Bug 1781772 - Test redirect tainting with Https-only mode, r=tschuster
Differential Revision: https://phabricator.services.mozilla.com/D163695
Родитель
c033fd8a8b
Коммит
a9525237b0
@ -33,3 +33,5 @@ skip-if = (toolkit == 'android') # WebSocket tests are not supported on Android
|
||||||
support-files =
|
support-files =
|
||||||
file_websocket_exceptions.html
|
file_websocket_exceptions.html
|
||||||
file_websocket_exceptions_iframe.html
|
file_websocket_exceptions_iframe.html
|
||||||
|
[browser_redirect_tainting.js]
|
||||||
|
support-files = file_redirect_tainting.sjs
|
||||||
|
|
|
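--- /dev/null
+++ b/dom/security/test/https-only/browser_redirect_tainting.js
@@ -0,0 +1,39 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+* License, v. 2.0. If a copy of the MPL was not distributed with this
+* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// Test steps:
+// 1. Load file_redirect_tainting.sjs?html.
+// 2. The server returns an html which loads an image at http://example.net.
+// 3. The image request will be upgraded to HTTPS since HTTPS-only mode is on.
+// 4. In file_redirect_tainting.sjs, we set "Access-Control-Allow-Origin" to
+// the value of the Origin header.
+// 5. If the vlaue does not match, the image won't be loaded.
+async function do_test() {
+let requestUrl = `https://example.com/browser/dom/security/test/https-only/file_redirect_tainting.sjs?html`;
+
+await BrowserTestUtils.withNewTab(
+{
+gBrowser,
+url: requestUrl,
+waitForLoad: true,
+},
+async function(browser) {
+let imageLoaded = await SpecialPowers.spawn(browser, [], function() {
+let image = content.document.getElementById("test_image");
+return image && image.complete && image.naturalHeight !== 0;
+});
+await Assert.ok(imageLoaded, "test_image should be loaded");
+}
+);
+}
+
+add_task(async function test_https_only_redirect_tainting() {
+await SpecialPowers.pushPrefEnv({
+set: [["dom.security.https_only_mode", true]],
+});
+
+await do_test();
+
+await SpecialPowers.popPrefEnv();
+});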
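Review bot: The only assertion in do_test is that test_image finished loading, and that would also hold with HTTPS-only mode switched off, because nothing checks which scheme the `?img` request actually reached file_redirect_tainting.sjs on and the server echoes whatever Origin it receives; step 3 of the header comment is therefore not verified, and a regression where the upgrade silently stops happening would keep this test green. The cheapest fix lives in the .sjs (see the note on that file): refuse to serve the image when `request.scheme !== "https"`, so the image only loads if the upgrade happened and the Origin survived it. Two smaller points in the same hunk: `Assert.ok` is synchronous, so `await Assert.ok(imageLoaded, "test_image should be loaded");` can drop the `await`, and the comment on step 5 has a typo, `// 5. If the value does not match, the image won't be loaded.`.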
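--- /dev/null
+++ b/dom/security/test/https-only/file_redirect_tainting.sjs
@@ -0,0 +1,39 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+* License, v. 2.0. If a copy of the MPL was not distributed with this
+* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// small red image
+const IMG_BYTES = atob(
+"iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12" +
+"P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg=="
+);
+
+const body = `<!DOCTYPE html>
+<html lang="en">
+<body>
+<script>
+let image = new Image();
+image.crossOrigin = "anonymous";
+image.src = "http://example.net/browser/dom/security/test/https-only/file_redirect_tainting.sjs?img";
+image.id = "test_image";
+document.body.appendChild(image);
+</script>
+</body>
+</html>`;
+
+function handleRequest(request, response) {
+if (request.queryString === "html") {
+response.setStatusLine(request.httpVersion, 200, "OK");
+response.setHeader("Content-Type", "text/html");
+response.write(body);
+return;
+}
+
+response.setStatusLine(request.httpVersion, 200, "OK");
+response.setHeader("Content-Type", "image/png");
+let origin = request.getHeader("Origin");
+response.setHeader("Access-Control-Allow-Origin", origin);
+response.write(IMG_BYTES);
+}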
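Review bot: In the image branch of handleRequest, `request.getHeader("Origin")` is called after the 200 status line has already been set; if the Origin header is missing (as far as I recall, httpd.js getHeader throws for an absent header) the handler dies mid-response and the test fails with an opaque server error rather than a clear reason. Guarding first with `if (!request.hasHeader("Origin") || request.scheme !== "https") {` and answering `response.setStatusLine(request.httpVersion, 403, "Forbidden"); return;` keeps the failure explicit and, via the scheme check, also makes the image load depend on the HTTPS-only upgrade actually having occurred, which the browser test currently cannot observe. Reflecting the Origin header verbatim into Access-Control-Allow-Origin is deliberate here, but a one-line comment such as `// Echo the Origin back so the load succeeds only if redirect tainting left the Origin intact (test fixture; do not copy into production code).` would stop it being cargo-culted elsewhere.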