed_content.block_active_content", settings[x][1]);
+    blockDisplay = SpecialPowers.getBoolPref("security.mixed_content.block_display_content");
+    blockActive = SpecialPowers.getBoolPref("security.mixed_content.block_active_content");
+  }
+
+  //Set the first set of settings (true, true) and increment the counter.
+  changePrefs(counter);
+  counter++;
+
+  var testsToRun = {
+    iframe: false,
+    image: false,
+    script: false,
+    stylesheet: false,
+    object: false,
+    media: false,
+    xhr: false,
+  };
+
+  function log(msg) {
+    document.getElementById("log").textContent += "\n" + msg;
+  }
+
+  function checkTestsCompleted() {
+    for (var prop in testsToRun) {
+      // some test hasn't run yet so we're not done
+      if (!testsToRun[prop])
+        return;
+    }
+    //if the testsToRun are all completed, chnage the pref and run the tests again until we have cycled through all the prefs.
+    if(counter < 4) {
+       for (var prop in testsToRun) {
+         testsToRun[prop] = false;
+       }
+      //call to change the preferences
+      changePrefs(counter);
+      counter++;
+      log("\nblockDisplay set to "+blockDisplay+", blockActive set to "+blockActive+".");
+      document.getElementById('framediv').innerHTML = '<iframe id="testHarness" src="https://example.com/tests/content/base/test/file_mixed_content_main.html"></iframe>';
+    }
+    else {
+      //set the prefs back to what they were set to originally
+      SpecialPowers.setBoolPref("security.mixed_content.block_display_content", origBlockDisplay);
+      SpecialPowers.setBoolPref("security.mixed_content.block_active_content", origBlockActive);
+      SimpleTest.finish();
+    }
+  }
+
+  var firstTest = true;
+
+  // listen for a messages from the mixed content test harness
+  window.addEventListener("message", receiveMessage, false);
+  function receiveMessage(event) {
+    if(firstTest) {
+      log("blockActive set to "+blockActive+", blockDisplay set to "+blockDisplay+".");
+      firstTest = false;
+    }
+
+    log("test: "+event.data.test+", msg: "+event.data.msg + " logging message.");
+    // test that the load type matches the pref for this type of content
+    // (i.e. active vs. display)
+
+    switch(event.data.test) {
+
+      /* Mixed Script tests */
+      case "iframe":
+        ok(blockActive == (event.data.msg == "insecure iframe blocked"), "iframe did not follow block_active_content pref");
+        testsToRun["iframe"] = true;
+        break;
+
+      case "object":
+        ok(blockActive == (event.data.msg == "insecure object blocked"), "object did not follow block_active_content pref");
+        testsToRun["object"] = true;
+        break;
+
+      case "script":
+        ok(blockActive == (event.data.msg == "insecure script blocked"), "script did not follow block_active_content pref");
+        testsToRun["script"] = true;
+        break;
+
+      case "stylesheet":
+        ok(blockActive == (event.data.msg == "insecure stylesheet blocked"), "stylesheet did not follow block_active_content pref");
+        testsToRun["stylesheet"] = true;
+        break;
+
+      case "xhr":
+        ok(blockActive == (event.data.msg == "insecure xhr blocked"), "xhr did not follow block_active_content pref");
+        testsToRun["xhr"] = true;
+        break;
+
+      /* Mixed Display tests */
+      case "image":
+        //test that the image load matches the pref for dipslay content
+        ok(blockDisplay == (event.data.msg == "insecure image blocked"), "image did not follow block_display_content pref");
+        testsToRun["image"] = true;
+        break;
+
+      case "media":
+        ok(blockDisplay == (event.data.msg == "insecure media blocked"), "media did not follow block_display_content pref");
+        testsToRun["media"] = true;
+        break;
+    }
+    checkTestsCompleted();
+  }
+
+  SimpleTest.waitForExplicitFinish();
+  </script>
+</head>
+
+<body>
+  <div id="framediv">
+    <iframe id="testHarness" src="https://example.com/tests/content/base/test/file_mixed_content_main.html"></iframe>
+  </div>
+  <pre id="log"></pre>
+</body>
+</html>