Bug 1661423 - dont apply upgrade-insecure-requests to localhost form submissions r=ckerschb

Differential Revision: https://phabricator.services.mozilla.com/D88577

dom/html/HTMLFormElement.cpp

@@ -1693,9 +1693,13 @@ nsresult HTMLFormElement::GetActionURL(nsIURI** aActionURL,
 
   // Potentially the page uses the CSP directive 'upgrade-insecure-requests'. In
   // such a case we have to upgrade the action url from http:// to https://.
-  // If the actionURL is not http, then there is nothing to do.
-  bool isHttpScheme = actionURL->SchemeIs("http");
-  if (isHttpScheme && document->GetUpgradeInsecureRequests(false)) {
+  // The upgrade is only required if the actionURL is http and not a potentially
+  // trustworthy loopback URI.
+  bool needsUpgrade =
+      actionURL->SchemeIs("http") &&
+      !nsMixedContentBlocker::IsPotentiallyTrustworthyLoopbackURL(actionURL) &&
+      document->GetUpgradeInsecureRequests(false);
+  if (needsUpgrade) {
     // let's use the old specification before the upgrade for logging
     AutoTArray<nsString, 2> params;
     nsAutoCString spec;

dom/security/test/csp/file_upgrade_insecure_loopback_form.html

@@ -0,0 +1,17 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Bug 1661423 - don't apply upgrade-insecure-requests on form submissions to localhost</title>
+</head>
+<body>
+
+<form id="form" action="http://127.0.0.1/bug-1661423-dont-upgrade-localhost">
+  <input type="submit">
+</form>>
+<script type="text/javascript">
+
+    form.submit();
+</script>
+</body>
+</html>

dom/security/test/csp/mochitest.ini

@@ -145,6 +145,7 @@ support-files =
   file_upgrade_insecure_cors.html
   file_upgrade_insecure_cors_server.sjs
   file_upgrade_insecure_loopback.html
+  file_upgrade_insecure_loopback_form.html
   file_upgrade_insecure_loopback_server.sjs
   file_report_for_import.css
   file_report_for_import.html

dom/security/test/csp/test_upgrade_insecure_loopback.html

@@ -23,25 +23,48 @@
  */
 
 const CSP_POLICY = "upgrade-insecure-requests; script-src 'unsafe-inline'";
-let tests = 1;
+let testFiles = ["tests/dom/security/test/csp/file_upgrade_insecure_loopback.html",
+                 "tests/dom/security/test/csp/file_upgrade_insecure_loopback_form.html"];
+
+function examiner() {
+  SpecialPowers.addObserver(this, "specialpowers-http-notify-request");
+}
+examiner.prototype = {
+  observe(subject, topic, data) {
+    if (topic === "specialpowers-http-notify-request") {
+      // we skip looking at other requests that might be observed accidentally
+      // e.g., we saw kinto requests when running this test locally
+      if (data.includes("bug-1661423-dont-upgrade-localhost")) {
+        let urlObj = new URL(data);
+        is(urlObj.protocol, "http:", "Didn't upgrade localhost URL");
+        loadTest();
+      }
+    }
+  },
+  remove() {
+    SpecialPowers.removeObserver(this, "specialpowers-http-notify-request");
+  }
+};
+
+window.examiner = new examiner();
+
 
 function loadTest() {
+  if (testFiles.length == 0) {
+    removeAndFinish();
+    return;
+  }
   var src = "https://example.com/tests/dom/security/test/csp/file_testserver.sjs?file=";
   // append the file that should be served
-  src += escape("tests/dom/security/test/csp/file_upgrade_insecure_loopback.html")
+  src += escape(testFiles.shift())
   // append the CSP that should be used to serve the file
   src += "&csp=" + escape(CSP_POLICY);
   document.getElementById("testframe").src = src;
 }
 
-function checkResult(result) {
-  if (result === "request-not-https") {
-    ok(true, "Didn't upgrade 127.0.0.1:8080 to https://");
-  }
-  if (--tests > 0) {
-    return;
-  }
+function removeAndFinish() {
   window.removeEventListener("message", receiveMessage);
+  window.examiner.remove();
   SimpleTest.finish();
 }
 
@@ -49,7 +72,10 @@ function checkResult(result) {
 // within the iframe.
 window.addEventListener("message", receiveMessage);
 function receiveMessage(event) {
-  checkResult(event.data);
+  if (event.data === "request-not-https") {
+    ok(true, "Didn't upgrade 127.0.0.1:8080 to https://");
+    loadTest();
+  }
 }
 
 SimpleTest.waitForExplicitFinish();