File: upgrade-insecure-requests-reporting.https.html

package info (click to toggle)

thunderbird 1%3A140.5.0esr-1

links: PTS, VCS
area: main
in suites: forky, sid
size: 4,609,032 kB
sloc: cpp: 7,672,739; javascript: 5,901,898; ansic: 3,898,899; python: 1,413,347; xml: 653,997; asm: 462,284; java: 180,927; sh: 113,491; makefile: 20,460; perl: 14,288; objc: 13,059; yacc: 4,583; pascal: 3,352; lex: 1,720; ruby: 1,222; exp: 762; sql: 715; awk: 580; php: 436; lisp: 430; sed: 70; csh: 10

file content (100 lines) | stat: -rw-r--r-- 3,282 bytes

parent folder | download | duplicates (26)

<!doctype html>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/common/security-features/resources/common.sub.js"></script>
<body></body>
<script>
    function waitForViolation(el, effective_directive) {
      return new Promise(resolve => {
        el.addEventListener('securitypolicyviolation', e => {
          if (e.effectiveDirective == effective_directive)
            resolve(e);
        });
      });
    }

    async_test(t => {
      var url = getRequestURLs("img-tag",
                               "same-http-downgrade",
                               "no-redirect").testUrl;
      var i = document.createElement('img');
      var loaded = false;
      var reported = false;
      waitForViolation(window, "img-src")
        .then(t.step_func(e => {
           reported = true;
           if (loaded)
             t.done();
      }));
      i.onload = t.step_func(_ => {
        loaded = true;
        if (reported)
          t.done();
      });
      i.onerror = t.unreached_func(url + " should load successfully.");
      i.src = url;
      document.body.appendChild(i);
    }, "Upgraded image is reported");

    async_test(t => {
      var url = getRequestURLs("iframe-tag",
                               "same-http-downgrade",
                               "no-redirect").testUrl;
      var i = document.createElement('iframe');
      var loaded = false;
      var reported = false;
      waitForViolation(window, "frame-src")
        .then(t.step_func(e => {
           reported = true;
           if (loaded)
             t.done();
      }));
      window.addEventListener("message", t.step_func(e => {
        if (e.source == i.contentWindow) {
          i.remove();
          loaded = true;
          if (reported)
            t.done();
        }
      }));
      i.src = url;
      document.body.appendChild(i);
    }, "Upgraded iframe is reported");

    async_test(t => {
      // Load an HTTPS iframe, then navigate it to an HTTP URL and check that the HTTP URL is both upgraded and reported.
      var url = getRequestURLs("iframe-tag",
                               "same-https",
                               "no-redirect").testUrl;
      var navigate_to = getRequestURLs("iframe-tag",
                                       "cross-http-downgrade",
                                       "no-redirect").testUrl;
      var upgraded = new URL(navigate_to);
      upgraded.protocol = "https";

      var i = document.createElement('iframe');
      var loaded = false;
      var reported = false;

      window.addEventListener("message", t.step_func(e => {
        if (e.source == i.contentWindow) {
          if (e.data.location == url) {
            waitForViolation(window, "frame-src")
              .then(t.step_func(e => {
                reported = true;
                if (loaded)
                  t.done();
            }));
            i.contentWindow.location.href = navigate_to;
          } else if (e.data.location == upgraded) {
            loaded = true;
            if (reported)
              t.done();
          }
        }
      }));
      i.src = url;
      document.body.appendChild(i);
    }, "Navigated iframe is upgraded and reported");
</script>
</html>