// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
"use strict";

// Test that if an OCSP request is made to a domain that (erroneously)
// has HSTS status, the request is not upgraded from HTTP to HTTPS.
//
// Why the upgrade must not happen: the OCSP fetch is issued while a TLS
// certificate is being validated. If that fetch were itself upgraded to
// HTTPS, the responder's own certificate would have to be validated first,
// which can in turn require an OCSP fetch — presumably the circular
// dependency the implementation is avoiding by keeping OCSP on plain HTTP.

/**
 * xpcshell test entry point.
 *
 * Ordering note: the `add_*` calls appear to only queue steps that
 * `run_next_test()` executes later, whereas the pref write, starting the
 * OCSP responder and the HSTS registration take effect immediately. So the
 * HSTS entry for the AIA host is already in place when the queued
 * connection test runs, even though it is registered after that test is
 * queued (this is what the "below" in the comment further down refers to).
 */
function run_test() {
  do_get_profile();
  // With OCSP required, the connection test can only succeed if the OCSP
  // request itself succeeds — a soft-fail would otherwise mask the bug.
  Services.prefs.setBoolPref("security.OCSP.require", true);

  // Stapling is not exercised here; the stapling server is simply the
  // harness's way of obtaining a TLS connection.
  add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");

  const responseSpecs = [["good", "default-ee", "unused", 0]];
  const [goodResponse] = generateOCSPResponses(responseSpecs, "ocsp_certs");

  // Every path on the responder answers with the single "good" response.
  const serveGoodResponse = (request, response) => {
    response.setStatusLine(request.httpVersion, 200, "OK");
    response.setHeader("Content-Type", "application/ocsp-response");
    response.write(goodResponse);
  };

  // Port 8888 has to match the OCSP AIA URI embedded in the test
  // certificates (presumably http://localhost:8888/ — verify against the
  // ocsp_certs specs before changing it).
  const responder = new HttpServer();
  responder.registerPrefixHandler("/", serveGoodResponse);
  responder.start(8888);

  // ocsp-stapling-none.example.com does not staple an OCSP response in the
  // handshake, so the revocation checking code will attempt to fetch one.
  // Since the domain of the certificate's OCSP AIA URI is an HSTS host
  // (as added in the setup of this test, below), a buggy implementation would
  // upgrade the OCSP request to HTTPS. We specifically prevent this. This
  // test demonstrates that our implementation is correct in this regard.
  add_connection_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess);
  add_test(() => {
    run_next_test();
  });

  add_test(() => {
    responder.stop(run_next_test);
  });

  // Mark the AIA host (localhost) as an HSTS host and confirm the service
  // agrees, so the connection test above really exercises the no-upgrade
  // path rather than passing trivially.
  const siteSecurity = Cc["@mozilla.org/ssservice;1"].getService(
    Ci.nsISiteSecurityService
  );
  const aiaOrigin = Services.io.newURI("http://localhost");
  siteSecurity.processHeader(aiaOrigin, "max-age=10000");
  ok(
    siteSecurity.isSecureURI(aiaOrigin),
    "Domain for the OCSP AIA URI should be considered a HSTS host, otherwise" +
      " we wouldn't be testing what we think we're testing"
  );

  run_next_test();
}