From 6864201d72f71c0fb87c62c04191ae99187d8fca Mon Sep 17 00:00:00 2001 From: Christoph Kerschbaumer Date: Fri, 10 Jul 2015 09:17:02 -0700 Subject: [PATCH] Bug 1139297 - Implement CSP upgrade-insecure-requests directive - tests referrer (r=sstamm) --- .../csp/file_upgrade_insecure_referrer.html | 13 +++ .../file_upgrade_insecure_referrer_server.sjs | 56 +++++++++++++ dom/security/test/csp/mochitest.ini | 4 + .../csp/test_upgrade_insecure_referrer.html | 79 +++++++++++++++++++ 4 files changed, 152 insertions(+) create mode 100644 dom/security/test/csp/file_upgrade_insecure_referrer.html create mode 100644 dom/security/test/csp/file_upgrade_insecure_referrer_server.sjs create mode 100644 dom/security/test/csp/test_upgrade_insecure_referrer.html diff --git a/dom/security/test/csp/file_upgrade_insecure_referrer.html b/dom/security/test/csp/file_upgrade_insecure_referrer.html new file mode 100644 index 00000000000..83741821bb3 --- /dev/null +++ b/dom/security/test/csp/file_upgrade_insecure_referrer.html @@ -0,0 +1,13 @@ + + + + + Bug 1139297 - Implement CSP upgrade-insecure-requests directive + + + + + + + + diff --git a/dom/security/test/csp/file_upgrade_insecure_referrer_server.sjs b/dom/security/test/csp/file_upgrade_insecure_referrer_server.sjs new file mode 100644 index 00000000000..be1e6da0ca7 --- /dev/null +++ b/dom/security/test/csp/file_upgrade_insecure_referrer_server.sjs 
@@ -0,0 +1,56 @@
+// Custom *.sjs file specifically for the needs of Bug:
+// Bug 1139297 - Implement CSP upgrade-insecure-requests directive
+
+// small red image
+const IMG_BYTES = atob(
+ "iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12" +
+ "P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==");
+
+function handleRequest(request, response)
+{
+ // avoid confusing cache behaviors
+ response.setHeader("Cache-Control", "no-cache", false);
+ var queryString = request.queryString;
+
+ // (1) lets process the queryresult request async and
+ // wait till we have received the image request.
+ if (queryString == "queryresult") {
+ response.processAsync();
+ setObjectState("queryResult", response);
+ return;
+ }
+
+ // (2) Handle the image request and return the referrer
+ // result back to the stored queryresult request.
+ if (request.queryString == "img") {
+ response.setHeader("Content-Type", "image/png");
+ response.write(IMG_BYTES);
+
+ let referrer = "";
+ try {
+ referrer = request.getHeader("referer");
+ } catch (e) {
+ referrer = "";
+ }
+ // make sure the received image request was upgraded to https,
+ // otherwise we return not only the referrer but also indicate
+ // that the request was not upgraded to https. Note, that
+ // all upgrades happen in the browser before any non-secure
+ // request hits the wire.
+ referrer += (request.scheme == "https") ?
+ "" : " but request is not https";
+
+ getObjectState("queryResult", function(queryResponse) {
+ if (!queryResponse) {
+ return;
+ }
+ queryResponse.write(referrer);
+ queryResponse.finish();
+ });
+ return;
+ }
+
+ // we should not get here ever, but just in case return
+ // something unexpected.
+ response.write("doh!");
+}
diff --git a/dom/security/test/csp/mochitest.ini b/dom/security/test/csp/mochitest.ini
index 3270035b04d..a3a48e96ae4 100644
--- a/dom/security/test/csp/mochitest.ini
+++ b/dom/security/test/csp/mochitest.ini
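Review bot: The `getObjectState("queryResult", ...)` callback in the `img` branch returns silently when no queryresult request has been stored yet, so if the image request reaches the server first the referrer result is lost and the later queryresult request, which calls `processAsync()` and is never finished, hangs until the harness times out instead of failing with a message. That ordering requirement is not stated anywhere in the file; I would add above `if (request.queryString == "img") {` the comment `// Requires the "queryresult" request to arrive before the image request; otherwise the result is dropped and the pending query never completes.`. As a point of style, the first branch reads the local `queryString` while the second reads `request.queryString` again; `if (queryString == "img") {` keeps the two consistent. The stored response object is also never cleared after `queryResponse.finish()`, so it presumably stays in server object state for any later request that reuses the same key — worth a comment, or a reset if `setObjectState` accepts one.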
@@ -125,6 +125,8 @@ support-files = file_upgrade_insecure_wsh.py file_upgrade_insecure_reporting.html file_upgrade_insecure_reporting_server.sjs + file_upgrade_insecure_referrer.html + file_upgrade_insecure_referrer_server.sjs [test_base-uri.html] [test_blob_data_schemes.html] @@ -185,3 +187,5 @@ skip-if = buildapp == 'b2g' #no ssl support skip-if = buildapp == 'b2g' || buildapp == 'mulet' || toolkit == 'gonk' || toolkit == 'android' [test_upgrade_insecure_reporting.html] skip-if = buildapp == 'b2g' || buildapp == 'mulet' || toolkit == 'gonk' || toolkit == 'android' +[test_upgrade_insecure_referrer.html] +skip-if = buildapp == 'b2g' || buildapp == 'mulet' || toolkit == 'gonk' || toolkit == 'android' diff --git a/dom/security/test/csp/test_upgrade_insecure_referrer.html b/dom/security/test/csp/test_upgrade_insecure_referrer.html new file mode 100644 index 00000000000..f71be50ea4e --- /dev/null +++ b/dom/security/test/csp/test_upgrade_insecure_referrer.html @@ -0,0 +1,79 @@ + + + + + Bug 1139297 - Implement CSP upgrade-insecure-requests directive + + + + + + + + + +