Bug 1139297 - Implement CSP upgrade-insecure-requests directive - cors tests (r=smaug)

--HG-- extra : rebase_source : 59ab74d90890d6756de82b64808ff35a947f0c2c
2015-07-10 09:17:17 -07:00 · 2015-07-10 09:17:17 -07:00 · 69eba2fa6a
--- a/dom/security/test/csp/file_upgrade_insecure_cors.html
+++ b/dom/security/test/csp/file_upgrade_insecure_cors.html
@ -0,0 +1,49 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Bug 1139297 - Implement CSP upgrade-insecure-requests directive</title>
+</head>
+<body>
+
+<script type="text/javascript">
+  // === TEST 1
+  var url1 = "http://test1.example.com/tests/dom/security/test/csp/file_upgrade_insecure_cors_server.sjs?test1";
+  var xhr1 = new XMLHttpRequest();
+  xhr1.open("GET", url1, true);
+  xhr1.onload = function() {
+  	window.parent.postMessage(xhr1.response, "*");
+  };
+  xhr1.onerror = function() {
+  	window.parent.postMessage("test1-failed", "*");
+  };
+  xhr1.send();
+
+  // === TEST 2
+  var url2 = "http://test1.example.com/tests/dom/security/test/csp/file_upgrade_insecure_cors_server.sjs?test2";
+  var xhr2 = new XMLHttpRequest();
+  xhr2.open("GET", url2, true);
+  xhr2.onload = function() {
+    window.parent.postMessage(xhr2.response, "*");
+  };
+  xhr2.onerror = function() {
+    window.parent.postMessage("test2-failed", "*");
+  };
+  xhr2.send();
+
+  // === TEST 3
+  var url3 = "http://test2.example.com/tests/dom/security/test/csp/file_upgrade_insecure_cors_server.sjs?test3";
+  var xhr3 = new XMLHttpRequest();
+  xhr3.open("GET", url3, true);
+  xhr3.onload = function() {
+  	window.parent.postMessage(xhr3.response, "*");
+  };
+  xhr3.onerror = function() {
+  	window.parent.postMessage("test3-failed", "*");
+  };
+  xhr3.send();
+
+</script>
+
+</body>
+</html>
--- a/dom/security/test/csp/file_upgrade_insecure_cors_server.sjs
+++ b/dom/security/test/csp/file_upgrade_insecure_cors_server.sjs
@ -0,0 +1,62 @@
+// Custom *.sjs file specifically for the needs of Bug:
+// Bug 1139297 - Implement CSP upgrade-insecure-requests directive
+
+function handleRequest(request, response)
+{
+  // avoid confusing cache behaviors
+  response.setHeader("Cache-Control", "no-cache", false);
+
+  // perform sanity check and make sure that all requests get upgraded to use https
+  if (request.scheme !== "https") {
+    response.write("request not https");
+    return;
+  }
+
+  var queryString = request.queryString;
+
+  // TEST 1
+  if (queryString === "test1") {
+    var newLocation =
+      "http://test1.example.com/tests/dom/security/test/csp/file_upgrade_insecure_cors_server.sjs?redir-test1";
+    response.setStatusLine("1.1", 302, "Found");
+    response.setHeader("Location", newLocation, false);
+    return;
+  }
+  if (queryString === "redir-test1") {
+    response.write("test1-no-cors-ok");
+    return;
+  }
+
+  // TEST 2
+  if (queryString === "test2") {
+    var newLocation =
+      "http://test1.example.com:443/tests/dom/security/test/csp/file_upgrade_insecure_cors_server.sjs?redir-test2";
+    response.setStatusLine("1.1", 302, "Found");
+    response.setHeader("Location", newLocation, false);
+    return;
+  }
+  if (queryString === "redir-test2") {
+    response.write("test2-no-cors-diffport-ok");
+    return;
+  }
+
+  // TEST 3
+  response.setHeader("Access-Control-Allow-Headers", "content-type", false);
+  response.setHeader("Access-Control-Allow-Methods", "POST, GET", false);
+  response.setHeader("Access-Control-Allow-Origin", "*", false);
+
+  if (queryString === "test3") {
+    var newLocation =
+      "http://test1.example.com/tests/dom/security/test/csp/file_upgrade_insecure_cors_server.sjs?redir-test3";
+    response.setStatusLine("1.1", 302, "Found");
+    response.setHeader("Location", newLocation, false);
+    return;
+  }
+  if (queryString === "redir-test3") {
+    response.write("test3-cors-ok");
+    return;
+  }
+
+  // we should not get here, but just in case return something unexpected
+  response.write("d'oh");
+}
--- a/dom/security/test/csp/mochitest.ini
+++ b/dom/security/test/csp/mochitest.ini
@ -127,6 +127,8 @@ support-files =
  file_upgrade_insecure_reporting_server.sjs
  file_upgrade_insecure_referrer.html
  file_upgrade_insecure_referrer_server.sjs
+  file_upgrade_insecure_cors.html
+  file_upgrade_insecure_cors_server.sjs

 [test_base-uri.html]
 [test_blob_data_schemes.html]
@ -189,3 +191,5 @@ skip-if = buildapp == 'b2g' || buildapp == 'mulet' || toolkit == 'gonk' || toolk
 skip-if = buildapp == 'b2g' || buildapp == 'mulet' || toolkit == 'gonk' || toolkit == 'android'
 [test_upgrade_insecure_referrer.html]
 skip-if = buildapp == 'b2g' || buildapp == 'mulet' || toolkit == 'gonk' || toolkit == 'android'
+[test_upgrade_insecure_cors.html]
+skip-if = buildapp == 'b2g' || buildapp == 'mulet' || toolkit == 'gonk' || toolkit == 'android'
--- a/dom/security/test/csp/test_upgrade_insecure_cors.html
+++ b/dom/security/test/csp/test_upgrade_insecure_cors.html
@ -0,0 +1,86 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Bug 1139297 - Implement CSP upgrade-insecure-requests directive</title>
+  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<iframe style="width:100%;" id="testframe"></iframe>
+
+<script class="testbody" type="text/javascript">
+
+/* Description of the test:
+ * We load a page serving two XHR requests (including being redirected);
+ * one that should not require CORS and one that should require cors, in particular:
+ *
+ * Test 1:
+ *   Main page:   https://test1.example.com
+ *   XHR request: http://test1.example.com
+ *   Redirect to: http://test1.example.com
+ *   Description: Upgrade insecure should upgrade from http to https and also
+ *                surpress CORS for that case.
+ *
+ * Test 2:
+ *   Main page:   https://test1.example.com
+ *   XHR request: http://test1.example.com
+ *   Redirect to: http://test1.example.com:443
+ *   Description: Upgrade insecure should upgrade from http to https and also
+ *                prevent CORS for that case.
+ *   Note: If redirecting to a different port, then CORS *should* be enforced (unless
+ *         it's port 443). Unfortunately we can't test that because of the setup of our
+ *         *.sjs files; they only are able to listen to port 443, see:
+ *         http://mxr.mozilla.org/mozilla-central/source/build/pgo/server-locations.txt#98
+ *
+ * Test 3:
+ *   Main page:   https://test1.example.com
+ *   XHR request: http://test2.example.com
+ *   Redirect to: http://test1.example.com
+ *   Description: Upgrade insecure should *not* prevent CORS since
+ *                the page performs a cross origin xhr.
+ *
+ */
+
+const CSP_POLICY = "upgrade-insecure-requests; script-src 'unsafe-inline'";
+var tests = 3;
+
+function loadTest() {
+  var src = "https://test1.example.com/tests/dom/security/test/csp/file_testserver.sjs?file=";
+  // append the file that should be served
+  src += escape("tests/dom/security/test/csp/file_upgrade_insecure_cors.html")
+  // append the CSP that should be used to serve the file
+  src += "&csp=" + escape(CSP_POLICY);
+  document.getElementById("testframe").src = src;
+}
+
+function checkResult(result) {
+  if (result === "test1-no-cors-ok" ||
+      result === "test2-no-cors-diffport-ok" ||
+      result === "test3-cors-ok") {
+    ok(true, "'upgrade-insecure-requests' acknowledges CORS (" + result + ")");
+  }
+  else {
+    ok(false, "'upgrade-insecure-requests' acknowledges CORS (" + result + ")");
+  }
+  if (--tests > 0) {
+    return;
+  }
+  window.removeEventListener("message", receiveMessage, false);
+  SimpleTest.finish();
+}
+
+// a postMessage handler that is used to bubble up results from
+// within the iframe.
+window.addEventListener("message", receiveMessage, false);
+function receiveMessage(event) {
+  checkResult(event.data);
+}
+
+SimpleTest.waitForExplicitFinish();
+loadTest();
+
+</script>
+</body>
+</html>