Bug 1139297 - Implement CSP upgrade-insecure-requests directive - tests referrer (r=sstamm)
This commit is contained in:
parent
763cf3219f
commit
6864201d72
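--- /dev/null
+++ b/dom/security/test/csp/file_upgrade_insecure_referrer.html
@@ -0,0 +1,13 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+<meta charset="utf-8">
+<title>Bug 1139297 - Implement CSP upgrade-insecure-requests directive</title>
+</head>
+<body>
+
+<!-- upgrade img from http:// to https:// -->
+<img id="testimage" src="http://example.com/tests/dom/security/test/csp/file_upgrade_insecure_referrer_server.sjs?img"></img>
+
+</body>
+</html>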
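Review bot: `<img>` is a void element, so the `</img>` end tag on the image line is ignored by the HTML parser and should be dropped: `<img id="testimage" src="http://example.com/tests/dom/security/test/csp/file_upgrade_insecure_referrer_server.sjs?img">`. Nothing in this markup carries the policy under test; from the accompanying test page it appears the CSP is attached as a response header by the script that serves this fixture, so a one-line comment saying so would help a reader who opens the file on its own, e.g. `<!-- the CSP (upgrade-insecure-requests + referrer) is supplied as a response header by the serving script, not by this markup -->`.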
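--- /dev/null
+++ b/dom/security/test/csp/file_upgrade_insecure_referrer_server.sjs
@@ -0,0 +1,56 @@
+// Custom *.sjs file specifically for the needs of Bug:
+// Bug 1139297 - Implement CSP upgrade-insecure-requests directive
+
+// small red image
+const IMG_BYTES = atob(
+"iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12" +
+"P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==");
+
+function handleRequest(request, response)
+{
+// avoid confusing cache behaviors
+response.setHeader("Cache-Control", "no-cache", false);
+var queryString = request.queryString;
+
+// (1) lets process the queryresult request async and
+// wait till we have received the image request.
+if (queryString == "queryresult") {
+response.processAsync();
+setObjectState("queryResult", response);
+return;
+}
+
+// (2) Handle the image request and return the referrer
+// result back to the stored queryresult request.
+if (request.queryString == "img") {
+response.setHeader("Content-Type", "image/png");
+response.write(IMG_BYTES);
+
+let referrer = "";
+try {
+referrer = request.getHeader("referer");
+} catch (e) {
+referrer = "";
+}
+// make sure the received image request was upgraded to https,
+// otherwise we return not only the referrer but also indicate
+// that the request was not upgraded to https. Note, that
+// all upgrades happen in the browser before any non-secure
+// request hits the wire.
+referrer += (request.scheme == "https") ?
+"" : " but request is not https";
+
+getObjectState("queryResult", function(queryResponse) {
+if (!queryResponse) {
+return;
+}
+queryResponse.write(referrer);
+queryResponse.finish();
+});
+return;
+}
+
+// we should not get here ever, but just in case return
+// something unexpected.
+response.write("doh!");
+}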
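Review bot: The stored queryresult response is never cleared once it has been answered: after `queryResponse.finish();` in the `?img` branch of handleRequest, the `queryResult` object state still points at the finished response, so any further `?img` request in the same run (for instance a revalidation triggered by the `no-cache` header) would write to an already-finished response instead of being ignored; add `setObjectState("queryResult", null);` directly after the `finish()` call. The reverse ordering is equally silent: if the image request reaches the server before a `?queryresult` request has been stored, `if (!queryResponse) { return; }` drops the referrer string and the client's pending XHR hangs until the harness timeout rather than failing with a message — consider stashing the computed `referrer` in object state so a late query can still be answered, or writing a marker the test can report. A smaller point: `request.queryString` is already held in `queryString`, so the second branch can test `queryString == "img"` for consistency with the first. All of handleRequest lies inside this hunk.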
@ -125,6 +125,8 @@ support-files =
file_upgrade_insecure_wsh.py
file_upgrade_insecure_reporting.html
file_upgrade_insecure_reporting_server.sjs
file_upgrade_insecure_referrer.html
file_upgrade_insecure_referrer_server.sjs
[test_base-uri.html]
[test_blob_data_schemes.html]
@ -185,3 +187,5 @@ skip-if = buildapp == 'b2g' #no ssl support
skip-if = buildapp == 'b2g' || buildapp == 'mulet' || toolkit == 'gonk' || toolkit == 'android'
[test_upgrade_insecure_reporting.html]
skip-if = buildapp == 'b2g' || buildapp == 'mulet' || toolkit == 'gonk' || toolkit == 'android'
[test_upgrade_insecure_referrer.html]
skip-if = buildapp == 'b2g' || buildapp == 'mulet' || toolkit == 'gonk' || toolkit == 'android'
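--- /dev/null
+++ b/dom/security/test/csp/test_upgrade_insecure_referrer.html
@@ -0,0 +1,79 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+<meta charset="utf-8">
+<title>Bug 1139297 - Implement CSP upgrade-insecure-requests directive</title>
+<!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
+<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<iframe style="width:100%;" id="testframe"></iframe>
+
+<script class="testbody" type="text/javascript">
+
+/* Description of the test:
+* We load a page that makes use of the CSP referrer directive as well
+* as upgrade-insecure-requests. The page loads an image over http.
+* The test makes sure the request gets upgraded to https and the
+* correct referrer gets sent.
+*/
+
+const PRE_POLICY = "upgrade-insecure-requests; default-src https:; ";
+
+var tests = [
+{
+policy: "referrer origin",
+description: "upgrade insecure request with referrer = origin",
+result: "http://example.com"
+},
+{
+policy: "referrer no-referrer",
+description: "upgrade insecure request with referrer = no-referrer",
+result: ""
+}
+];
+
+var counter = 0;
+var curTest;
+
+function loadTestPage() {
+curTest = tests[counter++];
+var src = "http://example.com/tests/dom/security/test/csp/file_testserver.sjs?file=";
+// append the file that should be served
+src += escape("tests/dom/security/test/csp/file_upgrade_insecure_referrer.html")
+// append the CSP that should be used to serve the file
+src += "&csp=" + escape(PRE_POLICY + curTest.policy);
+document.getElementById("testframe").src = src;
+}
+
+function runNextTest() {
+// sends a request to the server which is processed async and returns
+// once the server received the expected image request
+var myXHR = new XMLHttpRequest();
+myXHR.open("GET", "file_upgrade_insecure_referrer_server.sjs?queryresult");
+myXHR.onload = function(e) {
+is(myXHR.responseText, curTest.result, curTest.description);
+if (counter == tests.length) {
+SimpleTest.finish();
+return;
+}
+// move on to the next test by setting off another query request.
+runNextTest();
+}
+myXHR.onerror = function(e) {
+ok(false, "could not query results from server (" + e.message + ")");
+SimpleTest.finish();
+}
+myXHR.send();
+
+// give it some time and load the testpage
+SimpleTest.executeSoon(loadTestPage);
+}
+
+SimpleTest.waitForExplicitFinish();
+runNextTest();
+
+</script>
+</body>
+</html>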
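Review bot: In `myXHR.onerror`, `e` is the ProgressEvent fired by the XHR and carries no `message` property, so a transport failure is reported as `could not query results from server (undefined)`; use the request's own status instead, e.g. `ok(false, "could not query results from server (status " + myXHR.status + " " + myXHR.statusText + ")");`. In loadTestPage the `file=` and `csp=` query values are encoded with the deprecated `escape()`, which is not a URL encoder and leaves `/`, `+` and `@` untouched; `encodeURIComponent()` is the right call for both values, and the policy string in particular is exactly the kind of value that should be encoded as a single component. The statement `src += escape("tests/dom/security/test/csp/file_upgrade_insecure_referrer.html")` is also missing its terminating semicolon. Finally, the expected `result: "http://example.com"` for the `referrer origin` case silently encodes the fact that the framed document is itself loaded over http (see the `http://example.com/...` iframe src), so the origin referrer stays `http://` even though the image request was upgraded; a comment on that entry such as `// the document is served over http, so the origin referrer is http:// even though the img request is upgraded to https` would save a reader from expecting an https origin.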