From d8e2caf90a13c6831121a9bd1089f97566c620e4 Mon Sep 17 00:00:00 2001
From: Christoph Kerschbaumer <ckerschb@christophkerschbaumer.com>
Date: Tue, 23 Jan 2018 09:58:06 +0100
Subject: [PATCH] Bug 1428793: Test block insecure redirects to data: URIs.
 r=smaug

---
 .../file_block_subresource_redir_to_data.sjs  | 25 +++++++++
 dom/security/test/general/mochitest.ini       |  2 +
 .../test_block_subresource_redir_to_data.html | 53 +++++++++++++++++++
 3 files changed, 80 insertions(+)
 create mode 100644 dom/security/test/general/file_block_subresource_redir_to_data.sjs
 create mode 100644 dom/security/test/general/test_block_subresource_redir_to_data.html

diff --git a/dom/security/test/general/file_block_subresource_redir_to_data.sjs b/dom/security/test/general/file_block_subresource_redir_to_data.sjs
new file mode 100644
index 000000000000..e2c27f6f0fa8
--- /dev/null
+++ b/dom/security/test/general/file_block_subresource_redir_to_data.sjs
@@ -0,0 +1,25 @@
+"use strict";
+
+let SCRIPT_DATA = "alert('this alert should be blocked');";
+let WORKER_DATA = "onmessage = function(event) { postMessage('worker-loaded'); }";
+
+function handleRequest(request, response)
+{
+  const query = request.queryString;
+
+  response.setHeader("Cache-Control", "no-cache", false);
+  response.setStatusLine("1.1", 302, "Found");
+
+  if (query === "script") {
+    response.setHeader("Location", "data:text/html," + escape(SCRIPT_DATA), false);
+    return;
+  }
+
+  if (query === "worker") {
+    response.setHeader("Location", "data:text/html," + escape(WORKER_DATA), false);
+    return;
+  }
+
+  // we should never get here; just in case return something unexpected
+  response.write("do'h");
+}
diff --git a/dom/security/test/general/mochitest.ini b/dom/security/test/general/mochitest.ini
index 764067a532cb..2562dd2f8393 100644
--- a/dom/security/test/general/mochitest.ini
+++ b/dom/security/test/general/mochitest.ini
@@ -7,6 +7,7 @@ support-files =
   file_block_toplevel_data_navigation2.html
   file_block_toplevel_data_navigation3.html
   file_block_toplevel_data_redirect.sjs
+  file_block_subresource_redir_to_data.sjs
 
 [test_contentpolicytype_targeted_link_iframe.html]
 [test_nosniff.html]
@@ -19,3 +20,4 @@ skip-if = toolkit == 'android' # intermittent failure
 skip-if = toolkit == 'android'
 [test_allow_opening_data_json.html]
 skip-if = toolkit == 'android'
+[test_block_subresource_redir_to_data.html]
diff --git a/dom/security/test/general/test_block_subresource_redir_to_data.html b/dom/security/test/general/test_block_subresource_redir_to_data.html
new file mode 100644
index 000000000000..6f6ade2351bf
--- /dev/null
+++ b/dom/security/test/general/test_block_subresource_redir_to_data.html
@@ -0,0 +1,53 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug 1428793: Block insecure redirects to data: URIs</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+
+<script id="testScriptRedirectToData"></script>
+
+<script class="testbody" type="text/javascript">
+
+SimpleTest.waitForExplicitFinish();
+const NUM_TESTS = 2;
+
+var testCounter = 0;
+function checkFinish() {
+  testCounter++;
+  if (testCounter === NUM_TESTS) {
+    SimpleTest.finish();
+  }
+}
+
+// --- test regular scripts
+let testScriptRedirectToData = document.getElementById("testScriptRedirectToData");
+testScriptRedirectToData.onerror = function() {
+  ok(true, "script that redirects to data: URI should not load");
+  checkFinish();
+}
+testScriptRedirectToData.onload = function() {
+  ok(false, "script that redirects to data: URI should not load");
+  checkFinish();
+}
+testScriptRedirectToData.src = "file_block_subresource_redir_to_data.sjs?script";
+
+// --- test workers
+let worker = new Worker("file_block_subresource_redir_to_data.sjs?worker");
+worker.onerror = function() {
+  // please note that workers need to be same origin, hence the data: URI
+  // redirect is blocked by worker code and not the content security manager!
+  ok(true, "worker script that redirects to data: URI should not load");
+  checkFinish();
+}
+worker.onmessage = function() {
+  ok(false, "worker script that redirects to data: URI should not load");
+  checkFinish();
+};
+worker.postMessage("dummy");
+
+</script>
+</body>
+</html>