test_use_with_hsts.html (5540B)
1 <!DOCTYPE HTML> 2 <html> 3 <!-- 4 https://bugzilla.mozilla.org/show_bug.cgi?id=1247733 5 --> 6 <head> 7 <meta charset="utf-8"> 8 <title>Test for Bug 1247733</title> 9 <script src="/tests/SimpleTest/SimpleTest.js"></script> 10 <script src="/tests/SimpleTest/WindowSnapshot.js"></script> 11 <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/> 12 </head> 13 <body> 14 <a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1247733">Mozilla Bug 1247733</a> 15 <p id="display"> 16 <iframe id="myIframe"></iframe> 17 </p> 18 <div id="content" style="display: none"> 19 20 </div> 21 <pre id="test"></pre> 22 <script type="application/javascript"> 23 /** Test for Bug 1247733 */ 24 25 /** 26 * This test ensures that we render the SVG 'use' element correctly, in 27 * pages that have been upgraded from HTTP to HTTPS using strict transport 28 * security (HSTS) 29 * 30 * Specifically: 31 * (1) We load a file using HTTPS, in an iframe. The file gets sent 32 * with a Strict-Transport-Security flag. 33 * (2) We load the same file again, but now over HTTP (which should get 34 * upgraded to HTTPS, since we received the Strict-Transport-Security 35 * flag during the first load). 36 * (3) After each of the above loads, we take a snapshot of the iframe 37 * and ensure that it renders as fully lime (which the 'use' element 38 * is responsible for). If the 'use' element fails to render, the iframe 39 * will be fully red, and we'll fail an "assertSnapshots" check. 40 */ 41 SimpleTest.waitForExplicitFinish(); 42 43 const iframe = document.getElementById("myIframe"); 44 const iframeWin = iframe.contentWindow; 45 46 // URI for our testcase with 'use' element, via HTTP and HTTPS: 47 // eslint-disable-next-line @microsoft/sdl/no-insecure-url 48 const insecureURI = "http://example.com/tests/dom/svg/test/use-with-hsts-helper.html"; 49 const secureURI = "https://example.com/tests/dom/svg/test/use-with-hsts-helper.html"; 50 51 // Bookkeeping to be sure receiveMessage is called as many times as we expect: 52 var numPostMessageCalls = 0; 53 const expectedNumPostMessageCalls = 2; // (We load the helper file twice.) 54 55 // Helper function, called via postMessage, to check iframe's actual location: 56 function receiveMessage(event) { 57 is(event.data, secureURI, "iframe should end up viewing secure URI"); 58 numPostMessageCalls++; 59 } 60 61 // Convenience helper which makes |iframe| load the given |uri|. Returns 62 // a promise that resolves when the load completes. This makes it handy to 63 // use with 'await', to avoid onload callback hell. 64 async function LoadIframeAsync(uri) { 65 return new Promise(resolve => { 66 iframe.addEventListener("load", resolve, {once: true}); 67 // Kick off the requested load: 68 iframe.src = uri; 69 }); 70 } 71 72 // MAIN TEST CODE BEGINS HERE. 73 async function runTest() { 74 // Capture a snapshot with nothing in the iframe, so we can do a 75 // sanity-check not-equal comparison against our reference case, to be 76 // sure we're rendering anything at all: 77 let blankSnapshot = await snapshotWindow(iframeWin); 78 79 // Load & snapshot a reference case (fully lime): 80 await LoadIframeAsync("data:text/html,<body style='background:lime'>"); 81 let refSnapshot = await snapshotWindow(iframeWin); 82 83 // Ensure reference snapshot looks different from blank snapshot: 84 assertSnapshots(refSnapshot, blankSnapshot, 85 false /* not equal*/, null /* no fuzz*/, 86 "refSnapshot", "blankSnapshot"); 87 88 // OK, assuming we've got a valid refSnapshot, we can now proceed to 89 // capture test screenshots. 90 91 // Register a postMessage handler, so that iframe can report its location: 92 window.addEventListener("message", receiveMessage); 93 94 // Load & snapshot secure (HTTPS) version of testcase, & check against ref: 95 await LoadIframeAsync(secureURI); 96 let secureSnapshot = await snapshotWindow(iframeWin); 97 assertSnapshots(secureSnapshot, refSnapshot, 98 true /* equal*/, null /* no fuzz*/, 99 "secureSnapshot", "refSnapshot"); 100 101 // Load insecure (HTTP) version of testcase (which should get 102 // automatically upgraded to secure (HTTPS) under the hood): 103 await LoadIframeAsync(insecureURI); 104 105 // Double-check that iframe is really pointed at insecure URI, to be sure 106 // we're actually exercising HSTS. (Note that receiveMessage() will make 107 // sure it's been upgraded to a secure HTTPS URI under the hood.) 108 is(iframe.src, insecureURI, 109 "test should've attempted to load insecure HTTP URI, to exercise HSTS"); 110 111 // Capture snapshot of iframe showing upgraded-to-HTTPS version of testcase: 112 let upgradedSnapshot = await snapshotWindow(iframeWin); 113 assertSnapshots(upgradedSnapshot, refSnapshot, 114 true /* equal*/, null /* no fuzz*/, 115 "upgradedSnapshot", "refSnapshot"); 116 117 // Check that the iframe did actually invoke our postMessage handler (which 118 // is where we verify that the HSTS upgrade actually happened): 119 is(numPostMessageCalls, expectedNumPostMessageCalls, 120 "didn't receive as many messages from child iframe as expected"); 121 122 // We're done! Clear the STS headers that we set, and finish. 123 // eslint-disable-next-line @microsoft/sdl/no-insecure-url 124 SpecialPowers.cleanUpSTSData("http://example.com"); 125 SimpleTest.finish(); 126 } 127 128 SpecialPowers.pushPrefEnv( 129 { 'set': [["security.mixed_content.block_active_content", false]] }, 130 function() { runTest(); } 131 ); 132 </script> 133 </body> 134 </html>