Bug 1747673 - HTTPS First fallback to http for non-standard 5xx status code responses. r=ckerschb,kershaw

Differential Revision: https://phabricator.services.mozilla.com/D135214
This commit is contained in:
lyavor 2022-01-13 14:28:34 +00:00
Родитель 69a30b6cc7
Коммит f85f79ecf5
4 изменённых файлов: 137 добавлений и 2 удалений

Просмотреть файл

@ -472,7 +472,7 @@ nsHTTPSOnlyUtils::PotentiallyDowngradeHttpsFirstRequest(nsIChannel* aChannel,
// corresponding NS_ERROR_*. // corresponding NS_ERROR_*.
// To do so we convert the response status to an nsresult error // To do so we convert the response status to an nsresult error
// Every NS_OK that is NOT an 4xx or 5xx error code won't get downgraded. // Every NS_OK that is NOT an 4xx or 5xx error code won't get downgraded.
if (responseStatus >= 400 && responseStatus < 512) { if (responseStatus >= 400 && responseStatus < 600) {
// HttpProxyResponseToErrorCode() maps 400 and 404 on // HttpProxyResponseToErrorCode() maps 400 and 404 on
// the same error as a 500 status which would lead to no downgrade // the same error as a 500 status which would lead to no downgrade
// later on. For that reason we explicit filter for 400 and 404 status // later on. For that reason we explicit filter for 400 and 404 status

Просмотреть файл

@ -0,0 +1,70 @@
// Custom *.sjs file specifically for the needs of Bug 1709552
"use strict";
const RESPONSE_SUCCESS = `
<html>
<body>
send message, downgraded
<script type="application/javascript">
let scheme = document.location.protocol;
window.opener.postMessage({result: 'downgraded', scheme: scheme}, '*');
</script>
</body>
</html>`;
const RESPONSE_UNEXPECTED = `
<html>
<body>
send message, error
<script type="application/javascript">
let scheme = document.location.protocol;
window.opener.postMessage({result: 'Error', scheme: scheme}, '*');
</script>
</body>
</html>`;
function handleRequest(request, response) {
// avoid confusing cache behaviour
response.setHeader("Cache-Control", "no-cache", false);
response.setHeader("Content-Type", "text/html", false);
let query = request.queryString;
// if the scheme is not https and it is the initial request
// then we rather fall through and display unexpected content
if (request.scheme === "https") {
if (query === "test1a") {
response.setStatusLine("1.1", 501, "Not Implemented");
response.write("Not Implemented\n");
return;
}
if (query === "test2a") {
response.setStatusLine("1.1", 504, "Gateway Timeout");
response.write("Gateway Timeout\n");
return;
}
if (query === "test3a") {
response.setStatusLine("1.1", 521, "Web Server Is Down");
response.write("Web Server Is Down\n");
return;
}
if (query === "test4a") {
response.setStatusLine("1.1", 530, "Railgun Error");
response.write("Railgun Error\n");
return;
}
if (query === "test5a") {
response.setStatusLine("1.1", 560, "Unauthorized");
response.write("Unauthorized\n");
return;
}
// We should never arrive here, just in case send something unexpected
response.write(RESPONSE_UNEXPECTED);
return;
}
// We should arrive here when the redirection was downraded successful
response.write(RESPONSE_SUCCESS);
}

Просмотреть файл

@ -38,4 +38,6 @@ support-files =
support-files = support-files =
file_bad_cert.sjs file_bad_cert.sjs
[test_downgrade_request_upgrade_request.html] [test_downgrade_request_upgrade_request.html]
support-files= file_downgrade_request_upgrade_request.sjs support-files = file_downgrade_request_upgrade_request.sjs
[test_downgrade_500_responses.html]
support-files = file_downgrade_500_responses.sjs

Просмотреть файл

@ -0,0 +1,63 @@
<!DOCTYPE HTML>
<html>
<head>
<title>Bug 1747673 : HTTPS First fallback to http for non-standard 5xx status code responses</title>
<script src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<script class="testbody" type="text/javascript">
"use strict";
/*
* Description of the test:
* Perform five tests where https-first receives an
* 5xx status code (standard and non-standard 5xx status) if request is send to site by https.
* Expected behaviour: https-first fallbacks to http after receiving 5xx error.
* Test 1: 501 Response
* Test 2: 504 Response
* Test 3: 521 Response
* Test 4: 530 Response
* Test 5: 560 Response
*/
SimpleTest.waitForExplicitFinish();
const REQUEST_URL =
"http://example.com/tests/dom/security/test/https-first/file_downgrade_500_responses.sjs";
const redirectQueries = ["?test1a", "?test2a","?test3a", "?test4a", "?test5a"];
let currentTest = 0;
let testWin;
let currentQuery;
window.addEventListener("message", receiveMessage);
// Receive message and verify that it is from an http site.
// When the message is 'downgraded' then it was send by an http site
// and the redirection worked.
async function receiveMessage(event) {
let data = event.data;
currentQuery = redirectQueries[currentTest];
ok(data.result === "downgraded", "Redirected successful to 'http' for " + currentQuery);
is(data.scheme, "http:", "scheme is 'http' for " + currentQuery );
testWin.close();
if (++currentTest < redirectQueries.length) {
runTest();
return;
}
window.removeEventListener("message", receiveMessage);
SimpleTest.finish();
}
async function runTest() {
currentQuery = redirectQueries[currentTest];
testWin = window.open(REQUEST_URL + currentQuery, "_blank");
}
SpecialPowers.pushPrefEnv({ set: [
["dom.security.https_first", true]
]}, runTest);
</script>
</body>
</html>