Source code
Revision control
Copy as Markdown
Other Tools
Test Info:
/* Any copyright is dedicated to the Public Domain.
// Bug 1714201 - Extension requests should respect HTTPS-Only exceptions.
"use strict";
/* global browser */
add_task(async function test_extension_exemption() {
await SpecialPowers.pushPrefEnv({
set: [["dom.security.https_only_mode", true]],
});
await SpecialPowers.pushPermissions([
{
type: "https-only-load-insecure",
allow: true,
// eslint-disable-next-line @microsoft/sdl/no-insecure-url
context: "http://example.com",
},
]);
let ext = ExtensionTestUtils.loadExtension({
manifest: {},
async background() {
let r1 = await fetch(
// eslint-disable-next-line @microsoft/sdl/no-insecure-url
);
let r2 = await fetch(
// eslint-disable-next-line @microsoft/sdl/no-insecure-url
);
browser.test.sendMessage("results", [r1.url, r2.url]);
},
});
await ext.startup();
let [urlWithoutException, urlWithException] =
await ext.awaitMessage("results");
ok(
urlWithoutException.startsWith("https://"),
`Without exception, request should be upgraded (got: ${urlWithoutException})`
);
ok(
// eslint-disable-next-line @microsoft/sdl/no-insecure-url
urlWithException.startsWith("http://"),
`With exception, request should not be upgraded (got: ${urlWithException})`
);
await ext.unload();
await SpecialPowers.popPermissions();
await SpecialPowers.popPrefEnv();
});
add_task(async function test_content_script_not_exempted() {
await SpecialPowers.pushPrefEnv({
set: [["dom.security.https_only_mode", true]],
});
await SpecialPowers.pushPermissions([
{
type: "https-only-load-insecure",
allow: true,
// eslint-disable-next-line @microsoft/sdl/no-insecure-url
context: "http://example.org",
},
]);
let ext = ExtensionTestUtils.loadExtension({
manifest: {
host_permissions: ["<all_urls>"],
content_scripts: [
{
matches: ["https://example.com/*"],
js: ["cs.js"],
},
],
},
files: {
"cs.js": async function () {
// The fetch() call here is allowed due to it running with the expanded
// principal containing the extension principal, which enables requests
// through host_permissions declared above. Notably, CORS from the
// server does not have any effect (bug 1605197).
// But we intentionally do NOT want the extension principal's ability
// to bypass https-only (with "https-only-load-insecure") to
// automatically apply to content scripts, so we expect https-only to
// still apply here.
let r1 = await fetch(
// eslint-disable-next-line @microsoft/sdl/no-insecure-url
);
browser.test.assertTrue(
r1.url.startsWith("https:"),
`fetch() must still be upgraded despite destination exception (got: ${r1.url})`
);
// content.fetch uses the web page's principal.
// This is also the default behavior for MV3 extensions.
let r2 = await content.fetch(
// eslint-disable-next-line @microsoft/sdl/no-insecure-url
);
browser.test.assertTrue(
r2.url.startsWith("https:"),
`content.fetch() must still be upgraded despite destination exception (got: ${r2.url})`
);
browser.test.sendMessage("cs-done");
},
},
});
await ext.startup();
let tab = await BrowserTestUtils.openNewForegroundTab(
gBrowser,
);
await ext.awaitMessage("cs-done");
BrowserTestUtils.removeTab(tab);
await ext.unload();
await SpecialPowers.popPermissions();
await SpecialPowers.popPrefEnv();
});
// Same as above but the page loads as http:// because of the exception.
// The exception principal (http://example.com) matches the triggering principal,
// so subresource exemption propagates to all fetches from the page.
add_task(async function test_content_script_http_page() {
await SpecialPowers.pushPrefEnv({
set: [["dom.security.https_only_mode", true]],
});
await SpecialPowers.pushPermissions([
{
type: "https-only-load-insecure",
allow: true,
// eslint-disable-next-line @microsoft/sdl/no-insecure-url
context: "http://example.com",
},
]);
let ext = ExtensionTestUtils.loadExtension({
manifest: {
host_permissions: ["<all_urls>"],
content_scripts: [
{
// eslint-disable-next-line @microsoft/sdl/no-insecure-url
matches: ["http://example.com/*"],
js: ["cs.js"],
},
],
},
files: {
"cs.js": async function () {
// The page exemption propagates to all subresource fetches.
let r1 = await fetch(
// eslint-disable-next-line @microsoft/sdl/no-insecure-url
);
browser.test.assertTrue(
// eslint-disable-next-line @microsoft/sdl/no-insecure-url
r1.url.startsWith("http:"),
`page exception must propagate to subresource fetches (got: ${r1.url})`
);
// content.fetch uses the web page's principal.
// This is also the default behavior for MV3 extensions.
let r2 = await content.fetch(
// eslint-disable-next-line @microsoft/sdl/no-insecure-url
);
browser.test.assertTrue(
// eslint-disable-next-line @microsoft/sdl/no-insecure-url
r2.url.startsWith("http:"),
`page exception must propagate to subresource fetches (got: ${r2.url})`
);
browser.test.sendMessage("cs-done");
},
},
});
await ext.startup();
let tab = await BrowserTestUtils.openNewForegroundTab(
gBrowser,
// eslint-disable-next-line @microsoft/sdl/no-insecure-url
);
await ext.awaitMessage("cs-done");
BrowserTestUtils.removeTab(tab);
await ext.unload();
await SpecialPowers.popPermissions();
await SpecialPowers.popPrefEnv();
});