Bug 663570 - Test 3: update upgrade-insecure-requests tests (r=sicking)

2015-11-14 19:30:08 -08:00 · 2015-11-14 19:30:08 -08:00 · 74f7445a35
--- a/dom/security/test/csp/file_upgrade_insecure_meta.html
+++ b/dom/security/test/csp/file_upgrade_insecure_meta.html
@ -0,0 +1,79 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests; default-src https: wss: 'unsafe-inline'; form-action https:;">
+  <meta charset="utf-8">
+  <title>Bug 1139297 - Implement CSP upgrade-insecure-requests directive</title>
+  <!-- style -->
+  <link rel='stylesheet' type='text/css' href='http://example.com/tests/dom/security/test/csp/file_upgrade_insecure_server.sjs?style' media='screen' />
+
+  <!-- font -->
+  <style>
+    @font-face {
+      font-family: "foofont";
+      src: url('http://example.com/tests/dom/security/test/csp/file_upgrade_insecure_server.sjs?font');
+    }
+    .div_foo { font-family: "foofont"; }
+  </style>
+</head>
+<body>
+
+  <!-- images: -->
+  <img src="http://example.com/tests/dom/security/test/csp/file_upgrade_insecure_server.sjs?img"></img>
+
+  <!-- redirects: upgrade http:// to https:// redirect to http:// and then upgrade to https:// again -->
+  <img src="http://example.com/tests/dom/security/test/csp/file_upgrade_insecure_server.sjs?redirect-image"></img>
+
+  <!-- script: -->
+  <script src="http://example.com/tests/dom/security/test/csp/file_upgrade_insecure_server.sjs?script"></script>
+
+  <!-- media: -->
+  <audio src="http://example.com/tests/dom/security/test/csp/file_upgrade_insecure_server.sjs?media"></audio>
+
+  <!-- objects: -->
+  <object width="10" height="10" data="http://example.com/tests/dom/security/test/csp/file_upgrade_insecure_server.sjs?object"></object>
+
+  <!-- font: (apply font loaded in header to div) -->
+  <div class="div_foo">foo</div>
+
+  <!-- iframe: (same origin) -->
+  <iframe src="http://example.com/tests/dom/security/test/csp/file_upgrade_insecure_server.sjs?iframe">
+    <!-- within that iframe we load an image over http and make sure the requested gets upgraded to https -->
+  </iframe>
+
+  <!-- xhr: -->
+  <script type="application/javascript">
+    var myXHR = new XMLHttpRequest();
+    myXHR.open("GET", "http://example.com/tests/dom/security/test/csp/file_upgrade_insecure_server.sjs?xhr");
+    myXHR.send(null);
+  </script>
+
+  <!-- websockets: upgrade ws:// to wss://-->
+  <script type="application/javascript">
+    var mySocket = new WebSocket("ws://example.com/tests/dom/security/test/csp/file_upgrade_insecure");
+    mySocket.onopen = function(e) {
+      if (mySocket.url.includes("wss://")) {
+        window.parent.postMessage({result: "websocket-ok"}, "*");
+      }
+      else {
+        window.parent.postMessage({result: "websocket-error"}, "*");
+      }
+    };
+    mySocket.onerror = function(e) {
+      window.parent.postMessage({result: "websocket-unexpected-error"}, "*");
+    };
+  </script>
+
+  <!-- form action: (upgrade POST from http:// to https://) -->
+  <iframe name='formFrame' id='formFrame'></iframe>
+  <form target="formFrame" action="http://example.com/tests/dom/security/test/csp/file_upgrade_insecure_server.sjs?form" method="POST">
+    <input name="foo" value="foo">
+    <input type="submit" id="submitButton" formenctype='multipart/form-data' value="Submit form">
+  </form>
+  <script type="text/javascript">
+    var submitButton = document.getElementById('submitButton');
+    submitButton.click();
+  </script>
+
+</body>
+</html>
--- a/dom/security/test/csp/mochitest.ini
+++ b/dom/security/test/csp/mochitest.ini
@ -119,6 +119,7 @@ support-files =
  file_referrerdirective.html
  referrerdirective.sjs
  file_upgrade_insecure.html
+  file_upgrade_insecure_meta.html
  file_upgrade_insecure_server.sjs
  file_upgrade_insecure_wsh.py
  file_upgrade_insecure_reporting.html
--- a/dom/security/test/csp/test_upgrade_insecure.html
+++ b/dom/security/test/csp/test_upgrade_insecure.html
@ -37,7 +37,6 @@ const UPGRADE_POLICY_NO_DEFAULT_SRC =
  "upgrade-insecure-requests;" +               // upgrade all http requests to https
  "script-src 'unsafe-inline' *";              // we have to whitelist the inline scripts
                                               // in the test.
-
 const NO_UPGRADE_POLICY =
  "default-src http: ws: 'unsafe-inline';" +   // allow http:// and ws://
  "form-action http:;";                        // explicit, no fallback to default-src
@ -47,6 +46,7 @@ var tests = [
    policy: UPGRADE_POLICY,
    topLevelScheme: "https://",
    description: "upgrade all requests on toplevel https",
+    deliveryMethod: "header",
    results: [
      "iframe-ok", "script-ok", "img-ok", "img-redir-ok", "font-ok", "xhr-ok", "style-ok",
      "media-ok", "object-ok", "form-ok", "websocket-ok", "nested-img-ok"
@ -56,6 +56,7 @@ var tests = [
    policy: UPGRADE_POLICY,
    topLevelScheme: "http://",
    description: "upgrade all requests on toplevel http",
+    deliveryMethod: "header",
    results: [
      "iframe-ok", "script-ok", "img-ok", "img-redir-ok", "font-ok", "xhr-ok", "style-ok",
      "media-ok", "object-ok", "form-ok", "websocket-ok", "nested-img-ok"
@ -66,6 +67,7 @@ var tests = [
    policy: UPGRADE_POLICY_NO_DEFAULT_SRC,
    topLevelScheme: "http://",
    description: "upgrade all requests on toplevel http where default-src is not specified",
+    deliveryMethod: "header",
    results: [
      "iframe-ok", "script-ok", "img-ok", "img-redir-ok", "font-ok", "xhr-ok", "style-ok",
      "media-ok", "object-ok", "form-ok", "websocket-ok", "nested-img-ok"
@ -75,12 +77,25 @@ var tests = [
    policy: NO_UPGRADE_POLICY,
    topLevelScheme: "http://",
    description: "do not upgrade any requests on toplevel http",
+    deliveryMethod: "header",
    results: [
      "iframe-error", "script-error", "img-error", "img-redir-error", "font-error",
      "xhr-error", "style-error", "media-error", "object-error", "form-error",
      "websocket-error", "nested-img-error"
    ]
  },
+  { // (5) test that all requests within an >> https << page using meta CSP get updated
+    // policy: UPGRADE_POLICY, that test uses UPGRADE_POLICY within
+    //                         file_upgrade_insecure_meta.html
+    //                         no need to define it within that object.
+    topLevelScheme: "https://",
+    description: "upgrade all requests on toplevel https using meta csp",
+    deliveryMethod: "meta",
+    results: [
+      "iframe-ok", "script-ok", "img-ok", "img-redir-ok", "font-ok", "xhr-ok", "style-ok",
+      "media-ok", "object-ok", "form-ok", "websocket-ok", "nested-img-ok"
+    ]
+  },
 ];

 var counter = 0;
@ -89,10 +104,16 @@ var curTest;
 function loadTestPage() {
  curTest = tests[counter++];
  var src = curTest.topLevelScheme + "example.com/tests/dom/security/test/csp/file_testserver.sjs?file=";
-  // append the file that should be served
-  src += escape("tests/dom/security/test/csp/file_upgrade_insecure.html")
-  // append the CSP that should be used to serve the file
-  src += "&csp=" + escape(curTest.policy);
+  if (curTest.deliveryMethod === "header") {
+    // append the file that should be served
+    src += escape("tests/dom/security/test/csp/file_upgrade_insecure.html");
+    // append the CSP that should be used to serve the file
+    src += "&csp=" + escape(curTest.policy);
+  }
+  else {
+    src += escape("tests/dom/security/test/csp/file_upgrade_insecure_meta.html");
+    // no csp here, since it's in the meta element
+  }
  document.getElementById("testframe").src = src;
 }