test_upgrade_insecure_cors.html (3010B)
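<!doctype html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>Bug 1139297 - Implement CSP upgrade-insecure-requests directive</title>
  <!-- SimpleTest.js provides ok(), waitForExplicitFinish() and finish() -->
  <script src="/tests/SimpleTest/SimpleTest.js"></script>
  <link rel="stylesheet" href="/tests/SimpleTest/test.css">
</head>
<body>
  <iframe style="width:100%;" id="testframe" title="upgrade-insecure-requests CORS test page"></iframe>

  <script class="testbody">

  /* Description of the test:
   * We load a page that issues several XHR requests (each being redirected);
   * some should not require CORS and one should require CORS, in particular:
   *
   * Test 1:
   * Main page: https://test1.example.com
   * XHR request: http://test1.example.com
   * Redirect to: http://test1.example.com
   * Description: Upgrade insecure should upgrade from http to https and also
   * suppress CORS for that case.
   *
   * Test 2:
   * Main page: https://test1.example.com
   * XHR request: http://test1.example.com
   * Redirect to: http://test1.example.com:443
   * Description: Upgrade insecure should upgrade from http to https and also
   * suppress CORS for that case.
   * Note: If redirecting to a different port, then CORS *should* be enforced (unless
   * it's port 443). Unfortunately we can't test that because of the setup of our
   * *.sjs files; they only are able to listen to port 443, see:
   * http://mxr.mozilla.org/mozilla-central/source/build/pgo/server-locations.txt#98
   *
   * Test 3:
   * Main page: https://test1.example.com
   * XHR request: http://test2.example.com
   * Redirect to: http://test1.example.com
   * Description: Upgrade insecure should *not* prevent CORS since
   * the page performs a cross origin xhr.
   *
   */

  // Policy under test; it is passed to file_testserver.sjs, which serves the
  // framed page with this value as its CSP (see loadTest).
  const CSP_POLICY = "upgrade-insecure-requests; script-src 'unsafe-inline'";

  // Results that count as a pass, one per test case described above. Any
  // other value posted by the framed page is reported as a failure.
  const EXPECTED_RESULTS = new Set([
    "test1-no-cors-ok",
    "test2-no-cors-diffport-ok",
    "test3-cors-ok",
  ]);

  // Results still outstanding; the harness is finished once this reaches zero,
  // whether the individual results passed or failed.
  let tests = EXPECTED_RESULTS.size;

  // Points the iframe at file_testserver.sjs, asking it to serve the framed
  // test page under CSP_POLICY.
  function loadTest() {
    let src = "https://test1.example.com/tests/dom/security/test/csp/file_testserver.sjs?file=";
    // append the file that should be served
    src += escape("tests/dom/security/test/csp/file_upgrade_insecure_cors.html");
    // append the CSP that should be used to serve the file.
    // escape() is deprecated but kept deliberately so the query string reaches
    // file_testserver.sjs exactly as before; switching to encodeURIComponent()
    // changes the encoding of "/" and "'" and needs the server's decoding
    // checked first.
    src += "&csp=" + escape(CSP_POLICY);
    document.getElementById("testframe").src = src;
  }

  // Records one result posted from the framed page and finishes the test once
  // all expected results have been counted.
  //   result: the value the framed page posted via postMessage
  function checkResult(result) {
    ok(EXPECTED_RESULTS.has(result),
       "'upgrade-insecure-requests' acknowledges CORS (" + result + ")");
    if (--tests > 0) {
      return;
    }
    window.removeEventListener("message", receiveMessage);
    SimpleTest.finish();
  }

  // A postMessage handler that is used to bubble up results from within the
  // iframe.
  // NOTE(review): event.origin is not checked, so any document able to post to
  // this window can feed results in. If the framed page at
  // https://test1.example.com is the only poster (confirm against
  // file_upgrade_insecure_cors.html), gating on event.origin would make the
  // harness ignore stray messages instead of counting them as results.
  function receiveMessage(event) {
    checkResult(event.data);
  }
  window.addEventListener("message", receiveMessage);

  SimpleTest.waitForExplicitFinish();
  loadTest();

  </script>
</body>
</html>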