<!DOCTYPE HTML> <html> <!-- https://bugzilla.mozilla.org/show_bug.cgi?id=1247733 --> <head> <meta charset="utf-8"> <title>Test for Bug 1247733</title> <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script> <script type="application/javascript" src="/tests/SimpleTest/WindowSnapshot.js"></script> <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/> </head> <body> <a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1247733">Mozilla Bug 1247733</a> <p id="display"> <iframe id="myIframe"></iframe> </p> <div id="content" style="display: none"> </div> <pre id="test"></pre> <script type="application/javascript"> /** Test for Bug 1247733 **/ /** * This test ensures that we render the SVG 'use' element correctly, in * pages that have been upgraded from HTTP to HTTPS using strict transport * security (HSTS) * * Specifically: * (1) We load a file using HTTPS, in an iframe. The file gets sent * with a Strict-Transport-Security flag. * (2) We load the same file again, but now over HTTP (which should get * upgraded to HTTPS, since we received the Strict-Transport-Security * flag during the first load). * (3) After each of the above loads, we take a snapshot of the iframe * and ensure that it renders as fully lime (which the 'use' element * is responsible for). If the 'use' element fails to render, the iframe * will be fully red, and we'll fail an "assertSnapshots" check. */ SimpleTest.waitForExplicitFinish(); const iframe = document.getElementById("myIframe"); const iframeWin = iframe.contentWindow; // URI for our testcase with 'use' element, via HTTP and HTTPS: const insecureURI = "http://example.com/tests/dom/svg/test/use-with-hsts-helper.html"; const secureURI = "https://example.com/tests/dom/svg/test/use-with-hsts-helper.html"; // Snapshots that we'll populate below: var blankSnapshot; // Snapshot of blank iframe. var refSnapshot; // Snapshot of lime reference rendering in iframe. var secureSnapshot; // Snapshot of testcase using HTTPS. var upgradedSnapshot; // Snapshot of testcase using HTTP-upgraded-to-HTTPS. // Bookkeeping to be sure receiveMessage is called as many times as we expect: var numPostMessageCalls = 0; const expectedNumPostMessageCalls = 2; // (We load the helper file twice.) // Helper function, called via postMessage, to check iframe's actual location: function receiveMessage(event) { is(event.data, secureURI, "iframe should end up viewing secure URI"); numPostMessageCalls++; } // TEST CODE BEGINS HERE. // Execution basically proceeds top-to-bottom through the functions // from this point on, via a chain of iframe onload-callbacks. function runTest() { // Capture a snapshot with nothing in the iframe, so we can do a // sanity-check not-equal comparison against our reference case, to be // sure we're rendering anything at all: blankSnapshot = snapshotWindow(iframeWin); // Point iframe at a reference case: iframe.onload = captureRefSnapshot; iframe.src = "data:text/html,<body style='background:lime'>"; } function captureRefSnapshot() { // Capture the reference screenshot: refSnapshot = snapshotWindow(iframeWin); // Ensure reference-case looks different from blank snapshot: assertSnapshots(refSnapshot, blankSnapshot, false /*not equal*/, null /*no fuzz*/, "refSnapshot", "blankSnapshot"); // OK, assuming we've got a valid refSnapshot, we can now proceed to // capture test screenshots. // Register a postMessage handler, so that iframe can report its location: window.addEventListener("message", receiveMessage, false); // Point iframe at secure (HTTPS) version of testcase, & wait for callback: iframe.onload = captureSecureSnapshot; iframe.src = secureURI; } function captureSecureSnapshot() { // Capture snapshot of iframe showing always-HTTPS version of testcase: secureSnapshot = snapshotWindow(iframeWin); assertSnapshots(secureSnapshot, refSnapshot, true /*equal*/, null /*no fuzz*/, "secureSnapshot", "refSnapshot"); // Point iframe at insecure (HTTP) version of testcase (which should get // automatically upgraded to secure (HTTPS) under the hood), & wait for // callback: iframe.onload = captureUpgradedSnapshot; iframe.src = insecureURI; } function captureUpgradedSnapshot() { // Double-check that iframe is really pointed at insecure URI, to be sure // we're actually exercising HSTS. (Note that receiveMessage() will make // sure it's been upgraded to a secure HTTPS URI under the hood.) is(iframe.src, insecureURI, "test should've attempted to load insecure HTTP URI, to exercise HSTS"); // Capture snapshot of iframe showing upgraded-to-HTTPS version of testcase: upgradedSnapshot = snapshotWindow(iframeWin); assertSnapshots(upgradedSnapshot, refSnapshot, true /*equal*/, null /*no fuzz*/, "upgradedSnapshot", "refSnapshot"); cleanupAndFinish(); } function cleanupAndFinish() { is(numPostMessageCalls, expectedNumPostMessageCalls, "didn't receive as many messages from child iframe as expected"); SpecialPowers.cleanUpSTSData("http://example.com"); SimpleTest.finish(); } runTest(); </script> </body> </html>