Bug 1405971 - Test that Webextension UUID doesn't leak via XHR/Fetch requests. r=mixedpuppy

Differential Revision: https://phabricator.services.mozilla.com/D40854

--HG--
extra : moz-landing-system : lando

toolkit/components/extensions/test/mochitest/mochitest-common.ini

@@ -50,6 +50,7 @@ support-files =
   redirect_auto.sjs
   redirection.sjs
   return_headers.sjs
+  return_headers_cors.sjs
   slow_response.sjs
   webrequest_worker.js
   !/dom/tests/mochitest/geolocation/network_geolocation.sjs
@@ -163,3 +164,4 @@ skip-if = os == 'android' # Currently fails in emulator tests
 [test_ext_webrequest_urlClassification.html]
 [test_ext_window_postMessage.html]
 [test_ext_webrequest_redirect_bypass_cors.html]
+[test_ext_fetch_origin.html]

toolkit/components/extensions/test/mochitest/return_headers_cors.sjs

@@ -0,0 +1,24 @@
+/* -*- Mode: indent-tabs-mode: nil; js-indent-level: 2 -*- */
+/* vim: set ft=javascript sts=2 sw=2 et tw=80: */
+"use strict";
+
+/* exported handleRequest */
+
+function handleRequest(request, response) {
+  response.setStatusLine(request.httpVersion, 200, "OK");
+  response.setHeader("Content-Type", "text/json", false);
+  response.setHeader("Access-Control-Allow-Credentials", "true", false);
+  response.setHeader("Access-Control-Allow-Origin", "*", false);
+
+
+  let headers = {};
+  // Why on earth is this a nsISimpleEnumerator...
+  let enumerator = request.headers;
+  while (enumerator.hasMoreElements()) {
+    let header = enumerator.getNext().data;
+    headers[header.toLowerCase()] = request.getHeader(header);
+  }
+
+  response.write(JSON.stringify(headers));
+}
+

toolkit/components/extensions/test/mochitest/test_ext_fetch_origin.html

@@ -0,0 +1,60 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Test for simple WebExtension</title>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script src="/tests/SimpleTest/ExtensionTestUtils.js"></script>
+  <script type="text/javascript" src="head.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+
+<script type="text/javascript">
+"use strict";
+
+add_task(async function test_fetch_origin() {
+  let extension = ExtensionTestUtils.loadExtension({
+    manifest: {
+      permissions: [
+        // We purposefully don't add any host permission for example.org
+        // (or all_urls). This ensures the requests below use CORS,
+        // which would normally send an Origin header with a moz-extension:
+        // scheme.
+      ],
+    },
+    async background() {
+      const PATH = "https://example.org/tests/toolkit/components/extensions/test/mochitest/return_headers_cors.sjs";
+
+      let response = await fetch(PATH);
+      let headers = await response.json();
+
+      browser.test.assertEq(headers.host, "example.org", "right host");
+      browser.test.assertFalse("origin" in headers, "no Origin header")
+
+      headers = await new Promise((resolve, reject) => {
+        /* eslint-disable mozilla/balanced-listeners */
+        let xhr = new XMLHttpRequest();
+        xhr.open("GET", PATH);
+        xhr.addEventListener("load", () => {
+          resolve(JSON.parse(xhr.response));
+        })
+        xhr.addEventListener("error", reject)
+        xhr.send();
+      })
+
+      browser.test.assertEq(headers.host, "example.org", "right host");
+      browser.test.assertFalse("origin" in headers, "no Origin header");
+
+      browser.test.sendMessage("finished");
+    },
+  });
+
+  await extension.startup();
+  await extension.awaitMessage("finished");
+  await extension.unload();
+});
+
+</script>
+
+</body>
+</html>