<!DOCTYPE HTML>
<html>
<head>
  <title>Bug 1716706 : Write referrer-policy tests for https-first </title>
  <script src="/tests/SimpleTest/SimpleTest.js"></script>
  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>

<script class="testbody" type="text/javascript">
"use strict";
/*
 * Description of the test:
 * Every referrer policy is exercised under 8 settings, in this order:
 *   1. same-origin  request, http  -> https
 *   2. same-origin  request, https -> https
 *   3. cross-origin request, http  -> https
 *   4. cross-origin request, https -> https
 *   5. same-origin  request, http  -> http
 *   6. same-origin  request, https -> http
 *   7. cross-origin request, http  -> http
 *   8. cross-origin request, https -> http
 */

SimpleTest.waitForExplicitFinish();
// The matrix of policies x settings issues 64 requests, each with its own
// checks; ask the harness for a longer timeout so all of them can complete.
SimpleTest.requestLongerTimeout(2);

// Target served from the same site as the test page (http scheme).
const SAME_ORIGIN =
  "http://example.com/tests/dom/security/test/https-first/file_referrer_policy.sjs?";
// Same target over https (only the scheme differs).
const SAME_ORIGIN_HTTPS = SAME_ORIGIN.replace("http:", "https:");

// Target served from a different site (http scheme).
const CROSS_ORIGIN =
  "http://example.org/tests/dom/security/test/https-first/file_referrer_policy.sjs?";
// Same cross-site target over https (only the scheme differs).
const CROSS_ORIGIN_HTTPS = CROSS_ORIGIN.replace("http:", "https:");

// Test cases follow. Each case's 'query' is the referrer policy under test.
// The final request carries two url parameters: 'rp=' is the referrer policy
// and 'upgrade=' names the scheme transition being exercised (e.g. http-https).
// Each test case is one referrer policy ("query") plus the referrer the server
// is expected to report for each of the 8 settings. The key suffix encodes the
// setting: SameOrigin/CrossOrigin, then the scheme of the requesting page and
// of the target (Down = http, Up = https), e.g. DownUp means http -> https.
// For the "-> http" transitions the original author notes that the server
// answers the https attempt with a timeout so that https-first downgrades the
// request to http -- confirm against file_referrer_policy.sjs.

// Referrer value for policies that leak the full URL of the requesting page.
function pageUrl(base, policy, comb) {
  return `${base}rp=${policy}&upgrade=${comb}`;
}

const testCases = [
  {
    query: "no-referrer",
    expectedResultSameOriginDownUp: "",
    expectedResultSameOriginUpUp: "",
    expectedResultCrossOriginDownUp: "",
    expectedResultCrossOriginUpUp: "",
    expectedResultSameOriginDownDown: "",
    expectedResultSameOriginUpDown: "",
    expectedResultCrossOriginDownDown: "",
    expectedResultCrossOriginUpDown: "",
  },
  {
    query: "no-referrer-when-downgrade",
    expectedResultSameOriginDownUp: pageUrl(SAME_ORIGIN, "no-referrer-when-downgrade", "http-https"),
    expectedResultSameOriginUpUp: pageUrl(SAME_ORIGIN_HTTPS, "no-referrer-when-downgrade", "https-https"),
    expectedResultCrossOriginDownUp: pageUrl(CROSS_ORIGIN, "no-referrer-when-downgrade", "http-https"),
    expectedResultCrossOriginUpUp: pageUrl(CROSS_ORIGIN_HTTPS, "no-referrer-when-downgrade", "https-https"),
    expectedResultSameOriginDownDown: pageUrl(SAME_ORIGIN, "no-referrer-when-downgrade", "http-http"),
    expectedResultSameOriginUpDown: "",
    expectedResultCrossOriginDownDown: pageUrl(CROSS_ORIGIN, "no-referrer-when-downgrade", "http-http"),
    expectedResultCrossOriginUpDown: "",
  },
  {
    query: "origin",
    expectedResultSameOriginDownUp: "http://example.com/",
    expectedResultSameOriginUpUp: "https://example.com/",
    expectedResultCrossOriginDownUp: "http://example.org/",
    expectedResultCrossOriginUpUp: "https://example.org/",
    expectedResultSameOriginDownDown: "http://example.com/",
    expectedResultSameOriginUpDown: "https://example.com/",
    expectedResultCrossOriginDownDown: "http://example.org/",
    expectedResultCrossOriginUpDown: "https://example.org/",
  },
  {
    query: "origin-when-cross-origin",
    expectedResultSameOriginDownUp: "http://example.com/",
    expectedResultSameOriginUpUp: pageUrl(SAME_ORIGIN_HTTPS, "origin-when-cross-origin", "https-https"),
    expectedResultCrossOriginDownUp: "http://example.org/",
    expectedResultCrossOriginUpUp: "https://example.org/",
    expectedResultSameOriginDownDown: pageUrl(SAME_ORIGIN, "origin-when-cross-origin", "http-http"),
    expectedResultSameOriginUpDown: "https://example.com/",
    expectedResultCrossOriginDownDown: "http://example.org/",
    expectedResultCrossOriginUpDown: "https://example.org/",
  },
  {
    query: "same-origin",
    expectedResultSameOriginDownUp: "",
    expectedResultSameOriginUpUp: pageUrl(SAME_ORIGIN_HTTPS, "same-origin", "https-https"),
    expectedResultCrossOriginDownUp: "",
    expectedResultCrossOriginUpUp: "",
    expectedResultSameOriginDownDown: pageUrl(SAME_ORIGIN, "same-origin", "http-http"),
    expectedResultSameOriginUpDown: "",
    expectedResultCrossOriginDownDown: "",
    expectedResultCrossOriginUpDown: "",
  },
  {
    query: "strict-origin",
    expectedResultSameOriginDownUp: "http://example.com/",
    expectedResultSameOriginUpUp: "https://example.com/",
    expectedResultCrossOriginDownUp: "http://example.org/",
    expectedResultCrossOriginUpUp: "https://example.org/",
    expectedResultSameOriginDownDown: "http://example.com/",
    expectedResultSameOriginUpDown: "",
    expectedResultCrossOriginDownDown: "http://example.org/",
    expectedResultCrossOriginUpDown: "",
  },
  {
    query: "strict-origin-when-cross-origin",
    expectedResultSameOriginDownUp: "http://example.com/",
    expectedResultSameOriginUpUp: pageUrl(SAME_ORIGIN_HTTPS, "strict-origin-when-cross-origin", "https-https"),
    expectedResultCrossOriginDownUp: "http://example.org/",
    expectedResultCrossOriginUpUp: "https://example.org/",
    expectedResultSameOriginDownDown: pageUrl(SAME_ORIGIN, "strict-origin-when-cross-origin", "http-http"),
    expectedResultSameOriginUpDown: "",
    expectedResultCrossOriginDownDown: "http://example.org/",
    expectedResultCrossOriginUpDown: "",
  },
  {
    query: "unsafe-url",
    expectedResultSameOriginDownUp: pageUrl(SAME_ORIGIN, "unsafe-url", "http-https"),
    expectedResultSameOriginUpUp: pageUrl(SAME_ORIGIN_HTTPS, "unsafe-url", "https-https"),
    expectedResultCrossOriginDownUp: pageUrl(CROSS_ORIGIN, "unsafe-url", "http-https"),
    expectedResultCrossOriginUpUp: pageUrl(CROSS_ORIGIN_HTTPS, "unsafe-url", "https-https"),
    expectedResultSameOriginDownDown: pageUrl(SAME_ORIGIN, "unsafe-url", "http-http"),
    expectedResultSameOriginUpDown: pageUrl(SAME_ORIGIN_HTTPS, "unsafe-url", "https-http"),
    expectedResultCrossOriginDownDown: pageUrl(CROSS_ORIGIN, "unsafe-url", "http-http"),
    expectedResultCrossOriginUpDown: pageUrl(CROSS_ORIGIN_HTTPS, "unsafe-url", "https-http"),
  },
];

// All scheme transitions, in the order they are run for every policy:
// HTTP -> HTTPS, HTTPS -> HTTPS, HTTP -> HTTP, HTTPS -> HTTP.
const ALL_COMB = ["http-https", "https-https", "http-http", "https-http"];

let currentTest = 0;          // index into testCases
let currentRun = 0;           // index into ALL_COMB for the current policy/origin pass
let sameOriginRequest = true; // same-origin pass runs first, then the cross-origin pass
let testWin;                  // window opened by the most recent runTest()
let currentQuery;             // referrer policy of the current test case

window.addEventListener("message", receiveMessage);

// Handles the result posted back by the opened window: checks the referrer the
// server saw and the location that reported it, then advances the state
// machine (next transition, next origin pass, next policy) or finishes.
// NOTE(review): there is no event.origin / event.source filter here, so the
// handler accepts a message from any window that can reach this page; the
// location assertion below is the only check that the expected page reported.
async function receiveMessage(event) {
  const { result: receivedReferrer, location: receivedLocation } = event.data;
  const expected = testCases[currentTest];
  currentQuery = expected.query;
  const currentComb = ALL_COMB[currentRun];
  const site = sameOriginRequest ? "same" : "cross";
  const originKey = sameOriginRequest ? "SameOrigin" : "CrossOrigin";

  let hop;              // suffix selecting the expectedResult* key
  let direction;        // wording used in the referrer assertion message
  let expectedLocation; // page expected to have posted the message
  let locationMsg;
  switch (currentComb) {
    case "http-https":
      hop = "DownUp";
      direction = "downgraded";
      expectedLocation = SAME_ORIGIN_HTTPS + "sendMe";
      locationMsg = "Opened correct location";
      break;
    case "https-https":
      hop = "UpUp";
      direction = "upgraded";
      expectedLocation = SAME_ORIGIN_HTTPS + "sendMe";
      locationMsg = "Opened correct location";
      break;
    case "http-http":
      hop = "DownDown";
      direction = "upgraded";
      expectedLocation = SAME_ORIGIN + "sendMe2";
      // The same-origin variant of this message has no space after "location".
      locationMsg = sameOriginRequest
        ? `Opened correct location for${currentQuery}${currentComb}`
        : `Opened correct location ${currentQuery}${currentComb}`;
      break;
    case "https-http":
      hop = "UpDown";
      direction = "upgraded";
      expectedLocation = SAME_ORIGIN + "sendMe2";
      locationMsg = `Opened correct location ${currentQuery}${currentComb}`;
      break;
  }

  if (hop !== undefined) {
    is(receivedReferrer, expected[`expectedResult${originKey}${hop}`],
      `We received for the ${direction} ${site} site request with referrer policy: ${currentQuery} the correct referrer`);
    is(receivedLocation, expectedLocation, locationMsg);
  }

  testWin.close();
  currentRun++;
  // Done once the cross-origin pass of the last policy has run every transition.
  const allDone = currentTest >= testCases.length - 1
    && currentRun === ALL_COMB.length
    && !sameOriginRequest;
  if (allDone) {
    window.removeEventListener("message", receiveMessage);
    SimpleTest.finish();
    return;
  }
  runTest();
}

// Opens the next request of the matrix. While transitions remain for the
// current policy/origin pass, opens one window per transition; otherwise
// resets the run counter, switches origin pass (and moves to the next policy
// after the cross-origin pass) and recurses.
async function runTest() {
  currentQuery = testCases[currentTest].query;
  if (currentRun < ALL_COMB.length) {
    const base = sameOriginRequest ? SAME_ORIGIN : CROSS_ORIGIN;
    testWin = window.open(`${base}rp=${currentQuery}&upgrade=${ALL_COMB[currentRun]}`, "_blank");
    return;
  }
  // All transitions of this pass are done: start the other origin pass, or
  // the next policy once both passes have run.
  currentRun = 0;
  if (!sameOriginRequest) {
    currentTest++;
  }
  sameOriginRequest = !sameOriginRequest;
  currentQuery = testCases[currentTest].query;
  runTest();
}

// Enable https-first without remembering failures as exceptions; the third
// pref is presumably switched off so a default cross-site referrer
// restriction does not override the per-request policy -- confirm.
SpecialPowers.pushPrefEnv({
  set: [
    ["dom.security.https_first", true],
    ["dom.security.https_first_add_exception_on_failure", false],
    ["network.http.referer.disallowCrossSiteRelaxingDefault", false],
  ],
}, runTest);

</script>
</body>
</html>