Bug 1781772 - Test redirect tainting with Https-only mode, r=tschuster
Differential Revision: https://phabricator.services.mozilla.com/D163695
Родитель
c033fd8a8b
Коммит
a9525237b0
@ -33,3 +33,5 @@ skip-if = (toolkit == 'android') # WebSocket tests are not supported on Android
|
|||
support-files =
|
||||
file_websocket_exceptions.html
|
||||
file_websocket_exceptions_iframe.html
|
||||
[browser_redirect_tainting.js]
|
||||
support-files = file_redirect_tainting.sjs
|
||||
|
|
|
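--- /dev/null
+++ b/dom/security/test/https-only/browser_redirect_tainting.js
@@ -0,0 +1,39 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// Test steps:
+// 1. Load file_redirect_tainting.sjs?html.
+// 2. The server returns an html which loads an image at http://example.net.
+// 3. The image request will be upgraded to HTTPS since HTTPS-only mode is on.
+// 4. In file_redirect_tainting.sjs, we set "Access-Control-Allow-Origin" to
+// the value of the Origin header.
+// 5. If the vlaue does not match, the image won't be loaded.
+async function do_test() {
+  let requestUrl = `https://example.com/browser/dom/security/test/https-only/file_redirect_tainting.sjs?html`;
+
+  await BrowserTestUtils.withNewTab(
+    {
+      gBrowser,
+      url: requestUrl,
+      waitForLoad: true,
+    },
+    async function(browser) {
+      let imageLoaded = await SpecialPowers.spawn(browser, [], function() {
+        let image = content.document.getElementById("test_image");
+        return image && image.complete && image.naturalHeight !== 0;
+      });
+      await Assert.ok(imageLoaded, "test_image should be loaded");
+    }
+  );
+}
+
+add_task(async function test_https_only_redirect_tainting() {
+  await SpecialPowers.pushPrefEnv({
+    set: [["dom.security.https_only_mode", true]],
+  });
+
+  await do_test();
+
+  await SpecialPowers.popPrefEnv();
+});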
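Review bot: The test only asserts the positive path — `Assert.ok(imageLoaded, "test_image should be loaded")` after a server that grants whatever Origin it receives — so a regression that skips the CORS check entirely, or one that sends a wrong Origin which the server then dutifully echoes, still passes; step 5 of the header comment promises that a mismatch blocks the image, but no assertion exercises that branch. A negative control that loads a second image whose response carries a deliberately wrong `Access-Control-Allow-Origin` (a `?img-bad-origin` variant in the .sjs would do) and asserts it does not load would pin the behaviour the comment describes, and it is the check most likely to catch a redirect-tainting regression. Two smaller things in the same hunk: the step-5 comment has a typo and should read `// 5. If the value does not match, the image won't be loaded.`, and `Assert.ok` is synchronous, so `await Assert.ok(imageLoaded, ...)` can drop the `await`. If `do_test` throws, `popPrefEnv` is skipped; I believe the browser-test harness resets pushed prefs when the file finishes, but a `try { await do_test(); } finally { await SpecialPowers.popPrefEnv(); }` would make that explicit rather than relied upon.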
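--- /dev/null
+++ b/dom/security/test/https-only/file_redirect_tainting.sjs
@@ -0,0 +1,39 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// small red image
+const IMG_BYTES = atob(
+  "iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12" +
+    "P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg=="
+);
+
+const body = `<!DOCTYPE html>
+<html lang="en">
+<body>
+<script>
+let image = new Image();
+image.crossOrigin = "anonymous";
+image.src = "http://example.net/browser/dom/security/test/https-only/file_redirect_tainting.sjs?img";
+image.id = "test_image";
+document.body.appendChild(image);
+</script>
+</body>
+</html>`;
+
+function handleRequest(request, response) {
+  if (request.queryString === "html") {
+    response.setStatusLine(request.httpVersion, 200, "OK");
+    response.setHeader("Content-Type", "text/html");
+    response.write(body);
+    return;
+  }
+
+  response.setStatusLine(request.httpVersion, 200, "OK");
+  response.setHeader("Content-Type", "image/png");
+  let origin = request.getHeader("Origin");
+  response.setHeader("Access-Control-Allow-Origin", origin);
+  response.write(IMG_BYTES);
+}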
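Review bot: `handleRequest` reflects whatever `Origin` value arrives straight into `Access-Control-Allow-Origin` (`let origin = request.getHeader("Origin");` followed by `response.setHeader("Access-Control-Allow-Origin", origin);`), so the server never verifies that the upgraded request still carries `https://example.com`; the pass/fail decision is left entirely to the browser's CORS comparison, and an `Origin: null` produced by a tainted redirect would simply be echoed back as `Access-Control-Allow-Origin: null`. Whether Firefox rejects that pair I can't confirm from here, but the test becomes unambiguous if the server pins the expected origin and otherwise sends no ACAO header at all: `if (request.hasHeader("Origin") && request.getHeader("Origin") === "https://example.com") { response.setHeader("Access-Control-Allow-Origin", "https://example.com"); }`. The `hasHeader` guard assumes the httpd.js API; I'd expect `getHeader` on a missing header to throw, which would turn an absent Origin into a server error rather than a clean CORS failure. Reflecting Origin is fine for a test fixture in itself — the concern is only how much the assertion then proves — and a `?img` check instead of the bare fall-through branch would keep any other query string from being served the image too.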