File: test_upgrade_insecure_cors.html

package info (click to toggle)

firefox-esr 128.14.0esr-1~deb12u1

links: PTS, VCS
area: main
in suites: bookworm
size: 4,230,248 kB
sloc: cpp: 7,104,262; javascript: 6,088,450; ansic: 3,654,017; python: 1,212,326; xml: 594,604; asm: 420,654; java: 182,969; sh: 71,124; makefile: 20,739; perl: 13,449; objc: 12,399; yacc: 4,583; cs: 3,846; pascal: 2,973; lex: 1,720; ruby: 1,194; exp: 762; php: 436; lisp: 258; awk: 247; sql: 66; sed: 54; csh: 10

file content (86 lines) | stat: -rw-r--r-- 3,010 bytes

parent folder | download | duplicates (28)

<!DOCTYPE HTML>
<html>
<head>
  <meta charset="utf-8">
  <title>Bug 1139297 - Implement CSP upgrade-insecure-requests directive</title>
  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
  <script src="/tests/SimpleTest/SimpleTest.js"></script>
  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<iframe style="width:100%;" id="testframe"></iframe>

<script class="testbody" type="text/javascript">

/* Description of the test:
 * We load a page serving two XHR requests (including being redirected);
 * one that should not require CORS and one that should require cors, in particular:
 *
 * Test 1:
 *   Main page:   https://test1.example.com
 *   XHR request: http://test1.example.com
 *   Redirect to: http://test1.example.com
 *   Description: Upgrade insecure should upgrade from http to https and also
 *                surpress CORS for that case.
 *
 * Test 2:
 *   Main page:   https://test1.example.com
 *   XHR request: http://test1.example.com
 *   Redirect to: http://test1.example.com:443
 *   Description: Upgrade insecure should upgrade from http to https and also
 *                prevent CORS for that case.
 *   Note: If redirecting to a different port, then CORS *should* be enforced (unless
 *         it's port 443). Unfortunately we can't test that because of the setup of our
 *         *.sjs files; they only are able to listen to port 443, see:
 *         http://mxr.mozilla.org/mozilla-central/source/build/pgo/server-locations.txt#98
 *
 * Test 3:
 *   Main page:   https://test1.example.com
 *   XHR request: http://test2.example.com
 *   Redirect to: http://test1.example.com
 *   Description: Upgrade insecure should *not* prevent CORS since
 *                the page performs a cross origin xhr.
 *
 */

const CSP_POLICY = "upgrade-insecure-requests; script-src 'unsafe-inline'";
var tests = 3;

function loadTest() {
  var src = "https://test1.example.com/tests/dom/security/test/csp/file_testserver.sjs?file=";
  // append the file that should be served
  src += escape("tests/dom/security/test/csp/file_upgrade_insecure_cors.html")
  // append the CSP that should be used to serve the file
  src += "&csp=" + escape(CSP_POLICY);
  document.getElementById("testframe").src = src;
}

function checkResult(result) {
  if (result === "test1-no-cors-ok" ||
      result === "test2-no-cors-diffport-ok" ||
      result === "test3-cors-ok") {
    ok(true, "'upgrade-insecure-requests' acknowledges CORS (" + result + ")");
  }
  else {
    ok(false, "'upgrade-insecure-requests' acknowledges CORS (" + result + ")");
  }
  if (--tests > 0) {
    return;
  }
  window.removeEventListener("message", receiveMessage);
  SimpleTest.finish();
}

// a postMessage handler that is used to bubble up results from
// within the iframe.
window.addEventListener("message", receiveMessage);
function receiveMessage(event) {
  checkResult(event.data);
}

SimpleTest.waitForExplicitFinish();
loadTest();

</script>
</body>
</html>