mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-11-28 23:31:56 +00:00
Backed out 2 changesets (bug 1453814) for failing dom/base/test/chrome/test_bug884693.xul on a CLOSED TREE
Backed out changeset 86a4c50c98f6 (bug 1453814) Backed out changeset 4d37ff0c232e (bug 1453814)
This commit is contained in:
Andreea Pavel
parent
dcb92ef089
commit
c98766975d
@ -1,61 +0,0 @@
|
||||
// Custom *.sjs file specifically for the needs of Bug 1453814
|
||||
|
||||
// small red image
|
||||
const IMG_BYTES = atob(
|
||||
"iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12" +
|
||||
"P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==");
|
||||
|
||||
const FRAME = `
|
||||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<title>Bug 1453814 - Do not allow same-site cookies for cross origin redirect</title>
|
||||
</head>
|
||||
<body>
|
||||
<script type="application/javascript">
|
||||
let cookie = document.cookie;
|
||||
// now reset the cookie for the next test
|
||||
document.cookie = "myKey=;" + "expires=Thu, 01 Jan 1970 00:00:00 GMT";
|
||||
window.parent.postMessage({result: cookie}, 'http://mochi.test:8888');
|
||||
</script>
|
||||
</body>
|
||||
</html>`;
|
||||
|
||||
const SAME_ORIGIN = "http://mochi.test:8888/"
|
||||
const CROSS_ORIGIN = "http://example.com/";
|
||||
const PATH = "tests/dom/security/test/general/file_same_site_cookies_redirect.sjs";
|
||||
|
||||
function handleRequest(request, response)
|
||||
{
|
||||
// avoid confusing cache behaviors
|
||||
response.setHeader("Cache-Control", "no-cache", false);
|
||||
|
||||
if (request.queryString === "setSameSiteCookie") {
|
||||
response.setHeader("Set-Cookie", "myKey=strictSameSiteCookie; samesite=strict", true);
|
||||
response.setHeader("Content-Type", "image/png");
|
||||
response.write(IMG_BYTES);
|
||||
return;
|
||||
}
|
||||
|
||||
if (request.queryString === "sameToCrossRedirect") {
|
||||
let URL = CROSS_ORIGIN + PATH + "?loadFrame";
|
||||
response.setStatusLine("1.1", 302, "Found");
|
||||
response.setHeader("Location", URL, false);
|
||||
return;
|
||||
}
|
||||
|
||||
if (request.queryString === "crossToSameRedirect") {
|
||||
let URL = SAME_ORIGIN + PATH + "?loadFrame";
|
||||
response.setStatusLine("1.1", 302, "Found");
|
||||
response.setHeader("Location", URL, false);
|
||||
return;
|
||||
}
|
||||
|
||||
if (request.queryString === "loadFrame") {
|
||||
response.write(FRAME);
|
||||
return;
|
||||
}
|
||||
|
||||
// we should never get here, but just in case return something unexpected
|
||||
response.write("D'oh");
|
||||
}
|
||||
@ -12,7 +12,6 @@ support-files =
|
||||
file_same_site_cookies_toplevel_nav.sjs
|
||||
file_same_site_cookies_cross_origin_context.sjs
|
||||
file_same_site_cookies_from_script.sjs
|
||||
file_same_site_cookies_redirect.sjs
|
||||
|
||||
[test_contentpolicytype_targeted_link_iframe.html]
|
||||
[test_nosniff.html]
|
||||
@ -30,4 +29,3 @@ skip-if = toolkit == 'android'
|
||||
[test_same_site_cookies_toplevel_nav.html]
|
||||
[test_same_site_cookies_cross_origin_context.html]
|
||||
[test_same_site_cookies_from_script.html]
|
||||
[test_same_site_cookies_redirect.html]
|
||||
|
||||
@ -1,83 +0,0 @@
|
||||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<head>
|
||||
<title>Bug 1453814 - Do not allow same-site cookies for cross origin redirect</title>
|
||||
<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
|
||||
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
|
||||
</head>
|
||||
<body>
|
||||
<img id="cookieImage">
|
||||
<iframe id="testframe"></iframe>
|
||||
|
||||
<script class="testbody" type="text/javascript">
|
||||
|
||||
/*
|
||||
* Description of the test:
|
||||
* 1) We load an image from http://mochi.test which set a same site cookie
|
||||
* 2) We then load an iframe that redirects
|
||||
* (a) from same-origin to cross-origin
|
||||
* (b) from cross-origin to same-origin
|
||||
* 3) We observe that in both cases same-site cookies should not be send
|
||||
*/
|
||||
|
||||
SimpleTest.waitForExplicitFinish();
|
||||
|
||||
const SAME_ORIGIN = "http://mochi.test:8888/"
|
||||
const CROSS_ORIGIN = "http://example.com/";
|
||||
const PATH = "tests/dom/security/test/general/file_same_site_cookies_redirect.sjs";
|
||||
|
||||
let curTest = 0;
|
||||
|
||||
var tests = [
|
||||
{
|
||||
description: "same-site cookie, redirect same-site to cross-site",
|
||||
imgSRC: SAME_ORIGIN + PATH + "?setSameSiteCookie",
|
||||
frameSRC: SAME_ORIGIN + PATH + "?sameToCrossRedirect",
|
||||
result: "", // no cookie should be set
|
||||
},
|
||||
{
|
||||
description: "same-site cookie, redirect cross-site to same-site",
|
||||
imgSRC: SAME_ORIGIN + PATH + "?setSameSiteCookie",
|
||||
frameSRC: CROSS_ORIGIN + PATH + "?crossToSameRedirect",
|
||||
result: "", // no cookie should be set
|
||||
},
|
||||
];
|
||||
|
||||
window.addEventListener("message", receiveMessage);
|
||||
function receiveMessage(event) {
|
||||
is(event.data.result, tests[curTest].result, tests[curTest].description);
|
||||
curTest += 1;
|
||||
|
||||
// // lets see if we ran all the tests
|
||||
if (curTest == tests.length) {
|
||||
window.removeEventListener("message", receiveMessage);
|
||||
SimpleTest.finish();
|
||||
return;
|
||||
}
|
||||
// otherwise it's time to run the next test
|
||||
setCookieAndInitTest();
|
||||
}
|
||||
|
||||
function setupQueryResultAndRunTest() {
|
||||
let testframe = document.getElementById("testframe");
|
||||
testframe.src = tests[curTest].frameSRC;
|
||||
}
|
||||
|
||||
function setCookieAndInitTest() {
|
||||
var cookieImage = document.getElementById("cookieImage");
|
||||
cookieImage.onload = function() {
|
||||
ok(true, "trying to set cookie for test (" + tests[curTest].description + ")");
|
||||
setupQueryResultAndRunTest();
|
||||
}
|
||||
cookieImage.onerror = function() {
|
||||
ok(false, "could not load image for test (" + tests[curTest].description + ")");
|
||||
}
|
||||
cookieImage.src = tests[curTest].imgSRC;
|
||||
}
|
||||
|
||||
// fire up the test
|
||||
setCookieAndInitTest();
|
||||
|
||||
</script>
|
||||
</body>
|
||||
</html>
|
||||
@ -2162,30 +2162,6 @@ bool NS_IsSameSiteForeign(nsIChannel* aChannel, nsIURI* aHostURI)
|
||||
|
||||
bool isForeign = false;
|
||||
thirdPartyUtil->IsThirdPartyChannel(aChannel, uri, &isForeign);
|
||||
|
||||
// if we are dealing with a cross origin request, we can return here
|
||||
// because we already know the request is 'foreign'.
|
||||
if (isForeign) {
|
||||
return true;
|
||||
}
|
||||
|
||||
// for the purpose of same-site cookies we have to treat any cross-origin
|
||||
// redirects as foreign. E.g. cross-site to same-site redirect is a problem
|
||||
// with regards to CSRF.
|
||||
|
||||
nsCOMPtr<nsIPrincipal> redirectPrincipal;
|
||||
nsCOMPtr<nsIURI> redirectURI;
|
||||
for (nsIRedirectHistoryEntry* entry : loadInfo->RedirectChain()) {
|
||||
entry->GetPrincipal(getter_AddRefs(redirectPrincipal));
|
||||
if (redirectPrincipal) {
|
||||
redirectPrincipal->GetURI(getter_AddRefs(redirectURI));
|
||||
thirdPartyUtil->IsThirdPartyChannel(aChannel, redirectURI, &isForeign);
|
||||
// if at any point we encounter a cross-origin redirect we can return.
|
||||
if (isForeign) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
}
|
||||
return isForeign;
|
||||
}
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user