summaryrefslogtreecommitdiff
path: root/dom/svg/test/test_use_with_hsts.html
blob: 1c5952707d914785c1d345206eb800411eca8b5d (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
<!DOCTYPE HTML>
<html>
<!--
https://bugzilla.mozilla.org/show_bug.cgi?id=1247733
-->
<head>
  <meta charset="utf-8">
  <title>Test for Bug 1247733</title>
  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
  <script type="application/javascript" src="/tests/SimpleTest/WindowSnapshot.js"></script>
  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
</head>
<body>
<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1247733">Mozilla Bug 1247733</a>
<p id="display">
  <iframe id="myIframe"></iframe>
</p>
<div id="content" style="display: none">

</div>
<pre id="test"></pre>
<script type="application/javascript">
  /** Test for Bug 1247733 **/

  /**
   * This test ensures that we render the SVG 'use' element correctly, in
   * pages that have been upgraded from HTTP to HTTPS using strict transport
   * security (HSTS)
   *
   * Specifically:
   *  (1) We load a file using HTTPS, in an iframe. The file gets sent
   *      with a Strict-Transport-Security flag.
   *  (2) We load the same file again, but now over HTTP (which should get
   *      upgraded to HTTPS, since we received the Strict-Transport-Security
   *      flag during the first load).
   *  (3) After each of the above loads, we take a snapshot of the iframe
   *      and ensure that it renders as fully lime (which the 'use' element
   *      is responsible for). If the 'use' element fails to render, the iframe
   *      will be fully red, and we'll fail an "assertSnapshots" check.
   */
  SimpleTest.waitForExplicitFinish();

  const iframe = document.getElementById("myIframe");
  const iframeWin = iframe.contentWindow;

  // URI for our testcase with 'use' element, via HTTP and HTTPS:
  const insecureURI = "http://example.com/tests/dom/svg/test/use-with-hsts-helper.html";
  const secureURI   = "https://example.com/tests/dom/svg/test/use-with-hsts-helper.html";

  // Snapshots that we'll populate below:
  var blankSnapshot;  // Snapshot of blank iframe.
  var refSnapshot;    // Snapshot of lime reference rendering in iframe.
  var secureSnapshot; // Snapshot of testcase using HTTPS.
  var upgradedSnapshot; // Snapshot of testcase using HTTP-upgraded-to-HTTPS.

  // Bookkeeping to be sure receiveMessage is called as many times as we expect:
  var numPostMessageCalls = 0;
  const expectedNumPostMessageCalls = 2; // (We load the helper file twice.)

  // Helper function, called via postMessage, to check iframe's actual location:
  function receiveMessage(event) {
    is(event.data, secureURI, "iframe should end up viewing secure URI");
    numPostMessageCalls++;
  }

  // TEST CODE BEGINS HERE.
  // Execution basically proceeds top-to-bottom through the functions
  // from this point on, via a chain of iframe onload-callbacks.
  function runTest() {
    // Capture a snapshot with nothing in the iframe, so we can do a
    // sanity-check not-equal comparison against our reference case, to be
    // sure we're rendering anything at all:
    blankSnapshot = snapshotWindow(iframeWin);

    // Point iframe at a reference case:
    iframe.onload = captureRefSnapshot;
    iframe.src = "data:text/html,<body style='background:lime'>";
  }

  function captureRefSnapshot() {
    // Capture the reference screenshot:
    refSnapshot = snapshotWindow(iframeWin);

    // Ensure reference-case looks different from blank snapshot:
    assertSnapshots(refSnapshot, blankSnapshot,
                    false /*not equal*/, null /*no fuzz*/,
                    "refSnapshot", "blankSnapshot");

    // OK, assuming we've got a valid refSnapshot, we can now proceed to
    // capture test screenshots.

    // Register a postMessage handler, so that iframe can report its location:
    window.addEventListener("message", receiveMessage, false);

    // Point iframe at secure (HTTPS) version of testcase, & wait for callback:
    iframe.onload = captureSecureSnapshot;
    iframe.src = secureURI;
  }

  function captureSecureSnapshot() {
    // Capture snapshot of iframe showing always-HTTPS version of testcase:
    secureSnapshot = snapshotWindow(iframeWin);
    assertSnapshots(secureSnapshot, refSnapshot,
                    true /*equal*/, null /*no fuzz*/,
                    "secureSnapshot", "refSnapshot");

    // Point iframe at insecure (HTTP) version of testcase (which should get
    // automatically upgraded to secure (HTTPS) under the hood), & wait for
    // callback:
    iframe.onload = captureUpgradedSnapshot;
    iframe.src = insecureURI;
  }

  function captureUpgradedSnapshot() {
    // Double-check that iframe is really pointed at insecure URI, to be sure
    // we're actually exercising HSTS. (Note that receiveMessage() will make
    // sure it's been upgraded to a secure HTTPS URI under the hood.)
    is(iframe.src, insecureURI,
       "test should've attempted to load insecure HTTP URI, to exercise HSTS");

    // Capture snapshot of iframe showing upgraded-to-HTTPS version of testcase:
    upgradedSnapshot = snapshotWindow(iframeWin);
    assertSnapshots(upgradedSnapshot, refSnapshot,
                    true /*equal*/, null /*no fuzz*/,
                    "upgradedSnapshot", "refSnapshot");
    cleanupAndFinish();
  }

  function cleanupAndFinish() {
    is(numPostMessageCalls, expectedNumPostMessageCalls,
      "didn't receive as many messages from child iframe as expected");
    SpecialPowers.cleanUpSTSData("http://example.com");
    SimpleTest.finish();
  }

  runTest();
</script>
</body>
</html>