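<!DOCTYPE HTML>
<html>
<head>
  <title>Bug 1663396: Test HTTPS-Only-Mode top-level background request not leaking sensitive info</title>
  <script src="/tests/SimpleTest/SimpleTest.js"></script>
  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>

<script class="testbody" type="text/javascript">

/*
 * Description of the test:
 * Send a top-level request and make sure that the top-level https-only background request
 * (a) does only use pre-path information
 * (b) does not happen if the pref is set to false
 */

SimpleTest.waitForExplicitFinish();
SimpleTest.requestFlakyTimeout("have to test that https-only mode background request does not happen");
SimpleTest.requestLongerTimeout(8);

// The path and query carry a "sensitive" marker on purpose: if the background
// request ever included them, the exact-match check below would fail.
const SJS_PATH = "tests/dom/security/test/https-only/file_http_background_request.sjs?sensitive";

const EXPECTED_KICK_OFF_REQUEST = "http://example.com/" + SJS_PATH;
const EXPECTED_KICK_OFF_REQUEST_LOCAL = "http://localhost:8/" + SJS_PATH;
const EXPECTED_UPGRADE_REQUEST = EXPECTED_KICK_OFF_REQUEST.replace("http://", "https://");

// Only requests starting with one of these prefixes are attributed to this
// test; everything else the harness reports is ignored. The prefixes are kept
// deliberately loose (no trailing "/") so that an unexpected variant of a
// test-triggered request is still examined and fails the exact-match checks
// rather than being filtered out.
const OBSERVED_REQUEST_PREFIXES = Object.freeze([
  "http://example.com",
  "https://example.com",
  "http://localhost:8",
  "https://localhost:8",
]);

// Exact URL the third (background) request must have, or "" when no
// background request is expected in the current scenario.
let expectedBackgroundRequest = "";
// Number of test-attributed requests seen in the current scenario.
let requestCounter = 0;

/**
 * Observer for "specialpowers-http-notify-request". For the requests
 * attributed to this test it asserts, by arrival order:
 *   1. the http kick-off request (example.com or localhost),
 *   2. the https upgrade of the kick-off request,
 *   3. the http background request, compared exactly against
 *      expectedBackgroundRequest so any leaked path/query is detected.
 * Any further request is reported as a failure.
 */
function examiner() {
  SpecialPowers.addObserver(this, "specialpowers-http-notify-request");
}
examiner.prototype = {
  observe(subject, topic, data) {
    if (topic !== "specialpowers-http-notify-request") {
      return;
    }
    // On Android we have other requests appear here as well. Let's make
    // sure we only evaluate requests triggered by the test.
    if (!OBSERVED_REQUEST_PREFIXES.some(prefix => data.startsWith(prefix))) {
      return;
    }
    ++requestCounter;
    switch (requestCounter) {
      case 1:
        ok(
          data === EXPECTED_KICK_OFF_REQUEST || data === EXPECTED_KICK_OFF_REQUEST_LOCAL,
          "kick off request needs to be http"
        );
        return;
      case 2:
        is(data, EXPECTED_UPGRADE_REQUEST, "upgraded request needs to be https");
        return;
      case 3:
        // Exact comparison on purpose: a path or query component here would
        // mean the background request leaked information beyond the pre-path.
        is(data, expectedBackgroundRequest, "background request needs to be http and no sensitive info like path");
        return;
      default:
        ok(false, "we should never get here, but just in case");
    }
  },
  remove() {
    SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
  },
};
window.BackgroundRequestExaminer = new examiner();

// https-only top-level background request occurs after 3 seconds, hence
// we use 4 seconds to make sure the background request did not happen.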
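/**
 * Resolves after 4 seconds, i.e. after the point at which the https-only
 * background request would have been sent.
 * @returns {Promise<void>}
 */
function resolveAfter4Seconds() {
  return new Promise(resolve => {
    setTimeout(resolve, 4000);
  });
}

/**
 * Runs one scenario: resets the observer state, opens `url` top-level in a
 * new window, waits out the background-request window and asserts how many
 * requests the examiner attributed to the test.
 * @param {string} url - http kick-off URL to open.
 * @param {string} expectedBackground - exact URL the background request must
 *   have, or "" when no background request is expected.
 * @param {number} expectedCount - total number of test-attributed requests.
 * @param {string} message - assertion message for the request count.
 */
async function runScenario(url, expectedBackground, expectedCount, message) {
  expectedBackgroundRequest = expectedBackground;
  requestCounter = 0;
  const testWin = window.open(url, "_blank");
  await resolveAfter4Seconds();
  is(requestCounter, expectedCount, message);
  testWin.close();
}

/**
 * Drives the three scenarios in order: (a) background request is sent and
 * uses only pre-path information, (x) localhost triggers neither an upgrade
 * nor a background request, (b) no background request when the pref is off.
 */
async function runTests() {
  // (a) Test http background request to only use prePath information
  await SpecialPowers.pushPrefEnv({ set: [
    ["dom.security.https_only_mode", true],
    ["dom.security.https_only_mode_send_http_background_request", true],
    ["dom.security.https_only_mode_error_page_user_suggestions", false],
  ]});
  await runScenario(
    EXPECTED_KICK_OFF_REQUEST,
    "http://example.com/",
    3,
    "three requests total (kickoff, upgraded, background)"
  );

  // (x) Test no http background request happens when localhost
  // (only the kick-off request is expected: no upgrade, no background request)
  await runScenario(
    EXPECTED_KICK_OFF_REQUEST_LOCAL,
    "",
    1,
    "one request total (kickoff, no upgraded, no background)"
  );

  // (b) Test no http background request happens if pref is set to false
  await SpecialPowers.pushPrefEnv({ set: [
    ["dom.security.https_only_mode", true],
    ["dom.security.https_only_mode_send_http_background_request", false],
    ["dom.security.https_only_mode_error_page_user_suggestions", false],
  ]});
  await runScenario(
    EXPECTED_KICK_OFF_REQUEST,
    "",
    2,
    "two requests total (kickoff, upgraded, no background)"
  );

  // clean up and finish tests
  window.BackgroundRequestExaminer.remove();
  SimpleTest.finish();
}

// A rejection (e.g. pushPrefEnv failing) would otherwise leave the test
// hanging until the harness timeout; report it and finish explicitly.
runTests().catch(err => {
  ok(false, `runTests failed: ${err}`);
  SimpleTest.finish();
});

</script>
</body>
</html>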