test_upgrade_insecure_report_only.html (3445B)
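<!DOCTYPE HTML>
<html>
<head>
<meta charset="utf-8">
<title>Bug 1832249 - Consider report-only flag when upgrading insecure requests</title>
<!-- Including SimpleTest.js so we can use waitForExplicitFinish -->
<script src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<iframe id="reportonlyframe"></iframe>
<iframe id="enforceframe"></iframe>

<script class="testbody" type="text/javascript">

/* Description of the test:
 * When we load an http page with the `content-security-policy-report-only: upgrade-insecure-requests`
 * header the `upgrade-insecure-requests` directive must be ignored according to the spec.
 * https://w3c.github.io/webappsec-upgrade-insecure-requests/#delivery
 *
 * Two frames are driven through the same server file
 * (file_upgrade_insecure_report_only_server.sjs), selected by `route`:
 *  - "reportonly": the policy is delivered report-only, so the http image must
 *                  load without being upgraded.
 *  - "enforce":    the policy is enforced, so the http image is upgraded and
 *                  must still load.
 * Every route yields two results: a postMessage from the framed page about the
 * image load, and an XHR that resolves once the server has received the CSP
 * violation report. finishTest() counts them down and ends the test at zero.
 */

// Four results are expected in total: one postMessage and one XHR per route.
let expectedResults = 4;

// The result strings the framed pages may post back, mapped to the pass/fail
// verdict and the message to report for each one. Anything else is ignored.
const IMAGE_RESULTS = new Map([
  ["reportonly-img-ok", [true, "successfully loaded insecure image from http without upgrade"]],
  ["enforce-img-ok", [true, "successfully loaded insecure image from http with upgrade"]],
  ["reportonly-img-error", [false, "failed to load reportonly image correctly"]],
  ["enforce-img-error", [false, "failed to load enforce image correctly"]],
]);

/**
 * Records one finished sub-result; ends the test once all expected results
 * have arrived.
 */
function finishTest() {
  // need to wait until all of the tests have resolved before exiting
  if (--expectedResults > 0) {
    return;
  }
  window.removeEventListener("message", receiveMessage);
  SimpleTest.finish();
}

window.addEventListener("message", receiveMessage);

/**
 * Handles the postMessage sent by a framed page once its image load settled.
 * @param {MessageEvent} event - expected to carry `{ result: <string> }`.
 */
function receiveMessage(event) {
  // make sure the image was correctly loaded. this is the primary purpose of
  // this test. if image isn't loaded correctly then that means we attempted to
  // upgrade the request when we shouldn't have and vice-versa.
  //
  // NOTE(review): any window can post to this listener. Both frames are loaded
  // from http://example.com, so an `event.origin` check would tighten this;
  // confirm which document actually posts in the .sjs before adding one.
  const data = event.data;
  const result = data && typeof data === "object" ? data.result : undefined;
  const verdict = IMAGE_RESULTS.get(result);
  if (!verdict) {
    // Not one of the four messages this test drives; leave the counter alone so
    // an unrelated message cannot end the test early.
    return;
  }
  const [passed, message] = verdict;
  ok(passed, message);
  finishTest();
}

/**
 * Drives one route: queries the server for the violation report it received,
 * then loads the framed page that triggers the image request.
 * @param {string} route - "reportonly" or "enforce"; names both the frame
 *   element (`${route}frame`) and the server-side scenario.
 */
function runTest(route) {
  // Send off an XHR request which will return once the server receives the
  // violation report from the report only policy.
  const myXHR = new XMLHttpRequest();
  myXHR.open("GET", `file_upgrade_insecure_report_only_server.sjs?queryresult-${route}`);
  myXHR.onload = function() {
    // onload also fires for non-2xx answers; don't try to parse those as a report.
    if (myXHR.status !== 200) {
      ok(false, `server answered the csp-report query for ${route} with status ${myXHR.status}`);
      finishTest();
      return;
    }
    // make sure that the csp violation report we get is the one we expected
    const report = JSON.parse(myXHR.responseText)["csp-report"];
    ok(
      report["original-policy"].includes("upgrade-insecure-requests"),
      "report should be given by malformed report-only policy"
    );
    ok(
      report["blocked-uri"].startsWith("http:") && report["blocked-uri"].endsWith(`.sjs?img-${route}`),
      "request should be for an img load"
    );

    finishTest();
  };
  myXHR.onerror = function() {
    // The error event is a ProgressEvent and carries no `message`; report the
    // request's own status instead of printing "undefined".
    ok(false, `could not query result for csp-report from server (status ${myXHR.status})`);
    SimpleTest.finish();
  };
  myXHR.send();

  // We load a page that is served using a report only CSP which loads an image.
  SimpleTest.executeSoon(function() {
    // we need to test http functionality here, so we need to load an http url
    /* eslint-disable @microsoft/sdl/no-insecure-url */
    document.getElementById(`${route}frame`).src =
      `http://example.com/tests/dom/security/test/csp/file_upgrade_insecure_report_only_server.sjs?${route}=true`;
    /* eslint-enable @microsoft/sdl/no-insecure-url */
  });
}

SimpleTest.waitForExplicitFinish();
runTest("reportonly");
runTest("enforce");

</script>
</body>
</html>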