Home Explore Help
Sign In
khronosschoty
/
palemoon-dev
Watch 2
Star 1
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
palemoon-dev
/
platform
/
devtools
/
client
/
webconsole
/
test
/
browser_webconsole_hpkp_invalid-headers.js

browser_webconsole_hpkp_invalid-headers.js 4.5 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130 
  1. /* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
    2. 

  2. /* Any copyright is dedicated to the Public Domain.
    3. 

  3.  * http://creativecommons.org/publicdomain/zero/1.0/ */
    4. 

  4. 

  5. // Tests that errors about invalid HPKP security headers are logged to the web
    6. 

  6. // console.
    7. 

  7. 

  8. "use strict";
    9. 

  9. 

  10. const TEST_URI = "data:text/html;charset=utf-8,Web Console HPKP invalid " +
    11. 

  11.                  "header test";
    12. 

  12. const SJS_URL = "https://example.com/browser/devtools/client/webconsole/" +
    13. 

  13.                 "test/test_hpkp-invalid-headers.sjs";
    14. 

  14. const LEARN_MORE_URI = "https://developer.mozilla.org/docs/Web/Security/" +
    15. 

  15.                        "Public_Key_Pinning" + DOCS_GA_PARAMS;
    16. 

  16. const HPKP_ENABLED_PREF = "security.cert_pinning.hpkp.enabled";
    17. 

  17. const NON_BUILTIN_ROOT_PREF = "security.cert_pinning.process_headers_from_" +
    18. 

  18.                               "non_builtin_roots";
    19. 

  19. 

  20. add_task(function* () {
    21. 

  21.   registerCleanupFunction(() => {
    22. 

  22.     Services.prefs.clearUserPref(HPKP_ENABLED_PREF);
    23. 

  23.     Services.prefs.clearUserPref(NON_BUILTIN_ROOT_PREF);
    24. 

  24.   });
    25. 

  25. 

  26.   Services.prefs.setBoolPref(HPKP_ENABLED_PREF, true);
    27. 

  27.   
    28. 

  28.   yield loadTab(TEST_URI);
    29. 

  29. 

  30.   let hud = yield openConsole();
    31. 

  31. 

  32.   yield* checkForMessage({
    33. 

  33.     url: SJS_URL + "?badSyntax",
    34. 

  34.     name: "Could not parse header error displayed successfully",
    35. 

  35.     text: "Public-Key-Pins: The site specified a header that could not be " +
    36. 

  36.           "parsed successfully."
    37. 

  37.   }, hud);
    38. 

  38. 

  39.   yield* checkForMessage({
    40. 

  40.     url: SJS_URL + "?noMaxAge",
    41. 

  41.     name: "No max-age error displayed successfully",
    42. 

  42.     text: "Public-Key-Pins: The site specified a header that did not include " +
    43. 

  43.           "a \u2018max-age\u2019 directive."
    44. 

  44.   }, hud);
    45. 

  45. 

  46.   yield* checkForMessage({
    47. 

  47.     url: SJS_URL + "?invalidIncludeSubDomains",
    48. 

  48.     name: "Invalid includeSubDomains error displayed successfully",
    49. 

  49.     text: "Public-Key-Pins: The site specified a header that included an " +
    50. 

  50.           "invalid \u2018includeSubDomains\u2019 directive."
    51. 

  51.   }, hud);
    52. 

  52. 

  53.   yield* checkForMessage({
    54. 

  54.     url: SJS_URL + "?invalidMaxAge",
    55. 

  55.     name: "Invalid max-age error displayed successfully",
    56. 

  56.     text: "Public-Key-Pins: The site specified a header that included an " +
    57. 

  57.           "invalid \u2018max-age\u2019 directive."
    58. 

  58.   }, hud);
    59. 

  59. 

  60.   yield* checkForMessage({
    61. 

  61.     url: SJS_URL + "?multipleIncludeSubDomains",
    62. 

  62.     name: "Multiple includeSubDomains error displayed successfully",
    63. 

  63.     text: "Public-Key-Pins: The site specified a header that included " +
    64. 

  64.           "multiple \u2018includeSubDomains\u2019 directives."
    65. 

  65.   }, hud);
    66. 

  66. 

  67.   yield* checkForMessage({
    68. 

  68.     url: SJS_URL + "?multipleMaxAge",
    69. 

  69.     name: "Multiple max-age error displayed successfully",
    70. 

  70.     text: "Public-Key-Pins: The site specified a header that included " +
    71. 

  71.           "multiple \u2018max-age\u2019 directives."
    72. 

  72.   }, hud);
    73. 

  73. 

  74.   yield* checkForMessage({
    75. 

  75.     url: SJS_URL + "?multipleReportURIs",
    76. 

  76.     name: "Multiple report-uri error displayed successfully",
    77. 

  77.     text: "Public-Key-Pins: The site specified a header that included " +
    78. 

  78.           "multiple \u2018report-uri\u2019 directives."
    79. 

  79.   }, hud);
    80. 

  80. 

  81.   // The root used for mochitests is not built-in, so set the relevant pref to
    82. 

  82.   // true to have the PKP implementation return more specific errors.
    83. 

  83.   Services.prefs.setBoolPref(NON_BUILTIN_ROOT_PREF, true);
    84. 

  84. 

  85.   yield* checkForMessage({
    86. 

  86.     url: SJS_URL + "?pinsetDoesNotMatch",
    87. 

  87.     name: "Non-matching pinset error displayed successfully",
    88. 

  88.     text: "Public-Key-Pins: The site specified a header that did not include " +
    89. 

  89.           "a matching pin."
    90. 

  90.   }, hud);
    91. 

  91. 

  92.   Services.prefs.setBoolPref(NON_BUILTIN_ROOT_PREF, false);
    93. 

  93. 

  94.   yield* checkForMessage({
    95. 

  95.     url: SJS_URL + "?pinsetDoesNotMatch",
    96. 

  96.     name: "Non-built-in root error displayed successfully",
    97. 

  97.     text: "Public-Key-Pins: The certificate used by the site was not issued " +
    98. 

  98.           "by a certificate in the default root certificate store. To " +
    99. 

  99.           "prevent accidental breakage, the specified header was ignored."
    100. 

  100.   }, hud);
    101. 

  101. });
    102. 

  102. 

  103. function* checkForMessage(curTest, hud) {
    104. 

  104.   hud.jsterm.clearOutput();
    105. 

  105. 

  106.   BrowserTestUtils.loadURI(gBrowser.selectedBrowser, curTest.url);
    107. 

  107. 

  108.   let results = yield waitForMessages({
    109. 

  109.     webconsole: hud,
    110. 

  110.     messages: [
    111. 

  111.       {
    112. 

  112.         name: curTest.name,
    113. 

  113.         text: curTest.text,
    114. 

  114.         category: CATEGORY_SECURITY,
    115. 

  115.         severity: SEVERITY_WARNING,
    116. 

  116.         objects: true,
    117. 

  117.       },
    118. 

  118.     ],
    119. 

  119.   });
    120. 

  120. 

  121.   yield testClickOpenNewTab(hud, results);
    122. 

  122. }
    123. 

  123. 

  124. function testClickOpenNewTab(hud, results) {
    125. 

  125.   let warningNode = results[0].clickableElements[0];
    126. 

  126.   ok(warningNode, "link element");
    127. 

  127.   ok(warningNode.classList.contains("learn-more-link"), "link class name");
    128. 

  128.   return simulateMessageLinkClick(warningNode, LEARN_MORE_URI);
    129. 

  129. }
    130. 

  130.