/*
* Copyright (C) 2021 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
* THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
* THE POSSIBILITY OF SUCH DAMAGE.
*/
#import "config.h"
#import "HTTPServer.h"
#import "PlatformUtilities.h"
#import "TestNavigationDelegate.h"
#import "TestUIDelegate.h"
#import "Utilities.h"
#import <WebKit/WKWebsiteDataStorePrivate.h>
#import <WebKit/_WKWebsiteDataStoreConfiguration.h>
#import <pal/spi/cf/CFNetworkSPI.h>
namespace TestWebKitAPI {

#if HAVE(CFNETWORK_NSURLSESSION_HSTS_WITH_UNTRUSTED_ROOT)

// Creates a WKWebView backed by a non-persistent data store whose http:// traffic is routed
// through httpServer and whose https:// traffic is routed through httpsServer (both act as
// proxies), with HSTS permitted for hosts whose certificate chains to an untrusted root.
//
// The returned navigation delegate answers every server-trust challenge by trusting the
// presented chain, because the local test servers use certificates that are not trusted by
// the system. That is the only reason a blanket trust answer is acceptable here; it is a
// test fixture, not a pattern for shipping code.
//
// Returns the view and its delegate; the caller keeps both alive for the test's duration.
std::pair<RetainPtr<WKWebView>, RetainPtr<TestNavigationDelegate>> hstsWebViewAndDelegate(const HTTPServer& httpsServer, const HTTPServer& httpServer)
{
    NSURL *httpsProxyURL = [NSURL URLWithString:[NSString stringWithFormat:@"https://127.0.0.1:%d/", httpsServer.port()]];
    NSURL *httpProxyURL = [NSURL URLWithString:[NSString stringWithFormat:@"http://127.0.0.1:%d/", httpServer.port()]];

    auto dataStoreConfiguration = adoptNS([[_WKWebsiteDataStoreConfiguration alloc] initNonPersistentConfiguration]);
    [dataStoreConfiguration setHTTPSProxy:httpsProxyURL];
    [dataStoreConfiguration setHTTPProxy:httpProxyURL];
    // Presumably disabled so that speculative connections do not reach the proxies and
    // perturb the per-test totalRequests() counts; confirm against HTTPServer.
    [dataStoreConfiguration setAllowsServerPreconnect:NO];
    [dataStoreConfiguration setAllowsHSTSWithUntrustedRootCertificate:YES];
    auto dataStore = adoptNS([[WKWebsiteDataStore alloc] _initWithConfiguration:dataStoreConfiguration.get()]);

    auto webViewConfiguration = adoptNS([[WKWebViewConfiguration alloc] init]);
    [webViewConfiguration setWebsiteDataStore:dataStore.get()];
    auto webView = adoptNS([[WKWebView alloc] initWithFrame:CGRectMake(0, 0, 100, 100) configuration:webViewConfiguration.get()]);

    auto navigationDelegate = adoptNS([[TestNavigationDelegate alloc] init]);
    navigationDelegate.get().didReceiveAuthenticationChallenge = ^(WKWebView *, NSURLAuthenticationChallenge *challenge, void (^completionHandler)(NSURLSessionAuthChallengeDisposition, NSURLCredential *)) {
        // Only server-trust challenges are expected from these servers; any other method
        // (for example an HTTP authentication prompt) is reported as a test failure.
        EXPECT_WK_STREQ(challenge.protectionSpace.authenticationMethod, NSURLAuthenticationMethodServerTrust);
        completionHandler(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]);
    };
    [webView setNavigationDelegate:navigationDelegate.get()];

    return { WTFMove(webView), WTFMove(navigationDelegate) };
}

// An HTTPS proxy whose only resource, "/", carries a one-year HSTS policy and an empty body.
// Loading any https:// URL through it teaches the data store an HSTS entry for that host.
static HTTPServer hstsServer()
{
    return HTTPServer({
        { "/", { {{ "Strict-Transport-Security", "max-age=31536000" }}, "" } },
    }, HTTPServer::Protocol::HttpsProxy);
}

// Loads request in webView and blocks until the delegate reports didFinishNavigation.
static void loadAndWaitUntilFinished(const RetainPtr<WKWebView>& webView, const RetainPtr<TestNavigationDelegate>& delegate, NSURLRequest *request)
{
    [webView loadRequest:request];
    [delegate waitForDidFinishNavigation];
}

// First-party HSTS behaviour:
//  - An HSTS header delivered over plain HTTP is ignored: after the http:// load and a
//    reload, the view's URL is still http://example.com/.
//  - Once the same host has been visited over HTTPS (where hstsServer() sends the header),
//    a later http:// navigation to it is upgraded to https://.
TEST(HSTS, Basic)
{
    auto httpsServer = hstsServer();
    HTTPServer httpServer({
        { "http://example.com/", { {{ "Strict-Transport-Security", "max-age=31536000" }}, "hi" } },
    });
    auto [webView, delegate] = hstsWebViewAndDelegate(httpsServer, httpServer);

    NSURLRequest *insecureRequest = [NSURLRequest requestWithURL:[NSURL URLWithString:@"http://example.com/"]];
    NSURLRequest *secureRequest = [NSURLRequest requestWithURL:[NSURL URLWithString:@"https://example.com/"]];

    // The HSTS header on this plain-HTTP response must not create a policy.
    loadAndWaitUntilFinished(webView, delegate, insecureRequest);
    EXPECT_WK_STREQ(webView.get().URL.absoluteString, "http://example.com/");

    [webView reload];
    [delegate waitForDidFinishNavigation];
    EXPECT_WK_STREQ(webView.get().URL.absoluteString, "http://example.com/");

    // The HTTPS response from hstsServer() does carry an effective policy...
    loadAndWaitUntilFinished(webView, delegate, secureRequest);
    EXPECT_WK_STREQ(webView.get().URL.absoluteString, "https://example.com/");

    // ...so the next insecure navigation to the host is upgraded.
    loadAndWaitUntilFinished(webView, delegate, insecureRequest);
    EXPECT_WK_STREQ(webView.get().URL.absoluteString, "https://example.com/");
}

// Third-party subresource behaviour: after example.com has an HSTS entry from a first-party
// HTTPS load, a cross-origin XHR from example.org to http://example.com/ is observed to stay
// on http (responseURL is http://example.com/ and the body is the plain-HTTP server's "hi",
// with both requests counted by httpServer). Presumably this reflects the policy of not
// applying HSTS to third-party loads so that HSTS state cannot be used as a tracking vector;
// confirm against the networking layer.
TEST(HSTS, ThirdParty)
{
    auto httpsServer = hstsServer();
    const char* crossOriginXHRPage = "<script>"
        "var xhr = new XMLHttpRequest();"
        "xhr.open('GET', 'http://example.com/');"
        "xhr.onreadystatechange = function () { if(xhr.readyState == 4) { alert(xhr.responseURL + ' ' + xhr.responseText) } };"
        "xhr.send();"
        "</script>";
    HTTPServer httpServer({
        // CORS header is what lets the example.org page read the response body.
        { "http://example.com/", { {{ "Access-Control-Allow-Origin", "http://example.org" }}, "hi" } },
        { "http://example.org/", { crossOriginXHRPage } },
    });
    auto [webView, delegate] = hstsWebViewAndDelegate(httpsServer, httpServer);

    // Establish the HSTS entry for example.com as a first party.
    loadAndWaitUntilFinished(webView, delegate, [NSURLRequest requestWithURL:[NSURL URLWithString:@"https://example.com/"]]);
    EXPECT_WK_STREQ(webView.get().URL.absoluteString, "https://example.com/");

    // The page itself, and its XHR to example.com, are both served by the plain-HTTP proxy.
    [webView loadRequest:[NSURLRequest requestWithURL:[NSURL URLWithString:@"http://example.org/"]]];
    EXPECT_WK_STREQ([webView _test_waitForAlert], "http://example.com/ hi");
    EXPECT_EQ(httpServer.totalRequests(), 2u);
}

// Cross-origin redirect in a top-level navigation: example.org answers 301 to
// http://example.com/, and because example.com already has an HSTS entry the redirect
// target is upgraded to https:// and served by the HTTPS proxy. Only the initial
// example.org request reaches httpServer, hence a count of 1.
TEST(HSTS, CrossOriginRedirect)
{
    auto httpsServer = hstsServer();
    HTTPServer httpServer({
        { "http://example.com/", { "hi" } },
        { "http://example.org/", { 301, {{ "Location", "http://example.com/" }} } },
    });
    auto [webView, delegate] = hstsWebViewAndDelegate(httpsServer, httpServer);

    // Establish the HSTS entry for example.com as a first party.
    loadAndWaitUntilFinished(webView, delegate, [NSURLRequest requestWithURL:[NSURL URLWithString:@"https://example.com/"]]);
    EXPECT_WK_STREQ(webView.get().URL.absoluteString, "https://example.com/");

    // The redirect's http:// destination is rewritten to https:// before being fetched.
    loadAndWaitUntilFinished(webView, delegate, [NSURLRequest requestWithURL:[NSURL URLWithString:@"http://example.org/"]]);
    EXPECT_WK_STREQ(webView.get().URL.absoluteString, "https://example.com/");
    EXPECT_EQ(httpServer.totalRequests(), 1u);
}

#endif // HAVE(CFNETWORK_NSURLSESSION_HSTS_WITH_UNTRUSTED_ROOT)

} // namespace TestWebKitAPI