From b648300abe7cb781cee560c340940d2295abd4a4 Mon Sep 17 00:00:00 2001 From: Ivan Alagenchev Date: Mon, 26 Aug 2013 11:26:43 -0400 Subject: [PATCH] Bug 875456 - DEVTOOLS patch. Adds logic for logging Mixed Content messages to the security console. r=msucan --- browser/devtools/webconsole/test/Makefile.in | 3 + ...nsole_allow_mixedcontent_securityerrors.js | 69 ++++++++++++ ...nsole_block_mixedcontent_securityerrors.js | 104 ++++++++++++++++++ browser/devtools/webconsole/test/head.js | 2 +- .../test-mixedcontent-securityerrors.html | 21 ++++ browser/devtools/webconsole/webconsole.js | 36 ++++-- 6 files changed, 224 insertions(+), 11 deletions(-) create mode 100644 browser/devtools/webconsole/test/browser_webconsole_allow_mixedcontent_securityerrors.js create mode 100644 browser/devtools/webconsole/test/browser_webconsole_block_mixedcontent_securityerrors.js create mode 100644 browser/devtools/webconsole/test/test-mixedcontent-securityerrors.html diff --git a/browser/devtools/webconsole/test/Makefile.in b/browser/devtools/webconsole/test/Makefile.in index 1b9eaf098de..515cd73307d 100644 --- a/browser/devtools/webconsole/test/Makefile.in +++ b/browser/devtools/webconsole/test/Makefile.in @@ -147,6 +147,8 @@ MOCHITEST_BROWSER_FILES = \ browser_console_navigation_marker.js \ browser_webconsole_bug_762593_insecure_passwords_web_console_warning.js \ browser_webconsole_bug_762593_insecure_passwords_about_blank_web_console_warning.js \ + browser_webconsole_allow_mixedcontent_securityerrors.js \ + browser_webconsole_block_mixedcontent_securityerrors.js \ head.js \ $(NULL) @@ -254,6 +256,7 @@ MOCHITEST_BROWSER_FILES += \ test-iframe1.html \ test-iframe2.html \ test-iframe3.html \ + test-mixedcontent-securityerrors.html \ $(NULL) include $(topsrcdir)/config/rules.mk 
diff --git a/browser/devtools/webconsole/test/browser_webconsole_allow_mixedcontent_securityerrors.js b/browser/devtools/webconsole/test/browser_webconsole_allow_mixedcontent_securityerrors.js
new file mode 100644
index 00000000000..8cbee929e60
--- /dev/null
+++ b/browser/devtools/webconsole/test/browser_webconsole_allow_mixedcontent_securityerrors.js
@@ -0,0 +1,69 @@
+/* Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/publicdomain/zero/1.0/ */
+
+// The test loads a web page with mixed active and display content
+// on it while the "block mixed content" settings are _off_.
+// It then checks that the loading mixed content warning messages
+// are logged to the console and have the correct "Learn More"
+// url appended to them.
+// Bug 875456 - Log mixed content messages from the Mixed Content
+// Blocker to the Security Pane in the Web Console
+
+const TEST_URI = "https://example.com/browser/browser/devtools/webconsole/test/test-mixedcontent-securityerrors.html";
+const LEARN_MORE_URI = "https://developer.mozilla.org/en/Security/MixedContent";
+
+function test()
+{
+ SpecialPowers.pushPrefEnv({"set":
+ [["security.mixed_content.block_active_content", false],
+ ["security.mixed_content.block_display_content", false]
+ ]}, loadingMixedContentTest);
+}
+
+function loadingMixedContentTest()
+{
+ addTab(TEST_URI);
+ browser.addEventListener("load", function onLoad(aEvent) {
+ browser.removeEventListener(aEvent.type, onLoad, true);
+ openConsole(null, function testSecurityErrorLogged (hud) {
+ waitForMessages({
+ webconsole: hud,
+ messages: [
+ {
+ name: "Logged mixed active content",
+ text: "Loading mixed (insecure) active content on a secure page \"http://example.com/\"",
+ category: CATEGORY_SECURITY,
+ severity: SEVERITY_WARNING
+ },
+ {
+ name: "Logged mixed passive content - image",
+ text: "Loading mixed (insecure) display content on a secure page \"http://example.com/tests/image/test/mochitest/blue.png\"",
+ category: CATEGORY_SECURITY,
+ severity: SEVERITY_WARNING
+ },
+ ],
+ }).then(() => testClickOpenNewTab(hud));
+ });
+ }, true);
+}
+
+function testClickOpenNewTab(hud) {
+ let warningNode = hud.outputNode.querySelector(".webconsole-learn-more-link");
+
+ // Invoke the click event and check if a new tab would
+ // open to the correct page.
+ let linkOpened = false;
+ let oldOpenUILinkIn = window.openUILinkIn;
+ window.openUILinkIn = function(aLink) {
+ if (aLink == LEARN_MORE_URI) {
+ linkOpened = true;
+ }
+ }
+
+ EventUtils.synthesizeMouse(warningNode, 2, 2, {},
+ warningNode.ownerDocument.defaultView);
+ ok(linkOpened, "Clicking the Learn More Warning node opens the desired page");
+ window.openUILinkIn = oldOpenUILinkIn;
+
+ finishTest();
+}
diff --git a/browser/devtools/webconsole/test/browser_webconsole_block_mixedcontent_securityerrors.js b/browser/devtools/webconsole/test/browser_webconsole_block_mixedcontent_securityerrors.js
new file mode 100644
index 00000000000..24747bc9495
--- /dev/null
+++ b/browser/devtools/webconsole/test/browser_webconsole_block_mixedcontent_securityerrors.js
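Review bot: In `testClickOpenNewTab` of browser_webconsole_allow_mixedcontent_securityerrors.js the result of `querySelector(".webconsole-learn-more-link")` goes straight into `EventUtils.synthesizeMouse` without a check, so a console that renders no Learn More link would most likely fail with an exception on `warningNode.ownerDocument` instead of a named assertion; add `ok(warningNode, "Learn More link is present");` before the click. The stub written to `window.openUILinkIn` is restored only on the success path, and wrapping the click and the `ok(linkOpened, …)` check in `try { … } finally { window.openUILinkIn = oldOpenUILinkIn; }` would keep a failing run from leaking the stub into later tests. The selector also returns only the first link in the output, so the test confirms the URL for one message, not for each of the two expected warnings. The same helper is copied verbatim into browser_webconsole_block_mixedcontent_securityerrors.js, where the same changes apply.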
@@ -0,0 +1,104 @@
+/* Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/publicdomain/zero/1.0/ */
+
+// The test loads a web page with mixed active and display content
+// on it while the "block mixed content" settings are _on_.
+// It then checks that the blocked mixed content warning messages
+// are logged to the console and have the correct "Learn More"
+// url appended to them. After the first test finishes, it invokes
+// a second test that overrides the mixed content blocker settings
+// by clicking on the doorhanger shield and validates that the
+// appropriate messages are logged to console.
+// Bug 875456 - Log mixed content messages from the Mixed Content
+// Blocker to the Security Pane in the Web Console
+
+const TEST_URI = "https://example.com/browser/browser/devtools/webconsole/test/test-mixedcontent-securityerrors.html";
+const LEARN_MORE_URI = "https://developer.mozilla.org/en/Security/MixedContent";
+
+function test()
+{
+ SpecialPowers.pushPrefEnv({"set": [["security.mixed_content.block_active_content", true],
+ ["security.mixed_content.block_display_content", true]]}, blockMixedContentTest1);
+}
+
+function blockMixedContentTest1()
+{
+ addTab(TEST_URI);
+ browser.addEventListener("load", function onLoad(aEvent) {
+ browser.removeEventListener(aEvent.type, onLoad, true);
+ openConsole(null, function testSecurityErrorLogged (hud) {
+ waitForMessages({
+ webconsole: hud,
+ messages: [
+ {
+ name: "Logged blocking mixed active content",
+ text: "Blocked loading mixed active content \"http://example.com/\"",
+ category: CATEGORY_SECURITY,
+ severity: SEVERITY_ERROR
+ },
+ {
+ name: "Logged blocking mixed passive content - image",
+ text: "Blocked loading mixed active content \"http://example.com/\"",
+ category: CATEGORY_SECURITY,
+ severity: SEVERITY_ERROR
+ },
+ ],
+ }).then(() => {
+ testClickOpenNewTab(hud);
+ // Call the second (MCB override) test.
+ mixedContentOverrideTest2(hud);
+ });
+ });
+ }, true);
+}
+
+function mixedContentOverrideTest2(hud)
+{
+ var notification = PopupNotifications.getNotification("mixed-content-blocked", browser);
+ ok(notification, "Mixed Content Doorhanger didn't appear");
+ // Click on the doorhanger.
+ notification.secondaryActions[0].callback();
+
+ waitForMessages({
+ webconsole: hud,
+ messages: [
+ {
+ name: "Logged blocking mixed active content",
+ text: "Loading mixed (insecure) active content on a secure"+
+ " page \"http://example.com/\"",
+ category: CATEGORY_SECURITY,
+ severity: SEVERITY_WARNING
+ },
+ {
+ name: "Logged blocking mixed passive content - image",
+ text: "Loading mixed (insecure) display content on a secure page"+
+ " \"http://example.com/tests/image/test/mochitest/blue.png\"",
+ category: CATEGORY_SECURITY,
+ severity: SEVERITY_WARNING
+ },
+ ],
+ }).then(() => {
+ testClickOpenNewTab(hud);
+ finishTest();
+ });
+}
+
+function testClickOpenNewTab(hud) {
+ let warningNode = hud.outputNode.querySelector(".webconsole-learn-more-link");
+
+ // Invoke the click event and check if a new tab would
+ // open to the correct page.
+ let linkOpened = false;
+ let oldOpenUILinkIn = window.openUILinkIn;
+ window.openUILinkIn = function(aLink) {
+ if (aLink == LEARN_MORE_URI) {
+ linkOpened = true;
+ }
+ }
+
+ EventUtils.synthesizeMouse(warningNode, 2, 2, {},
+ warningNode.ownerDocument.defaultView);
+ ok(linkOpened, "Clicking the Learn More Warning node opens the desired page");
+ window.openUILinkIn = oldOpenUILinkIn;
+
+}
diff --git a/browser/devtools/webconsole/test/head.js b/browser/devtools/webconsole/test/head.js
index 9518e125df5..74e8f4f94f9 100644
--- a/browser/devtools/webconsole/test/head.js
+++ b/browser/devtools/webconsole/test/head.js
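Review bot: The second rule in `blockMixedContentTest1`, named "Logged blocking mixed passive content - image", carries the same `text` as the first rule (`"Blocked loading mixed active content \"http://example.com/\""`), so nothing in this test checks that the blocked display-content load for the image is reported in the Security pane. This looks like a copy/paste slip: the rule should match the blocker's display-content message and the `blue.png` URL that `mixedContentOverrideTest2` already uses, with the exact wording taken from the Mixed Content Blocker's string. In `mixedContentOverrideTest2` the assertion text `"Mixed Content Doorhanger didn't appear"` describes the failure rather than the passing condition, and both rule names still say "Logged blocking" although they match the "Loading mixed (insecure) …" warnings.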
@@ -1087,7 +1087,7 @@ function waitForMessages(aOptions) let partialMatch = !!(aRule.consoleTrace || aRule.consoleTime || aRule.consoleTimeEnd || aRule.type); - if (aRule.category && aElement.category != aRule.category) { + if ("category" in aRule && aElement.category != aRule.category) { if (partialMatch) { is(aElement.category, aRule.category, "message category for rule: " + displayRule(aRule)); diff --git a/browser/devtools/webconsole/test/test-mixedcontent-securityerrors.html b/browser/devtools/webconsole/test/test-mixedcontent-securityerrors.html new file mode 100644 index 00000000000..cb8cfdaaf57 --- /dev/null +++ b/browser/devtools/webconsole/test/test-mixedcontent-securityerrors.html @@ -0,0 +1,21 @@ + + + + + + + Mixed Content test - http on https + + + + + + + + diff --git a/browser/devtools/webconsole/webconsole.js b/browser/devtools/webconsole/webconsole.js index 752e496f720..61b5a4db6ac 100644 --- a/browser/devtools/webconsole/webconsole.js +++ b/browser/devtools/webconsole/webconsole.js 
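Review bot: The switch to `"category" in aRule` in `waitForMessages` carries no comment saying why presence is tested instead of truthiness; presumably a category constant can be 0, which the old `aRule.category &&` test would have skipped without comparing anything. A one-line comment such as `// Use "in": a category value of 0 is falsy but must still be compared.` would stop it from being simplified back later. The function body continues outside this hunk, so it is worth confirming that the severity comparison there does not use the same truthiness pattern, since the new tests pass `SEVERITY_ERROR` and would pass vacuously if that constant is 0.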
@@ -1446,21 +1446,36 @@ WebConsoleFrame.prototype = { */ addMoreInfoLink: function WCF_addMoreInfoLink(aNode, aScriptError) { - // We have a single category for now, but more are to be - // expected soon + let url; if (aScriptError.category == "Insecure Password Field") { - this.addInsecurePasswordsWarningNode(aNode); + url = INSECURE_PASSWORDS_LEARN_MORE; } + else if (aScriptError.category == "Mixed Content Message" || + aScriptError.category == "Mixed Content Blocker") { + url = MIXED_CONTENT_LEARN_MORE; + } + else { + // Unknown category. Return without adding more info node. + return; + } + + this.addLearnMoreWarningNode(aNode, url); }, /* - * Appends a clickable insecure passwords warning node to the node passed + * Appends a clickable warning node to the node passed * as a parameter to the function. When a user clicks on the appended - * warning node, the browser navigates to a page where the user can learn - * more about security issues associated with insecure passwords. + * warning node, the browser navigates to the provided url. + * + * @param aNode + * The node to which we will be adding a clickable warning node. + * @param aURL + * The url which points to the page where the user can learn more + * about security issues associated with the specific message that's + * being logged. */ - addInsecurePasswordsWarningNode: - function WCF_addInsecurePasswordsWarningNode(aNode) + addLearnMoreWarningNode: + function WCF_addLearnMoreWarningNode(aNode, aURL) { let moreInfoLabel = "[" + l10n.getStr("webConsoleMoreInfoLabel") + "]"; @@ -1472,7 +1487,7 @@ WebConsoleFrame.prototype = { linkNode.classList.add("webconsole-msg-link"); aNode.appendChild(linkNode); - // Create the actual insecure passwords warning node and make it clickable + // Create the actual warning node and make it clickable let warningNode = this.document.createElement("label"); warningNode.setAttribute("value", moreInfoLabel); warningNode.setAttribute("title", moreInfoLabel); 
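Review bot: `MIXED_CONTENT_LEARN_MORE` is read in the new `else if` branch of `addMoreInfoLink`, but no webconsole.js hunk in this patch defines it, and the first hunk starts at line 1446 on both the old and new side, so nothing was added above it. Unless the constant already exists in the file, that branch would throw a ReferenceError for every mixed content message; confirm the definition is present next to `INSECURE_PASSWORDS_LEARN_MORE`. The category strings `"Mixed Content Message"` and `"Mixed Content Blocker"` are matched by literal here and again in the `switch` inside `Utils` touched by the last hunk, so a typo in either place would silently drop the link or the Security classification; shared constants would remove that risk.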
@@ -1480,7 +1495,7 @@ WebConsoleFrame.prototype = { warningNode.classList.add("webconsole-learn-more-link"); warningNode.addEventListener("click", function(aEvent) { - this.owner.openLink(INSECURE_PASSWORDS_LEARN_MORE); + this.owner.openLink(aURL); aEvent.preventDefault(); aEvent.stopPropagation(); }.bind(this)); @@ -4547,6 +4562,7 @@ var Utils = { return CATEGORY_CSS; case "Mixed Content Blocker": + case "Mixed Content Message": case "CSP": case "Invalid HSTS Headers": case "Insecure Password Field":
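Review bot: `this.owner.openLink(aURL)` in the click handler now opens whatever URL the caller supplies, where it previously opened one fixed constant. The only caller visible in this patch passes chrome-defined constants, but the `@param aURL` text should state that as a requirement, for example `Must be a fixed, trusted URL constant; never derive it from aScriptError or other page-influenced message text.` The handler belongs to `addLearnMoreWarningNode`, whose body starts before this hunk.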