
test_upgrade_insecure_loopback.html (2867B)


      1 <!DOCTYPE HTML>
      2 <html>
      3 <head>
      4  <meta charset="utf-8">
      5  <title>Bug 1447784 - Implement CSP upgrade-insecure-requests directive</title>
      6  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
      7  <script src="/tests/SimpleTest/SimpleTest.js"></script>
      8  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
      9 </head>
     10 <body>
     11 <iframe style="width:100%;" id="testframe"></iframe>
     12 
     13 <script class="testbody" type="text/javascript">
     14 
     15 /* Description of the test:
     16 * We load a page that performs a CORS XHR to 127.0.0.1 which shouldn't be upgraded to https:
     17 *
     18 * Test 1:
     19 *   Main page:   https://127.0.0.1:8080
     20 *   XHR request: http://127.0.0.1:8080
     21 *   No redirect to https://
     22 *   Description: Upgrade insecure should *NOT* upgrade from http to https.
     23 */
     24 
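// CSP delivered with every test file. upgrade-insecure-requests is the
// directive under test; script-src 'unsafe-inline' allows the inline script
// inside the served file to run under that policy.
const CSP_POLICY = "upgrade-insecure-requests; script-src 'unsafe-inline'";

// Queue of files to serve, consumed front-to-back by loadTest() via shift().
// The binding itself is never reassigned (only the array is mutated), so
// `const` is the right declaration.
const testFiles = [
  "tests/dom/security/test/csp/file_upgrade_insecure_loopback.html",
  "tests/dom/security/test/csp/file_upgrade_insecure_loopback_form.html",
];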
     28 
/**
 * Request observer used by the test. On construction it registers itself
 * with SpecialPowers for the "specialpowers-http-notify-request" topic; the
 * matching observe() / remove() methods live on examiner.prototype.
 */
function examiner() {
  const notifyTopic = "specialpowers-http-notify-request";
  SpecialPowers.addObserver(this, notifyTopic);
}
examiner.prototype = {
  /**
   * Observer callback. For the "specialpowers-http-notify-request" topic,
   * `data` is parsed as the URL of the notified request. Only the request
   * carrying the "bug-1661423-dont-upgrade-localhost" marker is inspected;
   * its scheme must still be http: (i.e. not upgraded), after which the next
   * test file is loaded. Everything else is ignored.
   *
   * @param {*} subject - unused
   * @param {string} topic - observer topic
   * @param {string} data - request URL for the topic handled here
   */
  observe(subject, topic, data) {
    if (topic !== "specialpowers-http-notify-request") {
      return;
    }
    // Unrelated requests can be observed on this topic (e.g. kinto traffic
    // was seen when running locally); only the one tagged for this bug counts.
    if (!data.includes("bug-1661423-dont-upgrade-localhost")) {
      return;
    }
    const { protocol } = new URL(data);
    is(protocol, "http:", "Didn't upgrade localhost URL");
    loadTest();
  },

  /** Unregisters this observer; counterpart of the registration in examiner(). */
  remove() {
    SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
  },
};

// Kept on window so removeAndFinish() can unregister it during teardown.
window.examiner = new examiner();
     50 
     51 
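/**
 * Loads the next queued test file into the "testframe" iframe. The file is
 * served through file_testserver.sjs with CSP_POLICY attached via the query
 * string. When the queue is empty, the test is torn down and finished instead.
 *
 * Called once after the pref push, then again from observe() and
 * receiveMessage() as each file reports its result.
 */
function loadTest() {
  if (testFiles.length === 0) {
    removeAndFinish();
    return;
  }
  const nextFile = testFiles.shift();
  const serverUrl =
    "https://example.com/tests/dom/security/test/csp/file_testserver.sjs";
  // escape() is deprecated but deliberately kept: the decoding performed by
  // file_testserver.sjs is not visible here, and encodeURIComponent() would
  // change the encoding of "/" (encoded) and "'" (left as-is). Both inputs
  // are test-controlled constants, so no untrusted data reaches the URL.
  const src = `${serverUrl}?file=${escape(nextFile)}&csp=${escape(CSP_POLICY)}`;
  document.getElementById("testframe").src = src;
}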
     64 
/**
 * Tears the test down: unregisters the request observer kept on
 * window.examiner, drops the postMessage listener, and tells SimpleTest that
 * this explicit-finish test is complete. Must run last in the test flow.
 */
function removeAndFinish() {
  const { examiner: requestExaminer } = window;
  requestExaminer.remove();
  window.removeEventListener("message", receiveMessage);
  SimpleTest.finish();
}
     70 
// a postMessage handler that is used to bubble up results from
// within the iframe. receiveMessage is a function declaration, so it is
// hoisted and can be registered here before its definition below.
window.addEventListener("message", receiveMessage);
/**
 * postMessage handler for results reported by the test iframe. A payload of
 * exactly "request-not-https" records a pass and advances to the next test
 * file; any other message is ignored.
 *
 * NOTE(review): event.origin is not checked; the harness appears to rely on
 * the test iframe being the only sender of this message — confirm.
 *
 * @param {MessageEvent} event - only event.data is consulted
 */
function receiveMessage(event) {
  const { data: payload } = event;
  if (payload !== "request-not-https") {
    return;
  }
  ok(true, "Didn't upgrade 127.0.0.1:8080 to https://");
  loadTest();
}
     80 
SimpleTest.waitForExplicitFinish();

// By default, proxies don't apply to 127.0.0.1.
// We need them to for this test (at least on android), though:
const loopbackProxyPrefs = {
  set: [["network.proxy.allow_hijacking_localhost", true]],
};
// loadTest() takes no arguments, so the value pushPrefEnv resolves with is
// simply dropped.
SpecialPowers.pushPrefEnv(loopbackProxyPrefs).then(() => loadTest());
     88 
     89 </script>
     90 </body>
     91 </html>