Bug 1247733 part 3: Add mochitest to ensure that SVG <use> is rendered correctly in documents that have been upgraded using HSTS. r=valentin

2016-02-17 19:24:40 -08:00 · 2016-02-17 19:24:40 -08:00 · 79530e185f
--- a/dom/svg/test/mochitest.ini
+++ b/dom/svg/test/mochitest.ini
@ -98,6 +98,8 @@ skip-if = buildapp == 'mulet' || buildapp == 'b2g' # b2g(Mouse selection not wor
 [test_text_update.html]
 [test_transform.xhtml]
 [test_transformParsing.html]
+[test_use_with_hsts.html]
+support-files = use-with-hsts-helper.html use-with-hsts-helper.html^headers^
 [test_valueAsString.xhtml]
 [test_valueLeaks.xhtml]
 [test_viewport.html]
--- a/dom/svg/test/test_use_with_hsts.html
+++ b/dom/svg/test/test_use_with_hsts.html
@ -0,0 +1,139 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=1247733
+-->
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 1247733</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="application/javascript" src="/tests/SimpleTest/WindowSnapshot.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1247733">Mozilla Bug 1247733</a>
+<p id="display">
+  <iframe id="myIframe"></iframe>
+</p>
+<div id="content" style="display: none">
+
+</div>
+<pre id="test"></pre>
+<script type="application/javascript">
+  /** Test for Bug 1247733 **/
+
+  /**
+   * This test ensures that we render the SVG 'use' element correctly, in
+   * pages that have been upgraded from HTTP to HTTPS using strict transport
+   * security (HSTS)
+   *
+   * Specifically:
+   *  (1) We load a file using HTTPS, in an iframe. The file gets sent
+   *      with a Strict-Transport-Security flag.
+   *  (2) We load the same file again, but now over HTTP (which should get
+   *      upgraded to HTTPS, since we received the Strict-Transport-Security
+   *      flag during the first load).
+   *  (3) After each of the above loads, we take a snapshot of the iframe
+   *      and ensure that it renders as fully lime (which the 'use' element
+   *      is responsible for). If the 'use' element fails to render, the iframe
+   *      will be fully red, and we'll fail an "assertSnapshots" check.
+   */
+  SimpleTest.waitForExplicitFinish();
+
+  const iframe = document.getElementById("myIframe");
+  const iframeWin = iframe.contentWindow;
+
+  // URI for our testcase with 'use' element, via HTTP and HTTPS:
+  const insecureURI = "http://example.com/tests/dom/svg/test/use-with-hsts-helper.html";
+  const secureURI   = "https://example.com/tests/dom/svg/test/use-with-hsts-helper.html";
+
+  // Snapshots that we'll populate below:
+  var blankSnapshot;  // Snapshot of blank iframe.
+  var refSnapshot;    // Snapshot of lime reference rendering in iframe.
+  var secureSnapshot; // Snapshot of testcase using HTTPS.
+  var upgradedSnapshot; // Snapshot of testcase using HTTP-upgraded-to-HTTPS.
+
+  // Bookkeeping to be sure receiveMessage is called as many times as we expect:
+  var numPostMessageCalls = 0;
+  const expectedNumPostMessageCalls = 2; // (We load the helper file twice.)
+
+  // Helper function, called via postMessage, to check iframe's actual location:
+  function receiveMessage(event) {
+    is(event.data, secureURI, "iframe should end up viewing secure URI");
+    numPostMessageCalls++;
+  }
+
+  // TEST CODE BEGINS HERE.
+  // Execution basically proceeds top-to-bottom through the functions
+  // from this point on, via a chain of iframe onload-callbacks.
+  function runTest() {
+    // Capture a snapshot with nothing in the iframe, so we can do a
+    // sanity-check not-equal comparison against our reference case, to be
+    // sure we're rendering anything at all:
+    blankSnapshot = snapshotWindow(iframeWin);
+
+    // Point iframe at a reference case:
+    iframe.onload = captureRefSnapshot;
+    iframe.src = "data:text/html,<body style='background:lime'>";
+  }
+
+  function captureRefSnapshot() {
+    // Capture the reference screenshot:
+    refSnapshot = snapshotWindow(iframeWin);
+
+    // Ensure reference-case looks different from blank snapshot:
+    assertSnapshots(refSnapshot, blankSnapshot,
+                    false /*not equal*/, null /*no fuzz*/,
+                    "refSnapshot", "blankSnapshot");
+
+    // OK, assuming we've got a valid refSnapshot, we can now proceed to
+    // capture test screenshots.
+
+    // Register a postMessage handler, so that iframe can report its location:
+    window.addEventListener("message", receiveMessage, false);
+
+    // Point iframe at secure (HTTPS) version of testcase, & wait for callback:
+    iframe.onload = captureSecureSnapshot;
+    iframe.src = secureURI;
+  }
+
+  function captureSecureSnapshot() {
+    // Capture snapshot of iframe showing always-HTTPS version of testcase:
+    secureSnapshot = snapshotWindow(iframeWin);
+    assertSnapshots(secureSnapshot, refSnapshot,
+                    true /*equal*/, null /*no fuzz*/,
+                    "secureSnapshot", "refSnapshot");
+
+    // Point iframe at insecure (HTTP) version of testcase (which should get
+    // automatically upgraded to secure (HTTPS) under the hood), & wait for
+    // callback:
+    iframe.onload = captureUpgradedSnapshot;
+    iframe.src = insecureURI;
+  }
+
+  function captureUpgradedSnapshot() {
+    // Double-check that iframe is really pointed at insecure URI, to be sure
+    // we're actually exercising HSTS. (Note that receiveMessage() will make
+    // sure it's been upgraded to a secure HTTPS URI under the hood.)
+    is(iframe.src, insecureURI,
+       "test should've attempted to load insecure HTTP URI, to exercise HSTS");
+
+    // Capture snapshot of iframe showing upgraded-to-HTTPS version of testcase:
+    upgradedSnapshot = snapshotWindow(iframeWin);
+    assertSnapshots(upgradedSnapshot, refSnapshot,
+                    true /*equal*/, null /*no fuzz*/,
+                    "upgradedSnapshot", "refSnapshot");
+    cleanupAndFinish();
+  }
+
+  function cleanupAndFinish() {
+    is(numPostMessageCalls, expectedNumPostMessageCalls,
+      "didn't receive as many messages from child iframe as expected");
+    SpecialPowers.cleanUpSTSData("http://example.com");
+    SimpleTest.finish();
+  }
+
+  runTest();
+</script>
+</body>
+</html>
--- a/dom/svg/test/use-with-hsts-helper.html
+++ b/dom/svg/test/use-with-hsts-helper.html
@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <script>
+    // Notify parent of our final URI:
+    window.parent.postMessage(window.location.href, "*");
+  </script>
+  <style>
+    html, body {
+      margin: 0;
+      height: 100%;
+    }
+    svg {
+      display: block;
+      height: 100%;
+    }
+  </style>
+</head>
+<body>
+  <svg xmlns="http://www.w3.org/2000/svg"
+       xmlns:xlink="http://www.w3.org/1999/xlink"
+       version="1.1">
+    <defs>
+      <rect id="limeRect" width="100%" height="100%" fill="lime"/>
+    </defs>
+    <rect width="100%" height="100%" fill="red"/>
+    <use xlink:href="#limeRect"/>
+  </svg>
+</body>
+</html>
--- a/dom/svg/test/use-with-hsts-helper.html^headers^
+++ b/dom/svg/test/use-with-hsts-helper.html^headers^
@ -0,0 +1,2 @@
+Cache-Control: no-cache
+Strict-Transport-Security: max-age=60