зеркало из https://github.com/mozilla/gecko-dev.git
Bug 1801501 - Check if rootDoc is secure context for web compat; r=ckerschb
Differential Revision: https://phabricator.services.mozilla.com/D175134
This commit is contained in:
june wilde
Родитель
f9be6e64d4
Коммит
73968652cc
|
|
@ -829,11 +829,11 @@ nsresult nsMixedContentBlocker::ShouldLoad(bool aHadInsecureImageRedirect,
|
|||
bool rootHasSecureConnection = topWC->GetIsSecure();
|
||||
bool allowMixedContent = topWC->GetAllowMixedContent();
|
||||
|
||||
// When navigating an iframe, the iframe may be https
|
||||
// but its parents may not be. Check the parents to see if any of them are
|
||||
// https. If none of the parents are https, allow the load.
|
||||
// When navigating an iframe, the iframe may be https but its parents may not
|
||||
// be. Check the parents to see if any of them are https. If none of the
|
||||
// parents are https, allow the load.
|
||||
if (contentType == ExtContentPolicyType::TYPE_SUBDOCUMENT &&
|
||||
!rootHasSecureConnection) {
|
||||
!rootHasSecureConnection && !parentIsHttps) {
|
||||
bool httpsParentExists = false;
|
||||
|
||||
RefPtr<WindowContext> curWindow = requestingWindow;
|
||||
|
|
|
|||
|
|
@ -0,0 +1,9 @@
|
|||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<head>
|
||||
<title>Test mixed content load in iframe via window.open</title>
|
||||
</head>
|
||||
<body>
|
||||
I'm in an iframe!
|
||||
</body>
|
||||
</html>
|
||||
|
|
@ -20,6 +20,7 @@ support-files =
|
|||
file_redirect.html
|
||||
file_redirect_handler.sjs
|
||||
file_bug1551886.html
|
||||
file_windowOpen.html
|
||||
|
||||
[test_main.html]
|
||||
skip-if =
|
||||
|
|
@ -40,3 +41,5 @@ skip-if =
|
|||
skip-if =
|
||||
http3
|
||||
http2
|
||||
[test_windowOpen.html]
|
||||
scheme = https
|
||||
|
|
|
|||
|
|
@ -0,0 +1,70 @@
|
|||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<head>
|
||||
<meta charset="utf-8">
|
||||
<title>Tests for Mixed Content Navigation with window.open</title>
|
||||
<script src="/tests/SimpleTest/SimpleTest.js"></script>
|
||||
|
||||
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
|
||||
</head>
|
||||
|
||||
<body>
|
||||
|
||||
<script class="testbody" type="text/javascript">
|
||||
|
||||
SimpleTest.waitForExplicitFinish();
|
||||
|
||||
let testsCompleted = 0;
|
||||
const numberOfTestCases = 2;
|
||||
|
||||
function markTestCaseComplete() {
|
||||
testsCompleted++;
|
||||
|
||||
if (testsCompleted == numberOfTestCases) {
|
||||
SimpleTest.finish();
|
||||
}
|
||||
}
|
||||
|
||||
window.onmessage = function(event) {
|
||||
if (event.data.src.includes("test1")) {
|
||||
// eslint-disable-next-line @microsoft/sdl/no-insecure-url
|
||||
is(event.data.errorTarget, "http://test1.example.com/tests/dom/security/test/mixedcontentblocker/file_windowOpen.html", "error thrown for failed iframe load should be from test1's iframe.");
|
||||
is(event.data.outcome, "blocked", "http iframe should be blocked from loading in child https window.");
|
||||
is(event.data.method, "http", "messages from test1 iframe should be http.");
|
||||
markTestCaseComplete();
|
||||
}
|
||||
else if (event.data.src.includes("test2")) {
|
||||
is(event.data.triggeringPrincipal, "https://example.com/tests/dom/security/test/mixedcontentblocker/test_windowOpen.html", "triggeringPrincipal for successfully loaded https iframe should be the original test file.");
|
||||
is(event.data.outcome, "loaded", "https iframe should be allowed to load in child https window.");
|
||||
is(event.data.method, "https", "messages from test2 iframe should be https");
|
||||
markTestCaseComplete();
|
||||
}
|
||||
};
|
||||
|
||||
function testURLInOpenedWindow(testURL) {
|
||||
let openedWindow = window.open("javascript:''","_blank");
|
||||
openedWindow.onload = function() {
|
||||
openedWindow.document.body.innerHTML = `<iframe id="testframe" src=\"${testURL}\">`
|
||||
|
||||
let testframe = openedWindow.document.getElementById("testframe");
|
||||
|
||||
testframe.onload = function() {
|
||||
let triggeringPrincipal = SpecialPowers.wrap(testframe.contentWindow).docShell.currentDocumentChannel.loadInfo.triggeringPrincipal.asciiSpec;
|
||||
openedWindow.opener.postMessage({outcome: 'loaded', method: testframe.src.split(":")[0], src: testframe.src, triggeringPrincipal}, 'https://example.com');
|
||||
openedWindow.close();
|
||||
}
|
||||
testframe.onerror = function(error) {
|
||||
let errorTarget = error.target.src;
|
||||
openedWindow.opener.postMessage({outcome: 'blocked', method: testframe.src.split(":")[0], src: testframe.src, errorTarget}, 'https://example.com');
|
||||
openedWindow.close();
|
||||
}
|
||||
};
|
||||
};
|
||||
|
||||
// eslint-disable-next-line @microsoft/sdl/no-insecure-url
|
||||
testURLInOpenedWindow("http://test1.example.com/tests/dom/security/test/mixedcontentblocker/file_windowOpen.html");
|
||||
testURLInOpenedWindow("https://test2.example.com/tests/dom/security/test/mixedcontentblocker/file_windowOpen.html");
|
||||
|
||||
</script>
|
||||
</body>
|
||||
</html>
|
||||
Загрузка…
Ссылка в новой задаче