Bug 1778291 Comment 5 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

We have a test case for https-only mode which can be adjusted to test that behavior. Which shows that this bug is not working for an arbitrary host.


Steps to Reproduce test result:
1. Go to https://searchfox.org/mozilla-central/source/dom/security/test/https-only/browser_cors_mixedcontent.js and use "example.org" as `sameOrigin` and "example.org:8000" as `crossOrigin` instead of "example.com" (because there is no http version of `example.com` with a different port, see https://searchfox.org/mozilla-central/source/build/pgo/server-locations.txt#74,82,89 ).
2. To do step one you also have to adjust the support file: https://searchfox.org/mozilla-central/source/dom/security/test/https-only/file_cors_mixedcontent.html#13,20

3. Comment out all tests till line 51 in `dom/security/test/https-only/browser_cors_mixedcontent.js` (these tests are unneeded, and since localhost doesn't get upgraded to https they wouldn't simulate the test we want to process).
4. From lines 51-74 we should have something like this:
```javascript
  // HTTPS-Only enabled, with exception
  await SpecialPowers.pushPermissions([
    {
      type: "https-only-load-insecure",
      allow: true,
      context: "http://example.org",
    },
  ]);
  await SpecialPowers.pushPermissions([
    {
      type: "https-only-load-insecure",
      allow: true,
      context: "http://example.org:8000",
    },
  ]);

  await runTest({
    description: "Load site with HTTP, HOM enabled but site exempt",
    topLevelScheme: "http",

    expectedSameOrigin: "success", // ok
    expectedCrossOrigin: "error", // CORS
  });
```
5. Run. Result: `"Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://example.org:8000/...`
We have a test case for https-only mode which can be adjusted to test that behavior. Running the adjusted test shows that this bug is not working for an arbitrary host.


Steps to Reproduce test result:
1. Go to https://searchfox.org/mozilla-central/source/dom/security/test/https-only/browser_cors_mixedcontent.js and use "example.org" as `sameOrigin` and "example.org:8000" as `crossOrigin` instead of "example.com" (because there is no http version of `example.com` with a different port, see https://searchfox.org/mozilla-central/source/build/pgo/server-locations.txt#74,82,89 ).
2. To do step one you also have to adjust the support file: https://searchfox.org/mozilla-central/source/dom/security/test/https-only/file_cors_mixedcontent.html#13,20

3. Comment out all tests till line 51 in `dom/security/test/https-only/browser_cors_mixedcontent.js` (these tests are unneeded, and since localhost doesn't get upgraded to https they wouldn't simulate the test we want to process).
4. From lines 51-74 we should have something like this:
```javascript
  // HTTPS-Only enabled, with exception
  await SpecialPowers.pushPermissions([
    {
      type: "https-only-load-insecure",
      allow: true,
      context: "http://example.org",
    },
  ]);
  await SpecialPowers.pushPermissions([
    {
      type: "https-only-load-insecure",
      allow: true,
      context: "http://example.org:8000",
    },
  ]);

  await runTest({
    description: "Load site with HTTP, HOM enabled but site exempt",
    topLevelScheme: "http",

    expectedSameOrigin: "success", // ok
    expectedCrossOrigin: "error", // CORS
  });
```
5. Run. Result: `"Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://example.org:8000/...`
