file_upgrade_insecure_meta.html (3483B)
<!DOCTYPE HTML>
<html>
<head>
  <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests; default-src https: wss: 'unsafe-inline'; form-action https:;">
  <meta charset="utf-8">
  <title>Bug 1139297 - Implement CSP upgrade-insecure-requests directive</title>
  <!--
    Test fixture for the CSP upgrade-insecure-requests directive, with the
    policy delivered by the <meta http-equiv> element above instead of a
    response header. Every subresource below is deliberately written with an
    http: or ws: URL; with the directive in force the browser is expected to
    rewrite each one to https: / wss: before the request is made.

    Reading the policy:
      * upgrade-insecure-requests: rewrite insecure URLs instead of loading
        or blocking them.
      * default-src https: wss: 'unsafe-inline': once rewritten, only secure
        schemes are allowed, so a load that stayed on http: or ws: would be
        refused rather than sent in clear text. 'unsafe-inline' is present
        because this page carries inline <script> and <style> blocks; outside
        a test, nonces or hashes are the safer way to allow inline code.
      * form-action https: is listed on its own because form-action does not
        fall back to default-src.

    NOTE(review): a policy set through <meta> only governs what the parser
    reaches after it, so the element has to stay ahead of every load in this
    file.
    NOTE(review): file_upgrade_insecure_server.sjs is not part of this page;
    presumably it reports the scheme each request arrived with. Confirm
    against the server script and the test driver.
  -->

  <!-- style: external stylesheet referenced over http: -->
  <link rel='stylesheet' type='text/css' href='http://example.com/tests/dom/security/test/csp/file_upgrade_insecure_server.sjs?style' media='screen' />

  <!-- font: declared here over http:, applied further down by the .div_foo element -->
  <style>
    /* The font is only requested once an element uses the family, which the
       div with class div_foo in the body does. */
    @font-face {
      font-family: "foofont";
      src: url('http://example.com/tests/dom/security/test/csp/file_upgrade_insecure_server.sjs?font');
    }
    .div_foo { font-family: "foofont"; }
  </style>
</head>
<body>

<!-- images: plain image load referenced over http: -->
<img src="http://example.com/tests/dom/security/test/csp/file_upgrade_insecure_server.sjs?img"></img>

<!-- redirects: the http:// URL is upgraded to https://, the server redirects
     back to http://, and that redirect target has to be upgraded to https://
     again. The upgrade must hold on every hop, not only the first request. -->
<img src="http://example.com/tests/dom/security/test/csp/file_upgrade_insecure_server.sjs?redirect-image"></img>

<!-- script: external script referenced over http: -->
<script src="http://example.com/tests/dom/security/test/csp/file_upgrade_insecure_server.sjs?script"></script>

<!-- media: audio source referenced over http: -->
<audio src="http://example.com/tests/dom/security/test/csp/file_upgrade_insecure_server.sjs?media"></audio>

<!-- objects: embedded object referenced over http: -->
<object width="10" height="10" data="http://example.com/tests/dom/security/test/csp/file_upgrade_insecure_server.sjs?object"></object>

<!-- font: (apply font loaded in header to div) -->
<div class="div_foo">foo</div>

<!-- iframe: (same origin) frame document referenced over http:. The framed
     document itself comes from the server script and is not shown here. -->
<iframe src="http://example.com/tests/dom/security/test/csp/file_upgrade_insecure_server.sjs?iframe">
  <!-- within that iframe we load an image over http and make sure the requested gets upgraded to https -->
</iframe>

<!-- xhr: script-initiated request to an http: URL -->
<script type="application/javascript">
  // Fire-and-forget GET: no load or error handler is attached, so the outcome
  // is not observed on this page.
  // NOTE(review): presumably the server script reports it; confirm there.
  var myXHR = new XMLHttpRequest();
  myXHR.open("GET", "http://example.com/tests/dom/security/test/csp/file_upgrade_insecure_server.sjs?xhr");
  myXHR.send(null);
</script>

<!-- websockets: upgrade ws:// to wss:// -->
<script type="application/javascript">
  // WebSocket tests are not supported on Android Yet. Bug 1566168.
  // SpecialPowers is not defined in this file.
  // NOTE(review): presumably supplied by the test harness; confirm.
  const { AppConstants } = SpecialPowers.ChromeUtils.importESModule(
    "resource://gre/modules/AppConstants.sys.mjs"
  );
  if (AppConstants.platform !== "android") {
    // Opened with ws: on purpose; the policy above is expected to turn it
    // into wss: before the connection is made.
    var mySocket = new WebSocket("ws://example.com/tests/dom/security/test/csp/file_upgrade_insecure");
    mySocket.onopen = function(e) {
      // A successful open is not the pass condition by itself: the socket's
      // reported url has to contain the wss:// scheme.
      // The result goes to the parent window with a wildcard target origin,
      // so any embedding document would receive it. The payload here is a
      // fixed status string; code that posts real data should name the
      // expected origin instead of "*".
      if (mySocket.url.includes("wss://")) {
        window.parent.postMessage({result: "websocket-ok"}, "*");
      }
      else {
        window.parent.postMessage({result: "websocket-error"}, "*");
      }
      mySocket.close();
    };
    // A connection failure is reported as its own result, distinct from a
    // connection that opened without being upgraded.
    mySocket.onerror = function(e) {
      window.parent.postMessage({result: "websocket-unexpected-error"}, "*");
    };
  }
</script>

<!-- form action: (upgrade POST from http:// to https://)
     The form targets the named iframe, so the response loads there and this
     document stays in place. formenctype on the submit button sets the
     encoding used when the form is submitted through that button. -->
<iframe name='formFrame' id='formFrame'></iframe>
<form target="formFrame" action="http://example.com/tests/dom/security/test/csp/file_upgrade_insecure_server.sjs?form" method="POST">
  <input name="foo" value="foo">
  <input type="submit" id="submitButton" formenctype='multipart/form-data' value="Submit form">
</form>
<script type="text/javascript">
  // Submit right away by clicking the button from script, so the submit
  // button's formenctype takes part in the submission.
  var submitButton = document.getElementById('submitButton');
  submitButton.click();
</script>

</body>
</html>