test_upgrade_insecure.html

Enable keyboard shortcuts

This test gets skipped with pattern: os == 'linux' && bits == 64 OR os == 'android'
This test failed 10 times in the preceding 30 days. quicksearch this test
Manifest: dom/security/test/csp/mochitest.toml

<!DOCTYPE HTML>

<html>

<head>

  <meta charset="utf-8">

  <title>Bug 1139297 - Implement CSP upgrade-insecure-requests directive</title>

  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->

  <script src="/tests/SimpleTest/SimpleTest.js"></script>

  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />

</head>

<body>

<iframe style="width:100%;" id="testframe"></iframe>

<script class="testbody" type="text/javascript">

/* Description of the test:

 * We load resources (img, script, sytle, etc) over *http* and make sure

 * that all the resources get upgraded to use  >> https << when the

 * csp-directive "upgrade-insecure-requests" is specified. We further

 * test that subresources within nested contexts (iframes) get upgraded

 * and also test the handling of server side redirects.

 * In detail:

 * We perform an XHR request to the *.sjs file which is processed async on

 * the server and waits till all the requests were processed by the server.

 * Once the server received all the different requests, the server responds

 * to the initial XHR request with an array of results which must match

 * the expected results from each test, making sure that all requests

 * received by the server (*.sjs) were actually *https* requests.

*/

const { AppConstants } = SpecialPowers.ChromeUtils.importESModule(

  "resource://gre/modules/AppConstants.sys.mjs"

);

const UPGRADE_POLICY =

  "upgrade-insecure-requests;" +               // upgrade all http requests to https

  "block-all-mixed-content;" +                 // upgrade should be enforced before block-all.

  "default-src https: wss: 'unsafe-inline';" + // only allow https: and wss:

  "form-action https:;";                       // explicit, no fallback to default-src

const UPGRADE_POLICY_NO_DEFAULT_SRC =

  "upgrade-insecure-requests;" +               // upgrade all http requests to https

  "script-src 'unsafe-inline' *";              // we have to allowlist the inline scripts

                                               // in the test.

const NO_UPGRADE_POLICY =

  "default-src http: ws: 'unsafe-inline';" +   // allow http:// and ws://

  "form-action http:;";                        // explicit, no fallback to default-src

var tests = [

  { // (1) test that all requests within an >> https << page get updated

    policy: UPGRADE_POLICY,

    topLevelScheme: "https://",

    description: "upgrade all requests on toplevel https",

    deliveryMethod: "header",

    results: [

      "iframe-ok", "script-ok", "img-ok", "img-redir-ok", "font-ok", "xhr-ok", "style-ok",

      "media-ok", "object-ok", "form-ok", "nested-img-ok"

},

  { // (2) test that all requests within an >> http << page get updated

    policy: UPGRADE_POLICY,

    topLevelScheme: "http://",

    description: "upgrade all requests on toplevel http",

    deliveryMethod: "header",

    results: [

      "iframe-ok", "script-ok", "img-ok", "img-redir-ok", "font-ok", "xhr-ok", "style-ok",

      "media-ok", "object-ok", "form-ok", "nested-img-ok"

},

  { // (3) test that all requests within an >> http << page get updated, but do

    //     not specify a default-src directive.

    policy: UPGRADE_POLICY_NO_DEFAULT_SRC,

    topLevelScheme: "http://",

    description: "upgrade all requests on toplevel http where default-src is not specified",

    deliveryMethod: "header",

    results: [

      "iframe-ok", "script-ok", "img-ok", "img-redir-ok", "font-ok", "xhr-ok", "style-ok",

      "media-ok", "object-ok", "form-ok", "nested-img-ok"

},

  { // (4) test that no requests get updated if >> upgrade-insecure-requests << is not used

    policy: NO_UPGRADE_POLICY,

    topLevelScheme: "http://",

    description: "do not upgrade any requests on toplevel http",

    deliveryMethod: "header",

    results: [

      "iframe-error", "script-error", "img-error", "img-redir-error", "font-error",

      "xhr-error", "style-error", "media-error", "object-error", "form-error",

      "nested-img-error"

},

  { // (5) test that all requests within an >> https << page using meta CSP get updated

    // policy: UPGRADE_POLICY, that test uses UPGRADE_POLICY within

    //                         file_upgrade_insecure_meta.html

    //                         no need to define it within that object.

    topLevelScheme: "https://",

    description: "upgrade all requests on toplevel https using meta csp",

    deliveryMethod: "meta",

    results: [

      "iframe-ok", "script-ok", "img-ok", "img-redir-ok", "font-ok", "xhr-ok", "style-ok",

      "media-ok", "object-ok", "form-ok", "nested-img-ok"

},

];

// TODO: WebSocket tests are not supported on Android Yet. Bug 1566168.

if (AppConstants.platform !== "android") {

    for (let test of tests) {

        test.results.push(test.results[0] == "iframe-ok" ? "websocket-ok" : "websocket-error");

var counter = 0;

var curTest;

function loadTestPage() {

  curTest = tests[counter++];

  var src = curTest.topLevelScheme + "example.com/tests/dom/security/test/csp/file_testserver.sjs?file=";

  if (curTest.deliveryMethod === "header") {

    // append the file that should be served

    src += escape("tests/dom/security/test/csp/file_upgrade_insecure.html");

    // append the CSP that should be used to serve the file

    src += "&csp=" + escape(curTest.policy);

  else {

    src += escape("tests/dom/security/test/csp/file_upgrade_insecure_meta.html");

    // no csp here, since it's in the meta element

  document.getElementById("testframe").src = src;

function finishTest() {

  window.removeEventListener("message", receiveMessage);

  SimpleTest.finish();

function checkResults(result) {

    // try to find the expected result within the results array

  var index = curTest.results.indexOf(result);

  isnot(index, -1, curTest.description + " (result: " + result + ")");

  // take the element out the array and continue till the results array is empty

  if (index != -1) {

    curTest.results.splice(index, 1);

  // lets check if we are expecting more results to bubble up

  if (curTest.results.length) {

    return;

  // lets see if we ran all the tests

  if (counter == tests.length) {

    finishTest();

    return;

  // otherwise it's time to run the next test

  runNextTest();

// a postMessage handler that is used by sandboxed iframes without

// 'allow-same-origin' to bubble up results back to this main page.

window.addEventListener("message", receiveMessage);

function receiveMessage(event) {

  checkResults(event.data.result);

function runNextTest() {

  // sends an xhr request to the server which is processed async, which only

  // returns after the server has received all the expected requests.

  var myXHR = new XMLHttpRequest();

  myXHR.open("GET", "file_upgrade_insecure_server.sjs?queryresult");

  myXHR.onload = function(e) {

    var results = myXHR.responseText.split(",");

    for (var index in results) {

      checkResults(results[index]);

  myXHR.onerror = function(e) {

    ok(false, "could not query results from server (" + e.message + ")");

    finishTest();

  myXHR.send();

  // give it some time and run the testpage

  SimpleTest.executeSoon(loadTestPage);

SimpleTest.waitForExplicitFinish();

runNextTest();

</script>

</body>

</html>