browser_redirect_tainting.js

Enable keyboard shortcuts

/* This Source Code Form is subject to the terms of the Mozilla Public

 * License, v. 2.0. If a copy of the MPL was not distributed with this

 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

// Test steps:

// 1. Load file_redirect_tainting.sjs?html.

// 2. The server returns an html which loads an image at http://example.net.

// 3. The image request will be upgraded to HTTPS since HTTPS-only mode is on.

// 4. In file_redirect_tainting.sjs, we set "Access-Control-Allow-Origin" to

//    the value of the Origin header.

// 5. If the vlaue does not match, the image won't be loaded.

async function do_test() {

  let requestUrl = `https://example.com/browser/dom/security/test/https-only/file_redirect_tainting.sjs?html`;

  await BrowserTestUtils.withNewTab(

      gBrowser,

      url: requestUrl,

      waitForLoad: true,

},

    async function (browser) {

      let imageLoaded = await SpecialPowers.spawn(browser, [], function () {

        let image = content.document.getElementById("test_image");

        return image && image.complete && image.naturalHeight !== 0;

});

      await Assert.ok(imageLoaded, "test_image should be loaded");

);

add_task(async function test_https_only_redirect_tainting() {

  await SpecialPowers.pushPrefEnv({

    set: [["dom.security.https_only_mode", true]],

});

  await do_test();

  await SpecialPowers.popPrefEnv();

});