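// Bug 1659505 - Https-Only: CORS and MixedContent tests
// https://bugzilla.mozilla.org/bug/1659505
"use strict";

// > How does this test work?
// We open a page, that makes two fetch-requests to example.com (same-origin)
// and example.org (cross-origin). When both fetch-calls have either failed or
// succeeded, the site dispatches an event with the results.
//
// Each scenario below toggles HTTPS-Only Mode ("HOM"), the mixed-content
// blocker and the per-site HTTPS-Only exemption, then records whether the two
// fetches ended in "success" or "error". The page reports only that outcome,
// so the `// CORS` / `// Mixed Content` annotations document the *expected*
// reason for a failure; the assertions cannot tell the blocking mechanisms
// apart. Keep that in mind when reading a failure: a same-origin "error" can
// come from CORS (the http:// vs https:// origin mismatch) as well as from
// mixed-content blocking.

add_task(async function () {
  // HTTPS-Only Mode disabled
  await runTest({
    description: "Load site with HTTP and HOM disabled",
    topLevelScheme: "http",

    expectedSameOrigin: "success", // ok
    expectedCrossOrigin: "error", // CORS
  });
  await runTest({
    description: "Load site with HTTPS and HOM disabled",
    topLevelScheme: "https",

    expectedSameOrigin: "error", // Mixed Content
    expectedCrossOrigin: "error", // Mixed Content
  });

  // HTTPS-Only Mode disabled and MixedContent blocker disabled.
  // With the blocker off, the http:// fetches from the https:// page are no
  // longer stopped as mixed content, but http://example.com is a different
  // origin than https://example.com, so CORS is still expected to reject them.
  await SpecialPowers.pushPrefEnv({
    set: [["security.mixed_content.block_active_content", false]],
  });
  await runTest({
    description: "Load site with HTTPS; HOM and MixedContent blocker disabled",
    topLevelScheme: "https",

    expectedSameOrigin: "error", // CORS
    expectedCrossOrigin: "error", // CORS
  });
  await SpecialPowers.popPrefEnv();

  // HTTPS-Only Mode enabled, no exception
  await SpecialPowers.pushPrefEnv({
    set: [["dom.security.https_only_mode", true]],
  });
  await runTest({
    description: "Load site with HTTP and HOM enabled",
    topLevelScheme: "http",

    expectedSameOrigin: "success", // ok
    expectedCrossOrigin: "error", // CORS
  });

  // HTTPS-Only enabled, with exception for the http:// origin
  await SpecialPowers.pushPermissions([
    {
      type: "https-only-load-insecure",
      allow: true,
      context: "http://example.com",
    },
  ]);

  await runTest({
    description: "Load site with HTTP, HOM enabled but site exempt",
    topLevelScheme: "http",

    expectedSameOrigin: "success", // ok
    expectedCrossOrigin: "error", // CORS
  });

  // Swap the exemption over to the https:// origin. The exemption does not
  // relax mixed-content blocking, so both http:// fetches are still expected
  // to fail.
  await SpecialPowers.popPermissions();
  await SpecialPowers.pushPermissions([
    {
      type: "https-only-load-insecure",
      allow: true,
      context: "https://example.com",
    },
  ]);
  await runTest({
    description: "Load site with HTTPS, HOM enabled but site exempt",
    topLevelScheme: "https",

    expectedSameOrigin: "error", // Mixed Content
    expectedCrossOrigin: "error", // Mixed Content
  });

  // Remove the permission again. The original author found this has to be
  // done explicitly rather than relying on end-of-task cleanup; keep it so
  // the exemption cannot leak into later tests in the same run.
  await SpecialPowers.popPermissions();

  // Balance the HTTPS-Only pushPrefEnv above, mirroring the explicit pop done
  // for the mixed-content pref, so this task leaves no pref change behind.
  await SpecialPowers.popPrefEnv();
});

/**
 * Builds the URL of the test page for the given top-level scheme.
 *
 * @param {"http"|"https"} scheme
 * @returns {string} URL of file_cors_mixedcontent.html on example.com.
 */
const SERVER_URL = scheme =>
  `${scheme}://example.com/browser/dom/security/test/https-only/file_cors_mixedcontent.html`;

/**
 * Loads the test page over `test.topLevelScheme` in a fresh tab, asks the page
 * to start its two fetches and checks the reported outcomes.
 *
 * @param {object} test
 * @param {string} test.description - Label used in the assertion messages.
 * @param {"http"|"https"} test.topLevelScheme - Scheme of the top-level page.
 * @param {"success"|"error"} test.expectedSameOrigin - Expected outcome of the
 *   fetch to example.com.
 * @param {"success"|"error"} test.expectedCrossOrigin - Expected outcome of the
 *   fetch to example.org.
 */
async function runTest(test) {
  await BrowserTestUtils.withNewTab("about:blank", async function (browser) {
    const loaded = BrowserTestUtils.browserLoaded(browser);

    BrowserTestUtils.startLoadingURIString(
      browser,
      SERVER_URL(test.topLevelScheme)
    );

    await loaded;

    // The content-side callback gets its own parameter name so the outer
    // `test` is not shadowed (and no lint suppression is needed).
    await SpecialPowers.spawn(browser, [test], async function (expected) {
      // Register the listener before dispatching StartFetch so the result
      // event cannot be missed.
      const fetchEnded = new Promise(resolve => {
        content.addEventListener("FetchEnded", resolve, {
          once: true,
        });
      });

      content.dispatchEvent(new content.Event("StartFetch"));

      // `comResult` / `orgResult` are filled in by file_cors_mixedcontent.html
      // (not shown here); presumably each is "success" or "error".
      const { detail } = await fetchEnded;

      is(
        detail.comResult,
        expected.expectedSameOrigin,
        `${expected.description} (same-origin)`
      );
      is(
        detail.orgResult,
        expected.expectedCrossOrigin,
        `${expected.description} (cross-origin)`
      );
    });
  });
}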