test_upgrade_insecure_reporting.html (2292B)


      1 <!DOCTYPE HTML>
      2 <html>
      3 <head>
      4  <meta charset="utf-8">
      5  <title>Bug 1139297 - Implement CSP upgrade-insecure-requests directive</title>
      6  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
      7  <script src="/tests/SimpleTest/SimpleTest.js"></script>
      8  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
      9 </head>
     10 <body>
     11 <iframe style="width:100%;" id="testframe"></iframe>
     12 
     13 <script class="testbody" type="text/javascript">
     14 
     15 /* Description of the test:
     16 * We load an https page which includes an http image. We make sure that
     17 * the image request gets upgraded to https, and also that a violation report
     18 * is sent when a report-only CSP is used which only allows https requests.
     19 */
     20 
// Number of asynchronous results finishTest() must still observe before the
// test may finish: the report-only violation report and the upgraded image load.
var expectedResults = 2;
     22 
/**
 * Called once per completed result (image load, violation report).
 * Only the final call tears down the message listener and finishes the test.
 */
function finishTest() {
  expectedResults -= 1;
  // Another result is still outstanding; keep waiting.
  if (expectedResults > 0) {
    return;
  }
  window.removeEventListener("message", receiveMessage);
  SimpleTest.finish();
}
     31 
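/**
 * Drives the test: first arms an XHR that the .sjs server answers once it has
 * received the CSP violation report, then loads the https top-level page that
 * embeds an http image into the test iframe.
 */
function runTest() {
  // (1) Send off an XHR request which returns once the server receives the
  // violation report from the report-only policy.
  var myXHR = new XMLHttpRequest();
  myXHR.open("GET", "file_upgrade_insecure_reporting_server.sjs?queryresult");
  myXHR.onload = function(e) {
    is(myXHR.responseText, "report-ok", "csp-report was sent correctly");
    finishTest();
  };
  myXHR.onerror = function(e) {
    // The XHR "error" event is a ProgressEvent and has no `message` property,
    // so report the event type and the HTTP status for a useful diagnostic.
    ok(false, "could not query result for csp-report from server (" +
              e.type + ", status " + myXHR.status + ")");
    finishTest();
  };
  myXHR.send();

  // (2) Load a page that is served with both a CSP and a report-only CSP and
  // which loads an image over http.
  SimpleTest.executeSoon(function() {
    document.getElementById("testframe").src =
      "https://example.com/tests/dom/security/test/csp/file_upgrade_insecure_reporting_server.sjs?toplevel";
  });
}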
     54 
     55 // a postMessage handler that is used by sandboxed iframes without
     56 // 'allow-same-origin' to bubble up results back to this main page.
window.addEventListener("message", receiveMessage);

/**
 * postMessage handler: the loaded page reports the outcome of its image load.
 * NOTE(review): event.origin / event.source are not checked, so a message from
 * any window is accepted; the sender is documented as a sandboxed iframe without
 * 'allow-same-origin', whose origin would be "null" — confirm before tightening.
 */
function receiveMessage(event) {
  var result = event.data.result;
  // (3) make sure the image was correctly loaded
  is(result, "img-ok", "upgraded insecure image load from http -> https");
  finishTest();
}
     63 
// The test completes asynchronously (XHR + iframe load), so tell the harness
// not to finish until SimpleTest.finish() is called, then start the test.
SimpleTest.waitForExplicitFinish();
runTest();
     66 
     67 </script>
     68 </body>
     69 </html>