tor-browser

The Tor Browser

browser_upgrade_exceptions.js (2640B)


      1 // Bug 1625448 - HTTPS Only Mode - Exceptions for loopback and local IP addresses
      2 // https://bugzilla.mozilla.org/show_bug.cgi?id=1631384
      3 // This test ensures that various configurable upgrade exceptions work
      4 "use strict";
      5 
/**
 * Exercises the HTTPS-Only Mode upgrade exceptions in three phases:
 *
 *  1. HTTPS-Only Mode on, exception prefs untouched: loopback hosts, a
 *     private (10.0.0.0/8) address and a .onion host must all stay on http://.
 *  2. "upgrade_local" and "upgrade_onion" switched on: the private address
 *     and the .onion host must now be rewritten to https://.
 *  3. Same prefs still on, but the request carries HTTPS_ONLY_EXEMPT: the
 *     per-request flag must win and the URL stays on http://.
 *
 * Every case only checks the scheme of the URL the request ended up with
 * (see runTest); none of the hosts has to be reachable.
 * NOTE(review): loopback is not re-checked after the upgrade prefs are
 * enabled, so "always exempt" is only verified under default prefs here.
 */
add_task(async function () {
  requestLongerTimeout(2);

  // Runs the given runTest argument lists strictly one after another.
  const runCases = async cases => {
    for (const args of cases) {
      await runTest(...args);
    }
  };

  const httpsOnlyPrefs = [["dom.security.https_only_mode", true]];
  await SpecialPowers.pushPrefEnv({ set: httpsOnlyPrefs });

  // Phase 1: loopback, then local-IP and onion under default exception prefs.
  await runCases([
    [
      "Loopback IP addresses should always be exempt from upgrades (localhost)",
      "http://localhost",
      "http://",
    ],
    [
      "Loopback IP addresses should always be exempt from upgrades (127.0.0.1)",
      "http://127.0.0.1",
      "http://",
    ],
    [
      "Local IP addresses should be exempt from upgrades by default",
      "http://10.0.250.250",
      "http://",
    ],
    [
      "Hosts ending with .onion should be be exempt from HTTPS-Only upgrades by default",
      "http://grocery.shopping.for.one.onion",
      "http://",
    ],
  ]);

  const forceUpgradePrefs = [
    ["dom.security.https_only_mode.upgrade_local", true],
    ["dom.security.https_only_mode.upgrade_onion", true],
  ];
  await SpecialPowers.pushPrefEnv({ set: forceUpgradePrefs });

  // Phase 2: the exceptions are switched off, so both hosts must be upgraded.
  // Phase 3 (last entry): the HTTPS_ONLY_EXEMPT load flag overrides the prefs.
  await runCases([
    [
      "Local IP addresses should get upgraded when 'dom.security.https_only_mode.upgrade_local' is set to true",
      "http://10.0.250.250",
      "https://",
    ],
    [
      "Hosts ending with .onion should get upgraded when 'dom.security.https_only_mode.upgrade_onion' is set to true",
      "http://grocery.shopping.for.one.onion",
      "https://",
    ],
    [
      "The HTTPS_ONLY_EXEMPT flag should overrule upgrade-prefs",
      "http://10.0.250.250",
      "http://",
      true,
    ],
  ]);
});
     62 
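/**
 * Sends a GET request with XMLHttpRequest and asserts on the scheme of the
 * URL the request ended up using, which shows whether HTTPS-Only Mode
 * upgraded it.
 *
 * Only `responseURL` is inspected: the request itself may fail, time out or
 * succeed, depending on the testing environment.
 *
 * @param {string} desc - Assertion message handed to ok().
 * @param {string} url - URL to request.
 * @param {string} startsWith - Prefix that responseURL is expected to have
 *   ("http://" for "not upgraded", "https://" for "upgraded").
 * @param {boolean} [exempt=false] - When true, OR the HTTPS_ONLY_EXEMPT bit
 *   into the channel's loadInfo.httpsOnlyStatus before sending.
 * @returns {Promise<void>} Settles after the assertion has been recorded.
 */
async function runTest(desc, url, startsWith, exempt = false) {
  const responseURL = await new Promise(resolve => {
    const xhr = new XMLHttpRequest();
    xhr.timeout = 1200;
    xhr.open("GET", url);
    if (exempt) {
      // |= keeps whatever status bits are already set on the load info.
      xhr.channel.loadInfo.httpsOnlyStatus |= Ci.nsILoadInfo.HTTPS_ONLY_EXEMPT;
    }
    xhr.onreadystatechange = () => {
      // We don't care about the result and it's possible that
      // the requests might even succeed in some testing environments.
      // Skip UNSENT/OPENED: nothing has been sent yet in those states.
      // The previous check joined the two "!==" tests with "||", which is
      // true for every readyState, so it never filtered anything and an
      // early OPENED notification would have resolved with an unusable URL.
      if (
        xhr.readyState === XMLHttpRequest.UNSENT ||
        xhr.readyState === XMLHttpRequest.OPENED
      ) {
        return;
      }
      // Let's make sure this function doesn't get called anymore
      xhr.onreadystatechange = undefined;
      resolve(xhr.responseURL);
    };
    xhr.send();
  });
  ok(responseURL.startsWith(startsWith), desc);
}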