Backed out 2 changesets (bug 1453814) for failing dom/base/test/chrome/test_bug884693.xul on a CLOSED TREE

Backed out changeset 86a4c50c98f6 (bug 1453814)
Backed out changeset 4d37ff0c232e (bug 1453814)
This commit is contained in:
Andreea Pavel 2018-04-13 20:19:39 +03:00
parent dcb92ef089
commit c98766975d
4 changed files with 0 additions and 170 deletions

View File

@ -1,61 +0,0 @@
// Custom *.sjs file specifically for the needs of Bug 1453814
// small red image
const IMG_BYTES = atob(
"iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12" +
"P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==");
const FRAME = `
<!DOCTYPE html>
<html>
<head>
<title>Bug 1453814 - Do not allow same-site cookies for cross origin redirect</title>
</head>
<body>
<script type="application/javascript">
let cookie = document.cookie;
// now reset the cookie for the next test
document.cookie = "myKey=;" + "expires=Thu, 01 Jan 1970 00:00:00 GMT";
window.parent.postMessage({result: cookie}, 'http://mochi.test:8888');
</script>
</body>
</html>`;
const SAME_ORIGIN = "http://mochi.test:8888/"
const CROSS_ORIGIN = "http://example.com/";
const PATH = "tests/dom/security/test/general/file_same_site_cookies_redirect.sjs";
function handleRequest(request, response)
{
// avoid confusing cache behaviors
response.setHeader("Cache-Control", "no-cache", false);
if (request.queryString === "setSameSiteCookie") {
response.setHeader("Set-Cookie", "myKey=strictSameSiteCookie; samesite=strict", true);
response.setHeader("Content-Type", "image/png");
response.write(IMG_BYTES);
return;
}
if (request.queryString === "sameToCrossRedirect") {
let URL = CROSS_ORIGIN + PATH + "?loadFrame";
response.setStatusLine("1.1", 302, "Found");
response.setHeader("Location", URL, false);
return;
}
if (request.queryString === "crossToSameRedirect") {
let URL = SAME_ORIGIN + PATH + "?loadFrame";
response.setStatusLine("1.1", 302, "Found");
response.setHeader("Location", URL, false);
return;
}
if (request.queryString === "loadFrame") {
response.write(FRAME);
return;
}
// we should never get here, but just in case return something unexpected
response.write("D'oh");
}

View File

@ -12,7 +12,6 @@ support-files =
file_same_site_cookies_toplevel_nav.sjs
file_same_site_cookies_cross_origin_context.sjs
file_same_site_cookies_from_script.sjs
file_same_site_cookies_redirect.sjs
[test_contentpolicytype_targeted_link_iframe.html]
[test_nosniff.html]
@ -30,4 +29,3 @@ skip-if = toolkit == 'android'
[test_same_site_cookies_toplevel_nav.html]
[test_same_site_cookies_cross_origin_context.html]
[test_same_site_cookies_from_script.html]
[test_same_site_cookies_redirect.html]

View File

@ -1,83 +0,0 @@
<!DOCTYPE HTML>
<html>
<head>
<title>Bug 1453814 - Do not allow same-site cookies for cross origin redirect</title>
<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<img id="cookieImage">
<iframe id="testframe"></iframe>
<script class="testbody" type="text/javascript">
/*
* Description of the test:
* 1) We load an image from http://mochi.test which set a same site cookie
* 2) We then load an iframe that redirects
* (a) from same-origin to cross-origin
* (b) from cross-origin to same-origin
* 3) We observe that in both cases same-site cookies should not be send
*/
SimpleTest.waitForExplicitFinish();
const SAME_ORIGIN = "http://mochi.test:8888/"
const CROSS_ORIGIN = "http://example.com/";
const PATH = "tests/dom/security/test/general/file_same_site_cookies_redirect.sjs";
let curTest = 0;
var tests = [
{
description: "same-site cookie, redirect same-site to cross-site",
imgSRC: SAME_ORIGIN + PATH + "?setSameSiteCookie",
frameSRC: SAME_ORIGIN + PATH + "?sameToCrossRedirect",
result: "", // no cookie should be set
},
{
description: "same-site cookie, redirect cross-site to same-site",
imgSRC: SAME_ORIGIN + PATH + "?setSameSiteCookie",
frameSRC: CROSS_ORIGIN + PATH + "?crossToSameRedirect",
result: "", // no cookie should be set
},
];
window.addEventListener("message", receiveMessage);
function receiveMessage(event) {
is(event.data.result, tests[curTest].result, tests[curTest].description);
curTest += 1;
// // lets see if we ran all the tests
if (curTest == tests.length) {
window.removeEventListener("message", receiveMessage);
SimpleTest.finish();
return;
}
// otherwise it's time to run the next test
setCookieAndInitTest();
}
function setupQueryResultAndRunTest() {
let testframe = document.getElementById("testframe");
testframe.src = tests[curTest].frameSRC;
}
function setCookieAndInitTest() {
var cookieImage = document.getElementById("cookieImage");
cookieImage.onload = function() {
ok(true, "trying to set cookie for test (" + tests[curTest].description + ")");
setupQueryResultAndRunTest();
}
cookieImage.onerror = function() {
ok(false, "could not load image for test (" + tests[curTest].description + ")");
}
cookieImage.src = tests[curTest].imgSRC;
}
// fire up the test
setCookieAndInitTest();
</script>
</body>
</html>

View File

@ -2162,30 +2162,6 @@ bool NS_IsSameSiteForeign(nsIChannel* aChannel, nsIURI* aHostURI)
bool isForeign = false;
thirdPartyUtil->IsThirdPartyChannel(aChannel, uri, &isForeign);
// if we are dealing with a cross origin request, we can return here
// because we already know the request is 'foreign'.
if (isForeign) {
return true;
}
// for the purpose of same-site cookies we have to treat any cross-origin
// redirects as foreign. E.g. cross-site to same-site redirect is a problem
// with regards to CSRF.
nsCOMPtr<nsIPrincipal> redirectPrincipal;
nsCOMPtr<nsIURI> redirectURI;
for (nsIRedirectHistoryEntry* entry : loadInfo->RedirectChain()) {
entry->GetPrincipal(getter_AddRefs(redirectPrincipal));
if (redirectPrincipal) {
redirectPrincipal->GetURI(getter_AddRefs(redirectURI));
thirdPartyUtil->IsThirdPartyChannel(aChannel, redirectURI, &isForeign);
// if at any point we encounter a cross-origin redirect we can return.
if (isForeign) {
return true;
}
}
}
return isForeign;
}