Bug 1139297 - Implement CSP upgrade-insecure-requests directive - reports (r=sstamm)

--HG-- extra : rebase_source : 55ff799deb95a3d66cfb7d37bf6892891913d5b3
2015-07-10 09:16:46 -07:00 · 2015-07-10 09:16:46 -07:00 · ab68e4a840
--- a/dom/security/test/csp/file_upgrade_insecure_reporting.html
+++ b/dom/security/test/csp/file_upgrade_insecure_reporting.html
@ -0,0 +1,23 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Bug 1139297 - Implement CSP upgrade-insecure-requests directive</title>
+</head>
+<body>
+
+  <!-- upgrade img from http:// to https:// -->
+  <img id="testimage" src="http://example.com/tests/dom/security/test/csp/file_upgrade_insecure_reporting_server.sjs?img"></img>
+
+  <script type="application/javascript">
+    var myImg = document.getElementById("testimage");
+    myImg.onload = function(e) {
+      window.parent.postMessage({result: "img-ok"}, "*");
+    };
+    myImg.onerror = function(e) {
+      window.parent.postMessage({result: "img-error"}, "*");
+    };
+  </script>
+
+</body>
+</html>
--- a/dom/security/test/csp/file_upgrade_insecure_reporting_server.sjs
+++ b/dom/security/test/csp/file_upgrade_insecure_reporting_server.sjs
@ -0,0 +1,80 @@
+// Custom *.sjs specifically for the needs of Bug
+// Bug 1139297 - Implement CSP upgrade-insecure-requests directive
+
+Components.utils.import("resource://gre/modules/NetUtil.jsm");
+
+// small red image
+const IMG_BYTES = atob(
+  "iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12" +
+  "P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==");
+
+const REPORT_URI = "https://example.com/tests/dom/security/test/csp/file_upgrade_insecure_reporting_server.sjs?report";
+const POLICY = "upgrade-insecure-requests; default-src https: 'unsafe-inline'";
+const POLICY_RO = "default-src https: 'unsafe-inline'; report-uri " + REPORT_URI;
+
+function loadHTMLFromFile(path) {
+  // Load the HTML to return in the response from file.
+  // Since it's relative to the cwd of the test runner, we start there and
+  // append to get to the actual path of the file.
+  var testHTMLFile =
+    Components.classes["@mozilla.org/file/directory_service;1"].
+    getService(Components.interfaces.nsIProperties).
+    get("CurWorkD", Components.interfaces.nsILocalFile);
+  var dirs = path.split("/");
+  for (var i = 0; i < dirs.length; i++) {
+    testHTMLFile.append(dirs[i]);
+  }
+  var testHTMLFileStream =
+    Components.classes["@mozilla.org/network/file-input-stream;1"].
+    createInstance(Components.interfaces.nsIFileInputStream);
+  testHTMLFileStream.init(testHTMLFile, -1, 0, 0);
+  var testHTML = NetUtil.readInputStreamToString(testHTMLFileStream, testHTMLFileStream.available());
+  return testHTML;
+}
+
+
+function handleRequest(request, response)
+{
+  // avoid confusing cache behaviors
+  response.setHeader("Cache-Control", "no-cache", false);
+
+  // (1) Store the query that will report back whether the violation report was received
+  if (request.queryString == "queryresult") {
+    response.processAsync();
+    setObjectState("queryResult", response);
+    return;
+  }
+
+  // (2) We load a page using a CSP and a report only CSP
+  if (request.queryString == "toplevel") {
+    response.setHeader("Content-Security-Policy", POLICY, false);
+    response.setHeader("Content-Security-Policy-Report-Only", POLICY_RO, false);
+    response.setHeader("Content-Type", "text/html", false);
+    response.write(loadHTMLFromFile("tests/dom/security/test/csp/file_upgrade_insecure_reporting.html"));
+  	return;
+  }
+
+  // (3) Return the image back to the client
+  if (request.queryString == "img") {
+    response.setHeader("Content-Type", "image/png");
+    response.write(IMG_BYTES);
+    return;
+  }
+
+  // (4) Finally we receive the report, let's return the request from (1)
+  // signaling that we received the report correctly
+  if (request.queryString == "report") {
+    getObjectState("queryResult", function(queryResponse) {
+      if (!queryResponse) {
+        return;
+      }
+      queryResponse.write("report-ok");
+      queryResponse.finish();
+    });
+    return;
+  }
+
+  // we should never get here, but just in case ...
+  response.setHeader("Content-Type", "text/plain");
+  response.write("doh!");
+}
--- a/dom/security/test/csp/mochitest.ini
+++ b/dom/security/test/csp/mochitest.ini
@ -123,6 +123,8 @@ support-files =
  file_upgrade_insecure.html
  file_upgrade_insecure_server.sjs
  file_upgrade_insecure_wsh.py
+  file_upgrade_insecure_reporting.html
+  file_upgrade_insecure_reporting_server.sjs

 [test_base-uri.html]
 [test_blob_data_schemes.html]
@ -181,3 +183,5 @@ skip-if = buildapp == 'b2g' #no ssl support
 [test_upgrade_insecure.html]
 # no ssl support as well as websocket tests do not work (see test_websocket.html)
 skip-if = buildapp == 'b2g' || buildapp == 'mulet' || toolkit == 'gonk' || toolkit == 'android'
+[test_upgrade_insecure_reporting.html]
+skip-if = buildapp == 'b2g' || buildapp == 'mulet' || toolkit == 'gonk' || toolkit == 'android'
--- a/dom/security/test/csp/test_upgrade_insecure_reporting.html
+++ b/dom/security/test/csp/test_upgrade_insecure_reporting.html
@ -0,0 +1,69 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Bug 1139297 - Implement CSP upgrade-insecure-requests directive</title>
+  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<iframe style="width:100%;" id="testframe"></iframe>
+
+<script class="testbody" type="text/javascript">
+
+/* Description of the test:
+ * We load an https page which includes an http image. We make sure that
+ * the image request gets upgraded to https but also make sure that a report
+ * is sent when a CSP report only is used which only allows https requests.
+ */
+
+var expectedResults = 2;
+
+function finishTest() {
+  // let's wait till the image was loaded and the report was received
+  if (--expectedResults > 0) {
+    return;
+  }
+  window.removeEventListener("message", receiveMessage, false);
+  SimpleTest.finish();
+}
+
+function runTest() {
+  // (1) Lets send off an XHR request which will return once the server receives
+  // the violation report from the report only policy.
+  var myXHR = new XMLHttpRequest();
+  myXHR.open("GET", "file_upgrade_insecure_reporting_server.sjs?queryresult");
+  myXHR.onload = function(e) {
+    is(myXHR.responseText, "report-ok", "csp-report was sent correctly");
+    finishTest();
+  }
+  myXHR.onerror = function(e) {
+    ok(false, "could not query result for csp-report from server (" + e.message + ")");
+    finishTest();
+  }
+  myXHR.send();
+
+  // (2) We load a page that is served using a CSP and a CSP report only which loads
+  // an image over http.
+  SimpleTest.executeSoon(function() {
+    document.getElementById("testframe").src =
+      "https://example.com/tests/dom/security/test/csp/file_upgrade_insecure_reporting_server.sjs?toplevel";
+  });
+}
+
+// a postMessage handler that is used by sandboxed iframes without
+// 'allow-same-origin' to bubble up results back to this main page.
+window.addEventListener("message", receiveMessage, false);
+function receiveMessage(event) {
+  // (3) make sure the image was correctly loaded
+  is(event.data.result, "img-ok", "upgraded insecure image load from http -> https");
+  finishTest();
+}
+
+SimpleTest.waitForExplicitFinish();
+runTest();
+
+</script>
+</body>
+</html>