QA/Firefox3.5/XHR TestPlan
From MozillaWiki
- XS-XHR Test plan
Overview
Cross-site XHR provides a mechanism to safely allow cross-site XHR calls to a whitelisted set of domains while keeping private information on web sites safeguarded at the same time.
Test Strategy
- Test that we handle redirects to non-same origin hosts properly
- Test that we handle redirects to same origin hosts without change (i.e. behavior should not be affected)
- Test that internal resources that exist and do not exist look the same until access is granted to the requestor
- Test that HTTP header data is not exposed (HOW?)
- Ensure that cookies are not set for the request (HOW?)
- Test that malformed Access-Control-Allow-Origin flags are thrown out
- Test that the wildcards work
- Test delta seconds timeout on max-age header
- Verify each algorithm outlined in the Processing model
  - 5.1 Cross-Site Access Request
  - 5.1.1 Cross-site access source origin
  - 5.1.2 Cross-Site Access Request Header Lists
  - 5.1.3 Simple Cross Site Access Request
  - 5.1.4 Cross site Access Request with Preflight
  - 5.1.5 Ensure these redirect policies are followed for generic XS access requests
- Ensure the access control check is properly followed (tests that error out at each stage) Section 5.2
Test Cases
- [DONE] Test various values of origin
- [DONE] Ensure preflight req gets fired when trying a REQ that is not GET or POST
- [DONE] Ensure preflight req gets fired when REQ has a header not in the whitelist
- [DONE] Ensure that in a situation where preflight is forced to be true (due to update progress listeners) we still do that even though everything else about our REQ is simple XSS
- [DONE] test error handling when an XSS REQ gets a RESP header that is not in the RESP header whitelist; ensure that neither asking for the specific header nor asking for all headers displays it
- [DONE] attempt to fake the origin on the REQ
- [DONE] redirects (see redirect cases below)
- [DONE] Ensure that no trusted data of the resource is ever exposed
- [DONE] test expiration of an access-control-max-age header from a result cache
- [DONE] test with access-control-allow-credentials as both true and false
- [DONE] use access-control-allow-methods to ensure only specified methods work
- [DONE] do the same with *-headers.
- [DONE] test correct request with an origin from evil.com and see if the specification blocks the request (isn't that part of the server code and outside our control?)
- [DONE] test access-control-request-method/-header to ensure that non-allowed method/headers are blocked from the actual request as part of the pre-flight
- [TODO] XMLHttpRequest::getResponseHeader() does not have access to the Cookie2 header and other headers not on Response Header whitelist
- [DONE] Attempt to set a cookie on the REQ
- [DONE] Ensure we have a test for a proper access-control-allow-origin header
- [DONE] Can we simply create a testcase where we attempt a REQ without an origin?
Simple XSS XHR
- [DONE] preflight false, REQ method GET && headers in whitelist --> work
- preflight false, REQ method HEAD && headers in whitelist --> work
- [DONE] ensure we get the "success" status flag
- [DONE] preflight false, REQ method GET && headers ! in whitelist --> preflight
- [DONE] preflight false, REQ method HEAD && headers ! in whitelist --> preflight
- [DONE] preflight false, REQ method POST && headers ! in whitelist --> preflight
- [DONE] preflight false, REQ method POST && headers in whitelist && Header contains content-type but value of content-type != (application/x-www-form-urlencoded, multipart/form-data, or text/plain) --> preflight
- [DONE] the above with content-type == to each of those three things --> work
  - [DONE] content-type == text/plain
  - [DONE] content-type == application/x-www-form-urlencoded. I disagree with spec here. Should raise with spec editor.
  - [DONE] content-type == multipart/form-data. I disagree with spec here. Should raise with spec editor.
- [TODO] getResponseHeader() does not get access to the cookie2 header and other headers not in the RESP whitelist
- [TODO] cause a user cancel and ensure abort steps followed
- [TODO] cause a network error (by failing access control check) and ensure network error steps are followed
- [DONE] ensure that when the access control check passes, the status flag is set to success and the REQ is not terminated
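As an added example (not code from this test plan or from Firefox), the simple-versus-preflight decision listed above in JavaScript: the GET/HEAD/POST rule, the REQ header whitelist, the Content-Type value rule, and the forced-preflight flag set by upload progress listeners. It generalises the plan's POST case slightly by applying the Content-Type value rule to any method, as the spec's simple-header definition does; method and header names are assumed to match case-insensitively.

```javascript
// Added example (not from the test plan): classifies a cross-site XHR as
// "simple" (sent directly) or "preflight" (OPTIONS request first) using the
// rules in this plan. Matching of method and header names is case-insensitive.

const SIMPLE_METHODS = ["GET", "HEAD", "POST"];
const SIMPLE_REQ_HEADERS = ["accept", "accept-language", "content-language", "content-type"];
const SIMPLE_CONTENT_TYPES = ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"];

// Strips parameters such as "; charset=utf-8" and normalises case.
function mediaType(value) {
  return value.split(";")[0].trim().toLowerCase();
}

// headers: array of [name, value] pairs as set via setRequestHeader().
// forcePreflight: true when upload progress listeners are attached.
// Returns "simple" or "preflight".
function classifyRequest(method, headers, forcePreflight = false) {
  if (forcePreflight) return "preflight";
  if (!SIMPLE_METHODS.includes(method.toUpperCase())) return "preflight";
  for (const [name, value] of headers) {
    const lname = name.toLowerCase();
    // Any header outside the REQ header whitelist forces a preflight.
    if (!SIMPLE_REQ_HEADERS.includes(lname)) return "preflight";
    // Content-Type is only simple for the three whitelisted media types.
    if (lname === "content-type" && !SIMPLE_CONTENT_TYPES.includes(mediaType(value))) {
      return "preflight";
    }
  }
  return "simple";
}
```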
Preflight XSS XHR
- [DONE] test using a cached entry after the time has expired --> should get a notification of failure that you need to preflight again
- [DONE] test that a method name matches case insensitively
- test that headers match case insensitively
- [DONE] test that every header name matches header in the cache
- [DONE] test when both a header and a method are specified that we match the proper one
- [DONE] test that if no expiration time given, no cache entry made
- [DONE] test that when we do not have all the headers in our request that are in the cache --> cache fail
- [DONE] test that we do not have a method that matches --> cache fail
- [DONE] test that multiple methods can be cached and retrieved
- [DONE] test that both header and method are empty when they are not empty in the cache --> cache fail
- can we make a preflight with credentials? Should fail, should not be allowed. (JS: You can check if the preflight has cookies)
- can we make a preflight with an entity body? should fail, should not be allowed. (JS: You can check if the preflight has body)
- [SKIPPED] test redirect
- [DONE] test alternate ways of specifying the expiration time (white space, invalid values etc)
- test abort
- test network error
- test access control fail --> ensure cache and network steps followed
- [DONE] test failure to parse methods (value with a space for instance) when parsing the access-control-allow-methods values --> cache and network steps
- [DONE] test failure to parse headers when parsing access-control-headers --> cache and network steps
- [DONE] test that every REQ header does not match headers --> cache & network steps
- [DONE] test that REQ header not in simple header whitelist --> cache & network steps
- [SKIPPED] Ensure that preflight requests that succeed update cache entries (spec no longer requires updating, but tests do ensure that cache entries are created and removed - ct)
- [DONE] if actual request gets redirect --> cache and network steps (handled by redirect tests)
- if actual req canceled -> abort
- if actual req network error -> network error
- if actual req access check fails -> cache & network steps
- test that an actual req can pass
cache matches
- ensure that when testing for cache matches we fail when any of these conditions are met:
  - [DONE] URL != REQ URL
  - origin != source origin
  - credentials != credentials flag
cache & network steps
- [SKIPPED] remove cache entries for source origin and URL - can we test that the entries get removed? (JS: not done, and not yet implemented)
- [SKIPPED] return network error
cache updates
- [DONE] ensure that for each method in methods of the preflight REQ an entry is made in the cache
- [SKIPPED] ensure that for each method in methods of the preflight REQ where there is already an entry in the cache, update the expiry time (no longer in spec - ct)
- [DONE] ensure that for each header in header of the preflight REQ an entry is made in the cache
- [SKIPPED] ensure that for each header in header of the preflight REQ where there is already an entry in the cache, update the expiry time (no longer in spec - ct)
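An added example (not the test plan's or Firefox's code) of a preflight result cache built in JavaScript from the cache-match conditions and cache-update rules above: one entry per allowed method and per allowed header, keyed by URL, source origin and credentials flag, expiring after access-control-max-age. The entry shape, the HTTP token check used to detect an unparseable method or header list, and dropping the origin's entries for that URL on such a failure are my reading of the plan, not Firefox's implementation.

```javascript
// Added example (not from the test plan): a preflight cache modelled on the
// entries, match conditions and expiry rules in this plan. An unparseable
// allow-methods or allow-headers list counts as a parse failure: entries for
// that origin and URL are dropped and store() returns false so the caller
// can run the network error steps.

const SIMPLE_REQ_HEADERS = ["accept", "accept-language", "content-language", "content-type"];
const TOKEN = /^[!#$%&'*+.^_`|~0-9A-Za-z-]+$/;  // HTTP token, so "GE T" fails

function parseList(value) {
  return value === undefined ? [] : value.split(",").map(s => s.trim()).filter(Boolean);
}

class PreflightCache {
  constructor() { this.entries = []; }

  // resp: preflight response headers as an object with lowercase names.
  // now: current time in ms. Without a usable max-age, nothing is cached.
  store(url, origin, credentials, resp, now) {
    const methods = parseList(resp["access-control-allow-methods"]);
    const headers = parseList(resp["access-control-allow-headers"]);
    if (![...methods, ...headers].every(t => TOKEN.test(t))) {
      this.entries = this.entries.filter(e => !(e.url === url && e.origin === origin));
      return false;
    }
    const maxAge = Number(resp["access-control-max-age"]);  // Number() trims whitespace
    if (!Number.isFinite(maxAge) || maxAge <= 0) return true;
    const expires = now + maxAge * 1000;
    for (const m of methods)
      this.entries.push({ url, origin, credentials, expires, method: m.toUpperCase() });
    for (const h of headers)
      this.entries.push({ url, origin, credentials, expires, header: h.toLowerCase() });
    return true;
  }

  // Returns true when live entries cover the method and every non-simple
  // request header, so the actual request can skip a new preflight.
  matches(url, origin, credentials, method, reqHeaders, now) {
    const live = this.entries.filter(e =>
      e.url === url && e.origin === origin && e.credentials === credentials && e.expires > now);
    if (!live.some(e => e.method === method.toUpperCase())) return false;
    return reqHeaders.every(name => {
      const l = name.toLowerCase();
      return SIMPLE_REQ_HEADERS.includes(l) || live.some(e => e.header === l);
    });
  }
}
```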
abort steps
- test that user cancel results in "abort" state being returned and the request stops
- [TODO] ensure no data passed back from an abort (necessary?) (JS: yes, necessary)
network error
- [TODO] ensure network error status and no data comes back to XHR (necessary?) (JS: yes, necessary)
cache steps
- check that an entry for a network error is not used for the next request (network and cache error should clear cache)
- check that a preflight response that is a network error, but otherwise well formed, does not populate the cache or allow the REQ.
Access Control Check
- [DONE] test with 0 access-control-allow-origin headers --> fail (JS: I think done)
- [DONE] test with > 1 access-control-allow-origin-headers --> fail
- [DONE] test with access-control-allow-origin == * && credentials flag == false --> return pass
- [DONE] test with access-control-allow-origin != source origin --> return fail
- [DONE] test with credentials flag == true && 0 access-control-allow-origin hdr --> fail (JS: I think done)
- [DONE] test with credentials flag == true && access-control-allow-credentials is not true --> fail
- [DONE] test with credentials flag == true && access-control-allow-credentials == true && 0 access-control-allow-origin --> fail
- [DONE] test with credentials flag == true && access-control-allow-credentials == true && >1 access-control-allow-origin --> fail
- [DONE] test with credentials flag == true && access-control-allow-credentials == true && 1 access-control-allow-origin --> pass
- [DONE] test with credentials flag == false && access-control-allow-credentials==true && 1 access-control-allow-origin --> pass (as per the spec, unspecified case) (JS: I think done)
- [DONE] test with access-control-allow-origin == * && credentials flag == false && access-control-allow-credentials == true --> pass
- [DONE] test with access-control-allow-origin == * && credentials flag == false && access-control-allow-credentials == false --> pass
- [DONE] test with access-control-allow-origin == * && credentials flag == true && access-control-allow-credentials == true --> pass
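An added example (not the test plan's or Firefox's code) that implements the access control check cases listed above in JavaScript, with response headers supplied as [name, value] pairs so that zero or duplicate Access-Control-Allow-Origin headers are visible and can be failed.

```javascript
// Added example (not from the test plan): the access control check run on a
// cross-site response, covering the pass/fail cases in this plan. Header
// names are matched case-insensitively; values are compared exactly.

function headerValues(headers, name) {
  return headers
    .filter(([n]) => n.toLowerCase() === name)
    .map(([, v]) => v.trim());
}

// sourceOrigin: the requesting page's origin, e.g. "http://example.org".
// credentialsFlag: true when the XHR was sent with credentials.
// Returns "pass" or "fail".
function accessControlCheck(responseHeaders, sourceOrigin, credentialsFlag) {
  const allowOrigin = headerValues(responseHeaders, "access-control-allow-origin");
  // Exactly one Access-Control-Allow-Origin header is required: 0 or >1 fail.
  if (allowOrigin.length !== 1) return "fail";
  // The single value must be "*" or match the source origin exactly.
  if (allowOrigin[0] !== "*" && allowOrigin[0] !== sourceOrigin) return "fail";
  // With credentials, Access-Control-Allow-Credentials must be exactly "true".
  if (credentialsFlag) {
    const allowCreds = headerValues(responseHeaders, "access-control-allow-credentials");
    if (allowCreds.length !== 1 || allowCreds[0] !== "true") return "fail";
  }
  return "pass";
}
```

The current Fetch standard additionally rejects a wildcard Access-Control-Allow-Origin on a credentialed request; the function above follows the cases as this plan lists them.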
Redirect Steps
- [DONE] Test redirects:
  - [DONE] force new URL scheme to some unsupported scheme --> network error
  - [TODO] force infinite loop to occur --> network error
  - [TODO] force disconnect or invalid response --> network error
  - [DONE] if REQ URL contains the userinfo production (user name and password in URL) -> network error
  - [DONE] REQ URL and source origin are same origin --> should get "same-origin" status (spec should be changed to still require access control headers)
  - access control check returns fail --> network error
  - [DONE] if nothing goes wrong, ensure redirect followed and XSS XHR request rules followed
References
REQ hdr whitelist (case insensitive matching):
- Accept
- Accept-Language
- Content-Language
- Content-Type
RESP HDR whitelist (case insensitive matching):
- Cache-Control
- Content-Language
- Content-Type
- Expires
- Last-Modified
- Pragma
Things we probably won't get to testing
- disk full - should stop caching and stop updating cache entries
Things we'd like to get to testing
Can we get the security team to help with some of this part?
- All the items in the "Requirements" section are nice-to-haves that really sound pretty crucial to releasing this as a secure feature of the product.
- private browsing mode - should not cache entries
- what happens if user makes a request, goes offline, and comes back online
- what happens if these requests are done through Worker threads
Schedule Scoping
Patch landed, was reopened.
It's going to take probably the better part of a week to get these implemented, unless we come up with a pretty simple way to fake the XS scripting stuff in mochitest. Todo: Look for example tests