test_origin_header.html (13967B)
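<!DOCTYPE HTML>
<!-- Any copyright is dedicated to the Public Domain.
   - http://creativecommons.org/publicdomain/zero/1.0/ -->
<html>
<head>
  <title> Bug 446344 - Test Origin Header</title>
  <script src="/tests/SimpleTest/SimpleTest.js"></script>
  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css">
</head>
<body>

<p><a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=446344">Mozilla Bug 446344</a></p>

<p id="display"></p>
<pre id="test">
<script class="testbody" type="text/javascript">
// Checks which Origin header value reaches origin_header.sjs for form
// submissions made from several browsing contexts (top-level forms, plain,
// sandboxed, srcdoc and data: iframes, and redirected POSTs) under different
// network.http.* pref settings.
//
// NOTE(review): origin_header.sjs is not part of this file; the expectations
// below presumably match a response body of the form "Origin: <value>" that
// echoes the request header - confirm against the .sjs.

// Expected result text when no Origin value is reported.
const EMPTY_ORIGIN = "Origin: ";

// One entry per pref configuration. `results` maps a result frame id to the
// exact text that frame's document must contain after its check has run.
//
// What the table pins down:
//  - frameGet expects EMPTY_ORIGIN under every configuration.
//  - framePostSandboxed and framePostDataURI expect "Origin: null" whenever
//    the header is sent at all: the sandboxed frame omits allow-same-origin
//    and the other document comes from a data: URI, so neither result may
//    expose http://mochi.test:8888.
//  - framePostXOriginToSameOrigin expects "Origin: null" even with
//    sendOriginHeader=2, i.e. a cross-origin POST redirected back to the
//    same origin must not regain the real origin.
//  - The srcdoc and non-sandboxed iframe results are expected to match the
//    corresponding top-level form results.
//
// NOTE(review): runTests() pushes each entry's prefs without popping the
// previous entry's, so earlier prefs presumably remain in effect for later
// entries and the order of this array matters - confirm.
let testsToRun = [
  {
    name: "sendOriginHeader=0 (never)",
    prefs: [
      ["network.http.sendOriginHeader", 0],
    ],
    results: {
      framePost: EMPTY_ORIGIN,
      framePostXOrigin: EMPTY_ORIGIN,
      frameGet: EMPTY_ORIGIN,
      framePostNonSandboxed: EMPTY_ORIGIN,
      framePostNonSandboxedXOrigin: EMPTY_ORIGIN,
      framePostSandboxed: EMPTY_ORIGIN,
      framePostSrcDoc: EMPTY_ORIGIN,
      framePostSrcDocXOrigin: EMPTY_ORIGIN,
      framePostDataURI: EMPTY_ORIGIN,
      framePostSameOriginToXOrigin: EMPTY_ORIGIN,
      framePostXOriginToSameOrigin: EMPTY_ORIGIN,
      framePostXOriginToXOrigin: EMPTY_ORIGIN,
    },
  },
  {
    name: "sendOriginHeader=1 (same-origin)",
    prefs: [
      ["network.http.sendOriginHeader", 1],
    ],
    results: {
      framePost: "Origin: http://mochi.test:8888",
      framePostXOrigin: "Origin: null",
      frameGet: EMPTY_ORIGIN,
      framePostNonSandboxed: "Origin: http://mochi.test:8888",
      framePostNonSandboxedXOrigin: "Origin: null",
      framePostSandboxed: "Origin: null",
      framePostSrcDoc: "Origin: http://mochi.test:8888",
      framePostSrcDocXOrigin: "Origin: null",
      framePostDataURI: "Origin: null",
      framePostSameOriginToXOrigin: "Origin: null",
      framePostXOriginToSameOrigin: "Origin: null",
      framePostXOriginToXOrigin: "Origin: null",
    },
  },
  {
    name: "sendOriginHeader=2 (always)",
    prefs: [
      ["network.http.sendOriginHeader", 2],
    ],
    results: {
      framePost: "Origin: http://mochi.test:8888",
      framePostXOrigin: "Origin: http://mochi.test:8888",
      frameGet: EMPTY_ORIGIN,
      framePostNonSandboxed: "Origin: http://mochi.test:8888",
      framePostNonSandboxedXOrigin: "Origin: http://mochi.test:8888",
      framePostSandboxed: "Origin: null",
      framePostSrcDoc: "Origin: http://mochi.test:8888",
      framePostSrcDocXOrigin: "Origin: http://mochi.test:8888",
      framePostDataURI: "Origin: null",
      framePostSameOriginToXOrigin: "Origin: http://mochi.test:8888",
      framePostXOriginToSameOrigin: "Origin: null",
      framePostXOriginToXOrigin: "Origin: http://mochi.test:8888",
    },
  },
  {
    name: "sendRefererHeader=0 (never)",
    prefs: [
      ["network.http.sendRefererHeader", 0],
    ],
    results: {
      framePost: "Origin: http://mochi.test:8888",
      framePostXOrigin: "Origin: http://mochi.test:8888",
      frameGet: EMPTY_ORIGIN,
      framePostNonSandboxed: "Origin: http://mochi.test:8888",
      framePostNonSandboxedXOrigin: "Origin: http://mochi.test:8888",
      framePostSandboxed: "Origin: null",
      framePostSrcDoc: "Origin: http://mochi.test:8888",
      framePostSrcDocXOrigin: "Origin: http://mochi.test:8888",
      framePostDataURI: "Origin: null",
      framePostSameOriginToXOrigin: "Origin: http://mochi.test:8888",
      framePostXOriginToSameOrigin: "Origin: null",
      framePostXOriginToXOrigin: "Origin: http://mochi.test:8888",
    },
  },
  {
    name: "userControlPolicy=0 (no-referrer)",
    prefs: [
      ["network.http.sendRefererHeader", 2],
      ["network.http.referer.defaultPolicy", 0],
    ],
    results: {
      framePost: "Origin: null",
      framePostXOrigin: "Origin: null",
      frameGet: EMPTY_ORIGIN,
      framePostNonSandboxed: "Origin: null",
      framePostNonSandboxedXOrigin: "Origin: null",
      framePostSandboxed: "Origin: null",
      framePostSrcDoc: "Origin: null",
      framePostSrcDocXOrigin: "Origin: null",
      framePostDataURI: "Origin: null",
      framePostSameOriginToXOrigin: "Origin: null",
      framePostXOriginToSameOrigin: "Origin: null",
      framePostXOriginToXOrigin: "Origin: null",
    },
  },
];

// One entry per request scenario. `frameID` names the iframe that receives
// the response; exactly one of `formID`, `frameSrc`, `srcdoc` or `dataURI`
// selects how the request is triggered (see runTests()).
//
// NOTE(review): the first two frameSrc values spell the scheme as "HTTP://"
// and "Http://" while the expected Origin is lowercase; this looks like a
// deliberate check that origins are compared and serialized independently of
// scheme case - confirm before normalizing these URLs.
let checksToRun = [
  {
    name: "POST",
    frameID: "framePost",
    formID: "formPost",
  },
  {
    name: "cross-origin POST",
    frameID: "framePostXOrigin",
    formID: "formPostXOrigin",
  },
  {
    name: "GET",
    frameID: "frameGet",
    formID: "formGet",
  },
  {
    name: "POST inside iframe",
    frameID: "framePostNonSandboxed",
    frameSrc: "HTTP://mochi.test:8888/tests/netwerk/test/mochitests/origin_header_form_post.html",
  },
  {
    name: "cross-origin POST inside iframe",
    frameID: "framePostNonSandboxedXOrigin",
    frameSrc: "Http://mochi.test:8888/tests/netwerk/test/mochitests/origin_header_form_post_xorigin.html",
  },
  {
    name: "POST inside sandboxed iframe",
    frameID: "framePostSandboxed",
    frameSrc: "http://mochi.test:8888/tests/netwerk/test/mochitests/origin_header_form_post.html",
  },
  {
    name: "POST inside a srcdoc iframe",
    frameID: "framePostSrcDoc",
    srcdoc: "origin_header_form_post.html",
  },
  {
    name: "cross-origin POST inside a srcdoc iframe",
    frameID: "framePostSrcDocXOrigin",
    srcdoc: "origin_header_form_post_xorigin.html",
  },
  {
    name: "POST inside a data: iframe",
    frameID: "framePostDataURI",
    dataURI: "origin_header_form_post.html",
  },
  {
    name: "same-origin POST redirected to cross-origin",
    frameID: "framePostSameOriginToXOrigin",
    formID: "formPostSameOriginToXOrigin",
  },
  {
    name: "cross-origin POST redirected to same-origin",
    frameID: "framePostXOriginToSameOrigin",
    formID: "formPostXOriginToSameOrigin",
  },
  {
    name: "cross-origin POST redirected to cross-origin",
    frameID: "framePostXOriginToXOrigin",
    formID: "formPostXOriginToXOrigin",
  },
];

// Compares the text of the result frame's document with the value expected
// for this test/check pair and clears the frame's onload handler.
function frameLoaded(test, check)
{
  let frame = window.document.getElementById(check.frameID);
  frame.onload = null;
  // SpecialPowers.wrap() is used so the content of frames that are not
  // same-origin with this page can still be read.
  let result = SpecialPowers.wrap(frame).contentDocument.documentElement.textContent;
  is(result, test.results[check.frameID], check.name + " with " + test.name);
}

// Submits the form named by check.formID into its target frame and resolves
// once the response has loaded and been checked.
function submitForm(test, check)
{
  return new Promise((resolve) => {
    document.getElementById(check.frameID).onload = () => {
      frameLoaded(test, check);
      resolve();
    };
    document.getElementById(check.formID).submit();
  });
}

// Installs the onload handler shared by the iframe-based checks and returns
// a promise that resolves once the frame has reached origin_header.sjs and
// its result has been checked.
function waitForPostResult(frame, test, check)
{
  return new Promise((resolve) => {
    frame.onload = function () {
      // Ignore the first load and wait for the submitted form instead.
      let location = frame.contentWindow.location + "";
      if (location.endsWith("origin_header.sjs")) {
        frameLoaded(test, check);
        resolve();
      }
    };
  });
}

// Fetches a fixture document as text. Rejects on a network error or a
// non-success HTTP status so a missing fixture is reported instead of being
// loaded into the frame as an error page.
async function fetchFixture(url)
{
  let response = await fetch(url);
  if (!response.ok) {
    throw new Error("fetching " + url + " failed with HTTP status " + response.status);
  }
  return response.text();
}

// Records a failure for a check whose fixture could not be fetched and
// detaches the pending onload handler, so the run fails with a message
// instead of waiting for a load that will never happen.
function reportFixtureFailure(frame, test, check, error)
{
  frame.onload = null;
  ok(false, check.name + " with " + test.name + ": could not load fixture: " + error);
}

// Navigates the frame to check.frameSrc; the loaded page is expected to
// submit a form to origin_header.sjs by itself.
function loadIframe(test, check)
{
  let frame = SpecialPowers.wrap(window.document.getElementById(check.frameID));
  let postResult = waitForPostResult(frame, test, check);
  frame.src = check.frameSrc;
  return postResult;
}

// Loads the fixture named by check.srcdoc into the frame via its srcdoc
// attribute and waits for the resulting form POST.
async function loadSrcDocFrame(test, check)
{
  let frame = SpecialPowers.wrap(window.document.getElementById(check.frameID));
  let postResult = waitForPostResult(frame, test, check);
  try {
    frame.srcdoc = await fetchFixture(check.srcdoc);
  } catch (error) {
    reportFixtureFailure(frame, test, check, error);
    return;
  }
  await postResult;
}

// Loads the fixture named by check.dataURI into the frame as a data: URI
// and waits for the resulting form POST.
async function loadDataURIFrame(test, check)
{
  let frame = SpecialPowers.wrap(window.document.getElementById(check.frameID));
  let postResult = waitForPostResult(frame, test, check);
  try {
    let body = await fetchFixture(check.dataURI);
    frame.src = "data:text/html," + encodeURIComponent(body);
  } catch (error) {
    reportFixtureFailure(frame, test, check, error);
    return;
  }
  await postResult;
}

// Returns every result frame to a blank document so results from the
// previous pref configuration cannot be mistaken for new ones.
async function resetFrames()
{
  let resets = checksToRun.map((check) => new Promise((resolve) => {
    let frame = document.getElementById(check.frameID);
    frame.onload = () => resolve();
    if (check.srcdoc) {
      frame.srcdoc = "";
    } else {
      frame.src = "about:blank";
    }
  }));
  await Promise.all(resets);
}

// Runs every check under every pref configuration, then finishes the test.
async function runTests()
{
  for (let test of testsToRun) {
    await resetFrames();
    await SpecialPowers.pushPrefEnv({"set": test.prefs});

    let checkPromises = [];
    for (let check of checksToRun) {
      if (check.formID) {
        checkPromises.push(submitForm(test, check));
      } else if (check.frameSrc) {
        checkPromises.push(loadIframe(test, check));
      } else if (check.srcdoc) {
        checkPromises.push(loadSrcDocFrame(test, check));
      } else if (check.dataURI) {
        checkPromises.push(loadDataURIFrame(test, check));
      } else {
        ok(false, "Unsupported check");
        break;
      }
    }
    await Promise.all(checkPromises);
  }
  SimpleTest.finish();
}

SimpleTest.waitForExplicitFinish();
SimpleTest.requestLongerTimeout(5); // work around Android timeouts
addLoadEvent(runTests);

</script>
</pre>
<table>
  <tr>
    <td>
      <iframe src="about:blank" name="framePost" id="framePost"></iframe>
      <form action="origin_header.sjs"
            method="POST"
            id="formPost"
            target="framePost">
        <input type="submit" value="Submit POST">
      </form>
    </td>
    <td>
      <iframe src="about:blank" name="framePostXOrigin" id="framePostXOrigin"></iframe>
      <form action="http://test1.mochi.test:8888/tests/netwerk/test/mochitests/origin_header.sjs"
            method="POST"
            id="formPostXOrigin"
            target="framePostXOrigin">
        <input type="submit" value="Submit XOrigin POST">
      </form>
    </td>
    <td>
      <iframe src="about:blank" name="frameGet" id="frameGet"></iframe>
      <form action="origin_header.sjs"
            method="GET"
            id="formGet"
            target="frameGet">
        <input type="submit" value="Submit GET">
      </form>
    </td>
    <td>
      <iframe src="about:blank" name="framePostSameOriginToXOrigin" id="framePostSameOriginToXOrigin"></iframe>
      <form action="redirect_to.sjs?http://test1.mochi.test:8888/tests/netwerk/test/mochitests/origin_header.sjs"
            method="POST"
            id="formPostSameOriginToXOrigin"
            target="framePostSameOriginToXOrigin">
        <input type="Submit" value="Submit SameOrigin POST redirected to XOrigin">
      </form>
    </td>
    <td>
      <iframe src="about:blank" name="framePostXOriginToSameOrigin" id="framePostXOriginToSameOrigin"></iframe>
      <form action="http://test1.mochi.test:8888/tests/netwerk/test/mochitests/redirect_to.sjs?http://mochi.test:8888/tests/netwerk/test/mochitests/origin_header.sjs"
            method="POST"
            id="formPostXOriginToSameOrigin"
            target="framePostXOriginToSameOrigin">
        <input type="Submit" value="Submit XOrigin POST redirected to SameOrigin">
      </form>
    </td>
    <td>
      <iframe src="about:blank" name="framePostXOriginToXOrigin" id="framePostXOriginToXOrigin"></iframe>
      <form action="http://test1.mochi.test:8888/tests/netwerk/test/mochitests/redirect_to.sjs?/tests/netwerk/test/mochitests/origin_header.sjs"
            method="POST"
            id="formPostXOriginToXOrigin"
            target="framePostXOriginToXOrigin">
        <input type="Submit" value="Submit XOrigin POST redirected to XOrigin">
      </form>
    </td>
  </tr>
  <tr>
    <td>
      <iframe src="about:blank" id="framePostNonSandboxed"></iframe>
      <div>Non-sandboxed iframe</div>
    </td>
    <td>
      <iframe src="about:blank" id="framePostNonSandboxedXOrigin"></iframe>
      <div>Non-sandboxed cross-origin iframe</div>
    </td>
    <td>
      <!-- No allow-same-origin token: the framed document is expected to
           report "Origin: null" rather than the embedding page's origin. -->
      <iframe src="about:blank" id="framePostSandboxed" sandbox="allow-forms allow-scripts"></iframe>
      <div>Sandboxed iframe</div>
    </td>
  </tr>
  <tr>
    <td>
      <iframe id="framePostSrcDoc" src="about:blank"></iframe>
      <div>Srcdoc iframe</div>
    </td>
    <td>
      <iframe id="framePostSrcDocXOrigin" src="about:blank"></iframe>
      <div>Srcdoc cross-origin iframe</div>
    </td>
    <td>
      <iframe id="framePostDataURI" src="about:blank"></iframe>
      <div>data: URI iframe</div>
    </td>
  </tr>
</table>

</body>
</html>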