QA/Firefox3.5/XHR TestPlan

From MozillaWiki
< QA‎ | Firefox3.5(Redirected from QA/Firefox3.1/XHR TestPlan)
Jump to: navigation, search

« QA/Firefox3.1/TestPlan

XS-XHR Test plan

Overview

Provides a mechanism to safely allow cross site XHR calls to a white listed grouping of domains while keeping private information on web sites safeguarded at the same time.

Test Strategy

  • Test that we handle redirects to non-same origin hosts properly
  • Test that we handle redirects to same origin hosts without change (i.e. behavior should not be affected)
  • Test that internal resources that exist and do not exist look the same until access is granted to the requestor
  • Test that HTTP header data is not exposed (HOW?)
  • Ensure that cookies are not set for the request (HOW?)
  • Test that malformed Access-Control-Allow-Origin flags are thrown out
  • Test that the wildcards work
  • Test delta seconds timeout on max-age header
  • Verify each algorithm outlined in the Processing model
    • 5.1 Cross-Site Access Request
    • 5.1.1 Cross-site access source origin
    • 5.1.2 Cross-Site Access Request Header Lists
    • 5.1.3 Simple Cross Site Access Request
    • 5.1.4 Cross site Access Request with Preflight
    • 5.1.5 Ensure these redirect policies are followed for generic XS access requests
    • Ensure the access control check is properly followed (tests that error out at each stage) Section 5.2


Test Cases

  • [DONE] Test various values of origin
  • [DONE] Ensure preflight req gets fired when try a REQ that is not GET or POST
  • [DONE] Ensure prelight req gets fired when REQ with header not in whitelist
  • [DONE] Ensure that in a situation where preflight is forced to be true (due to update progress listeners) we still do that even though everything else about our REQ is simple XSS
  • [DONE] test error handling when we get a XSS REQ and get a header not in RESP header whitelist - ensure both looking for specific header and looking for all headers doesn't display the header
  • [DONE] attempt to fake the origin on the REQ
  • [DONE] redirects (see redirect cases below)
  • [DONE] Ensure no trusted data ever exposed of the resource
  • [DONE] test expiration of a access-control-max-age header from a result cache
  • [DONE] test with access-control-allow-credentials as both true and false
  • [DONE] use access-control-allow-methods to ensure only specified methods work
  • [DONE] do the same with *-headers.
  • [DONE] test correct request with an origin from evil.com and see if the specification blocks the request (isn't that part of the server code and outside our control?)
  • [DONE] test access-control-request-method/-header to ensure that non-allowed method/headers are blocked from the actual request as part of the pre-flight
  • [TODO] XMLHttpRequest::getResponseHeader() does not have access to the Cookie2 header and other headers not on Response Header whitelist
  • [DONE] Attempt to set a cookie on the REQ
  • [DONE] Ensure we have a test for a proper access-control-allow-origin header
  • [DONE] Can we simply create a testcase where we attempt a REQ without an origin?

Simple XSS XHR

  • [DONE] preflight false, REQ method GET && headers in whitelist --> work
  • preflight false, REQ method HEAD && headers in whitelist --> work
    • [DONE] ensure we get the "success" status flag
  • [DONE] preflight false, REQ method GET && headers ! in whitelist --> preflight
  • [DONE] preflight false, REQ method HEAD && headers ! in whitelist --> preflight
  • [DONE] preflight false, REQ method POST && headers ! in whitelist -- preflight
  • [DONE] preflight false, REQ method POST && headers in whitelist && Header contains content-type but value of content-type != (application/x-www-form-urlencoded, multipart/form-dat, or text/plain) --> preflight
    • [DONE] the above with content-type == to each of those three things --> work
      • [DONE] content-type == text/plain
      • [DONE] content-type == application/x-www-form-urlencoded. I disagree with spec here. Should raise with spec editor.
      • [DONE] content-type == multipart/form-data. I disagree with spec here. Should raise with spec editor.
  • [TODO] getResponseHeader() does not get access to cookie2 header and othe headers not in RESP whitelist
  • [TODO] cause a user cancel and ensure abort steps followed
  • [TODO] cause a network error (by failing access control check) and ensure network error steps are followed
  • [DONE] ensure access control check works status flag set to success, ensure REQ not terminated

Preflight XSS XHR

  • [DONE] test using a cached entry after the time has expired --> should get a notification of failure that you need to preflight again
  • [DONE] test that a method name matches case insensitively
  • test that headers match case insensitively
  • [DONE] test that every header name matches header in the cache
  • [DONE] test when both a header and a method are specified that we match the proper one
  • [DONE] test that if no expiration time given, no cache entry made
  • [DONE] test that when we do not have all the headers in our request that are in the cache --> cache fail
  • [DONE] test that we do not have a method that matches --> cache fail
  • [DONE] test that multiple methods can be cached and retrieved
  • [DONE] test that both header and method are empty when they are not empty in the cache --> cache fail
  • can we make a preflight with credentials? Should fail, should not be allowed. (JS: You can check if the preflight has cookies)
  • can we make a preflight with an entity body? should fail, should not be allowed. (JS: You can check if the preflight has body)
  • [SKIPPED] test redirect
  • [DONE] test alternate ways of specifying the expiration time (white space, invalid values etc)
  • test abort
  • test network error
  • test access control fail --> ensure cache and network steps followed
  • [DONE] test failure to parse methods (value with a space for instance) when parsing the access-control-allow-methods values --> cache and network steps
  • [DONE] test failure to parse headers when parsing access-control-headers --> cache and network steps
  • [DONE] test that every REQ header does not match headers --> cache & network steps
  • [DONE] test that REQ header not in simple header whitelist --> cache & network steps
  • [SKIPPED] Ensure that preflight requests that succeed update cache entries (spec no longer requires updating, but tests do ensure that cache entries are created and removed - ct)
  • [DONE] if actual request gets redirect --> cache and network steps (handled by redirect tests)
  • if actual req canceled -> abort
  • if actual req network error -> network eror
  • if actual req access check fails -> cache & network steps
  • test that an actual req can pass

cache matches

  • ensure that when testing for cache matches we fail when any of these conditions are met:
    • [DONE] URL != REQ URL
    • origin  != source origin
    • credentials != credentials flag

cache & network steps

  • [SKIPPED] remove cache entries for source origin and URL - can we test that the entries get removed? (JS: not done, and not yet implemented)
  • [SKIPPED] return network error

cache updates

  • [DONE] ensure that for each method in methods of the preflight REQ an entry is made in the cache
  • [SKIPPED] ensure that for each method in methods of the preflight REQ where there is already an entry in the cache, update the expiry time (no longer in spec - ct)
  • [DONE] ensure that for each header in header of the preflight REQ an entry is made in the cache
  • [SKIPPED] ensure that for each header in header of the preflight REQ where there is already an entry in the cache, update the expiry time (no longer in spec - ct)

abort steps

  • test that user cancel results in "abort" state being returned and the request stops
  • [TODO] ensure no data passed back from an abort (necessary?) (JS: yes, necessary)

network error

  • [TODO] ensure network error status and no data comes back to XHR (necessary?) (JS: yes, necessary)

cache steps

  • check that an entry fro a network error is not used for the next request (network and cache error should clear cache)
  • check that an preflight response that is a network error, but otherwise well formed, does not populate the cache or allow the REQ.

Access Control Check

  • [DONE] test with 0 access-control-allow-origin headers --> fail (JS: I think done)
  • [DONE] test with > 1 access-control-allow-origin-headers --> fail
  • [DONE] test with access-control-allow-origin == * && credentials flag == false ---> return pass
  • [DONE] test with access-control-allow-origin != source origin --> return fail
  • [DONE] test with credentials flag == true && 0 access-control-allow-origin hdr --> fail (JS: I think done)
  • [DONE] test with credentials flag == true && access-control-allow-credentials is not true --> fail
  • [DONE] test with credentials flag == true && access-control-allow-credentials == true && 0 access-control-allow-origin --> fail
  • [DONE] test with credentials flag == true && access-control-allow-credentials == true && >1 access-control-allow-origin --> fail
  • [DONE] test with credentials flag == true && access-control-allow-credentials == true && 1 access-control-allow-origin --> pass
  • [DONE] test with credentials flag == false && access-control-allow-credentials==true && 1 access-control-allow-origin --> pass (as per the spec, unspecified case) (JS: I think done)
  • [DONE] test with access-control-allow-origin == * && credentials flag == false && access-allow-credentials == true --> pass
  • [DONE] test with access-control-allow-origin == * && credentials flag == false && access-allow-credentials == false --> pass
  • [DONE] test with access-control-allow-origin == * && credentials flag == true && access-allow-credentials == true --> pass

Redirect Steps

  • [DONE] Test redirects:
    • [DONE] force new URL scheme to some unsupported scheme --> network error
    • [TODO] force infinite loop to occur --> network error
    • [TODO] force disconnect or invalid response --> network error
    • [DONE] if REQ URL contains the userinfo production (user name and password in URL) -> network error
    • [DONE] REQ URL and source origin are same origin --> should get "same-origin" status (spec should be changed to still require access control headers)
    • access control check returns fail --> network error
    • [DONE] if nothing goes wrong, ensure redirect followed and XSS XHR request rules followed

References

REQ hdr whitelist (case insensitive matching):

  • Accept
  • Accept-Language
  • Content-Language
  • Content-Type

RESP HDR whitelist (case insisitive)

  • Cache-Control
  • Content-Language
  • Content-Type
  • Expires
  • Last-Modified
  • Pragma

Things we probably won't get to testing

  • disk full - should stop caching and stop updating cache entries

Things we'd like to get to testing

Can we get the security team to help with some of this part?

  • All the items in the "Requirements" section are nice to haves that really sound pretty crucial to release this as a secure feature of the product.
  • private browsing mode - should not cache entries
  • what happens if user makes a request, goes offline, and comes back online
  • what happens if these requests are done through Worker threads

Schedule Scoping

Patch landed, was reopened.

It's going to take probably the better part of a week to get these implemented, unless we come up with a pretty simple way to fake the XS scripting stuff in mochitest. Todo: Look for example tests

References