test_upgrade_insecure.html (7279B)
1 <!DOCTYPE HTML> 2 <html> 3 <head> 4 <meta charset="utf-8"> 5 <title>Bug 1139297 - Implement CSP upgrade-insecure-requests directive</title> 6 <!-- Including SimpleTest.js so we can use waitForExplicitFinish !--> 7 <script src="/tests/SimpleTest/SimpleTest.js"></script> 8 <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> 9 </head> 10 <body> 11 <iframe style="width:100%;" id="testframe"></iframe> 12 13 <script class="testbody" type="text/javascript"> 14 15 /* Description of the test: 16 * We load resources (img, script, sytle, etc) over *http* and make sure 17 * that all the resources get upgraded to use >> https << when the 18 * csp-directive "upgrade-insecure-requests" is specified. We further 19 * test that subresources within nested contexts (iframes) get upgraded 20 * and also test the handling of server side redirects. 21 * 22 * In detail: 23 * We perform an XHR request to the *.sjs file which is processed async on 24 * the server and waits till all the requests were processed by the server. 25 * Once the server received all the different requests, the server responds 26 * to the initial XHR request with an array of results which must match 27 * the expected results from each test, making sure that all requests 28 * received by the server (*.sjs) were actually *https* requests. 29 */ 30 31 const { AppConstants } = SpecialPowers.ChromeUtils.importESModule( 32 "resource://gre/modules/AppConstants.sys.mjs" 33 ); 34 35 const UPGRADE_POLICY = 36 "upgrade-insecure-requests;" + // upgrade all http requests to https 37 "block-all-mixed-content;" + // upgrade should be enforced before block-all. 38 "default-src https: wss: 'unsafe-inline';" + // only allow https: and wss: 39 "form-action https:;"; // explicit, no fallback to default-src 40 41 const UPGRADE_POLICY_NO_DEFAULT_SRC = 42 "upgrade-insecure-requests;" + // upgrade all http requests to https 43 "script-src 'unsafe-inline' *"; // we have to allowlist the inline scripts 44 // in the test. 45 const NO_UPGRADE_POLICY = 46 "default-src http: ws: 'unsafe-inline';" + // allow http:// and ws:// 47 "form-action http:;"; // explicit, no fallback to default-src 48 49 var tests = [ 50 { // (1) test that all requests within an >> https << page get updated 51 policy: UPGRADE_POLICY, 52 topLevelScheme: "https://", 53 description: "upgrade all requests on toplevel https", 54 deliveryMethod: "header", 55 results: [ 56 "iframe-ok", "script-ok", "img-ok", "img-redir-ok", "font-ok", "xhr-ok", "style-ok", 57 "media-ok", "object-ok", "form-ok", "nested-img-ok" 58 ] 59 }, 60 { // (2) test that all requests within an >> http << page get updated 61 policy: UPGRADE_POLICY, 62 topLevelScheme: "http://", 63 description: "upgrade all requests on toplevel http", 64 deliveryMethod: "header", 65 results: [ 66 "iframe-ok", "script-ok", "img-ok", "img-redir-ok", "font-ok", "xhr-ok", "style-ok", 67 "media-ok", "object-ok", "form-ok", "nested-img-ok" 68 ] 69 }, 70 { // (3) test that all requests within an >> http << page get updated, but do 71 // not specify a default-src directive. 72 policy: UPGRADE_POLICY_NO_DEFAULT_SRC, 73 topLevelScheme: "http://", 74 description: "upgrade all requests on toplevel http where default-src is not specified", 75 deliveryMethod: "header", 76 results: [ 77 "iframe-ok", "script-ok", "img-ok", "img-redir-ok", "font-ok", "xhr-ok", "style-ok", 78 "media-ok", "object-ok", "form-ok", "nested-img-ok" 79 ] 80 }, 81 { // (4) test that no requests get updated if >> upgrade-insecure-requests << is not used 82 policy: NO_UPGRADE_POLICY, 83 topLevelScheme: "http://", 84 description: "do not upgrade any requests on toplevel http", 85 deliveryMethod: "header", 86 results: [ 87 "iframe-error", "script-error", "img-error", "img-redir-error", "font-error", 88 "xhr-error", "style-error", "media-error", "object-error", "form-error", 89 "nested-img-error" 90 ] 91 }, 92 { // (5) test that all requests within an >> https << page using meta CSP get updated 93 // policy: UPGRADE_POLICY, that test uses UPGRADE_POLICY within 94 // file_upgrade_insecure_meta.html 95 // no need to define it within that object. 96 topLevelScheme: "https://", 97 description: "upgrade all requests on toplevel https using meta csp", 98 deliveryMethod: "meta", 99 results: [ 100 "iframe-ok", "script-ok", "img-ok", "img-redir-ok", "font-ok", "xhr-ok", "style-ok", 101 "media-ok", "object-ok", "form-ok", "nested-img-ok" 102 ] 103 }, 104 ]; 105 106 // TODO: WebSocket tests are not supported on Android Yet. Bug 1566168. 107 if (AppConstants.platform !== "android") { 108 for (let test of tests) { 109 test.results.push(test.results[0] == "iframe-ok" ? "websocket-ok" : "websocket-error"); 110 } 111 } 112 113 var counter = 0; 114 var curTest; 115 116 function loadTestPage() { 117 curTest = tests[counter++]; 118 var src = curTest.topLevelScheme + "example.com/tests/dom/security/test/csp/file_testserver.sjs?file="; 119 if (curTest.deliveryMethod === "header") { 120 // append the file that should be served 121 src += escape("tests/dom/security/test/csp/file_upgrade_insecure.html"); 122 // append the CSP that should be used to serve the file 123 src += "&csp=" + escape(curTest.policy); 124 } 125 else { 126 src += escape("tests/dom/security/test/csp/file_upgrade_insecure_meta.html"); 127 // no csp here, since it's in the meta element 128 } 129 document.getElementById("testframe").src = src; 130 } 131 132 function finishTest() { 133 window.removeEventListener("message", receiveMessage); 134 SimpleTest.finish(); 135 } 136 137 function checkResults(result) { 138 // try to find the expected result within the results array 139 var index = curTest.results.indexOf(result); 140 isnot(index, -1, curTest.description + " (result: " + result + ")"); 141 142 // take the element out the array and continue till the results array is empty 143 if (index != -1) { 144 curTest.results.splice(index, 1); 145 } 146 // lets check if we are expecting more results to bubble up 147 if (curTest.results.length) { 148 return; 149 } 150 // lets see if we ran all the tests 151 if (counter == tests.length) { 152 finishTest(); 153 return; 154 } 155 // otherwise it's time to run the next test 156 runNextTest(); 157 } 158 159 // a postMessage handler that is used by sandboxed iframes without 160 // 'allow-same-origin' to bubble up results back to this main page. 161 window.addEventListener("message", receiveMessage); 162 function receiveMessage(event) { 163 checkResults(event.data.result); 164 } 165 166 function runNextTest() { 167 // sends an xhr request to the server which is processed async, which only 168 // returns after the server has received all the expected requests. 169 var myXHR = new XMLHttpRequest(); 170 myXHR.open("GET", "file_upgrade_insecure_server.sjs?queryresult"); 171 myXHR.onload = function(e) { 172 var results = myXHR.responseText.split(","); 173 for (var index in results) { 174 checkResults(results[index]); 175 } 176 } 177 myXHR.onerror = function(e) { 178 ok(false, "could not query results from server (" + e.message + ")"); 179 finishTest(); 180 } 181 myXHR.send(); 182 183 // give it some time and run the testpage 184 SimpleTest.executeSoon(loadTestPage); 185 } 186 187 SimpleTest.waitForExplicitFinish(); 188 runNextTest(); 189 190 </script> 191 </body> 192 </html>