File: only-top-level-navigation-hsts-upgrade.tentative.sub.html

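<!DOCTYPE html>
<meta charset="utf-8">
<title>HSTS upgrades apply only to top-level navigations</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<body>
<script type="module">
  // Check HSTS upgrades only apply to top-level (outermost) frame navigations.
  // Note that this test must be run on an insecure origin because it relies on
  // insecure iframes being loadable. If it's instead run on a secure origin
  // then mixed content blocking will prevent HSTS from working.

  // 0) Confirm that insecure iframes can be loaded.
  // 1) Pin the alt hostname to the HSTS via hsts.html
  // 2) Attempt to load an iframe via http. This should fail because
  //    http://{{hosts[alt][]}}:{{ports[https][0]}} is an invalid origin *and*
  //    HSTS should not upgrade the iframe navigation to https.
  // 3) Open a new window and navigate it to the same http origin. This should
  //    successfully be upgraded to https, load, and then postMessage its origin.

  promise_test(async (t) => {
    // Origin the popup must end up on once HSTS has upgraded its navigation.
    const upgradedOrigin = "https://{{hosts[alt][]}}:{{ports[https][0]}}";

    // Resolves with the next `message` event delivered to this window, or
    // rejects after 3s. Each call replaces the global `onmessage` handler, so
    // only one step may be waiting on a message at a time. A rejection means
    // "no message arrived in time", which step 2 relies on as its success path.
    function onMessageWithTimeout(name) {
      return new Promise((resolve, reject) => {
        // t.step_timeout attributes any exception to this test instead of
        // surfacing it as a harness error.
        const timeoutID = t.step_timeout(() => {
          onmessage = null;
          reject(new Error("Timeout: Didn't receive message for " + name));
        }, 3000);

        onmessage = (event) => {
          clearTimeout(timeoutID);
          // Drop the handler so a stray late message cannot be mistaken for
          // the reply of a later step.
          onmessage = null;
          resolve(event);
        };
      });
    }

    // Step 0.
    // Sanity check: a plain http iframe on the main host must load and post
    // back to us; otherwise steps 2 and 3 would be meaningless.
    const iframeLoadable = document.createElement('iframe');
    t.add_cleanup(() => iframeLoadable.remove());
    const iframeLoadablePromise = onMessageWithTimeout("Step 0");

    iframeLoadable.src = "http://{{hosts[][]}}:{{ports[http][0]}}/hsts/resources/hsts.html";
    document.body.appendChild(iframeLoadable);
    await iframeLoadablePromise;

    // Step 1.
    // Add HSTS pin for domain (hsts.html is expected to answer with a
    // Strict-Transport-Security header; this fetch must be https to take effect).
    await fetch("https://{{hosts[alt][]}}:{{ports[https][0]}}/hsts/resources/hsts.html?as-fetch");

    // Step 2.
    // Note: HTTP, not HTTPS. The iframe must NOT be upgraded, so the only
    // acceptable outcome is that no message arrives before the timeout.
    const hstsIframe = document.createElement('iframe');
    t.add_cleanup(() => hstsIframe.remove());
    const hstsIframePromise = onMessageWithTimeout("Step 2").then(
      () => assert_unreached("HSTS iframe unexpectedly loaded"),
      () => { /* frame didn't load (timed out), as expected */ });

    hstsIframe.src = "http://{{hosts[alt][]}}:{{ports[https][0]}}/hsts/resources/hsts.html";
    document.body.appendChild(hstsIframe);
    await hstsIframePromise;

    // Step 3.
    // A top-level navigation to the same http origin MUST be upgraded.
    const hstsWindowPromise = onMessageWithTimeout("Step 3").then((event) => {
      // event.origin is filled in by the browser from the sender's document;
      // event.data.origin is what the popup reports about itself. Both must
      // reflect the upgraded https origin.
      assert_equals(event.origin, upgradedOrigin,
                    "sender origin reported by the browser");
      assert_equals(event.data.origin, upgradedOrigin,
                    "origin reported by the popup");
    });

    const w = window.open("http://{{hosts[alt][]}}:{{ports[https][0]}}/hsts/resources/post-origin-to-opener.html", "_blank");
    assert_not_equals(w, null, "Window didn't open. Is there a popup blocker?");
    // Close the popup when the test finishes, whatever the outcome.
    t.add_cleanup(() => w.close());

    await hstsWindowPromise;
  }, "HSTS only navigates top-level");

</script>
</body>
</html>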