
Commit b75a8e0

Bug 1405971 - Test that Webextension UUID doesn't leak via XHR/Fetch requests. r=mixedpuppy
Differential Revision: https://phabricator.services.mozilla.com/D40854 --HG-- extra : moz-landing-system : lando
1 parent 68ebc30 commit b75a8e0

3 files changed

Lines changed: 86 additions & 0 deletions


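--- a/toolkit/components/extensions/test/mochitest/mochitest-common.ini
+++ b/toolkit/components/extensions/test/mochitest/mochitest-common.ini
@@ -50,6 +50,7 @@ support-files =
 redirect_auto.sjs
 redirection.sjs
 return_headers.sjs
+return_headers_cors.sjs
 slow_response.sjs
 webrequest_worker.js
 !/dom/tests/mochitest/geolocation/network_geolocation.sjs
@@ -163,3 +164,4 @@ skip-if = os == 'android' # Currently fails in emulator tests
 [test_ext_webrequest_urlClassification.html]
 [test_ext_window_postMessage.html]
 [test_ext_webrequest_redirect_bypass_cors.html]
+[test_ext_fetch_origin.html]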
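--- /dev/null
+++ b/toolkit/components/extensions/test/mochitest/return_headers_cors.sjs
@@ -0,0 +1,24 @@
+/* -*- Mode: indent-tabs-mode: nil; js-indent-level: 2 -*- */
+/* vim: set ft=javascript sts=2 sw=2 et tw=80: */
+"use strict";
+
+/* exported handleRequest */
+
+function handleRequest(request, response) {
+response.setStatusLine(request.httpVersion, 200, "OK");
+response.setHeader("Content-Type", "text/json", false);
+response.setHeader("Access-Control-Allow-Credentials", "true", false);
+response.setHeader("Access-Control-Allow-Origin", "*", false);
+
+
+let headers = {};
+// Why on earth is this a nsISimpleEnumerator...
+let enumerator = request.headers;
+while (enumerator.hasMoreElements()) {
+let header = enumerator.getNext().data;
+headers[header.toLowerCase()] = request.getHeader(header);
+}
+
+response.write(JSON.stringify(headers));
+}
+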
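Review bot: The response sends `Access-Control-Allow-Credentials: true` together with `Access-Control-Allow-Origin: *` (new-file lines 10–11), a combination the CORS check rejects for any credentialed request, so the credentials header is dead weight today and a trap for a later test that sets `withCredentials` or `credentials: "include"` and then fails for an unrelated reason. Either drop the header or reflect the request's Origin instead of `*`, with a one-line comment stating which request modes the helper is meant to serve. Separately, `text/json` is not a registered media type; `application/json` is the conventional value even though `response.json()` does not check it.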
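--- /dev/null
+++ b/toolkit/components/extensions/test/mochitest/test_ext_fetch_origin.html
@@ -0,0 +1,60 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+<title>Test for simple WebExtension</title>
+<script src="/tests/SimpleTest/SimpleTest.js"></script>
+<script src="/tests/SimpleTest/ExtensionTestUtils.js"></script>
+<script type="text/javascript" src="head.js"></script>
+<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+
+<script type="text/javascript">
+"use strict";
+
+add_task(async function test_fetch_origin() {
+let extension = ExtensionTestUtils.loadExtension({
+manifest: {
+permissions: [
+// We purposefully don't add any host permission for example.org
+// (or all_urls). This ensures the requests below use CORS,
+// which would normally send an Origin header with a moz-extension:
+// scheme.
+],
+},
+async background() {
+const PATH = "https://example.org/tests/toolkit/components/extensions/test/mochitest/return_headers_cors.sjs";
+
+let response = await fetch(PATH);
+let headers = await response.json();
+
+browser.test.assertEq(headers.host, "example.org", "right host");
+browser.test.assertFalse("origin" in headers, "no Origin header")
+
+headers = await new Promise((resolve, reject) => {
+/* eslint-disable mozilla/balanced-listeners */
+let xhr = new XMLHttpRequest();
+xhr.open("GET", PATH);
+xhr.addEventListener("load", () => {
+resolve(JSON.parse(xhr.response));
+})
+xhr.addEventListener("error", reject)
+xhr.send();
+})
+
+browser.test.assertEq(headers.host, "example.org", "right host");
+browser.test.assertFalse("origin" in headers, "no Origin header");
+
+browser.test.sendMessage("finished");
+},
+});
+
+await extension.startup();
+await extension.awaitMessage("finished");
+await extension.unload();
+});
+
+</script>
+
+</body>
+</html>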
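Review bot: The test only asserts that the `Origin` header is absent (new-file lines 32 and 46), but the bug it lands for is about the extension UUID not reaching the server at all, and `Referer` is another request header that could carry a moz-extension: URL. Since the helper lower-cases every echoed header name, adding `browser.test.assertFalse("referer" in headers, "no Referer header");` after each Origin assertion would close that path for both the fetch and the XHR case. Four statements in the background script also lack a terminating semicolon (the first `assertFalse`, the `load` listener's closing `})`, the `error` listener and the Promise's closing `})`), which the tree's eslint configuration will presumably flag. The `<title>` still reads the boilerplate "Test for simple WebExtension" and could name what is actually tested.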
