Bug 1432137 - Add test to verify insecure redirects to data: URIs are blocked for script modules. r=jonco

dom/security/test/general/file_block_subresource_redir_to_data.sjs

@@ -10,13 +10,13 @@ function handleRequest(request, response)
   response.setHeader("Cache-Control", "no-cache", false);
   response.setStatusLine("1.1", 302, "Found");
 
-  if (query === "script") {
+  if (query === "script" || query === "modulescript") {
-    response.setHeader("Location", "data:text/html," + escape(SCRIPT_DATA), false);
+    response.setHeader("Location", "data:text/javascript," + escape(SCRIPT_DATA), false);
     return;
   }
 
   if (query === "worker") {
-    response.setHeader("Location", "data:text/html," + escape(WORKER_DATA), false);
+    response.setHeader("Location", "data:text/javascript," + escape(WORKER_DATA), false);
     return;
   }
 

dom/security/test/general/test_block_subresource_redir_to_data.html

@@ -8,11 +8,12 @@
 <body>
 
 <script id="testScriptRedirectToData"></script>
+<script id="testModuleScriptRedirectToData" type="module"></script>
 
 <script class="testbody" type="text/javascript">
 
 SimpleTest.waitForExplicitFinish();
-const NUM_TESTS = 2;
+const NUM_TESTS = 3;
 
 var testCounter = 0;
 function checkFinish() {
@@ -48,6 +49,20 @@ worker.onmessage = function() {
 };
 worker.postMessage("dummy");
 
+// --- test script modules
+SpecialPowers.pushPrefEnv({set: [["dom.moduleScripts.enabled", true]]}, function() {
+  let testModuleScriptRedirectToData = document.getElementById("testModuleScriptRedirectToData");
+  testModuleScriptRedirectToData.onerror = function() {
+    ok(true, "module script that redirects to data: URI should not load");
+    checkFinish();
+  }
+  testModuleScriptRedirectToData.onload = function() {
+    ok(false, "module script that redirects to data: URI should not load");
+    checkFinish();
+  }
+  testModuleScriptRedirectToData.src = "file_block_subresource_redir_to_data.sjs?modulescript";
+});
+
 </script>
 </body>
 </html>