From 263f055dd1eecb8954d6bf31b1506f8503a00402 Mon Sep 17 00:00:00 2001 From: Andrea Marchesini Date: Tue, 4 Aug 2020 09:45:40 +0000 Subject: [PATCH] Bug 1635828 - Isolate HSTS per first-party when privacy.partition.network_state is set to true - part 2 - tests, r=timhuang Differential Revision: https://phabricator.services.mozilla.com/D74078 --- .../test_sts_privatebrowsing_perwindowpb.html | 1 + .../antitracking/test/browser/browser.ini | 2 + .../browser/browser_staticPartition_HSTS.js | 73 +++++++++++++++++++ .../browser/browser_staticPartition_HSTS.sjs | 12 +++ 4 files changed, 88 insertions(+) create mode 100644 toolkit/components/antitracking/test/browser/browser_staticPartition_HSTS.js create mode 100644 toolkit/components/antitracking/test/browser/browser_staticPartition_HSTS.sjs diff --git a/security/manager/ssl/tests/mochitest/stricttransportsecurity/test_sts_privatebrowsing_perwindowpb.html b/security/manager/ssl/tests/mochitest/stricttransportsecurity/test_sts_privatebrowsing_perwindowpb.html index 64dfc48ce8c2..f042169e8075 100644 --- a/security/manager/ssl/tests/mochitest/stricttransportsecurity/test_sts_privatebrowsing_perwindowpb.html +++ b/security/manager/ssl/tests/mochitest/stricttransportsecurity/test_sts_privatebrowsing_perwindowpb.html @@ -31,6 +31,7 @@ var mainWindow = window.browsingContext.topChromeWindow; SpecialPowers.Services.prefs.setIntPref("browser.startup.page", 0); + SpecialPowers.Services.prefs.setBoolPref("privacy.partition.network_state", false); var testframes = { samedom: { diff --git a/toolkit/components/antitracking/test/browser/browser.ini b/toolkit/components/antitracking/test/browser/browser.ini index 32e11d246edc..8f75ea09c87e 100644 --- a/toolkit/components/antitracking/test/browser/browser.ini +++ b/toolkit/components/antitracking/test/browser/browser.ini 
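Review bot: The added `setBoolPref("privacy.partition.network_state", false)` writes the pref directly, and the diffstat shows it is the only line added to this file, so nothing visible restores the pref when the test ends. If the harness does not reset it, later tests in the same run would execute with network-state partitioning switched off, which can hide partitioning regressions. Either clear it in the test's teardown with `SpecialPowers.Services.prefs.clearUserPref("privacy.partition.network_state");` or set it through `SpecialPowers.pushPrefEnv`, which is undone automatically. The surrounding script starts and ends outside the hunk, so an existing teardown may already be the right place for this.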
@@ -155,3 +155,5 @@ support-files = !/browser/components/originattributes/test/browser/file_thirdPartyChild.worker.xhr.html !/browser/components/originattributes/test/browser/file_thirdPartyChild.xhr.html [browser_staticPartition_network.js] +[browser_staticPartition_HSTS.js] +support-files = browser_staticPartition_HSTS.sjs diff --git a/toolkit/components/antitracking/test/browser/browser_staticPartition_HSTS.js b/toolkit/components/antitracking/test/browser/browser_staticPartition_HSTS.js new file mode 100644 index 000000000000..e87a09892744 --- /dev/null +++ b/toolkit/components/antitracking/test/browser/browser_staticPartition_HSTS.js 
@@ -0,0 +1,73 @@
+/* Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/publicdomain/zero/1.0/
+ */
+
+var unsecureEmptyURL =
+ "http://example.org/browser/toolkit/components/antitracking/test/browser/empty.html";
+var secureURL =
+ "https://example.com/browser/toolkit/components/antitracking/test/browser/browser_staticPartition_HSTS.sjs";
+var unsecureURL =
+ "http://example.com/browser/toolkit/components/antitracking/test/browser/browser_staticPartition_HSTS.sjs";
+
+function cleanupHSTS() {
+ // Ensure to remove example.com from the HSTS list.
+ let sss = Cc["@mozilla.org/ssservice;1"].getService(
+ Ci.nsISiteSecurityService
+ );
+ sss.resetState(
+ Ci.nsISiteSecurityService.HEADER_HSTS,
+ NetUtil.newURI("http://example.com/"),
+ 0
+ );
+}
+
+function promiseTabLoadEvent(aTab, aURL, aFinalURL) {
+ info("Wait for load tab event");
+ BrowserTestUtils.loadURI(aTab.linkedBrowser, aURL);
+ return BrowserTestUtils.browserLoaded(aTab.linkedBrowser, false, aFinalURL);
+}
+
+add_task(async function() {
+ for (let prefValue of [true, false]) {
+ await SpecialPowers.pushPrefEnv({
+ set: [["privacy.partition.network_state", prefValue]],
+ });
+
+ let tab = (gBrowser.selectedTab = BrowserTestUtils.addTab(gBrowser));
+
+ // Let's load the secureURL as first-party in order to activate HSTS.
+ await promiseTabLoadEvent(tab, secureURL, secureURL);
+
+ // Let's test HSTS: unsecure -> secure.
+ await promiseTabLoadEvent(tab, unsecureURL, secureURL);
+ ok(true, "unsecure -> secure, first-party works!");
+
+ // Let's load a first-party.
+ await promiseTabLoadEvent(tab, unsecureEmptyURL, unsecureEmptyURL);
+
+ let finalURL = await SpecialPowers.spawn(
+ tab.linkedBrowser,
+ [unsecureURL],
+ async url => {
+ return new content.Promise(resolve => {
+ let ifr = content.document.createElement("iframe");
+ ifr.onload = _ => {
+ resolve(ifr.contentWindow.location.href);
+ };
+
+ content.document.body.appendChild(ifr);
+ ifr.src = url;
+ });
+ }
+ );
+
+ if (prefValue) {
+ is(finalURL, unsecureURL, "HSTS doesn't work for 3rd parties");
+ } else {
+ is(finalURL, secureURL, "HSTS works for 3rd parties");
+ }
+
+ gBrowser.removeCurrentTab();
+ cleanupHSTS();
+ }
+});
diff --git a/toolkit/components/antitracking/test/browser/browser_staticPartition_HSTS.sjs b/toolkit/components/antitracking/test/browser/browser_staticPartition_HSTS.sjs
new file mode 100644
index 000000000000..64c4235288c3
--- /dev/null
+++ b/toolkit/components/antitracking/test/browser/browser_staticPartition_HSTS.sjs
@@ -0,0 +1,12 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+function handleRequest(request, response) {
+ let page = "
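Review bot: `cleanupHSTS()` and `gBrowser.removeCurrentTab()` run only at the bottom of each loop iteration in browser_staticPartition_HSTS.js, so a load that times out or an exception from the `SpecialPowers.spawn` callback leaves the example.com HSTS entry and the tab behind for the following tests. Register the teardown up front, e.g. `registerCleanupFunction(cleanupHSTS);` before the loop, and keep the per-iteration call. Also, `resetState` is called with flags `0` and no origin attributes; whether that removes an entry stored under a partition key when the pref is true cannot be told from this hunk and is worth confirming. The `ok(true, ...)` check can never fail, so a missing upgrade would presumably show up only as a `browserLoaded` timeout; a comment saying so would help whoever triages it.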

HSTS page

";
+ response.setStatusLine(request.httpVersion, "200", "OK");
+ response.setHeader("Strict-Transport-Security", "max-age=60");
+ response.setHeader("Content-Type", "text/html", false);
+ response.setHeader("Content-Length", page.length + "", false);
+ response.write(page);
+}
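Review bot: `max-age=60` in `handleRequest` makes both upgrade checks in browser_staticPartition_HSTS.js depend on finishing within 60 seconds of the https load, which a slow debug or sanitizer run could plausibly exceed, and the handler has no comment explaining the choice. If the short lifetime is deliberate, so that the entry expires by itself when cleanup is skipped, say so above the header, e.g. `// Short max-age: must outlive the test's loads but expire soon if cleanup is skipped.`; otherwise a larger value combined with the explicit reset in the test is less timing-sensitive. The same handler is requested over both http and https, so it would also help to note that the header only takes effect on the https response.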