test_use_with_hsts.html

<!DOCTYPE HTML>

<html>

<!--

https://bugzilla.mozilla.org/show_bug.cgi?id=1247733

-->

<head>

  <meta charset="utf-8">

  <title>Test for Bug 1247733</title>

  <script src="/tests/SimpleTest/SimpleTest.js"></script>

  <script src="/tests/SimpleTest/WindowSnapshot.js"></script>

  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>

</head>

<body>

<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1247733">Mozilla Bug 1247733</a>

<p id="display">

  <iframe id="myIframe"></iframe>

</p>

<div id="content" style="display: none">

</div>

<pre id="test"></pre>

<script type="application/javascript">

  /** Test for Bug 1247733 **/

/**

   * This test ensures that we render the SVG 'use' element correctly, in

   * pages that have been upgraded from HTTP to HTTPS using strict transport

   * security (HSTS)

   * Specifically:

   *  (1) We load a file using HTTPS, in an iframe. The file gets sent

   *      with a Strict-Transport-Security flag.

   *  (2) We load the same file again, but now over HTTP (which should get

   *      upgraded to HTTPS, since we received the Strict-Transport-Security

   *      flag during the first load).

   *  (3) After each of the above loads, we take a snapshot of the iframe

   *      and ensure that it renders as fully lime (which the 'use' element

   *      is responsible for). If the 'use' element fails to render, the iframe

   *      will be fully red, and we'll fail an "assertSnapshots" check.

*/

  SimpleTest.waitForExplicitFinish();

  const iframe = document.getElementById("myIframe");

  const iframeWin = iframe.contentWindow;

  // URI for our testcase with 'use' element, via HTTP and HTTPS:

  const insecureURI = "http://example.com/tests/dom/svg/test/use-with-hsts-helper.html";

  const secureURI   = "https://example.com/tests/dom/svg/test/use-with-hsts-helper.html";

  // Bookkeeping to be sure receiveMessage is called as many times as we expect:

  var numPostMessageCalls = 0;

  const expectedNumPostMessageCalls = 2; // (We load the helper file twice.)

  // Helper function, called via postMessage, to check iframe's actual location:

  function receiveMessage(event) {

    is(event.data, secureURI, "iframe should end up viewing secure URI");

    numPostMessageCalls++;

  // Convenience helper which makes |iframe| load the given |uri|. Returns

  // a promise that resolves when the load completes. This makes it handy to

  // use with 'await', to avoid onload callback hell.

  async function LoadIframeAsync(uri) {

    return new Promise(resolve => {

      iframe.addEventListener("load", resolve, {once: true});

      // Kick off the requested load:

      iframe.src = uri;

});

  // MAIN TEST CODE BEGINS HERE.

  async function runTest() {

    // Capture a snapshot with nothing in the iframe, so we can do a

    // sanity-check not-equal comparison against our reference case, to be

    // sure we're rendering anything at all:

    let blankSnapshot = await snapshotWindow(iframeWin);

    // Load & snapshot a reference case (fully lime):

    await LoadIframeAsync("data:text/html,<body style='background:lime'>");

    let refSnapshot = await snapshotWindow(iframeWin);

    // Ensure reference snapshot looks different from blank snapshot:

    assertSnapshots(refSnapshot, blankSnapshot,

                    false /* not equal*/, null /* no fuzz*/,

                    "refSnapshot", "blankSnapshot");

    // OK, assuming we've got a valid refSnapshot, we can now proceed to

    // capture test screenshots.

    // Register a postMessage handler, so that iframe can report its location:

    window.addEventListener("message", receiveMessage);

    // Load & snapshot secure (HTTPS) version of testcase, & check against ref:

    await LoadIframeAsync(secureURI);

    let secureSnapshot = await snapshotWindow(iframeWin);

    assertSnapshots(secureSnapshot, refSnapshot,

                    true /* equal*/, null /* no fuzz*/,

                    "secureSnapshot", "refSnapshot");

    // Load insecure (HTTP) version of testcase (which should get

    // automatically upgraded to secure (HTTPS) under the hood):

    await LoadIframeAsync(insecureURI);

    // Double-check that iframe is really pointed at insecure URI, to be sure

    // we're actually exercising HSTS. (Note that receiveMessage() will make

    // sure it's been upgraded to a secure HTTPS URI under the hood.)

    is(iframe.src, insecureURI,

       "test should've attempted to load insecure HTTP URI, to exercise HSTS");

    // Capture snapshot of iframe showing upgraded-to-HTTPS version of testcase:

    let upgradedSnapshot = await snapshotWindow(iframeWin);

    assertSnapshots(upgradedSnapshot, refSnapshot,

                    true /* equal*/, null /* no fuzz*/,

                    "upgradedSnapshot", "refSnapshot");

    // Check that the iframe did actually invoke our postMessage handler (which

    // is where we verify that the HSTS upgrade actually happened):

    is(numPostMessageCalls, expectedNumPostMessageCalls,

      "didn't receive as many messages from child iframe as expected");

    // We're done! Clear the STS headers that we set, and finish.

    SpecialPowers.cleanUpSTSData("http://example.com");

    SimpleTest.finish();

  SpecialPowers.pushPrefEnv(

    { 'set': [["security.mixed_content.block_active_content", false]] },

    function() { runTest(); }

);

</script>

</body>

</html>