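<!DOCTYPE HTML>
<html>
<head>
<meta charset="utf-8">
<title>Bug 1720103 - Https-first: Do not upgrade form submissions (for now)</title>
<script src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<iframe style="width:100%;" id="testframe"></iframe>
<script class="testbody" type="text/javascript">
/*
 * Description of the test:
 * We test https-first behaviour with forms.
 * Every entry in Tests is run twice: first with the form page opened
 * same-origin (example.com), then cross-origin (example.org). Tests 1 and 2
 * are GET form submissions, tests 3 and 4 are POST form submissions.
 * The form target (file_form_submission.sjs) posts a message back to this
 * window carrying the scheme and location it was reached on and the form
 * value it received; receiveMessage() scores that message.
 */
SimpleTest.waitForExplicitFinish();
window.addEventListener("message", receiveMessage);

const SAME_ORIGIN = "http://example.com/tests/dom/security/test/https-first/file_form_submission.sjs";
const CROSS_ORIGIN = SAME_ORIGIN.replace(".com", ".org");
// Only the two test hosts (on either scheme) ever report results to this
// window. The "message" listener is on window, so without a sender check any
// stray postMessage would be scored as a test result.
const EXPECTED_SENDER = /^https?:\/\/example\.(?:com|org)$/;
const Tests = [{
    // 1. Test GET, gets upgraded
    query: "?test=1",
    scheme: "https:",
    method: "GET",
    value: "test=success",
  },
  {
    // 2. Test GET, gets downgraded again
    // 2. a) If the second request is same-origin there is an upgrade exception
    //       so no upgrade is performed.
    // 2. b) If the submission domain is different, the request is upgraded.
    query: "?test=2",
    scheme: "http:",
    method: "GET",
    value: "test=success",
  },
  { // 3. Test POST form, does not get upgraded
    query: "?test=3",
    scheme: "http:",
    method: "POST",
    value: "test=success",
  },
  { // 4. Test POST form, does not get upgraded
    query: "?test=4",
    scheme: "http:",
    method: "POST",
    value: "test=success",
  },
];
// Index into Tests of the entry currently being exercised, and the entry itself.
let counter = 0;
let currentTest;
// The window opened for the current run; closed once its result is scored.
let testWin;
// true while the current entry is being run same-origin, false for cross-origin.
let sameOrigin = true;

// Verify that the top-level request got the expected scheme and reached the
// expected location, clean up the stored https-only exception for the host
// that was used, and either schedule the next run or finish the test.
async function receiveMessage(event) {
  // Ignore anything that did not come from one of the test hosts; scoring
  // it would either crash on currentTest or record a bogus failure.
  if (!EXPECTED_SENDER.test(event.origin)) {
    info(`Ignoring message from unexpected origin ${event.origin}`);
    return;
  }
  const data = event.data;
  // URL of the page opened for this run; used to clear its permission below.
  const origin = sameOrigin ? SAME_ORIGIN : CROSS_ORIGIN;
  let wantedScheme = currentTest.scheme;
  if (!sameOrigin && counter === 1) {
    // See 2. a) and 2. b) above: the cross-origin run still gets upgraded,
    // while the same-origin run has a stored exception after the first fail.
    wantedScheme = "https:";
  }
  // The form is always submitted to example.com, so that is the expected location.
  ok(data.location.includes(SAME_ORIGIN.replace("http:", wantedScheme)),
     "Reached the correct location for " + currentTest.query);
  is(data.scheme, wantedScheme, `${currentTest.query} upgraded or downgraded to ` + wantedScheme);
  // Check that the form value is correct
  is(data.form, currentTest.value, "Form was transfered");
  testWin.close();
  // Flip origin flag (kept a real boolean; the old `^=` turned it into 0/1).
  sameOrigin = !sameOrigin;
  // Only advance to the next entry once both the same-origin and the
  // cross-origin run of the current one have been scored.
  if (sameOrigin) {
    counter++;
  }
  // Remove the https-only exception this run may have stored for the host
  // (see 2. a)), so it cannot leak into the following run.
  await SpecialPowers.removePermission(
    "https-only-load-insecure",
    origin
  );
  // Check if we have tests left; if not, finish the testing.
  if (counter >= Tests.length) {
    window.removeEventListener("message", receiveMessage);
    SimpleTest.finish();
    return;
  }
  // If we haven't reached the end yet, run the next test.
  runTest();
}

// Open the current test entry in a new window, on example.com while the
// sameOrigin flag is set and on example.org otherwise.
function runTest() {
  currentTest = Tests[counter];
  const base = sameOrigin ? SAME_ORIGIN : CROSS_ORIGIN;
  testWin = window.open(base + currentTest.query, "_blank");
}

// Set prefs and start the test: enable https-first, and turn off the
// secure-to-insecure submit warning (presumably so no prompt blocks the
// downgraded submissions -- confirm if the pref semantics change).
SpecialPowers.pushPrefEnv({ set: [
  ["dom.security.https_first", true],
  ["security.warn_submit_secure_to_insecure", false]
]}, runTest);
</script>
</body>
</html>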