We have a test case for https-only mode which can be adjusted to test that behavior. This shows that this bug is not working for an arbitrary host.

Steps to Reproduce test result:

1. Go to https://searchfox.org/mozilla-central/source/dom/security/test/https-only/browser_cors_mixedcontent.js and use instead of "example.com" (because there is no http version of `example.com` with a different port, see https://searchfox.org/mozilla-central/source/build/pgo/server-locations.txt#74,82,89 ) "example.org" as `sameOrigin` and "example.org:8000" as `crossOrigin`.
2. To do step one you also have to adjust the support file: https://searchfox.org/mozilla-central/source/dom/security/test/https-only/file_cors_mixedcontent.html#13,20
3. Comment out all tests till line 51 in `dom/security/test/https-only/browser_cors_mixedcontent.js` (unneeded tests, and since localhost doesn't get upgraded to https it wouldn't simulate the test we want to process).
4. From line 51-74 we should have something like that:

```javascript
// HTTPS-Only enabled, with exception
await SpecialPowers.pushPermissions([
  {
    type: "https-only-load-insecure",
    allow: true,
    context: "http://example.org",
  },
]);
await SpecialPowers.pushPermissions([
  {
    type: "https-only-load-insecure",
    allow: true,
    context: "http://example.org:8000",
  },
]);
await runTest({
  description: "Load site with HTTP, HOM enabled but site exempt",
  topLevelScheme: "http",
  expectedSameOrigin: "success", // ok
  expectedCrossOrigin: "error", // CORS
});
```

5. Run.

Result: `"Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://example.org:8000/...`
Bug 1778291 Comment 5 Edit History
We have a test case for https-only mode which can be adjusted to test that behavior. Running the adjusted test shows that this bug is not working for an arbitrary host.

Steps to Reproduce test result:

1. Go to https://searchfox.org/mozilla-central/source/dom/security/test/https-only/browser_cors_mixedcontent.js and use instead of "example.com" (because there is no http version of `example.com` with a different port, see https://searchfox.org/mozilla-central/source/build/pgo/server-locations.txt#74,82,89 ) "example.org" as `sameOrigin` and "example.org:8000" as `crossOrigin`.
2. To do step one you also have to adjust the support file: https://searchfox.org/mozilla-central/source/dom/security/test/https-only/file_cors_mixedcontent.html#13,20
3. Comment out all tests till line 51 in `dom/security/test/https-only/browser_cors_mixedcontent.js` (unneeded tests, and since localhost doesn't get upgraded to https it wouldn't simulate the test we want to process).
4. From line 51-74 we should have something like that:

```javascript
// HTTPS-Only enabled, with exception
await SpecialPowers.pushPermissions([
  {
    type: "https-only-load-insecure",
    allow: true,
    context: "http://example.org",
  },
]);
await SpecialPowers.pushPermissions([
  {
    type: "https-only-load-insecure",
    allow: true,
    context: "http://example.org:8000",
  },
]);
await runTest({
  description: "Load site with HTTP, HOM enabled but site exempt",
  topLevelScheme: "http",
  expectedSameOrigin: "success", // ok
  expectedCrossOrigin: "error", // CORS
});
```

5. Run.

Result: `"Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://example.org:8000/...`
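The CORS error quoted in the comment comes down to an origin comparison: `http://example.org` and `http://example.org:8000` share a scheme and host but not a port, so a read across them needs CORS, and an HTTPS-Only upgrade of only one side changes the scheme and therefore the origin as well. The following is an added example, not code from the bug comment or from the mozilla-central test: a plain (scheme, host, port) origin comparison using the standard `URL` parser, plus a simplified `upgradeToHttps` that models only the scheme rewrite (it is an assumption for illustration, not Firefox's HTTPS-Only upgrade logic). The URLs in the demo table are constructed to match the ones in the comment.

```javascript
// Added example: same-origin check as the (scheme, host, port) tuple comparison
// behind "The Same Origin Policy disallows reading the remote resource".
// Uses only the WHATWG URL parser available in browsers and Node.

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443", "ftp:": "21" };

// Serialise the origin tuple with the default port made explicit, so that
// "http://example.org" and "http://example.org:80" compare equal while
// "http://example.org:8000" does not. Schemes without a host (data:, blob:
// without a base, ...) get an opaque origin, represented here as null.
function originOf(urlString) {
  const url = new URL(urlString);
  if (!(url.protocol in DEFAULT_PORTS)) {
    return null; // opaque origin: never same-origin with anything
  }
  // URL strips a default port at parse time, so url.port is "" in that case.
  const port = url.port === "" ? DEFAULT_PORTS[url.protocol] : url.port;
  return `${url.protocol}//${url.hostname}:${port}`;
}

function isSameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa !== null && ob !== null && oa === ob;
}

// Simplified model (assumption, not Firefox's implementation): rewrite the
// scheme to https and keep any explicit non-default port. The point it shows
// is that upgrading a subresource URL makes it a different origin from its
// http:// form, so a page left on http:// now reads it cross-origin.
function upgradeToHttps(urlString) {
  const url = new URL(urlString);
  if (url.protocol === "http:") {
    url.protocol = "https:";
  }
  return url.href;
}

// Classify a subresource read from a top-level page the way the test's
// expectedSameOrigin / expectedCrossOrigin split does.
function classifyRead(pageUrl, resourceUrl) {
  return isSameOrigin(pageUrl, resourceUrl) ? "same-origin" : "cross-origin (CORS required)";
}

// Constructed demo inputs mirroring the comment's sameOrigin / crossOrigin hosts.
const DEMO = [
  ["http://example.org/", "http://example.org/file.html"],
  ["http://example.org/", "http://example.org:80/file.html"],
  ["http://example.org/", "http://example.org:8000/file.html"],
  ["http://example.org/", upgradeToHttps("http://example.org/file.html")],
];

for (const [page, resource] of DEMO) {
  console.log(`${page} -> ${resource}: ${classifyRead(page, resource)}`);
}
```

Only the port differs between the two origins in the comment, which is exactly what makes the `crossOrigin` load a CORS read rather than a same-origin one; the last demo row shows that an https upgrade applied to one side alone has the same effect.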