Bug 1725646 - HTTPS-First endless loop with http redirection. r=freddyb

Differential Revision: https://phabricator.services.mozilla.com/D123421

dom/security/nsHTTPSOnlyUtils.cpp

@@ -324,7 +324,9 @@ bool nsHTTPSOnlyUtils::IsUpgradeDowngradeEndlessLoop(
   // then we are dealing with an upgrade downgrade scenario and we have to break
   // the cycle.
   nsCOMPtr<nsIPrincipal> triggeringPrincipal = aLoadInfo->TriggeringPrincipal();
-  if (!triggeringPrincipal->SchemeIs("https")) {
+  // Since https-first also accepts http sites, endless loops can also be
+  // triggered by http sites
+  if (!triggeringPrincipal->SchemeIs("https") && !enforceForHTTPSFirstMode) {
     return false;
   }
 

dom/security/test/https-first/file_endless_loop_http_redirection.sjs

@@ -0,0 +1,40 @@
+const RELAOD_HTTP = `
+<html class="no-js">
+  <head>
+    <title>HTTPS not supported - Bureau of Meteorology</title>
+    <script language="Javascript">
+      var home_page = 'http://example.com/tests/dom/security/test/https-first/file_endless_loop_http_redirection.sjs' ;
+      window.location = home_page;
+    </script>
+</hmtl>
+`;
+const RESPONSE_SUCCESS = `
+  <html>
+    <body>
+      send message, downgraded
+    <script type="application/javascript">
+      window.opener.postMessage({result: 'downgraded', scheme: 'http'}, '*');
+    </script>
+    </body>
+  </html>`;
+
+const REDIRECT_307 =
+  "http://example.com/tests/dom/security/test/https-first/file_endless_loop_http_redirection.sjs?start";
+
+function handleRequest(request, response) {
+  // avoid confusing cache behaviors
+  response.setHeader("Cache-Control", "no-cache", false);
+  // Every https request gets redirected
+  if (request.scheme === "https") {
+    response.setStatusLine("1.1", 307, "Temporary Redirect");
+    response.setHeader("Location", REDIRECT_307, true);
+    return;
+  }
+  // If a 307 redirection took place redirect to same site without query
+  if (request.queryString === "start") {
+    response.write(RELAOD_HTTP);
+    return;
+  }
+  // we should get here
+  response.write(RESPONSE_SUCCESS);
+}

dom/security/test/https-first/mochitest.ini

@@ -39,3 +39,5 @@ support-files =
   file_bad_cert.sjs
 [test_downgrade_request_upgrade_request.html]
 support-files= file_downgrade_request_upgrade_request.sjs
+[test_endless_loop_http_redirection.html]
+support-files= file_endless_loop_http_redirection.sjs

dom/security/test/https-first/test_endless_loop_http_redirection.html

@@ -0,0 +1,54 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+<title> Bug 1725646: HTTPS-First endless loop with http redirection</title>
+<script src="/tests/SimpleTest/SimpleTest.js"></script>
+<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+
+<script class="testbody" type="text/javascript">
+"use strict";
+/*
+ * Description of the test:
+ *  1. We request http://example.com which HTTPS-First upgrades to https://example.com.
+ *  2. The request https://example.com receives a 307 redirection to http://example.com?start.
+ *  3. HTTPS-First upgrades http://example.com?start to https://example.com?start.
+ *  4. The request https://example.com?start receives a 307 redirection to http://example.com?start.
+ *  5. HTTPS-First detects an endless loop and breaks it (downgrades to http).
+ *  6. The request http://example.com?start, that gets JS redirected to http://example.com.
+ *  7. We start again at (1) and are in an endless loop
+ *
+ * Expected Result: HTTPS-First breaks the endless loop at (7) and reachs http://example.com
+ *
+ */
+
+SimpleTest.waitForExplicitFinish();
+
+const REQUEST_URL =
+  "http://example.com/tests/dom/security/test/https-first/file_endless_loop_http_redirection.sjs";
+
+let testWin;
+window.addEventListener("message", receiveMessage);
+
+// Receive message and verify that it is from an http site.
+async function receiveMessage(event) {
+  let data = event.data;
+  ok(data.result === "downgraded", "Broke endless loop");
+  is(data.scheme,"http", "scheme is 'http'");
+  testWin.close();
+  window.removeEventListener("message", receiveMessage);
+  SimpleTest.finish();
+}
+
+async function runTest() {
+  testWin = window.open(REQUEST_URL, "_blank");
+}
+
+SpecialPowers.pushPrefEnv({ set: [
+    ["dom.security.https_first", true]
+  ]}, runTest);
+
+</script>
+</body>
+</html>