Bug 1721410 - HTTPS-First: Add test for HSTS redirection. r=ckerschb

Differential Revision: https://phabricator.services.mozilla.com/D120361

dom/security/test/https-first/file_multiple_redirection.sjs

@@ -0,0 +1,87 @@
+"use strict";
+
+// redirection uri
+const REDIRECT_URI =
+  "https://example.com/tests/dom/security/test/https-first/file_multiple_redirection.sjs?redirect";
+const REDIRECT_URI_HTTP =
+  "http://example.com/tests/dom/security/test/https-first/file_multiple_redirection.sjs?verify";
+const REDIRECT_URI_HTTPS =
+  "https://example.com/tests/dom/security/test/https-first/file_multiple_redirection.sjs?verify";
+
+const RESPONSE_ERROR = "unexpected-query";
+
+// An onload postmessage to window opener
+const RESPONSE_HTTPS_SCHEME = `
+  <html>
+  <body>
+  <script type="application/javascript">
+    window.opener.postMessage({result: 'scheme-https'}, '*');
+  </script>
+  </body>
+  </html>`;
+
+const RESPONSE_HTTP_SCHEME = `
+  <html>
+  <body>
+  <script type="application/javascript">
+    window.opener.postMessage({result: 'scheme-http'}, '*');
+  </script>
+  </body>
+  </html>`;
+
+function sendRedirection(query, response) {
+  // send a redirection to an http uri
+  if (query.includes("test1")) {
+    response.setHeader("Location", REDIRECT_URI_HTTP, false);
+    return;
+  }
+  // send a redirection to an https uri
+  if (query.includes("test2")) {
+    response.setHeader("Location", REDIRECT_URI_HTTPS, false);
+    return;
+  }
+  // send a redirection to an http uri with hsts header
+  if (query.includes("test3")) {
+    response.setHeader("Strict-Transport-Security", "max-age=60");
+    response.setHeader("Location", REDIRECT_URI_HTTP, false);
+  }
+}
+
+function handleRequest(request, response) {
+  response.setHeader("Cache-Control", "no-cache", false);
+  const query = request.queryString;
+
+  // if the query contains a test query start first test
+  if (query.startsWith("test")) {
+    // send a 302 redirection
+    response.setStatusLine(request.httpVersion, 302, "Found");
+    response.setHeader("Location", REDIRECT_URI + query, false);
+    return;
+  }
+  // Send a redirection
+  if (query.includes("redirect")) {
+    response.setStatusLine(request.httpVersion, 302, "Found");
+    sendRedirection(query, response);
+    return;
+  }
+  // Reset the HSTS policy, prevent influencing other tests
+  if (request.queryString === "reset") {
+    response.setHeader("Strict-Transport-Security", "max-age=0");
+    let response_content =
+      request.scheme === "https" ? RESPONSE_HTTPS_SCHEME : RESPONSE_HTTP_SCHEME;
+    response.setStatusLine(request.httpVersion, 200, "OK");
+    response.write(response_content);
+  }
+  // Check if scheme is http:// or https://
+  if (query == "verify") {
+    let response_content =
+      request.scheme === "https" ? RESPONSE_HTTPS_SCHEME : RESPONSE_HTTP_SCHEME;
+    response.setStatusLine(request.httpVersion, 200, "OK");
+    response.write(response_content);
+    return;
+  }
+
+  // We should never get here, but just in case ...
+  response.setStatusLine(request.httpVersion, 500, "OK");
+  response.write("unexepcted query");
+}

dom/security/test/https-first/mochitest.ini

@@ -26,6 +26,9 @@ support-files= file_referrer_policy.sjs
 [test_break_endless_upgrade_downgrade_loop.html]
 support-files =
   file_break_endless_upgrade_downgrade_loop.sjs
+[test_multiple_redirection.html]
+support-files =
+  file_multiple_redirection.sjs
 [test_form_submission.html]
 support-files =
   file_form_submission.sjs

dom/security/test/https-first/test_multiple_redirection.html

@@ -0,0 +1,76 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=1721410
+Test multiple redirects using https-first and ensure the entire redirect chain is using https
+-->
+
+<head>
+  <title>HTTPS-First-Mode - Test for multiple redirections</title>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+
+<body>
+
+  <script class="testbody" type="text/javascript">
+  "use strict";
+
+  SimpleTest.waitForExplicitFinish();
+
+  const testCase = [
+    // test 1: https-first upgrades http://example.com/test1 -> https://example.com/test1
+    //         that's redirect to https://example.com/.../redirect which then redirects
+    //         to http://example.com/../verify. Since the last redirect is http, and the
+    //         the redirection chain contains already example.com we expect https-first
+    //         to downgrade the request.
+    {name: "test last redirect HTTP", result: "scheme-http", query: "test1" },
+    // test 2: https-first upgrades http://example.com/test2 -> https://example.com/test2
+    //         that's redirect to https://example.com/.../redirect which then redirects
+    //         to https://example.com/../verify. Since the last redirect is https, we
+    //         expect to reach an https website.
+    {name: "test last redirect HTTPS", result: "scheme-https", query: "test2"},
+    // test 3: https-first upgrades http://example.com/test3 -> https://example.com/test3
+    //         that's redirect to https://example.com/.../hsts which then sets an hsts header
+    //         and redirects to http://example.com/../verify. Since an hsts header was set
+    //         we expect that to reach an https site
+    {name: "test last redirect HSTS", result: "scheme-https", query: "test3"},
+    // reset: reset hsts header for example.com
+    {name: "reset HSTS header", result: "scheme-https", query: "reset"},
+  ]
+  let currentTest = 0;
+  let testWin;
+  window.addEventListener("message", receiveMessage);
+
+  // receive message from loaded site verifying the scheme of
+  // the loaded document.
+  async function receiveMessage(event) {
+    let test = testCase[currentTest];
+      is(event.data.result,
+       test.result,
+       "same-origin redirect results in " + test.name
+    );
+    testWin.close();
+    if (++currentTest < testCase.length) {
+      startTest();
+      return;
+    }
+    window.removeEventListener("message", receiveMessage);
+    SimpleTest.finish();
+  }
+
+  async function startTest() {
+    const test = testCase[currentTest];
+    // Load an http:// window which gets upgraded to https://
+    let uri =
+      `http://example.com/tests/dom/security/test/https-first/file_multiple_redirection.sjs?${test.query}`;
+    testWin = window.open(uri);
+  }
+
+  // Set preference and start test
+  SpecialPowers.pushPrefEnv({ set: [
+    ["dom.security.https_first", true],
+  ]}, startTest);
+  </script>
+</body>
+</html>