зеркало из https://github.com/mozilla/gecko-dev.git
Bug 1801501 - Check if rootDoc is secure context for web compat; r=ckerschb
Differential Revision: https://phabricator.services.mozilla.com/D175134
Родитель
f9be6e64d4
Коммит
73968652cc
|
@ -829,11 +829,11 @@ nsresult nsMixedContentBlocker::ShouldLoad(bool aHadInsecureImageRedirect,
|
||||||
bool rootHasSecureConnection = topWC->GetIsSecure();
|
bool rootHasSecureConnection = topWC->GetIsSecure();
|
||||||
bool allowMixedContent = topWC->GetAllowMixedContent();
|
bool allowMixedContent = topWC->GetAllowMixedContent();
|
||||||
|
|
||||||
// When navigating an iframe, the iframe may be https
|
// When navigating an iframe, the iframe may be https but its parents may not
|
||||||
// but its parents may not be. Check the parents to see if any of them are
|
// be. Check the parents to see if any of them are https. If none of the
|
||||||
// https. If none of the parents are https, allow the load.
|
// parents are https, allow the load.
|
||||||
if (contentType == ExtContentPolicyType::TYPE_SUBDOCUMENT &&
|
if (contentType == ExtContentPolicyType::TYPE_SUBDOCUMENT &&
|
||||||
!rootHasSecureConnection) {
|
!rootHasSecureConnection && !parentIsHttps) {
|
||||||
bool httpsParentExists = false;
|
bool httpsParentExists = false;
|
||||||
|
|
||||||
RefPtr<WindowContext> curWindow = requestingWindow;
|
RefPtr<WindowContext> curWindow = requestingWindow;
|
||||||
|
|
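Review bot: The comment above the `TYPE_SUBDOCUMENT` check still says only that the load is allowed when none of the parents are https, but the condition now also requires `!parentIsHttps`, and nothing here explains why an https parent must skip this shortcut. Because `rootHasSecureConnection` is read from `topWC->GetIsSecure()`, a top-level window that is not itself marked secure presumably used to reach the allow path even when the frame's direct parent was https. A line such as `// Skip this shortcut when the direct parent is https, even if the top window is not marked secure (e.g. a window created via window.open).` would record that intent for the next reader. `parentIsHttps` is declared outside this hunk and the function body continues past it, so the wording should be checked against that declaration.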
|
@ -0,0 +1,9 @@
|
||||||
|
<!DOCTYPE HTML>
|
||||||
|
<html>
|
||||||
|
<head>
|
||||||
|
<title>Test mixed content load in iframe via window.open</title>
|
||||||
|
</head>
|
||||||
|
<body>
|
||||||
|
I'm in an iframe!
|
||||||
|
</body>
|
||||||
|
</html>
|
|
@ -20,6 +20,7 @@ support-files =
|
||||||
file_redirect.html
|
file_redirect.html
|
||||||
file_redirect_handler.sjs
|
file_redirect_handler.sjs
|
||||||
file_bug1551886.html
|
file_bug1551886.html
|
||||||
|
file_windowOpen.html
|
||||||
|
|
||||||
[test_main.html]
|
[test_main.html]
|
||||||
skip-if =
|
skip-if =
|
||||||
|
@ -40,3 +41,5 @@ skip-if =
|
||||||
skip-if =
|
skip-if =
|
||||||
http3
|
http3
|
||||||
http2
|
http2
|
||||||
|
[test_windowOpen.html]
|
||||||
|
scheme = https
|
||||||
|
|
|
@ -0,0 +1,70 @@
|
||||||
|
<!DOCTYPE HTML>
|
||||||
|
<html>
|
||||||
|
<head>
|
||||||
|
<meta charset="utf-8">
|
||||||
|
<title>Tests for Mixed Content Navigation with window.open</title>
|
||||||
|
<script src="/tests/SimpleTest/SimpleTest.js"></script>
|
||||||
|
|
||||||
|
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
|
||||||
|
</head>
|
||||||
|
|
||||||
|
<body>
|
||||||
|
|
||||||
|
<script class="testbody" type="text/javascript">
|
||||||
|
|
||||||
|
SimpleTest.waitForExplicitFinish();
|
||||||
|
|
||||||
|
let testsCompleted = 0;
|
||||||
|
const numberOfTestCases = 2;
|
||||||
|
|
||||||
|
function markTestCaseComplete() {
|
||||||
|
testsCompleted++;
|
||||||
|
|
||||||
|
if (testsCompleted == numberOfTestCases) {
|
||||||
|
SimpleTest.finish();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
window.onmessage = function(event) {
|
||||||
|
if (event.data.src.includes("test1")) {
|
||||||
|
// eslint-disable-next-line @microsoft/sdl/no-insecure-url
|
||||||
|
is(event.data.errorTarget, "http://test1.example.com/tests/dom/security/test/mixedcontentblocker/file_windowOpen.html", "error thrown for failed iframe load should be from test1's iframe.");
|
||||||
|
is(event.data.outcome, "blocked", "http iframe should be blocked from loading in child https window.");
|
||||||
|
is(event.data.method, "http", "messages from test1 iframe should be http.");
|
||||||
|
markTestCaseComplete();
|
||||||
|
}
|
||||||
|
else if (event.data.src.includes("test2")) {
|
||||||
|
is(event.data.triggeringPrincipal, "https://example.com/tests/dom/security/test/mixedcontentblocker/test_windowOpen.html", "triggeringPrincipal for successfully loaded https iframe should be the original test file.");
|
||||||
|
is(event.data.outcome, "loaded", "https iframe should be allowed to load in child https window.");
|
||||||
|
is(event.data.method, "https", "messages from test2 iframe should be https");
|
||||||
|
markTestCaseComplete();
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
function testURLInOpenedWindow(testURL) {
|
||||||
|
let openedWindow = window.open("javascript:''","_blank");
|
||||||
|
openedWindow.onload = function() {
|
||||||
|
openedWindow.document.body.innerHTML = `<iframe id="testframe" src=\"${testURL}\">`
|
||||||
|
|
||||||
|
let testframe = openedWindow.document.getElementById("testframe");
|
||||||
|
|
||||||
|
testframe.onload = function() {
|
||||||
|
let triggeringPrincipal = SpecialPowers.wrap(testframe.contentWindow).docShell.currentDocumentChannel.loadInfo.triggeringPrincipal.asciiSpec;
|
||||||
|
openedWindow.opener.postMessage({outcome: 'loaded', method: testframe.src.split(":")[0], src: testframe.src, triggeringPrincipal}, 'https://example.com');
|
||||||
|
openedWindow.close();
|
||||||
|
}
|
||||||
|
testframe.onerror = function(error) {
|
||||||
|
let errorTarget = error.target.src;
|
||||||
|
openedWindow.opener.postMessage({outcome: 'blocked', method: testframe.src.split(":")[0], src: testframe.src, errorTarget}, 'https://example.com');
|
||||||
|
openedWindow.close();
|
||||||
|
}
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
// eslint-disable-next-line @microsoft/sdl/no-insecure-url
|
||||||
|
testURLInOpenedWindow("http://test1.example.com/tests/dom/security/test/mixedcontentblocker/file_windowOpen.html");
|
||||||
|
testURLInOpenedWindow("https://test2.example.com/tests/dom/security/test/mixedcontentblocker/file_windowOpen.html");
|
||||||
|
|
||||||
|
</script>
|
||||||
|
</body>
|
||||||
|
</html>
|
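Review bot: The `window.onmessage` handler dispatches only on `event.data.src` and silently drops any message that matches neither `test1` nor `test2`, so an unexpected result shows up as a harness timeout instead of a failed assertion. Adding a final branch such as `else { ok(false, "unexpected message: " + event.data.src); }` would make that failure explicit. The handler also never looks at `event.origin`; asserting it against the expected test origin would tie each result to the window that was opened. Both cases place the iframe directly in the opened window, so a frame nested one level deeper under that window is not exercised by this test.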