Bug 722037. Correctly ignore javascript: images in security UI. r=kaie

--HG-- rename : security/manager/ssl/tests/mochitest/mixedcontent/test_securePicture.html => security/manager/ssl/tests/mochitest/mixedcontent/test_javascriptPicture.html
2012-02-21 18:01:41 -05:00 · 2012-02-21 18:01:41 -05:00 · 6566b23698
--- a/security/manager/boot/src/nsSecureBrowserUIImpl.cpp
+++ b/security/manager/boot/src/nsSecureBrowserUIImpl.cpp
@ -795,18 +795,23 @@ nsSecureBrowserUIImpl::OnStateChange(nsIWebProgress* aWebProgress,

  nsCOMPtr<nsIURI> uri;
  nsCOMPtr<nsIChannel> channel(do_QueryInterface(aRequest));
-  if (channel)
-  {
+  if (channel) {
    channel->GetURI(getter_AddRefs(uri));
-    if (uri)
-    {
-      bool vs;
-      if (NS_SUCCEEDED(uri->SchemeIs("javascript", &vs)) && vs)
-      {
-        // We ignore the progress events for javascript URLs.
-        // If a document loading gets triggered, we will see more events.
-        return NS_OK;
-      }
+  }
+
+  nsCOMPtr<imgIRequest> imgRequest(do_QueryInterface(aRequest));
+  if (imgRequest) {
+    NS_ASSERTION(!channel, "How did that happen, exactly?");
+    // for image requests, we get the URI from here
+    imgRequest->GetURI(getter_AddRefs(uri));
+  }
+  
+  if (uri) {
+    bool vs;
+    if (NS_SUCCEEDED(uri->SchemeIs("javascript", &vs)) && vs) {
+      // We ignore the progress events for javascript URLs.
+      // If a document loading gets triggered, we will see more events.
+      return NS_OK;
    }
  }

@ -842,11 +847,7 @@ nsSecureBrowserUIImpl::OnStateChange(nsIWebProgress* aWebProgress,
  bool isSubDocumentRelevant = true;

  // We are only interested in requests that load in the browser window...
-  nsCOMPtr<imgIRequest> imgRequest(do_QueryInterface(aRequest));
-  if (imgRequest) {
-    // for image requests, we get the URI from here
-    imgRequest->GetURI(getter_AddRefs(uri));
-  } else { // is not imgRequest
+  if (!imgRequest) { // is not imgRequest
    nsCOMPtr<nsIHttpChannel> httpRequest(do_QueryInterface(aRequest));
    if (!httpRequest) {
      nsCOMPtr<nsIFileChannel> fileRequest(do_QueryInterface(aRequest));
--- a/security/manager/ssl/tests/mochitest/mixedcontent/Makefile.in
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/Makefile.in
@ -86,6 +86,7 @@ _TEST_FILES = \
        test_dynUnsecurePicturePreload.html \
        test_innerHtmlDelayedUnsecurePicture.html \
        test_innerHtmlUnsecurePicture.html \
+        test_javascriptPicture.html \
        test_secureAll.html \
        test_securePicture.html \
        test_unsecureBackground.html \
--- a/security/manager/ssl/tests/mochitest/mixedcontent/test_javascriptPicture.html
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_javascriptPicture.html
@ -0,0 +1,33 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Secure img load</title>
+  <script type="text/javascript" src="/MochiKit/Base.js"></script>
+  <script type="text/javascript" src="/MochiKit/DOM.js"></script>
+  <script type="text/javascript" src="/MochiKit/Style.js"></script>
+  <script type="text/javascript" src="/MochiKit/Signal.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+
+  function runTest()
+  {
+    isSecurityState("secure", "javascript: <img> should not break security");
+    finish();
+  }
+
+  function afterNavigationTest()
+  {
+    isSecurityState("secure", "Still secure after renavigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+  <img src="javascript:'Random data'" />
+</body>
+</html>