test_security_settings.js

Enable keyboard shortcuts

/* Any copyright is dedicated to the Public Domain.

   http://creativecommons.org/publicdomain/zero/1.0/ */

/**

 *  Test for SecuritySettingsCleaner.

 *  This tests both, the SiteSecurityService and the ClientAuthRememberService.

*/

"use strict";

let gSSService = Cc["@mozilla.org/ssservice;1"].getService(

  Ci.nsISiteSecurityService

);

let cars = Cc["@mozilla.org/security/clientAuthRememberService;1"].getService(

  Ci.nsIClientAuthRememberService

);

let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(

  Ci.nsIX509CertDB

);

// These are not actual server and client certs. The ClientAuthRememberService

// does not care which certs we store decisions for, as long as they're valid.

let [clientCert] = certDB.getCerts();

function addSecurityInfo({ host, topLevelBaseDomain, originAttributes = {} }) {

  let attrs = getOAWithPartitionKey({ topLevelBaseDomain }, originAttributes);

  let uri = Services.io.newURI(`https://${host}`);

  gSSService.processHeader(uri, "max-age=1000;", attrs);

  cars.rememberDecisionScriptable(host, attrs, clientCert);

function addTestSecurityInfo() {

  // First party

  addSecurityInfo({ host: "example.net" });

  addSecurityInfo({ host: "test.example.net" });

  addSecurityInfo({ host: "example.org" });

  // Third-party partitioned

  addSecurityInfo({ host: "example.com", topLevelBaseDomain: "example.net" });

  addSecurityInfo({ host: "example.net", topLevelBaseDomain: "example.org" });

  addSecurityInfo({

    host: "test.example.net",

    topLevelBaseDomain: "example.org",

});

  // Ensure we have the correct state initially.

  testSecurityInfo({ host: "example.net" });

  testSecurityInfo({ host: "test.example.net" });

  testSecurityInfo({ host: "example.org" });

  testSecurityInfo({ host: "example.com", topLevelBaseDomain: "example.net" });

  testSecurityInfo({ host: "example.net", topLevelBaseDomain: "example.org" });

  testSecurityInfo({

    host: "test.example.net",

    topLevelBaseDomain: "example.org",

});

function testSecurityInfo({

  host,

  topLevelBaseDomain,

  expectedHSTS = true,

  expectedCARS = true,

  originAttributes = {},

}) {

  let attrs = getOAWithPartitionKey({ topLevelBaseDomain }, originAttributes);

  let messageSuffix = `for ${host}`;

  if (topLevelBaseDomain) {

    messageSuffix += ` partitioned under ${topLevelBaseDomain}`;

  let uri = Services.io.newURI(`https://${host}`);

  let isSecure = gSSService.isSecureURI(uri, attrs);

  Assert.equal(

    isSecure,

    expectedHSTS,

    `HSTS ${expectedHSTS ? "is set" : "is not set"} ${messageSuffix}`

);

  let hasRemembered = cars.hasRememberedDecisionScriptable(host, attrs, {});

  // CARS deleteDecisionsByHost does not include subdomains. That means for some

  // test cases we expect a different remembered state.

  Assert.equal(

    hasRemembered,

    expectedCARS,

    `CAR ${expectedCARS ? "is set" : "is not set"} ${messageSuffix}`

);

add_task(async function test_baseDomain() {

  gSSService.clearAll();

  // ---- hsts cleaner ----

  addTestSecurityInfo();

  // Clear hsts data of example.net including partitions.

  await new Promise(aResolve => {

    Services.clearData.deleteDataFromBaseDomain(

      "example.net",

      false,

      Ci.nsIClearDataService.CLEAR_HSTS,

      aResolve

);

});

  testSecurityInfo({

    host: "example.net",

    expectedHSTS: false,

    expectedCARS: true,

});

  // HSTSCleaner also removes subdomain settings.

  testSecurityInfo({

    host: "test.example.net",

    expectedHSTS: false,

    expectedCARS: true,

});

  testSecurityInfo({ host: "example.org" });

  testSecurityInfo({

    host: "example.com",

    topLevelBaseDomain: "example.net",

    expectedHSTS: false,

    expectedCARS: true,

});

  testSecurityInfo({

    host: "example.net",

    topLevelBaseDomain: "example.org",

    expectedHSTS: false,

    expectedCARS: true,

});

  testSecurityInfo({

    host: "test.example.net",

    topLevelBaseDomain: "example.org",

    expectedHSTS: false,

    expectedCARS: true,

});

  // ---- client auth remember cleaner -----

  addTestSecurityInfo();

  // Clear security settings of example.net including partitions.

  await new Promise(aResolve => {

    Services.clearData.deleteDataFromBaseDomain(

      "example.net",

      false,

      Ci.nsIClearDataService.CLEAR_CLIENT_AUTH_REMEMBER_SERVICE,

      aResolve

);

});

  testSecurityInfo({

    host: "example.net",

    expectedHSTS: true,

    expectedCARS: false,

});

  // ClientAuthRememberCleaner also removes subdomain settings.

  testSecurityInfo({

    host: "test.example.net",

    expectedHSTS: true,

    expectedCARS: false,

});

  testSecurityInfo({ host: "example.org" });

  testSecurityInfo({

    host: "example.com",

    topLevelBaseDomain: "example.net",

    expectedHSTS: true,

    expectedCARS: false,

});

  testSecurityInfo({

    host: "example.net",

    topLevelBaseDomain: "example.org",

    expectedHSTS: true,

    expectedCARS: false,

});

  testSecurityInfo({

    host: "test.example.net",

    topLevelBaseDomain: "example.org",

    expectedHSTS: true,

    expectedCARS: false,

});

  // Cleanup

  gSSService.clearAll();

});

add_task(async function test_host() {

  gSSService.clearAll();

  // ---- HSTS cleaer ----

  addTestSecurityInfo();

  // Clear security settings of example.net without partitions.

  await new Promise(aResolve => {

    Services.clearData.deleteDataFromHost(

      "example.net",

      false,

      Ci.nsIClearDataService.CLEAR_HSTS,

      aResolve

);

});

  testSecurityInfo({

    host: "example.net",

    expectedHSTS: false,

    expectedCARS: true,

});

  testSecurityInfo({

    host: "test.example.net",

    expectedHSTS: false,

    expectedCARS: true,

});

  testSecurityInfo({ host: "example.org" });

  testSecurityInfo({ host: "example.com", topLevelBaseDomain: "example.net" });

  testSecurityInfo({

    host: "example.net",

    topLevelBaseDomain: "example.org",

    expectedHSTS: false,

    expectedCARS: true,

});

  testSecurityInfo({

    host: "test.example.net",

    topLevelBaseDomain: "example.org",

    expectedHSTS: false,

    expectedCARS: true,

});

  // Cleanup

  gSSService.clearAll();

  // --- clientAuthRemember cleaner ---

  addTestSecurityInfo();

  // Clear security settings of example.net without partitions.

  await new Promise(aResolve => {

    Services.clearData.deleteDataFromHost(

      "example.net",

      false,

      Ci.nsIClearDataService.CLEAR_CLIENT_AUTH_REMEMBER_SERVICE,

      aResolve

);

});

  testSecurityInfo({

    host: "example.net",

    expectedHSTS: true,

    expectedCARS: false,

});

  testSecurityInfo({

    host: "test.example.net",

    expectedHSTS: true,

    expectedCARS: true,

});

  testSecurityInfo({ host: "example.org" });

  testSecurityInfo({ host: "example.com", topLevelBaseDomain: "example.net" });

  testSecurityInfo({

    host: "example.net",

    topLevelBaseDomain: "example.org",

    expectedHSTS: true,

    expectedCARS: false,

});

  testSecurityInfo({

    host: "test.example.net",

    topLevelBaseDomain: "example.org",

    expectedHSTS: true,

    expectedCARS: true,

});

  // Cleanup

  gSSService.clearAll();

});