Bug 1801501 - Check if rootDoc is secure context for web compat; r=ckerschb

Differential Revision: https://phabricator.services.mozilla.com/D175134
2023-09-27 18:19:23 +00:00 · 2023-09-27 18:19:23 +00:00 · 73f8201f4f
--- a/dom/base/test/mochitest.ini
+++ b/dom/base/test/mochitest.ini
@ -902,6 +902,9 @@ skip-if =
 [test_mutationobservers.html]
 [test_named_frames.html]
 [test_navigator_cookieEnabled.html]
+skip-if =
+  http3
+  http2
 [test_navigator_hardwareConcurrency.html]
 [test_navigator_language.html]
 [test_navigatorPrefOverride.html]
@ -918,7 +921,7 @@ tags = openwindow
 [test_pasting_svg_image.html]
 skip-if = headless # Bug 1669923.
 [test_pdf_print.html]
-skip-if = 
+skip-if =
  toolkit == 'android' # We don't ship pdf.js on Android
  win11_2009 && condprof # Bug 1843710
 [test_plugin_freezing.html]
--- a/dom/security/nsMixedContentBlocker.cpp
+++ b/dom/security/nsMixedContentBlocker.cpp
@ -829,11 +829,11 @@ nsresult nsMixedContentBlocker::ShouldLoad(bool aHadInsecureImageRedirect,
  bool rootHasSecureConnection = topWC->GetIsSecure();
  bool allowMixedContent = topWC->GetAllowMixedContent();

-  // When navigating an iframe, the iframe may be https
-  // but its parents may not be.  Check the parents to see if any of them are
-  // https. If none of the parents are https, allow the load.
+  // When navigating an iframe, the iframe may be https but its parents may not
+  // be. Check the parents to see if any of them are https. If none of the
+  // parents are https, allow the load.
  if (contentType == ExtContentPolicyType::TYPE_SUBDOCUMENT &&
-      !rootHasSecureConnection) {
+      !rootHasSecureConnection && !parentIsHttps) {
    bool httpsParentExists = false;

    RefPtr<WindowContext> curWindow = requestingWindow;
--- a/dom/security/test/mixedcontentblocker/file_windowOpen.html
+++ b/dom/security/test/mixedcontentblocker/file_windowOpen.html
@ -0,0 +1,9 @@
+<!DOCTYPE HTML>
+<html>
+  <head>
+    <title>Test mixed content load in iframe via window.open</title>
+  </head>
+  <body>
+    I'm in an iframe!
+  </body>
+</html>
--- a/dom/security/test/mixedcontentblocker/mochitest.ini
+++ b/dom/security/test/mixedcontentblocker/mochitest.ini
@ -20,6 +20,7 @@ support-files =
  file_redirect.html
  file_redirect_handler.sjs
  file_bug1551886.html
+  file_windowOpen.html

 [test_main.html]
 skip-if =
@ -40,3 +41,7 @@ skip-if =
 skip-if =
  http3
  http2
+[test_windowOpen.html]
+skip-if =
+  xorigin # JavaScript error: http://mochi.xorigin-test:8888/tests/SimpleTest/TestRunner.js, line 157: SecurityError: Permission denied to access property "docShell" on cross-origin object
+scheme = https
--- a/dom/security/test/mixedcontentblocker/test_windowOpen.html
+++ b/dom/security/test/mixedcontentblocker/test_windowOpen.html
@ -0,0 +1,70 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Tests for Mixed Content Navigation with window.open</title>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+
+<body>
+
+<script class="testbody" type="text/javascript">
+
+SimpleTest.waitForExplicitFinish();
+
+let testsCompleted = 0;
+const numberOfTestCases = 2;
+
+function markTestCaseComplete() {
+  testsCompleted++;
+
+  if (testsCompleted == numberOfTestCases) {
+    SimpleTest.finish();
+  }
+}
+
+window.onmessage = function(event) {
+  if (event.data.src.includes("test1")) {
+    // eslint-disable-next-line @microsoft/sdl/no-insecure-url
+    is(event.data.errorTarget, "http://test1.example.com/tests/dom/security/test/mixedcontentblocker/file_windowOpen.html", "error thrown for failed iframe load should be from test1's iframe.");
+    is(event.data.outcome, "blocked", "http iframe should be blocked from loading in child https window.");
+    is(event.data.method, "http", "messages from test1 iframe should be http.");
+    markTestCaseComplete();
+  }
+  else if (event.data.src.includes("test2")) {
+    is(event.data.triggeringPrincipal, "https://example.com/tests/dom/security/test/mixedcontentblocker/test_windowOpen.html", "triggeringPrincipal for successfully loaded https iframe should be the original test file.");
+    is(event.data.outcome, "loaded", "https iframe should be allowed to load in child https window.");
+    is(event.data.method, "https", "messages from test2 iframe should be https");
+    markTestCaseComplete();
+  }
+};
+
+function testURLInOpenedWindow(testURL) {
+  let openedWindow = window.open("javascript:''","_blank");
+  openedWindow.onload = function() {
+    openedWindow.document.body.innerHTML = `<iframe id="testframe" src=\"${testURL}\">`
+
+    let testframe = openedWindow.document.getElementById("testframe");
+
+    testframe.onload = function() {
+      let triggeringPrincipal = SpecialPowers.wrap(testframe.contentWindow).docShell.currentDocumentChannel.loadInfo.triggeringPrincipal.asciiSpec;
+      openedWindow.opener.postMessage({outcome: 'loaded', method: testframe.src.split(":")[0], src: testframe.src, triggeringPrincipal}, 'https://example.com');
+      openedWindow.close();
+    }
+    testframe.onerror = function(error) {
+      let errorTarget = error.target.src;
+      openedWindow.opener.postMessage({outcome: 'blocked', method: testframe.src.split(":")[0], src: testframe.src, errorTarget}, 'https://example.com');
+      openedWindow.close();
+    }
+  };
+};
+
+// eslint-disable-next-line @microsoft/sdl/no-insecure-url
+testURLInOpenedWindow("http://test1.example.com/tests/dom/security/test/mixedcontentblocker/file_windowOpen.html");
+testURLInOpenedWindow("https://test2.example.com/tests/dom/security/test/mixedcontentblocker/file_windowOpen.html");
+
+</script>
+</body>
+</html>