Bug 1428793: Test block insecure redirects to data: URIs. r=smaug

dom/security/test/general/file_block_subresource_redir_to_data.sjs

@@ -0,0 +1,25 @@
+"use strict";
+
+let SCRIPT_DATA = "alert('this alert should be blocked');";
+let WORKER_DATA = "onmessage = function(event) { postMessage('worker-loaded'); }";
+
+function handleRequest(request, response)
+{
+  const query = request.queryString;
+
+  response.setHeader("Cache-Control", "no-cache", false);
+  response.setStatusLine("1.1", 302, "Found");
+
+  if (query === "script") {
+    response.setHeader("Location", "data:text/html," + escape(SCRIPT_DATA), false);
+    return;
+  }
+
+  if (query === "worker") {
+    response.setHeader("Location", "data:text/html," + escape(WORKER_DATA), false);
+    return;
+  }
+
+  // we should never get here; just in case return something unexpected
+  response.write("do'h");
+}

dom/security/test/general/mochitest.ini

@@ -7,6 +7,7 @@ support-files =
   file_block_toplevel_data_navigation2.html
   file_block_toplevel_data_navigation3.html
   file_block_toplevel_data_redirect.sjs
+  file_block_subresource_redir_to_data.sjs
 
 [test_contentpolicytype_targeted_link_iframe.html]
 [test_nosniff.html]
@@ -19,3 +20,4 @@ skip-if = toolkit == 'android' # intermittent failure
 skip-if = toolkit == 'android'
 [test_allow_opening_data_json.html]
 skip-if = toolkit == 'android'
+[test_block_subresource_redir_to_data.html]

dom/security/test/general/test_block_subresource_redir_to_data.html

@@ -0,0 +1,53 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug 1428793: Block insecure redirects to data: URIs</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+
+<script id="testScriptRedirectToData"></script>
+
+<script class="testbody" type="text/javascript">
+
+SimpleTest.waitForExplicitFinish();
+const NUM_TESTS = 2;
+
+var testCounter = 0;
+function checkFinish() {
+  testCounter++;
+  if (testCounter === NUM_TESTS) {
+    SimpleTest.finish();
+  }
+}
+
+// --- test regular scripts
+let testScriptRedirectToData = document.getElementById("testScriptRedirectToData");
+testScriptRedirectToData.onerror = function() {
+  ok(true, "script that redirects to data: URI should not load");
+  checkFinish();
+}
+testScriptRedirectToData.onload = function() {
+  ok(false, "script that redirects to data: URI should not load");
+  checkFinish();
+}
+testScriptRedirectToData.src = "file_block_subresource_redir_to_data.sjs?script";
+
+// --- test workers
+let worker = new Worker("file_block_subresource_redir_to_data.sjs?worker");
+worker.onerror = function() {
+  // please note that workers need to be same origin, hence the data: URI
+  // redirect is blocked by worker code and not the content security manager!
+  ok(true, "worker script that redirects to data: URI should not load");
+  checkFinish();
+}
+worker.onmessage = function() {
+  ok(false, "worker script that redirects to data: URI should not load");
+  checkFinish();
+};
+worker.postMessage("dummy");
+
+</script>
+</body>
+</html>