firefox-main/browser/base/content/test/about/browser_aboutCertError.js (file symbol)

Source code

Revision control

Copy as Markdown

Other Tools

Test Info: Errors

/* Any copyright is dedicated to the Public Domain.
"use strict";
// This is testing the aboutCertError page (Bug 1207107).
const GOOD_PAGE = "https://example.com/";
const GOOD_PAGE_2 = "https://example.org/";
const BAD_CERT = "https://expired.example.com/";
const UNKNOWN_ISSUER = "https://self-signed.example.com";
const BAD_STS_CERT =
const { TabStateFlusher } = ChromeUtils.importESModule(
"resource:///modules/sessionstore/TabStateFlusher.sys.mjs"
);
// Security CertError Felt Privacy set to false & true
// checked in one checkReturnToAboutHome to avoid duplicating code
add_task(async function checkReturnToAboutHome() {
info(
"Loading a bad cert page directly and making sure 'return to previous page' goes to about:home"
);
for (let toggleFeltPrivacy of [
setSecurityCertErrorsFeltPrivacyToFalse,
setSecurityCertErrorsFeltPrivacyToTrue,
]) {
await toggleFeltPrivacy();
for (let useFrame of [false, true]) {
let tab = await openErrorPage(BAD_CERT, useFrame);
let browser = tab.linkedBrowser;
await SpecialPowers.spawn(browser, [], () => {
content.document.notifyUserGestureActivation();
});
is(browser.webNavigation.canGoBack, false, "!webNavigation.canGoBack");
is(
browser.webNavigation.canGoForward,
false,
"!webNavigation.canGoForward"
);
// Populate the shistory entries manually, since it happens asynchronously
// and the following tests will be too soon otherwise.
await TabStateFlusher.flush(browser);
let { entries } = JSON.parse(SessionStore.getTabState(tab));
is(entries.length, 1, "there is one shistory entry");
info("Clicking the go back button on about:certerror");
let bc = browser.browsingContext;
if (useFrame) {
bc = bc.children[0];
}
let locationChangePromise = BrowserTestUtils.waitForLocationChange(
gBrowser,
"about:home"
);
if (Services.prefs.getBoolPref("security.certerrors.felt-privacy-v1")) {
info("Felt Privacy enabled - using net-error-card");
await SpecialPowers.spawn(bc, [useFrame], async function (subFrame) {
const netErrorCard =
content.document.querySelector("net-error-card").wrappedJSObject;
await netErrorCard.getUpdateComplete();
const returnButton = netErrorCard.returnButton;
if (!subFrame) {
if (!Services.focus.focusedElement == returnButton) {
await ContentTaskUtils.waitForEvent(returnButton, "focus");
}
Assert.ok(true, "returnButton has focus");
}
// Note that going back to about:newtab might cause a process flip, if
// the browser is configured to run about:newtab in its own special
// content process.
returnButton.scrollIntoView(true);
EventUtils.synthesizeMouseAtCenter(returnButton, {}, content);
});
} else {
info("Felt Privacy disabled - using aboutNetError");
await SpecialPowers.spawn(bc, [useFrame], async function (subFrame) {
let returnButton = content.document.getElementById("returnButton");
if (!subFrame) {
if (!Services.focus.focusedElement == returnButton) {
await ContentTaskUtils.waitForEvent(returnButton, "focus");
}
Assert.ok(true, "returnButton has focus");
}
// Note that going back to about:newtab might cause a process flip, if
// the browser is configured to run about:newtab in its own special
// content process.
returnButton.click();
});
}
await locationChangePromise;
is(browser.webNavigation.canGoBack, true, "webNavigation.canGoBack");
is(
browser.webNavigation.canGoForward,
false,
"!webNavigation.canGoForward"
);
is(gBrowser.currentURI.spec, "about:home", "Went back");
BrowserTestUtils.removeTab(gBrowser.selectedTab);
}
await SpecialPowers.popPrefEnv();
}
});
// Security CertError Felt Privacy set to false only
add_task(async function checkReturnToPreviousPage_feltPrivacyToFalse() {
await setSecurityCertErrorsFeltPrivacyToFalse();
info(
"Loading a bad cert page and making sure 'return to previous page' goes back"
);
for (let useFrame of [false, true]) {
let tab;
let browser;
if (useFrame) {
tab = await BrowserTestUtils.openNewForegroundTab(gBrowser, GOOD_PAGE);
browser = tab.linkedBrowser;
await SpecialPowers.spawn(browser, [], () => {
content.document.notifyUserGestureActivation();
});
BrowserTestUtils.startLoadingURIString(browser, GOOD_PAGE_2);
await BrowserTestUtils.browserLoaded(browser, false, GOOD_PAGE_2);
await injectErrorPageFrame(tab, BAD_CERT);
} else {
tab = await BrowserTestUtils.openNewForegroundTab(gBrowser, GOOD_PAGE);
browser = gBrowser.selectedBrowser;
await SpecialPowers.spawn(browser, [], () => {
content.document.notifyUserGestureActivation();
});
info("Loading and waiting for the cert error");
let certErrorLoaded = BrowserTestUtils.waitForErrorPage(browser);
BrowserTestUtils.startLoadingURIString(browser, BAD_CERT);
await certErrorLoaded;
}
is(browser.webNavigation.canGoBack, true, "webNavigation.canGoBack");
is(
browser.webNavigation.canGoForward,
false,
"!webNavigation.canGoForward"
);
// Populate the shistory entries manually, since it happens asynchronously
// and the following tests will be too soon otherwise.
await TabStateFlusher.flush(browser);
let { entries } = JSON.parse(SessionStore.getTabState(tab));
is(entries.length, 2, "there are two shistory entries");
info("Clicking the go back button on about:certerror");
let bc = browser.browsingContext;
if (useFrame) {
bc = bc.children[0];
}
let pageShownPromise = BrowserTestUtils.waitForContentEvent(
browser,
"pageshow",
true
);
await SpecialPowers.spawn(bc, [useFrame], async function () {
let returnButton = content.document.getElementById("returnButton");
returnButton.click();
});
await pageShownPromise;
is(browser.webNavigation.canGoBack, false, "!webNavigation.canGoBack");
is(browser.webNavigation.canGoForward, true, "webNavigation.canGoForward");
is(gBrowser.currentURI.spec, GOOD_PAGE, "Went back");
BrowserTestUtils.removeTab(gBrowser.selectedTab);
}
});
// Works for both Security CertError Felt Privacy set to true and false
// This checks that the appinfo.appBuildID starts with a date string,
// which is required for the misconfigured system time check.
add_task(async function checkAppBuildIDIsDate() {
let appBuildID = Services.appinfo.appBuildID;
let year = parseInt(appBuildID.substr(0, 4), 10);
let month = parseInt(appBuildID.substr(4, 2), 10);
let day = parseInt(appBuildID.substr(6, 2), 10);
Assert.ok(year >= 2016 && year <= 2100, "appBuildID contains a valid year");
Assert.ok(month >= 1 && month <= 12, "appBuildID contains a valid month");
Assert.ok(day >= 1 && day <= 31, "appBuildID contains a valid day");
});
add_task(async function checkAdvancedDetails_feltPrivacyToFalse() {
await setSecurityCertErrorsFeltPrivacyToFalse();
info(
"Loading a bad cert page and verifying the main error and advanced details section"
);
for (let useFrame of [false, true]) {
let tab = await openErrorPage(BAD_CERT, useFrame);
let browser = tab.linkedBrowser;
let bc = browser.browsingContext;
if (useFrame) {
bc = bc.children[0];
}
let message = await SpecialPowers.spawn(bc, [], async function () {
let doc = content.document;
const shortDesc = doc.getElementById("errorShortDesc");
const sdArgs = JSON.parse(shortDesc.dataset.l10nArgs);
is(
sdArgs.hostname,
"expired.example.com",
"Should list hostname in error message."
);
Assert.ok(
doc.getElementById("certificateErrorDebugInformation").hidden,
"Debug info is initially hidden"
);
let exceptionButton = doc.getElementById("exceptionDialogButton");
Assert.ok(
!exceptionButton.disabled,
"Exception button is not disabled by default."
);
let advancedButton = doc.getElementById("advancedButton");
advancedButton.click();
// Wait until fluent sets the errorCode inner text.
let errorCode;
await ContentTaskUtils.waitForCondition(() => {
errorCode = doc.getElementById("errorCode");
return errorCode && errorCode.textContent != "";
}, "error code has been set inside the advanced button panel");
return {
textContent: errorCode.textContent,
tagName: errorCode.tagName.toLowerCase(),
};
});
is(
message.textContent,
"SEC_ERROR_EXPIRED_CERTIFICATE",
"Correct error message found"
);
is(message.tagName, "a", "Error message is a link");
message = await SpecialPowers.spawn(bc, [], async function () {
let doc = content.document;
let errorCode = doc.getElementById("errorCode");
errorCode.click();
let div = doc.getElementById("certificateErrorDebugInformation");
let text = doc.getElementById("certificateErrorText");
Assert.notStrictEqual(
content.getComputedStyle(div).display,
"none",
"Debug information is visible"
);
let handshakeCertificates =
content.docShell.failedChannel.securityInfo.handshakeCertificates.map(
cert => cert.getBase64DERString()
);
return {
divDisplay: content.getComputedStyle(div).display,
text: text.textContent,
handshakeCertificates,
};
});
isnot(message.divDisplay, "none", "Debug information is visible");
ok(message.text.includes(BAD_CERT), "Correct URL found");
ok(
message.text.includes("Certificate has expired"),
"Correct error message found"
);
ok(
message.text.includes("HTTP Strict Transport Security: false"),
"Correct HSTS value found"
);
ok(
message.text.includes("HTTP Public Key Pinning: false"),
"Correct HPKP value found"
);
let certChain = getCertChainAsString(message.handshakeCertificates);
ok(message.text.includes(certChain), "Found certificate chain");
BrowserTestUtils.removeTab(gBrowser.selectedTab);
}
});
add_task(async function checkAdvancedDetailsForHSTS_feltPrivacyToFalse() {
await setSecurityCertErrorsFeltPrivacyToFalse();
info(
"Loading a bad STS cert page and verifying the advanced details section"
);
for (let useFrame of [false, true]) {
let tab = await openErrorPage(BAD_STS_CERT, useFrame);
let browser = tab.linkedBrowser;
let bc = browser.browsingContext;
if (useFrame) {
bc = bc.children[0];
}
let message = await SpecialPowers.spawn(bc, [], async function () {
let doc = content.document;
let advancedButton = doc.getElementById("advancedButton");
advancedButton.click();
// Wait until fluent sets the errorCode inner text.
let ec;
await ContentTaskUtils.waitForCondition(() => {
ec = doc.getElementById("errorCode");
return ec.textContent != "";
}, "error code has been set inside the advanced button panel");
let cdl = doc.getElementById("cert_domain_link");
return {
ecTextContent: ec.textContent,
ecTagName: ec.tagName.toLowerCase(),
cdlTextContent: cdl.textContent,
cdlTagName: cdl.tagName.toLowerCase(),
};
});
const badStsUri = Services.io.newURI(BAD_STS_CERT);
is(
message.ecTextContent,
"SSL_ERROR_BAD_CERT_DOMAIN",
"Correct error message found"
);
is(message.ecTagName, "a", "Error message is a link");
const url = badStsUri.prePath.slice(badStsUri.prePath.indexOf(".") + 1);
is(message.cdlTextContent, url, "Correct cert_domain_link contents found");
is(message.cdlTagName, "a", "cert_domain_link is a link");
message = await SpecialPowers.spawn(bc, [], async function () {
let doc = content.document;
let errorCode = doc.getElementById("errorCode");
errorCode.click();
let div = doc.getElementById("certificateErrorDebugInformation");
let text = doc.getElementById("certificateErrorText");
let handshakeCertificates =
content.docShell.failedChannel.securityInfo.handshakeCertificates.map(
cert => cert.getBase64DERString()
);
return {
divDisplay: content.getComputedStyle(div).display,
text: text.textContent,
handshakeCertificates,
};
});
isnot(message.divDisplay, "none", "Debug information is visible");
ok(message.text.includes(badStsUri.spec), "Correct URL found");
ok(
message.text.includes(
"requested domain name does not match the server\u2019s certificate"
),
"Correct error message found"
);
ok(
message.text.includes("HTTP Strict Transport Security: false"),
"Correct HSTS value found"
);
ok(
message.text.includes("HTTP Public Key Pinning: true"),
"Correct HPKP value found"
);
let certChain = getCertChainAsString(message.handshakeCertificates);
ok(message.text.includes(certChain), "Found certificate chain");
BrowserTestUtils.removeTab(gBrowser.selectedTab);
}
});
add_task(async function checkUnknownIssuerLearnMoreLink_feltPrivacyToFalse() {
await setSecurityCertErrorsFeltPrivacyToFalse();
info(
"Loading a cert error for self-signed pages and checking the correct link is shown"
);
for (let useFrame of [false, true]) {
let tab = await openErrorPage(UNKNOWN_ISSUER, useFrame);
let browser = tab.linkedBrowser;
let bc = browser.browsingContext;
if (useFrame) {
bc = bc.children[0];
}
let href = await SpecialPowers.spawn(bc, [], async function () {
let learnMoreLink = content.document.getElementById("learnMoreLink");
return learnMoreLink.href;
});
ok(href.endsWith("security-error"), "security-error in the Learn More URL");
BrowserTestUtils.removeTab(gBrowser.selectedTab);
}
});
add_task(async function checkViewCertificate_feltPrivacyToFalse() {
await setSecurityCertErrorsFeltPrivacyToFalse();
info("Loading a cert error and checking that the certificate can be shown.");
for (let useFrame of [true, false]) {
if (useFrame) {
// Bug #1573502
continue;
}
let tab = await openErrorPage(UNKNOWN_ISSUER, useFrame);
let browser = tab.linkedBrowser;
let bc = browser.browsingContext;
if (useFrame) {
bc = bc.children[0];
}
let loaded = BrowserTestUtils.waitForNewTab(gBrowser, null, true);
await SpecialPowers.spawn(bc, [], async function () {
let viewCertificate = content.document.getElementById("viewCertificate");
viewCertificate.click();
});
await loaded;
let spec = gBrowser.currentURI.spec;
Assert.ok(
spec.startsWith("about:certificate"),
"about:certificate is the new opened tab"
);
await SpecialPowers.spawn(
gBrowser.selectedTab.linkedBrowser,
[],
async function () {
let doc = content.document;
let certificateSection = await ContentTaskUtils.waitForCondition(() => {
return doc.querySelector("certificate-section");
}, "Certificate section found");
let infoGroup =
certificateSection.shadowRoot.querySelector("info-group");
Assert.ok(infoGroup, "infoGroup found");
let items = infoGroup.shadowRoot.querySelectorAll("info-item");
let commonnameID = items[items.length - 1].shadowRoot
.querySelector("label")
.getAttribute("data-l10n-id");
Assert.equal(
commonnameID,
"certificate-viewer-common-name",
"The correct item was selected"
);
let commonnameValue =
items[items.length - 1].shadowRoot.querySelector(".info").textContent;
Assert.equal(
commonnameValue,
"self-signed.example.com",
"Shows the correct certificate in the page"
);
}
);
BrowserTestUtils.removeTab(gBrowser.selectedTab); // closes about:certificate
BrowserTestUtils.removeTab(gBrowser.selectedTab);
}
});
add_task(async function checkBadStsCertHeadline_feltPrivacyToFalse() {
await setSecurityCertErrorsFeltPrivacyToFalse();
info(
"Loading a bad sts cert error page and checking that the correct headline is shown"
);
for (let useFrame of [false, true]) {
let tab = await openErrorPage(BAD_CERT, useFrame);
let browser = tab.linkedBrowser;
let bc = browser.browsingContext;
if (useFrame) {
bc = bc.children[0];
}
await SpecialPowers.spawn(bc, [useFrame], async _useFrame => {
const titleText = content.document.querySelector(".title-text");
is(
titleText.dataset.l10nId,
_useFrame ? "nssBadCert-sts-title" : "nssBadCert-title",
"Error page title is set"
);
});
BrowserTestUtils.removeTab(gBrowser.selectedTab);
}
});
add_task(async function checkSandboxedIframe_feltPrivacyToFalse() {
await setSecurityCertErrorsFeltPrivacyToFalse();
info(
"Loading a bad sts cert error in a sandboxed iframe and check that the correct headline is shown"
);
let useFrame = true;
let sandboxed = true;
let tab = await openErrorPage(BAD_CERT, useFrame, sandboxed);
let browser = tab.linkedBrowser;
let bc = browser.browsingContext.children[0];
await SpecialPowers.spawn(bc, [], async function () {
let doc = content.document;
const titleText = doc.querySelector(".title-text");
is(
titleText.dataset.l10nId,
"nssBadCert-sts-title",
"Title shows Did Not Connect: Potential Security Issue"
);
const errorLabel = doc.querySelector(
'[data-l10n-id="cert-error-code-prefix-link"]'
);
const elArgs = JSON.parse(errorLabel.dataset.l10nArgs);
is(
elArgs.error,
"SEC_ERROR_EXPIRED_CERTIFICATE",
"Correct error message found"
);
is(
doc.getElementById("errorCode").tagName.toLowerCase(),
"a",
"Error message contains a link"
);
});
BrowserTestUtils.removeTab(gBrowser.selectedTab);
});
add_task(async function checkViewSource_feltPrivacyToFalse() {
await setSecurityCertErrorsFeltPrivacyToFalse();
info(
"Loading a bad sts cert error in a sandboxed iframe and check that the correct headline is shown"
);
let uri = "view-source:" + BAD_CERT;
let tab = await openErrorPage(uri);
let browser = tab.linkedBrowser;
await SpecialPowers.spawn(browser, [], async function () {
let doc = content.document;
const errorLabel = doc.querySelector(
'[data-l10n-id="cert-error-code-prefix-link"]'
);
const elArgs = JSON.parse(errorLabel.dataset.l10nArgs);
is(
elArgs.error,
"SEC_ERROR_EXPIRED_CERTIFICATE",
"Correct error message found"
);
is(
doc.getElementById("errorCode").tagName.toLowerCase(),
"a",
"Error message contains a link"
);
const titleText = doc.querySelector(".title-text");
is(titleText.dataset.l10nId, "nssBadCert-title", "Error page title is set");
const shortDesc = doc.getElementById("errorShortDesc");
const sdArgs = JSON.parse(shortDesc.dataset.l10nArgs);
is(
sdArgs.hostname,
"expired.example.com",
"Should list hostname in error message."
);
});
let loaded = BrowserTestUtils.browserLoaded(browser, false, uri);
info("Clicking the exceptionDialogButton in advanced panel");
await SpecialPowers.spawn(browser, [], async function () {
let doc = content.document;
let exceptionButton = doc.getElementById("exceptionDialogButton");
exceptionButton.click();
});
info("Loading the url after adding exception");
await loaded;
await SpecialPowers.spawn(browser, [], async function () {
let doc = content.document;
ok(
!doc.documentURI.startsWith("about:certerror"),
"Exception has been added"
);
});
let certOverrideService = Cc[
"@mozilla.org/security/certoverride;1"
].getService(Ci.nsICertOverrideService);
certOverrideService.clearValidityOverride("expired.example.com", -1, {});
loaded = BrowserTestUtils.waitForErrorPage(browser);
BrowserCommands.reloadSkipCache();
await loaded;
BrowserTestUtils.removeTab(gBrowser.selectedTab);
});
add_task(async function testCertificateTransparency() {
info(
"Test that when certificate transparency is enforced, the right error page is shown."
);
// Enforce certificate transparency for certificates issued by our test root.
// This is only possible in debug builds, hence skipping this test in
// non-debug builds (see below).
await SpecialPowers.pushPrefEnv({
set: [
["security.pki.certificate_transparency.mode", 2],
[
"security.test.built_in_root_hash",
"8D:9D:57:09:E5:7D:D5:C6:4B:BE:24:70:E9:E5:BF:FF:16:F6:F2:C2:49:4E:0F:B9:37:1C:DD:3A:0E:10:45:F4",
],
],
});
for (let useFrame of [false, true]) {
let tab;
let browser;
if (useFrame) {
tab = await BrowserTestUtils.openNewForegroundTab(
gBrowser,
"about:blank"
);
browser = tab.linkedBrowser;
// injectErrorPageFrame is a helper from head.js for this purpose
await injectErrorPageFrame(tab, GOOD_PAGE, useFrame);
} else {
tab = await openErrorPage(GOOD_PAGE, useFrame);
browser = tab.linkedBrowser;
}
let bc = browser.browsingContext;
if (useFrame) {
bc = bc.children[0];
}
let message = await SpecialPowers.spawn(bc, [], async function () {
const doc = content.document;
const shortDesc = doc.getElementById("errorShortDesc");
const sdArgs = JSON.parse(shortDesc.dataset.l10nArgs);
Assert.equal(
sdArgs.hostname,
"example.com",
"Should list hostname in error message."
);
const advancedButton = doc.getElementById("advancedButton");
advancedButton.scrollIntoView(true);
EventUtils.synthesizeMouseAtCenter(advancedButton, {}, content);
// Wait until fluent sets the errorCode inner text.
let errorCode;
await ContentTaskUtils.waitForCondition(() => {
errorCode = doc.getElementById("errorCode");
return errorCode && errorCode.textContent != "";
}, "error code has been set inside the advanced button panel");
return {
textContent: errorCode.textContent,
tagName: errorCode.tagName.toLowerCase(),
};
});
Assert.equal(
message.textContent,
"MOZILLA_PKIX_ERROR_INSUFFICIENT_CERTIFICATE_TRANSPARENCY",
"Correct error message found"
);
Assert.equal(message.tagName, "a", "Error message is a link");
message = await SpecialPowers.spawn(bc, [], async function () {
const doc = content.document;
const errorCode = doc.getElementById("errorCode");
errorCode.scrollIntoView(true);
EventUtils.synthesizeMouseAtCenter(errorCode, {}, content);
const text = doc.getElementById("certificateErrorText");
return {
text: text.textContent,
};
});
Assert.ok(message.text.includes(GOOD_PAGE), "Correct URL found");
BrowserTestUtils.removeTab(gBrowser.selectedTab);
BrowserTestUtils.removeTab(tab);
}
await SpecialPowers.popPrefEnv();
// Certificate transparency can only be enforced for our test certificates in
// debug builds.
}).skip(!AppConstants.DEBUG);
add_task(async function testCertificateTransparency_feltPrivacyTrue() {
info(
"Test that when certificate transparency is enforced, the right error page is shown."
);
// Enforce certificate transparency for certificates issued by our test root.
// This is only possible in debug builds, hence skipping this test in
// non-debug builds (see below).
await SpecialPowers.pushPrefEnv({
set: [
["security.pki.certificate_transparency.mode", 2],
[
"security.test.built_in_root_hash",
"8D:9D:57:09:E5:7D:D5:C6:4B:BE:24:70:E9:E5:BF:FF:16:F6:F2:C2:49:4E:0F:B9:37:1C:DD:3A:0E:10:45:F4",
],
["security.certerrors.felt-privacy-v1", true],
],
});
for (let useFrame of [false, true]) {
const tab = await openErrorPage(GOOD_PAGE, useFrame);
const browser = tab.linkedBrowser;
let bc = browser.browsingContext;
if (useFrame) {
bc = bc.children[0];
}
const message = await SpecialPowers.spawn(bc, [], async function () {
const doc = content.document;
const netErrorCard = doc.querySelector("net-error-card").wrappedJSObject;
await netErrorCard.getUpdateComplete();
netErrorCard.advancedButton.scrollIntoView();
EventUtils.synthesizeMouseAtCenter(
netErrorCard.advancedButton,
{},
content
);
await ContentTaskUtils.waitForCondition(() => {
return (
netErrorCard.whyDangerous &&
netErrorCard.whyDangerous.textContent != ""
);
}, "Waiting for why dangerous text");
const args = JSON.parse(netErrorCard.whyDangerous.dataset.l10nArgs);
Assert.strictEqual(
args.hostname,
"example.com",
"Should list hostname in error message."
);
// Wait until fluent sets the errorCode inner text.
await ContentTaskUtils.waitForCondition(() => {
return (
netErrorCard.errorCode && netErrorCard.errorCode.textContent != ""
);
}, "error code has been set inside the advanced button panel");
netErrorCard.errorCode.scrollIntoView();
EventUtils.synthesizeMouseAtCenter(netErrorCard.errorCode, {}, content);
await ContentTaskUtils.waitForCondition(() => {
return (
netErrorCard.certErrorText &&
netErrorCard.certErrorText.textContent != ""
);
}, "Certificate Error is showing");
return {
certText: netErrorCard.certErrorText.textContent,
errorCode: netErrorCard.errorCode.textContent,
tagName: netErrorCard.errorCode.tagName.toLowerCase(),
};
});
Assert.ok(
message.errorCode.includes(
"MOZILLA_PKIX_ERROR_INSUFFICIENT_CERTIFICATE_TRANSPARENCY"
),
"Correct error message found"
);
Assert.strictEqual(message.tagName, "a", "Error message is a link");
Assert.ok(message.certText.includes(GOOD_PAGE), "Correct URL found");
BrowserTestUtils.removeTab(gBrowser.selectedTab);
}
await SpecialPowers.popPrefEnv();
// Certificate transparency can only be enforced for our test certificates in
// debug builds.
}).skip(!AppConstants.DEBUG);
/**
* A reusable helper that runs assertions on a network error page.
* It encapsulates the SpecialPowers.spawn call to be CSP-compliant.
*
* @param {object} params - Parameters for the assertion.
* @param {string} params.expectedUrl - The URL to load and check.
* @param {string} params.expectedHostname - The expected hostname to assert in the error page.
* @param {string} params.expectedErrorCode - The expected error code to assert.
* @param {string} params.expectedInfo - Info string for logging.
* @param {string} params.expectedErrorMessage - Error message to assert in the error text.
* @param {boolean} params.expectedHpkp - HPKP value to assert in the error text.
*/
async function assertNetErrorPage({
expectedUrl,
expectedHostname,
expectedErrorCode,
expectedInfo,
expectedErrorMessage,
expectedHpkp,
}) {
await setSecurityCertErrorsFeltPrivacyToTrue();
info(`${expectedInfo}`);
for (let useFrame of [false, true]) {
let tab = await openErrorPage(expectedUrl, useFrame);
let browser = tab.linkedBrowser;
let bc = browser.browsingContext;
if (useFrame) {
bc = bc.children[0];
}
const newTabPromise = BrowserTestUtils.waitForNewTab(gBrowser, null, true);
const contentData = await SpecialPowers.spawn(
bc,
[expectedHostname, expectedErrorCode],
async function (hostname, errorCode) {
const netErrorCard =
content.document.querySelector("net-error-card").wrappedJSObject;
await netErrorCard.getUpdateComplete();
// Assert Error Card Basics
Assert.ok(
netErrorCard.certErrorBodyTitle,
"The error page title should exist."
);
const shortDesc = netErrorCard.certErrorIntro;
const shortDescArgs = JSON.parse(shortDesc.dataset.l10nArgs);
Assert.equal(
shortDescArgs.hostname,
hostname,
"Should list hostname in error message."
);
// Assert Advanced button
Assert.ok(
!netErrorCard.advancedContainer,
"The Advanced container should NOT be found in shadow DOM before click."
);
const advancedButton = netErrorCard.advancedButton;
Assert.ok(advancedButton, "The advanced button should exist.");
Assert.equal(
advancedButton.dataset.l10nId,
"fp-certerror-advanced-button",
"Button should have the 'advanced' l10n ID."
);
advancedButton.scrollIntoView(true);
EventUtils.synthesizeMouseAtCenter(advancedButton, {}, content);
await ContentTaskUtils.waitForCondition(
() => netErrorCard.advancedContainer,
"Wait for the advanced container."
);
const hideExceptionButton = netErrorCard.shouldHideExceptionButton();
if (!hideExceptionButton) {
await ContentTaskUtils.waitForCondition(
() =>
netErrorCard.exceptionButton &&
!netErrorCard.exceptionButton.disabled,
"Wait for the exception button to be created."
);
Assert.ok(
!netErrorCard.exceptionButton.disabled,
"The exception button is now enabled."
);
}
Assert.equal(
advancedButton.dataset.l10nId,
"fp-certerror-hide-advanced-button",
"Button should have the 'hide-advanced' l10n ID."
);
Assert.ok(
netErrorCard.advancedShowing,
"Advanced showing attribute should be true"
);
// Assert Error Code
const certErrorCodeLink = netErrorCard.errorCode;
Assert.equal(
certErrorCodeLink.textContent,
`Error Code: ${errorCode}`,
"Error code text is as expected"
);
Assert.equal(
certErrorCodeLink.tagName.toLowerCase(),
"a",
"Error code is a link"
);
certErrorCodeLink.scrollIntoView(true);
EventUtils.synthesizeMouseAtCenter(certErrorCodeLink, {}, content);
await ContentTaskUtils.waitForMutationCondition(
netErrorCard,
{ attributeFilter: ["certErrorDebugInfoShowing"] },
() => netErrorCard.certErrorDebugInfoShowing
);
Assert.ok(
netErrorCard.certErrorDebugInfoShowing,
"The 'certErrorDebugInfoShowing' boolean should be toggled (to true) after Advance button click on assertAdvancedButton."
);
Assert.ok(netErrorCard.certErrorText, "Error Code Detail should exist");
// Assert Site Certificate
info("Clicking the View Certificate button in advanced panel");
netErrorCard.viewCertificate.scrollIntoView(true);
EventUtils.synthesizeMouseAtCenter(
netErrorCard.viewCertificate,
{},
content
);
// Extract data needed by the parent process
const failedCertChain =
content.docShell.failedChannel.securityInfo.handshakeCertificates.map(
cert => cert.getBase64DERString()
);
return {
errorText: netErrorCard.certErrorText.textContent,
rawCertChain: failedCertChain,
};
}
);
Assert.ok(
contentData.errorText.includes(expectedHostname),
"Correct URL found"
);
Assert.ok(
contentData.errorText.includes(expectedErrorMessage),
"Correct error message exists"
);
Assert.ok(
contentData.errorText.includes("HTTP Strict Transport Security: false"),
"Correct HSTS value exists"
);
Assert.ok(
contentData.errorText.includes(
`HTTP Public Key Pinning: ${expectedHpkp}`
),
"Correct HPKP value exists"
);
info("Loading the about:certificate page");
let newTab = await newTabPromise;
// Parent process checking if certificate viewer opened
const spec = gBrowser.currentURI.spec;
Assert.ok(
spec.startsWith("about:certificate"),
"about:certificate is the new opened tab"
);
await SpecialPowers.spawn(
gBrowser.selectedTab.linkedBrowser,
[expectedHostname],
async function (hostname) {
const doc = content.document;
const certificateSection = await ContentTaskUtils.waitForCondition(
() => {
// Content process checking if we're no longer on the error page
Assert.ok(
!doc.documentURI.startsWith("about:certerror"),
"We are now in a new tab with content including: about:certificate"
);
return doc.querySelector("certificate-section");
},
"Certificate section found"
);
const infoGroup =
certificateSection.shadowRoot.querySelector("info-group");
Assert.ok(infoGroup, "infoGroup found");
const items = infoGroup.shadowRoot.querySelectorAll("info-item");
const commonNameID = items[items.length - 1].shadowRoot
.querySelector("label")
.getAttribute("data-l10n-id");
Assert.equal(
commonNameID,
"certificate-viewer-common-name",
"The correct item was selected"
);
const commonNameValue =
items[items.length - 1].shadowRoot.querySelector(".info").textContent;
// Structuring the logic this way avoids issue to be addressed
// in most cases the values match, "self-signed.example.com", "self-signed.example.com"
// in the case of pinning, the commonNameValue is shorter, "pinning-test.example.com",
// than the hostname "badchain.include-subdomains.pinning.example.com"
// as a temporary measure I have reversed the logic such that hostname includes commonNameValue
Assert.ok(
hostname.includes(commonNameValue),
"Error text should include the expected hostname"
);
}
);
BrowserTestUtils.removeTab(newTab);
BrowserTestUtils.removeTab(tab);
}
}
/**
* A reusable helper that runs assertions on a view-source network error page.
* It encapsulates the SpecialPowers.spawn call to be CSP-compliant.
*
* @param {object} params - Parameters for the assertion.
* @param {string} params.expectedHostname - The expected hostname to assert in the error page.
* @param {string} params.expectedUrl - The URL to load and check.
*/
async function assertViewSourceNetErrorPage({
expectedHostname,
expectedUrl,
expectedInfo,
}) {
await setSecurityCertErrorsFeltPrivacyToTrue();
info(`${expectedInfo}`);
let tab = await openErrorPage(expectedUrl);
const browser = tab.linkedBrowser;
const loaded = BrowserTestUtils.browserLoaded(browser, false, expectedUrl);
await SpecialPowers.spawn(browser, [], async function () {
const netErrorCard =
content.document.querySelector("net-error-card").wrappedJSObject;
await netErrorCard.getUpdateComplete();
// Advanced button
const advancedButton = netErrorCard.advancedButton;
advancedButton.scrollIntoView(true);
EventUtils.synthesizeMouseAtCenter(advancedButton, {}, content);
await ContentTaskUtils.waitForCondition(
() =>
netErrorCard.exceptionButton && !netErrorCard.exceptionButton.disabled,
"Wait for the exception button to be created."
);
info("Clicking the Proceed Risky button in advanced panel");
netErrorCard.exceptionButton.scrollIntoView(true);
EventUtils.synthesizeMouseAtCenter(
netErrorCard.exceptionButton,
{},
content
);
});
info("Loading the url after proceeding with risk");
await loaded;
// Clean up the cert override
const certOverrideService = Cc[
"@mozilla.org/security/certoverride;1"
].getService(Ci.nsICertOverrideService);
certOverrideService.clearValidityOverride(expectedHostname, -1, {});
// To ensure the state is reset, reload and wait for the error page to return.
info("Reloading to ensure the certificate override was cleared.");
const errorPageLoaded = BrowserTestUtils.waitForErrorPage(browser);
BrowserCommands.reloadSkipCache();
await errorPageLoaded;
info("Override cleared and error page is shown again.");
BrowserTestUtils.removeTab(tab);
}
// Security CertError Felt Privacy set to true only
add_task(async function checkReturnToPreviousPage_feltPrivacyToTrue() {
await setSecurityCertErrorsFeltPrivacyToTrue();
info(
"Loading a bad cert page and making sure 'return to previous page' goes back"
);
for (let useFrame of [false, true]) {
let tab;
let browser;
if (useFrame) {
tab = await BrowserTestUtils.openNewForegroundTab(gBrowser, GOOD_PAGE);
browser = tab.linkedBrowser;
await SpecialPowers.spawn(browser, [], () => {
content.document.notifyUserGestureActivation();
});
BrowserTestUtils.startLoadingURIString(browser, GOOD_PAGE_2);
await BrowserTestUtils.browserLoaded(browser, false, GOOD_PAGE_2);
await injectErrorPageFrame(tab, BAD_CERT);
} else {
tab = await BrowserTestUtils.openNewForegroundTab(gBrowser, GOOD_PAGE);
browser = gBrowser.selectedBrowser;
await SpecialPowers.spawn(browser, [], () => {
content.document.notifyUserGestureActivation();
});
info("Loading and waiting for the cert error");
const certErrorLoaded = BrowserTestUtils.waitForErrorPage(browser);
BrowserTestUtils.startLoadingURIString(browser, BAD_CERT);
await certErrorLoaded;
}
Assert.ok(browser.webNavigation.canGoBack, "webNavigation.canGoBack");
Assert.ok(
!browser.webNavigation.canGoForward,
"!webNavigation.canGoForward"
);
// Populate the shistory entries manually, since it happens asynchronously
// and the following tests will be too soon otherwise.
await TabStateFlusher.flush(browser);
const { entries } = JSON.parse(SessionStore.getTabState(tab));
Assert.equal(entries.length, 2, "there are two history entries");
info("Clicking the go back button on about:certerror");
let bc = browser.browsingContext;
if (useFrame) {
bc = bc.children[0];
}
const pageShownPromise = BrowserTestUtils.waitForContentEvent(
browser,
"pageshow",
true
);
await SpecialPowers.spawn(bc, [useFrame], async function () {
const netErrorCard =
content.document.querySelector("net-error-card").wrappedJSObject;
await netErrorCard.getUpdateComplete();
const returnButton = netErrorCard.returnButton;
returnButton.scrollIntoView(true);
EventUtils.synthesizeMouseAtCenter(returnButton, {}, content);
});
await pageShownPromise;
Assert.ok(!browser.webNavigation.canGoBack, "!webNavigation.canGoBack");
Assert.ok(browser.webNavigation.canGoForward, "webNavigation.canGoForward");
Assert.equal(gBrowser.currentURI.spec, GOOD_PAGE, "Went back");
BrowserTestUtils.removeTab(gBrowser.selectedTab);
}
});
add_task(async function checkAdvancedDetails_feltPrivacyToTrue() {
// Helper function does all the content-side checks.
await assertNetErrorPage({
expectedUrl: BAD_CERT,
expectedHostname: new URL(BAD_CERT).hostname,
expectedErrorCode: "SEC_ERROR_EXPIRED_CERTIFICATE",
expectedInfo:
"Loading a bad cert page and verifying the main error and advanced details section",
expectedErrorMessage: "Certificate has expired",
expectedHpkp: false,
});
});
add_task(async function checkAdvancedDetailsForHSTS_feltPrivacyToTrue() {
// Helper function does all the content-side checks.
await assertNetErrorPage({
expectedUrl: BAD_STS_CERT,
expectedHostname: new URL(BAD_STS_CERT).hostname,
expectedErrorCode: "SSL_ERROR_BAD_CERT_DOMAIN",
expectedInfo:
"Loading a bad STS cert page and verifying the advanced details section",
expectedErrorMessage:
"requested domain name does not match the server\u2019s certificate", // Expected error message
expectedHpkp: true,
});
});
add_task(async function checkUnknownIssuerDetails_feltPrivacyToTrue() {
// Helper function does all the content-side checks.
await assertNetErrorPage({
expectedUrl: UNKNOWN_ISSUER,
expectedHostname: new URL(UNKNOWN_ISSUER).hostname,
expectedErrorCode: "MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT",
expectedInfo:
"Loading a cert error for self-signed pages and checking the correct link is shown",
expectedErrorMessage:
"The certificate is not trusted because it is self-signed.",
expectedHpkp: false,
});
});
add_task(async function checkViewSource_feltPrivacyToTrue() {
await assertViewSourceNetErrorPage({
expectedHostname: new URL(BAD_CERT).hostname,
expectedUrl: "view-source:" + BAD_CERT,
expectedInfo:
"Loading a bad sts cert error in a sandboxed iframe and check that the correct headline is shown",
});
});
add_task(async function checkSandboxedIframe_feltPrivacyToTrue() {
await setSecurityCertErrorsFeltPrivacyToTrue();
info(
"Loading a bad sts cert error in a sandboxed iframe and check that the correct headline is shown"
);
let useFrame = true;
let sandboxed = true;
let tab = await openErrorPage(BAD_CERT, useFrame, sandboxed);
let browser = tab.linkedBrowser;
let bc = browser.browsingContext.children[0];
await SpecialPowers.spawn(bc, [], async function () {
const netErrorCard =
content.document.querySelector("net-error-card").wrappedJSObject;
await netErrorCard.getUpdateComplete();
// Assert Error Card Basics
Assert.ok(
netErrorCard.certErrorBodyTitle,
"The error page title should exist."
);
const advancedButton = netErrorCard.advancedButton;
advancedButton.scrollIntoView(true);
EventUtils.synthesizeMouseAtCenter(advancedButton, {}, content);
await ContentTaskUtils.waitForCondition(
() => netErrorCard.advancedContainer,
"Wait for the advanced container."
);
const hideExceptionButton = netErrorCard.shouldHideExceptionButton();
if (!hideExceptionButton) {
await ContentTaskUtils.waitForCondition(
() =>
netErrorCard.exceptionButton &&
!netErrorCard.exceptionButton.disabled,
"Wait for the exception button to be created."
);
}
// Assert Error Code
const certErrorCodeLink = netErrorCard.errorCode;
Assert.equal(
certErrorCodeLink.textContent,
`Error Code: SEC_ERROR_EXPIRED_CERTIFICATE`,
"Error Code is as expected"
);
Assert.equal(
certErrorCodeLink.tagName.toLowerCase(),
"a",
"Error Code is a link"
);
});
BrowserTestUtils.removeTab(gBrowser.selectedTab);
});