Bug 452401 - Create tests for mixed content, r=kaie

--HG--
rename : security/manager/ssl/tests/mochitest/test_bug413909.html => security/manager/ssl/tests/mochitest/bugs/test_bug413909.html

build/automation.py.in

@@ -241,9 +241,11 @@ user_pref("javascript.options.jit.content", true);
 user_pref("gfx.color_management.force_srgb", true);
 user_pref("network.manage-offline-status", false);
 user_pref("security.default_personal_cert", "Select Automatically"); // Need to client auth test be w/o any dialogs
+user_pref("security.warn_viewing_mixed", false);
 
 user_pref("camino.warn_when_closing", false); // Camino-only, harmless to others
-"""
+""" % { "downloadDir": (os.path.join(profileDir, "downloads")) }
+  
   prefs.append(part)
 
   # Increase the max script run time 10-fold for debug builds

security/manager/ssl/tests/mochitest/Makefile.in

@@ -40,14 +40,11 @@ DEPTH		= ../../../../..
 topsrcdir	= @top_srcdir@
 srcdir		= @srcdir@
 VPATH		= @srcdir@
-relativesrcdir	= security/ssl
 
-include $(DEPTH)/config/autoconf.mk
+MODULE		= pipnss
+DIRS = \
+  bugs \
+  mixedcontent \
+  $(NULL)
+
 include $(topsrcdir)/config/rules.mk
-
- _CHROME_FILES	= \
-	test_bug413909.html \
-	$(NULL)
-
- libs:: $(_CHROME_FILES)
-	$(INSTALL) $(foreach f,$^,"$f") $(DEPTH)/_tests/testing/mochitest/chrome/$(relativesrcdir)

security/manager/ssl/tests/mochitest/bugs/Makefile.in

@@ -0,0 +1,53 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is mozilla.org code.
+#
+# The Initial Developer of the Original Code is
+# Mozilla Foundation.
+# Portions created by the Initial Developer are Copyright (C) 2007
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#   Jan Bambas <honzab@firemni.cz>
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either of the GNU General Public License Version 2 or later (the "GPL"),
+# or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+DEPTH		= ../../../../../..
+topsrcdir	= @top_srcdir@
+srcdir		= @srcdir@
+VPATH		= @srcdir@
+relativesrcdir	= security/ssl
+
+include $(DEPTH)/config/autoconf.mk
+include $(topsrcdir)/config/rules.mk
+
+ _CHROME_FILES	= \
+	test_bug413909.html \
+	$(NULL)
+
+ libs:: $(_CHROME_FILES)
+	$(INSTALL) $(foreach f,$^,"$f") $(DEPTH)/_tests/testing/mochitest/chrome/$(relativesrcdir)

security/manager/ssl/tests/mochitest/mixedcontent/Makefile.in

@@ -0,0 +1,106 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is mozilla.org code.
+#
+# The Initial Developer of the Original Code is
+# Mozilla Foundation.
+# Portions created by the Initial Developer are Copyright (C) 2007
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#   Jan Bambas <honzab@firemni.cz>
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either of the GNU General Public License Version 2 or later (the "GPL"),
+# or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+DEPTH		= ../../../../../..
+topsrcdir	= @top_srcdir@
+srcdir		= @srcdir@
+VPATH		= @srcdir@
+relativesrcdir	= security/ssl/mixedcontent
+
+include $(DEPTH)/config/autoconf.mk
+include $(topsrcdir)/config/rules.mk
+
+_TEST_FILES = \
+        alloworigin.sjs \
+        backward.html \
+        bug329869.js \
+        bug383369step2.html \
+        bug383369step3.html \
+        download.auto \
+        download.auto^headers^ \
+        emptyimage.sjs \
+        hugebmp.sjs \
+        iframe.html \
+        iframe2.html \
+        iframeMetaRedirect.html \
+        iframesecredirect.sjs \
+        iframeunsecredirect.sjs \
+        imgsecredirect.sjs \
+        imgunsecredirect.sjs \
+        mixedContentTest.js \
+        moonsurface.jpg \
+        redirecttoemptyimage.sjs \
+        somestyle.css \
+        test_bug383369.html \
+        test_bug455367.html \
+        test_bug472986.html \
+        test_cssBefore1.html \
+        test_cssContent1.html \
+        test_cssContent2.html \
+        test_documentWrite1.html \
+        test_documentWrite2.html \
+        test_dynDelayedUnsecurePicture.html \
+        test_dynDelayedUnsecureXHR.html \
+        test_dynUnsecureBackground.html \
+        test_dynUnsecureIframeRedirect.html \
+        test_dynUnsecurePicture.html \
+        test_dynUnsecurePicturePreload.html \
+        test_dynUnsecureRedirect.html \
+        test_innerHtmlDelayedUnsecurePicture.html \
+        test_innerHtmlUnsecurePicture.html \
+        test_secureAll.html \
+        test_securePicture.html \
+        test_unsecureBackground.html \
+        test_unsecureCSS.html \
+        test_unsecureIframe.html \
+        test_unsecureIframe2.html \
+        test_unsecureIframeMetaRedirect.html \
+        test_unsecureIframeRedirect.html \
+        test_unsecurePicture.html \
+        test_unsecurePictureDup.html \
+        test_unsecurePictureInIframe.html \
+        test_unsecureRedirect.html \
+        unsecureIframe.html \
+        unsecurePictureDup.html \
+        $(NULL)
+
+#        test_bug329869.html \  leaks, bug 452401
+
+
+libs:: $(_TEST_FILES)
+	$(INSTALL) $(foreach f,$^,"$f") $(DEPTH)/_tests/testing/mochitest/tests/$(relativesrcdir)

security/manager/ssl/tests/mochitest/mixedcontent/alloworigin.sjs

@@ -0,0 +1,6 @@
+function handleRequest(request, response)
+{
+  response.setStatusLine(request.httpVersion, 200, "OK");
+  response.setHeader("Access-Control-Allow-Origin", "*");
+  response.write("<html><body>hello!</body></html>");
+}

security/manager/ssl/tests/mochitest/mixedcontent/backward.html

@@ -0,0 +1,20 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <script type="text/javascript">
+
+  window.onload = function()
+  {
+    window.setTimeout(function()
+    {
+      netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
+
+      window.QueryInterface(Components.interfaces.nsIInterfaceRequestor)
+        .getInterface(Components.interfaces.nsIWebNavigation)
+        .goBack();
+    }, 100);
+  }
+  
+  </script>
+</head>
+</html>

security/manager/ssl/tests/mochitest/mixedcontent/bug329869.js

@@ -0,0 +1,3 @@
+document.write("This is insecure XSS script " + document.cookie);
+todoSecurityState("broken", "security broken after document write from unsecure script");
+finish();

security/manager/ssl/tests/mochitest/mixedcontent/bug383369step2.html

@@ -0,0 +1,30 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug 383369 test, step 2</title>
+  <script type="text/javascript" src="/MochiKit/packed.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/does_not_exist.css">
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+
+  window.onload = function runTest()
+  {
+    window.setTimeout(function () 
+    {
+      window.location = 
+        "https://example.com/tests/security/ssl/mixedcontent/bug383369step3.html?runtest";
+    }, 0);
+  }
+
+  function afterNavigationTest()
+  {
+  }
+
+  </script>
+</head>
+
+<body>
+</body>
+</html>

security/manager/ssl/tests/mochitest/mixedcontent/bug383369step3.html

@@ -0,0 +1,29 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug 383369 test, final step</title>
+  <script type="text/javascript" src="/MochiKit/packed.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+
+  function runTest()
+  {
+    isSecurityState("secure", "secure page after insecure download and insecure subcontent still secure");
+    finish();
+  }
+
+  function afterNavigationTest()
+  {
+    isSecurityState("secure", "still secure after back/forward");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+</body>
+</html>

security/manager/ssl/tests/mochitest/mixedcontent/download.auto

@@ -0,0 +1 @@
+Temporary file for security/mixedconent tests

security/manager/ssl/tests/mochitest/mixedcontent/download.auto^headers^

@@ -0,0 +1,2 @@
+Content-disposition: "attachment"
+Content-type: application/x-auto-download

security/manager/ssl/tests/mochitest/mixedcontent/emptyimage.sjs

@@ -0,0 +1,5 @@
+function handleRequest(request, response)
+{
+  response.setStatusLine(request.httpVersion, 200, "OK");
+  //response.setHeader("Content-type", "image/gif");
+}

security/manager/ssl/tests/mochitest/mixedcontent/hugebmp.sjs

@@ -0,0 +1,13 @@
+function handleRequest(request, response)
+{
+  response.setStatusLine(request.httpVersion, 200, "OK");
+  response.setHeader("Content-type", "image/bitmap");
+  
+  let bmpheader = "\x42\x4D\x36\x10\x0E\x00\x00\x00\x00\x00\x36\x00\x00\x00\x28\x00\x00\x00\x80\x02\x00\x00\xE0\x01\x00\x00\x01\x00\x18\x00\x00\x00\x00\x00\x00\x10\x0E\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
+  let bmpdatapiece = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";
+
+  response.bodyOutputStream.write(bmpheader, 54);
+  // Fill 640*480*3 nulls
+  for (let i = 0; i < (640 * 480 * 3) / 64; ++i)
+    response.bodyOutputStream.write(bmpdatapiece, 64);
+}

security/manager/ssl/tests/mochitest/mixedcontent/iframe.html

@@ -0,0 +1,12 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+</head>
+
+<body>
+  This is frame 1: 
+  <script>
+    document.write(location.href);
+  </script>
+</body>
+</html>

security/manager/ssl/tests/mochitest/mixedcontent/iframe2.html

@@ -0,0 +1,13 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+</head>
+
+<body>
+  This is frame 2: 
+  <script>
+    document.write(location.href);
+  </script>
+  <iframe src="http://example.com/tests/security/ssl/mixedcontent/iframe.html"></iframe>
+</body>
+</html>

security/manager/ssl/tests/mochitest/mixedcontent/iframeMetaRedirect.html

@@ -0,0 +1,8 @@
+<!DOCTYPE HTML>
+<META http-equiv="Refresh"
+      Content="0; URL=http://example.com/tests/security/ssl/mixedcontent/iframe.html">
+<html>
+  <body>
+    Redirecting by meta tag...
+  </body>
+</html>

security/manager/ssl/tests/mochitest/mixedcontent/iframesecredirect.sjs

@@ -0,0 +1,5 @@
+function handleRequest(request, response)
+{
+  response.setStatusLine(request.httpVersion, 307, "Moved temporarly");
+  response.setHeader("Location", "https://example.com/tests/security/ssl/mixedcontent/iframe.html");
+}

security/manager/ssl/tests/mochitest/mixedcontent/iframeunsecredirect.sjs

@@ -0,0 +1,5 @@
+function handleRequest(request, response)
+{
+  response.setStatusLine(request.httpVersion, 307, "Moved temporarly");
+  response.setHeader("Location", "http://example.com/tests/security/ssl/mixedcontent/iframe.html");
+}

security/manager/ssl/tests/mochitest/mixedcontent/imgsecredirect.sjs

@@ -0,0 +1,5 @@
+function handleRequest(request, response)
+{
+  response.setStatusLine(request.httpVersion, 307, "Moved temporarly");
+  response.setHeader("Location", "https://example.com/tests/security/ssl/mixedcontent/moonsurface.jpg");
+}

security/manager/ssl/tests/mochitest/mixedcontent/imgunsecredirect.sjs

@@ -0,0 +1,5 @@
+function handleRequest(request, response)
+{
+  response.setStatusLine(request.httpVersion, 307, "Moved temporarly");
+  response.setHeader("Location", "http://example.com/tests/security/ssl/mixedcontent/moonsurface.jpg");
+}

security/manager/ssl/tests/mochitest/mixedcontent/mixedContentTest.js

@@ -0,0 +1,210 @@
+/**
+ * Helper script for mixed content testing. It opens a new top-level window
+ * from a secure origin and '?runtest' query. That tells us to run the test
+ * body, function runTest(). Then we wait for call of finish(). On its first
+ * call it loads helper page 'backward.html' that immediately navigates
+ * back to the test secure test. This checks the bfcache. We got second call
+ * to onload and this time we call afterNavigationTest() function to let the
+ * test check security state after re-navigation back. Then we again wait for
+ * finish() call, that this time finishes completelly the test.
+ */
+
+// Tells the framework if to load the test in an insecure page (http://)
+var loadAsInsecure = false;
+// Set true to bypass the navigation forward/back test
+var bypassNavigationTest = false;
+// Set true to do forward/back navigation over an http:// page, test state leaks
+var navigateToInsecure = false;
+// Open the test in two separate windows, test requests sharing among windows
+var openTwoWindows = false;
+// Override the name of the test page to load, useful e.g. to prevent load
+// of images or other content before the test starts; this is actually
+// a 'redirect' to a different test page.
+var testPage = "";
+// Assign a function to this variable to have a clean up at the end
+var testCleanUp = null;
+
+
+// Internal variables
+var _windowCount = 0;
+
+window.onload = function onLoad()
+{
+  if (location.search == "?runtest")
+  {
+    try
+    {
+      if (history.length == 1)
+        runTest();
+      else
+        afterNavigationTest();
+    }
+    catch (ex)
+    {
+      ok(false, "Exception thrown during test: " + ex);
+      finish();
+    }
+  }
+  else
+  {
+    window.addEventListener("message", onMessageReceived, false);
+
+    var secureTestLocation;
+    if (loadAsInsecure)
+      secureTestLocation = "http://example.com";
+    else
+      secureTestLocation = "https://example.com";
+    secureTestLocation += location.pathname
+    if (testPage != "")
+    {
+      array = secureTestLocation.split("/");
+      array.pop();
+      array.push(testPage);
+      secureTestLocation = array.join("/");
+    }
+    secureTestLocation += "?runtest";
+
+    if (openTwoWindows)
+    {
+      _windowCount = 2;
+      window.open(secureTestLocation, "_new1", "");
+      window.open(secureTestLocation, "_new2", "");
+    }
+    else
+    {
+      _windowCount = 1;
+      window.open(secureTestLocation);
+    }
+  }
+}
+
+function onMessageReceived(event)
+{
+  switch (event.data)
+  {
+    // Indication of all test parts finish (from any of the frames)
+    case "done":
+      if (--_windowCount == 0)
+      {
+        if (testCleanUp)
+          testCleanUp();
+          
+        SimpleTest.finish();
+      }
+      break;
+
+    // Any other message indicates error or succes message of a test
+    default:
+      var failureRegExp = new RegExp("^FAILURE");
+      var todoRegExp = new RegExp("^TODO");
+      if (event.data.match(todoRegExp))
+        SimpleTest.todo(false, event.data);
+      else
+        SimpleTest.ok(!event.data.match(failureRegExp), event.data);
+      break;
+  }
+}
+
+function postMsg(message)
+{
+  opener.postMessage(message, "http://localhost:8888");
+}
+
+function finish()
+{
+  if (history.length == 1 && !bypassNavigationTest)
+  {
+    window.setTimeout(function()
+    {
+      window.location.assign(navigateToInsecure ?
+        "http://example.com/tests/security/ssl/mixedcontent/backward.html" :
+        "https://example.com/tests/security/ssl/mixedcontent/backward.html");
+    }, 0);
+  }
+  else
+  {
+    postMsg("done");
+    window.close();
+  }
+}
+
+function ok(a, message)
+{
+  if (!a)
+    postMsg("FAILURE: " + message);
+  else
+    postMsg(message);
+}
+
+function is(a, b, message)
+{
+  if (a != b)
+    postMsg("FAILURE: " + message + ", expected "+b+" got "+a);
+  else
+    postMsg(message + ", expected "+b+" got "+a);
+}
+
+function todo(a, message)
+{
+  if (a)
+    postMsg("FAILURE: TODO works? " + message);
+  else
+    postMsg("TODO: " + message);
+}
+
+function todoSecurityState(expectedState, message)
+{
+  isSecurityState(expectedState, message, todo);
+}
+
+function isSecurityState(expectedState, message, test)
+{
+  netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
+  
+  if (!test)
+    test = ok;
+
+  // Quit nasty but working :)
+  var ui = window
+    .QueryInterface(Components.interfaces.nsIInterfaceRequestor)
+    .getInterface(Components.interfaces.nsIWebNavigation)
+    .QueryInterface(Components.interfaces.nsIDocShell)
+    .securityUI;
+
+  var isInsecure = !ui ||
+    (ui.state & Components.interfaces.nsIWebProgressListener.STATE_IS_INSECURE);
+  var isBroken = ui &&
+    (ui.state & Components.interfaces.nsIWebProgressListener.STATE_IS_BROKEN);
+  var isEV = ui &&
+    (ui.state & Components.interfaces.nsIWebProgressListener.STATE_IDENTITY_EV_TOPLEVEL);
+
+  var gotState;
+  if (isInsecure)
+    gotState = "insecure";
+  else if (isBroken)
+    gotState = "broken";
+  else if (isEV)
+    gotState = "EV";
+  else
+    gotState = "secure";
+
+  test(gotState == expectedState, (message || "") + ", " + "expected " + expectedState + " got " + gotState);
+
+  switch (expectedState)
+  {
+    case "insecure":
+      test(isInsecure && !isBroken && !isEV, "for 'insecure' excpected flags [1,0,0], " + (message || ""));
+      break;
+    case "broken":
+      test(ui && !isInsecure && isBroken && !isEV, "for 'broken' expected  flags [0,1,0], " + (message || ""));
+      break;
+    case "secure":
+      test(ui && !isInsecure && !isBroken && !isEV, "for 'secure' expected flags [0,0,0], " + (message || ""));
+      break;
+    case "EV":
+      test(ui && !isInsecure && !isBroken && isEV, "for 'EV' expected flags [0,0,1], " + (message || ""));
+      break;
+    default:
+      throw "Invalid isSecurityState state";
+  }
+}

security/manager/ssl/tests/mochitest/mixedcontent/redirecttoemptyimage.sjs

@@ -0,0 +1,5 @@
+function handleRequest(request, response)
+{
+  response.setStatusLine(request.httpVersion, 307, "Moved temporarly");
+  response.setHeader("Location", "http://example.com/tests/security/ssl/mixedcontent/emptyimage.sjs");
+}

security/manager/ssl/tests/mochitest/mixedcontent/somestyle.css

@@ -0,0 +1,4 @@
+body
+{
+  background-color: lightBlue;
+}

security/manager/ssl/tests/mochitest/mixedcontent/test_bug329869.html

@@ -0,0 +1,34 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>dymanic script load</title>
+  <script type="text/javascript" src="/MochiKit/packed.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+
+  function runTest()
+  {
+    isSecurityState("secure");
+    window.setTimeout(function() 
+    {
+      var newElement = document.createElement("script");
+      newElement.src= "http://example.org/tests/security/ssl/mixedcontent/bug329869.js";
+      document.body.appendChild(newElement);
+    }, 500);
+  }
+
+  function afterNavigationTest()
+  {
+    isSecurityState("broken", "security still broken after navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+</body>
+</html>

security/manager/ssl/tests/mochitest/mixedcontent/test_bug383369.html

@@ -0,0 +1,91 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug 383369 test</title>
+  <script type="text/javascript" src="/MochiKit/packed.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+
+  // We want to start this test from an insecure context
+  loadAsInsecure = true;
+  // We don't want to go through the navigation back/forward test
+  bypassNavigationTest = true;
+
+  function runTest()
+  {
+    netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
+  
+    // Force download to be w/o user assistance for our testing mime type
+    const mimeSvc = Components.classes["@mozilla.org/mime;1"]
+      .getService(Components.interfaces.nsIMIMEService);
+    var handlerInfo = mimeSvc.getFromTypeAndExtension("application/x-auto-download", "auto");
+    handlerInfo.preferredAction = Components.interfaces.nsIHandlerInfo.saveToDisk;
+    handlerInfo.alwaysAskBeforeHandling = false;
+    handlerInfo.preferredApplicationHandler = null;
+    
+    const handlerSvc = Components.classes["@mozilla.org/uriloader/handler-service;1"]
+      .getService(Components.interfaces.nsIHandlerService);
+    handlerSvc.store(handlerInfo);
+    
+    var dirProvider = Components.classes["@mozilla.org/file/directory_service;1"]
+      .getService(Components.interfaces.nsIProperties);
+    var profileDir = dirProvider.get("ProfDS", Components.interfaces.nsIFile);
+    profileDir.append("downloads");
+    
+    var prefs = Components.classes["@mozilla.org/preferences-service;1"]
+      .getService(Components.interfaces.nsIPrefService);
+    prefs = prefs.getBranch("browser.download.");
+        
+    prefs.setCharPref("dir", profileDir.path);
+    prefs.setIntPref("folderList", 2);
+    prefs.setBoolPref("manager.closeWhenDone", true);
+    prefs.setBoolPref("manager.showWhenStarting", false);
+  
+    var downloadManager = Components.classes["@mozilla.org/download-manager;1"]
+      .getService(Components.interfaces.nsIDownloadManager);
+    var theWindow = window;
+    window.setTimeout(function()
+    {
+      netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
+      downloadManager.cleanUp();
+      theWindow.location = "bug383369step2.html";
+    }, 3000);
+  
+    window.location = "download.auto";
+  }
+
+  function afterNavigationTest()
+  {
+  }
+  
+  testCleanUp = function cleanup()
+  {
+    netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
+
+    const mimeSvc = Components.classes["@mozilla.org/mime;1"]
+      .getService(Components.interfaces.nsIMIMEService);
+    var handlerInfo = mimeSvc.getFromTypeAndExtension("application/x-auto-download", "auto");
+    
+    const handlerSvc = Components.classes["@mozilla.org/uriloader/handler-service;1"]
+      .getService(Components.interfaces.nsIHandlerService);
+    handlerSvc.remove(handlerInfo);
+    
+    var prefs = Components.classes["@mozilla.org/preferences-service;1"]
+      .getService(Components.interfaces.nsIPrefService);
+    prefs = prefs.getBranch("browser.download.");
+
+    prefs.setCharPref("dir", "");
+    prefs.setIntPref("folderList", 0);
+    prefs.setBoolPref("manager.closeWhenDone", false);
+    prefs.setBoolPref("manager.showWhenStarting", true);
+  }
+  
+  </script>
+</head>
+
+<body>
+</body>
+</html>

security/manager/ssl/tests/mochitest/mixedcontent/test_bug455367.html

@@ -0,0 +1,30 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>No content image doesn't break security</title>
+  <script type="text/javascript" src="/MochiKit/packed.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+
+  function runTest()
+  {
+    isSecurityState("secure", "secure");
+    finish();
+  }
+
+  function afterNavigationTest()
+  {
+    isSecurityState("secure", "secure after navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+  <img src="https://example.com/tests/security/ssl/mixedcontent/redirecttoemptyimage.sjs" />
+</body>
+</html>

security/manager/ssl/tests/mochitest/mixedcontent/test_bug472986.html

@@ -0,0 +1,42 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>img.src replace</title>
+  <script type="text/javascript" src="/MochiKit/packed.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+
+  // Clear the default onload assigned to test start because we must
+  // wait for replaced image to load and only after that test the security state
+  var onLoadFunction = window.onload;
+  window.onload = function()
+  {
+    window.setTimeout(onLoadFunction, 500);
+  }
+
+  function runTest()
+  {
+    isSecurityState("secure", "secure");
+    finish();
+  }
+
+  function afterNavigationTest()
+  {
+    isSecurityState("secure", "secure after navigation");
+    finish();
+  }
+  
+  </script>
+</head>
+
+<body>
+  <img id="img1" src="https://example.com/tests/security/ssl/mixedcontent/hugebmp.sjs" />
+  <script type="text/javascript">
+    var img1 = document.getElementById("img1");
+    img1.src = "https://example.com/tests/security/ssl/mixedcontent/moonsurface.jpg";
+  </script>
+</body>
+</html>

security/manager/ssl/tests/mochitest/mixedcontent/test_cssBefore1.html

@@ -0,0 +1,38 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>CSS :before styling 1</title>
+  <script type="text/javascript" src="/MochiKit/packed.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+  <style type="text/css">
+    p:before
+    {
+      content: url(http://example.com/tests/security/ssl/mixedcontent/moonsurface.jpg);
+    }
+  </style>
+
+  <script class="testbody" type="text/javascript">
+
+  function runTest()
+  {
+    isSecurityState("broken", "insecure content added by :before styling breaks security");
+    finish();
+  }
+
+  function afterNavigationTest()
+  {
+    isSecurityState("broken", "security still broken after navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+  <p>
+    There is a moon surface left to this text
+  </p>
+</body>
+</html>

security/manager/ssl/tests/mochitest/mixedcontent/test_cssContent1.html

@@ -0,0 +1,37 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>CSS conent styling 1</title>
+  <script type="text/javascript" src="/MochiKit/packed.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <style type="text/css">
+    p
+    {
+      content: url(http://example.com/tests/security/ssl/mixedcontent/moonsurface.jpg);
+    }
+  </style>
+
+  <script class="testbody" type="text/javascript">
+
+  function runTest()
+  {
+    isSecurityState("broken", "insecure content added by :before styling breaks security");
+    finish();
+  }
+
+  function afterNavigationTest()
+  {
+    isSecurityState("broken", "security still broken after navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+  <p></p>
+</body>
+</html>

security/manager/ssl/tests/mochitest/mixedcontent/test_cssContent2.html

@@ -0,0 +1,37 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>CSS conent styling 2</title>
+  <script type="text/javascript" src="/MochiKit/packed.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+
+  function runTest()
+  {
+    isSecurityState("secure");
+    document.getElementById("para").style.content =
+      "url('http://example.com/tests/security/ssl/mixedcontent/moonsurface.jpg')";
+
+    window.setTimeout(function() {
+      isSecurityState("broken", "insecure content added by styling breaks security");
+      finish();
+    }, 500);
+  }
+
+  function afterNavigationTest()
+  {
+    is(document.getElementById("para").style.content, "");
+    isSecurityState("secure", "security full after navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+  <p id="para"></p>
+</body>
+</html>

security/manager/ssl/tests/mochitest/mixedcontent/test_documentWrite1.html

@@ -0,0 +1,33 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>document.write('<img src="http://">')</title>
+  <script type="text/javascript" src="/MochiKit/packed.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+
+  function runTest()
+  {
+    isSecurityState("broken", "insecure <img> written dynamically breaks security");
+    finish();
+  }
+
+  function afterNavigationTest()
+  {
+    isSecurityState("broken", "security still broken after navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+  <script class="testbody" type="text/javascript">
+  document.write(
+    "<img src='http://example.com/tests/security/ssl/mixedcontent/moonsurface.jpg' />");
+  </script>
+</body>
+</html>

security/manager/ssl/tests/mochitest/mixedcontent/test_documentWrite2.html

@@ -0,0 +1,33 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>document.write('<iframe src="http://">')</title>
+  <script type="text/javascript" src="/MochiKit/packed.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+
+  function runTest()
+  {
+    isSecurityState("broken", "insecure iframe written dynamically breaks security");
+    finish();
+  }
+
+  function afterNavigationTest()
+  {
+    isSecurityState("broken", "security still broken after navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+  <script class="testbody" type="text/javascript">
+  document.write(
+    "<iframe src='http://example.com/tests/security/ssl/mixedcontent/iframe.html'></iframe>");
+  </script>
+</body>
+</html>

security/manager/ssl/tests/mochitest/mixedcontent/test_dynDelayedUnsecurePicture.html

@@ -0,0 +1,42 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>img.src changes to unsecure test</title>
+  <script type="text/javascript" src="/MochiKit/packed.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+
+  function runTest()
+  {
+    isSecurityState("secure");
+    window.setTimeout(function() {
+      // Don't do this synchronously from onload handler
+      document.getElementById("image1").src =
+        "http://example.com/tests/security/ssl/mixedcontent/moonsurface.jpg";
+    }, 0);
+
+    window.setTimeout(function() {
+      isSecurityState("broken", "src='http://...' changed to broken");
+      finish();
+    }, 500);
+  }
+
+  function afterNavigationTest()
+  {
+    is(document.getElementById("image1").src,
+      "https://example.com/tests/security/ssl/mixedcontent/moonsurface.jpg",
+      "img.src secure again");
+    isSecurityState("secure", "security full after navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+  <img id="image1" src="https://example.com/tests/security/ssl/mixedcontent/moonsurface.jpg" />
+</body>
+</html>

security/manager/ssl/tests/mochitest/mixedcontent/test_dynDelayedUnsecureXHR.html

@@ -0,0 +1,46 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>unsecure XHR test</title>
+  <script type="text/javascript" src="/MochiKit/packed.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+
+  function runTest()
+  {
+    isSecurityState("secure");
+    window.setTimeout(function()
+    {
+      try
+      {
+        var req = new XMLHttpRequest();
+        req.open("GET", "http://example.com/tests/security/ssl/mixedcontent/alloworigin.sjs", false);
+        req.send(null);
+
+        // Change should be immediate, the request was sent synchronously
+        todoSecurityState("broken", "security broken after insecure XHR");
+      }
+      catch (ex)
+      {
+        ok(false, ex);
+      }
+
+      finish();
+    }, 0);
+  }
+
+  function afterNavigationTest()
+  {
+    isSecurityState("secure", "security full after navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+</body>
+</html>

security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecureBackground.html

@@ -0,0 +1,40 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>body.background changes to unsecure test</title>
+  <script type="text/javascript" src="/MochiKit/packed.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+
+  // This test, as is, equals to https://kuix.de/misc/test17/358438.php
+
+  function runTest()
+  {
+    isSecurityState("secure");
+    document.body.background =
+      "http://example.com/tests/security/ssl/mixedcontent/moonsurface.jpg";
+
+    window.setTimeout(function() {
+      isSecurityState("broken", "document.body.background='http://...' changed to broken");
+      finish();
+    }, 500);
+  }
+
+  function afterNavigationTest()
+  {
+    is(document.body.background,
+      "https://example.com/tests/security/ssl/mixedcontent/moonsurface.jpg",
+      "document backround secure again");
+    isSecurityState("secure", "secure after re-navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body background="https://example.com/tests/security/ssl/mixedcontent/moonsurface.jpg">
+</body>
+</html>

security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecureIframeRedirect.html

@@ -0,0 +1,38 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>iframe.src changes to unsecure redirect test</title>
+  <script type="text/javascript" src="/MochiKit/packed.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+
+  function runTest()
+  {
+    isSecurityState("secure");
+    var self = window;
+    var iframe = document.getElementById("iframe1");
+    iframe.onload = function() {
+      self.isSecurityState("broken", "src='redirect to unsecure' changed to broken");
+      self.finish();
+    }
+    
+    iframe.src =
+      "https://example.com/tests/security/ssl/mixedcontent/iframeunsecredirect.sjs";
+  }
+
+  function afterNavigationTest()
+  {
+    isSecurityState("broken", "security still broken after navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+  <iframe id="iframe1" src="https://example.com/tests/security/ssl/mixedcontent/iframe.html"></iframe>
+</body>
+</html>

security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecurePicture.html

@@ -0,0 +1,41 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>img.src changes to unsecure test</title>
+  <script type="text/javascript" src="/MochiKit/packed.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+
+  // This test, as is, equals to https://kuix.de/misc/test17/358438.php
+
+  function runTest()
+  {
+    isSecurityState("secure");
+    document.getElementById("image1").src =
+      "http://example.com/tests/security/ssl/mixedcontent/moonsurface.jpg";
+
+    window.setTimeout(function() {
+      isSecurityState("broken", "src='http://...' changed to broken");
+      finish();
+    }, 500);
+  }
+
+  function afterNavigationTest()
+  {
+    is(document.getElementById("image1").src,
+      "https://example.com/tests/security/ssl/mixedcontent/moonsurface.jpg",
+      "img.src secure again");
+    isSecurityState("secure", "security full after navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+  <img id="image1" src="https://example.com/tests/security/ssl/mixedcontent/moonsurface.jpg" />
+</body>
+</html>

security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecurePicturePreload.html

@@ -0,0 +1,32 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>img.src changes to unsecure test</title>
+  <script type="text/javascript" src="/MochiKit/packed.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+
+  (new Image()).src =
+    "http://example.com/tests/security/ssl/mixedcontent/moonsurface.jpg";
+
+  function runTest()
+  {
+    isSecurityState("broken", "(new Image()).src='http://...' changed to broken");
+    finish();
+  }
+
+  function afterNavigationTest()
+  {
+    isSecurityState("broken", "security broken after navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+</body>
+</html>

security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecureRedirect.html

@@ -0,0 +1,39 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>img.src changes to unsecure redirect test</title>
+  <script type="text/javascript" src="/MochiKit/packed.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+
+  function runTest()
+  {
+    isSecurityState("secure");
+    document.getElementById("image1").src =
+      "https://example.com/tests/security/ssl/mixedcontent/imgunsecredirect.sjs";
+
+    window.setTimeout(function() {
+      isSecurityState("broken", "src='redirect to unsecure' changed to broken");
+      finish();
+    }, 500);
+  }
+
+  function afterNavigationTest()
+  {
+    is(document.getElementById("image1").src,
+      "https://example.com/tests/security/ssl/mixedcontent/moonsurface.jpg",
+      "img.src secure again");
+    isSecurityState("secure", "security full after navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+  <img id="image1" src="https://example.com/tests/security/ssl/mixedcontent/moonsurface.jpg" />
+</body>
+</html>

security/manager/ssl/tests/mochitest/mixedcontent/test_innerHtmlDelayedUnsecurePicture.html

@@ -0,0 +1,40 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>innerHTML changes to unsecure test</title>
+  <script type="text/javascript" src="/MochiKit/packed.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+
+  function runTest()
+  {
+    isSecurityState("secure");
+    
+    window.setTimeout(function() 
+    {
+      document.getElementById("buddy").innerHTML =
+        "<img id='image1' src='http://example.com/tests/security/ssl/mixedcontent/moonsurface.jpg' />";
+    }, 1);
+
+    window.setTimeout(function() 
+    {
+      isSecurityState("broken", "innerHTML loading insecure changed to broken");
+      finish();
+    }, 500);
+  }
+
+  function afterNavigationTest()
+  {
+    is(document.getElementById("buddy").innerHTML, "", "innerHTML back to previous");
+    isSecurityState("secure");
+    finish();    
+  }
+
+  </script>
+</head>
+
+<body id="buddy"></body>
+</html>

security/manager/ssl/tests/mochitest/mixedcontent/test_innerHtmlUnsecurePicture.html

@@ -0,0 +1,36 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>innerHTML changes to unsecure test</title>
+  <script type="text/javascript" src="/MochiKit/packed.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+
+  function runTest()
+  {
+    isSecurityState("secure");
+    
+    document.getElementById("buddy").innerHTML =
+      "<img id='image1' src='http://example.com/tests/security/ssl/mixedcontent/moonsurface.jpg' />";
+
+    window.setTimeout(function() {
+      isSecurityState("broken", "innerHTML loading insecure changed to broken");
+      finish();
+    }, 500);
+  }
+
+  function afterNavigationTest()
+  {
+    is(document.getElementById("buddy").innerHTML, "", "innerHTML back to previous");
+    isSecurityState("secure");
+    finish();    
+  }
+
+  </script>
+</head>
+
+<body id="buddy"></body>
+</html>

security/manager/ssl/tests/mochitest/mixedcontent/test_secureAll.html

@@ -0,0 +1,38 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>All secure anti-regression check</title>
+  <script type="text/javascript" src="/MochiKit/packed.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <link rel="stylesheet" type="text/css" 
+    href="https://example.com/tests/security/ssl/mixedcontent/somestyle.css" />
+
+  <script class="testbody" type="text/javascript">
+
+  // Navigation test goes over an insecure page, test state leak
+  navigateToInsecure = true;
+
+  function runTest()
+  {
+    isSecurityState("secure", "insecure <img> load breaks security");
+    finish();
+  }
+
+  function afterNavigationTest()
+  {
+    isSecurityState("secure", "security still broken after navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+  <img src="https://example.com/tests/security/ssl/mixedcontent/moonsurface.jpg" />
+  <img src="https://example.com/tests/security/ssl/mixedcontent/imgsecredirect.sjs" />
+  <iframe src="https://example.com/tests/security/ssl/mixedcontent/iframesecredirect.sjs" />
+</body>
+</html>

security/manager/ssl/tests/mochitest/mixedcontent/test_securePicture.html

@@ -0,0 +1,32 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Secure img load</title>
+  <script type="text/javascript" src="/MochiKit/packed.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+
+  loadAsInsecure = true;
+
+  function runTest()
+  {
+    isSecurityState("insecure", "left insecure");
+    finish();
+  }
+
+  function afterNavigationTest()
+  {
+    isSecurityState("insecure", "left insecure after renavigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+  <img src="https://example.com/tests/security/ssl/mixedcontent/moonsurface.jpg" />
+</body>
+</html>

security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureBackground.html

@@ -0,0 +1,31 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>background unsecure test</title>
+  <script type="text/javascript" src="/MochiKit/packed.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+
+  // This test, as is, equals to https://kuix.de/misc/test17/358438.php
+
+  function runTest()
+  {
+    isSecurityState("broken", "security broken");
+    finish();
+  }
+
+  function afterNavigationTest()
+  {
+    isSecurityState("broken", "security after navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body background="http://example.com/tests/security/ssl/mixedcontent/moonsurface.jpg">
+</body>
+</html>

security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureCSS.html

@@ -0,0 +1,32 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Unsecure css load</title>
+  <script type="text/javascript" src="/MochiKit/packed.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+  
+  <link rel="stylesheet" type="text/css" 
+    href="http://example.com/tests/security/ssl/mixedcontent/somestyle.css" />
+
+  <script class="testbody" type="text/javascript">
+
+  function runTest()
+  {
+    isSecurityState("broken", "insecure <img> load breaks security");
+    finish();
+  }
+
+  function afterNavigationTest()
+  {
+    isSecurityState("broken", "security still broken after navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+</body>
+</html>

security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframe.html

@@ -0,0 +1,30 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Unsecure iframe load</title>
+  <script type="text/javascript" src="/MochiKit/packed.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+
+  function runTest()
+  {
+    isSecurityState("broken", "insecure <iframe> load breaks security");
+    finish();
+  }
+
+  function afterNavigationTest()
+  {
+    isSecurityState("broken", "security still broken after navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+  <iframe src="http://example.com/tests/security/ssl/mixedcontent/iframe.html"></iframe>
+</body>
+</html>

security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframe2.html

@@ -0,0 +1,30 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Unsecure iframe load</title>
+  <script type="text/javascript" src="/MochiKit/packed.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+
+  function runTest()
+  {
+    isSecurityState("broken", "insecure <iframe> load breaks security");
+    finish();
+  }
+
+  function afterNavigationTest()
+  {
+    isSecurityState("broken", "security still broken after navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+  <iframe src="https://example.com/tests/security/ssl/mixedcontent/iframe2.html"></iframe>
+</body>
+</html>

security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframeMetaRedirect.html

@@ -0,0 +1,37 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Unsecure redirect iframe load</title>
+  <script type="text/javascript" src="/MochiKit/packed.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+
+  function runTest()
+  {
+    window.setTimeout(function()
+    {
+      isSecurityState("broken", "insecure meta-tag <iframe> load breaks security");
+      finish();
+    }, 500);
+  }
+
+  function afterNavigationTest()
+  {
+    window.setTimeout(function()
+    {
+      isSecurityState("broken", "security still broken after navigation");
+      finish();
+    }, 500);
+  }
+
+  </script>
+</head>
+
+<body>
+  <iframe src="https://example.com/tests/security/ssl/mixedcontent/iframeMetaRedirect.html"></iframe>
+</body>
+</html>
+ 

security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframeRedirect.html

@@ -0,0 +1,31 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Unsecure redirect iframe load</title>
+  <script type="text/javascript" src="/MochiKit/packed.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+
+  function runTest()
+  {
+    isSecurityState("broken", "insecure <iframe> load breaks security");
+    finish();
+  }
+
+  function afterNavigationTest()
+  {
+    isSecurityState("broken", "security still broken after navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+  <iframe src="https://example.com/tests/security/ssl/mixedcontent/iframeunsecredirect.sjs"></iframe>
+</body>
+</html>
+ 

security/manager/ssl/tests/mochitest/mixedcontent/test_unsecurePicture.html

@@ -0,0 +1,30 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Unsecure img load</title>
+  <script type="text/javascript" src="/MochiKit/packed.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+
+  function runTest()
+  {
+    isSecurityState("broken", "insecure <img> load breaks security");
+    finish();
+  }
+
+  function afterNavigationTest()
+  {
+    isSecurityState("broken", "security still broken after navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+  <img src="http://example.com/tests/security/ssl/mixedcontent/moonsurface.jpg" />
+</body>
+</html>

security/manager/ssl/tests/mochitest/mixedcontent/test_unsecurePictureDup.html

@@ -0,0 +1,20 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Unsecure img load in two windows</title>
+  <script type="text/javascript" src="/MochiKit/packed.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+    
+  openTwoWindows = true;
+  testPage = "unsecurePictureDup.html";
+
+  </script>
+</head>
+
+<body>
+</body>
+</html>

security/manager/ssl/tests/mochitest/mixedcontent/test_unsecurePictureInIframe.html

@@ -0,0 +1,30 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Unsecure img in iframe load</title>
+  <script type="text/javascript" src="/MochiKit/packed.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+
+  function runTest()
+  {
+    isSecurityState("broken", "insecure <img> in an <iframe> load breaks security");
+    finish();
+  }
+
+  function afterNavigationTest()
+  {
+    isSecurityState("broken", "security still broken after navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+  <iframe src="http://example.com/tests/security/ssl/mixedcontent/unsecureIframe.html"></iframe>
+</body>
+</html>

security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureRedirect.html

@@ -0,0 +1,30 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Redirect from secure to unsecure img</title>
+  <script type="text/javascript" src="/MochiKit/packed.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+
+  function runTest()
+  {
+    isSecurityState("broken", "insecure <img> load breaks security");
+    finish();
+  }
+
+  function afterNavigationTest()
+  {
+    isSecurityState("broken", "security still broken after navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+  <img src="https://example.com/tests/security/ssl/mixedcontent/imgunsecredirect.sjs" />
+</body>
+</html>

security/manager/ssl/tests/mochitest/mixedcontent/unsecureIframe.html

@@ -0,0 +1,9 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+</head>
+
+<body>
+  <img src="http://example.com/tests/security/ssl/mixedcontent/moonsurface.jpg" />
+</body>
+</html>

security/manager/ssl/tests/mochitest/mixedcontent/unsecurePictureDup.html

@@ -0,0 +1,30 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Unsecure img load in two windows</title>
+  <script type="text/javascript" src="/MochiKit/packed.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="mixedContentTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+
+  <script class="testbody" type="text/javascript">
+    
+  function runTest()
+  {
+    isSecurityState("broken", "insecure <img> load breaks security");
+    finish();
+  }
+
+  function afterNavigationTest()
+  {
+    isSecurityState("broken", "security still broken after navigation");
+    finish();
+  }
+
+  </script>
+</head>
+
+<body>
+  <img src="http://example.com/tests/security/ssl/mixedcontent/hugebmp.sjs" />
+</body>
+</html>