test_upgrade_insecure_cors.html

Enable keyboard shortcuts

<!DOCTYPE HTML>

<html>

<head>

  <meta charset="utf-8">

  <title>Bug 1139297 - Implement CSP upgrade-insecure-requests directive</title>

  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->

  <script src="/tests/SimpleTest/SimpleTest.js"></script>

  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />

</head>

<body>

<iframe style="width:100%;" id="testframe"></iframe>

<script class="testbody" type="text/javascript">

/* Description of the test:

 * We load a page serving two XHR requests (including being redirected);

 * one that should not require CORS and one that should require cors, in particular:

 * Test 1:

 *   Main page:   https://test1.example.com

 *   XHR request: http://test1.example.com

 *   Redirect to: http://test1.example.com

 *   Description: Upgrade insecure should upgrade from http to https and also

 *                surpress CORS for that case.

 * Test 2:

 *   Main page:   https://test1.example.com

 *   XHR request: http://test1.example.com

 *   Redirect to: http://test1.example.com:443

 *   Description: Upgrade insecure should upgrade from http to https and also

 *                prevent CORS for that case.

 *   Note: If redirecting to a different port, then CORS *should* be enforced (unless

 *         it's port 443). Unfortunately we can't test that because of the setup of our

 *         *.sjs files; they only are able to listen to port 443, see:

 *         http://mxr.mozilla.org/mozilla-central/source/build/pgo/server-locations.txt#98

 * Test 3:

 *   Main page:   https://test1.example.com

 *   XHR request: http://test2.example.com

 *   Redirect to: http://test1.example.com

 *   Description: Upgrade insecure should *not* prevent CORS since

 *                the page performs a cross origin xhr.

*/

const CSP_POLICY = "upgrade-insecure-requests; script-src 'unsafe-inline'";

var tests = 3;

function loadTest() {

  var src = "https://test1.example.com/tests/dom/security/test/csp/file_testserver.sjs?file=";

  // append the file that should be served

  src += escape("tests/dom/security/test/csp/file_upgrade_insecure_cors.html")

  // append the CSP that should be used to serve the file

  src += "&csp=" + escape(CSP_POLICY);

  document.getElementById("testframe").src = src;

function checkResult(result) {

  if (result === "test1-no-cors-ok" ||

      result === "test2-no-cors-diffport-ok" ||

      result === "test3-cors-ok") {

    ok(true, "'upgrade-insecure-requests' acknowledges CORS (" + result + ")");

  else {

    ok(false, "'upgrade-insecure-requests' acknowledges CORS (" + result + ")");

  if (--tests > 0) {

    return;

  window.removeEventListener("message", receiveMessage);

  SimpleTest.finish();

// a postMessage handler that is used to bubble up results from

// within the iframe.

window.addEventListener("message", receiveMessage);

function receiveMessage(event) {

  checkResult(event.data);

SimpleTest.waitForExplicitFinish();

loadTest();

</script>

</body>

</html>