QA/Firefox3.5/XHR TestPlan: Difference between revisions

From MozillaWiki
< QA‎ | Firefox3.5
Jump to navigation Jump to search
No edit summary
 
(34 intermediate revisions by 2 users not shown)
Line 25: Line 25:
** Ensure the access control check is properly followed (tests that error out at each stage) Section 5.2
** Ensure the access control check is properly followed (tests that error out at each stage) Section 5.2


== Test cases ==
 
* test forcing preflight to false and trying a REQ that is not GET or POST
== Test Cases ==
* force preflight to false try a REQ with a header that contains a header not in the header whitelist
* {{done|Test various values of origin}}
* force preflight to be true and try a REQ that is GET or POST and contains whitelist headers (should still do preflight check)
* {{done|Ensure preflight req gets fired when try a REQ that is not GET or POST}}
* perform a simple XSS REQ and get a RESP header not in RESP header whitelist (UA should filter it out)
* {{done|Ensure prelight req gets fired when REQ with header not in whitelist}}
* perform a REQ that gets the URL return flag and then fetches the same site URL (necessary??)
* {{done|Ensure that in a situation where preflight is forced to be true (due to update progress listeners) we still do that even though everything else about our REQ is simple XSS}}
* is it useful to attempt faking the origin settng on a XHR request?
* {{done|test error handling when we get a XSS REQ and get a header not in RESP header whitelist - ensure both looking for specific header and looking for all headers doesn't display the header}}
* Test redirects:
* {{done|attempt to fake the origin on the REQ}}
** force new URL scheme to some unsupported scheme --> network error
* {{done|redirects (see redirect cases below)}}
** force infinite loop to occur --> network error
* {{done|Ensure no trusted data ever exposed of the resource}}
** force disconnect or invalid response --> network error
* {{done|test expiration of a access-control-max-age header from a result cache}}
** if REQ URL contains the xxxpersonal data production -> network error
* {{done|test with access-control-allow-credentials as both true and false}}
** REQ URL an source origin are same origin --> should get "same-origin" status
* {{done|use access-control-allow-methods to ensure only specified methods work}}
* {{done|do the same with *-headers.}}
* {{done|test correct request with an origin from evil.com and see if the specification blocks the request (isn't that part of the server code and outside our control?)}}
*{{done|test access-control-request-method/-header to ensure that non-allowed method/headers are blocked from the actual request as part of the pre-flight}}
* {{todo|XMLHttpRequest::getResponseHeader() does not have access to the Cookie2 header and other headers not on Response Header whitelist}}
* {{done|Attempt to set a cookie on the REQ}}
* {{done|Ensure we have a test for a proper access-control-allow-origin header}}
* {{done|Can we simply create a testcase where we attempt a REQ without an origin?}}
 
=== Simple XSS XHR ===
* {{done|preflight false, REQ method GET && headers in whitelist --> work}}
* preflight false, REQ method HEAD && headers in whitelist --> work
** {{done|ensure we get the "success" status flag}}
* {{done|preflight false, REQ method GET && headers ! in whitelist --> preflight}}
* {{done|preflight false, REQ method HEAD && headers ! in whitelist --> preflight}}
* {{done|preflight false, REQ method POST && headers ! in whitelist -- preflight}}
* {{done|preflight}} false, REQ method POST && headers in whitelist && Header contains content-type but value of content-type != (application/x-www-form-urlencoded, multipart/form-dat, or text/plain) --> preflight
** {{done|the above with content-type}} == to each of those three things --> work
*** {{done|content-type}} == text/plain
*** {{done|content-type}} == application/x-www-form-urlencoded. I disagree with spec here. Should raise with spec editor.
*** {{done|content-type}} == multipart/form-data. I disagree with spec here. Should raise with spec editor.
* {{todo|getResponseHeader() does not get access to cookie2 header and othe headers not in RESP whitelist}}
* {{todo|cause a user cancel and ensure abort steps followed}}
* {{todo|cause a network error (by failing access control check) and ensure network error steps are followed}}
* {{done|ensure access control check works status flag set to success, ensure REQ not terminated}}
 
=== Preflight XSS XHR ===
* {{done|test using a cached entry after the time has expired --> should get a notification of failure that you need to preflight again}}
* {{done|test that a method name matches case insensitively}}
* test that headers match case insensitively
* {{done|test that every header name matches header in the cache}}
* {{done|test when both a header and a method are specified that we match the proper one}}
* {{done|test that if no expiration time given, no cache entry made}}
* {{done|test that when we do not have all the headers in our request that are in the cache --> cache fail}}
* {{done|test that we do not have a method that matches --> cache fail}}
* {{done|test that multiple methods can be cached and retrieved}}
* {{done|test that both header and method are empty when they are not empty in the cache --> cache fail}}
* can we make a preflight with credentials?  Should fail, should not be allowed. (JS: You can check if the preflight has cookies)
* can we make a preflight with an entity body? should fail, should not be allowed. (JS: You can check if the preflight has body)
* {{skip|test redirect}}
* {{done|test alternate ways of specifying the expiration time (white space, invalid values etc)}}
* test abort
* test network error
* test access control fail --> ensure cache and network steps followed
* {{done|test failure to parse methods (value with a space for instance) when parsing the access-control-allow-methods values --> cache and network steps}}
* {{done|test}} failure to parse headers when parsing access-control-headers --> cache and network steps
* {{done|test that every REQ header does not match headers --> cache & network steps}}
* {{done|test that REQ header not in simple header whitelist --> cache & network steps}}
* {{skip|Ensure}} that preflight requests that succeed update cache entries (spec no longer requires updating, but tests do ensure that cache entries are created and removed - ct)
* {{done|if}} actual request gets redirect --> cache and network steps (handled by redirect tests)
* if actual req canceled -> abort
* if actual req network error -> network eror
* if actual req access check fails -> cache & network steps
* test that an actual req can pass
 
=== cache matches ===
* ensure that when testing for cache matches we fail when any of these conditions are met:
** {{done|URL}} != REQ URL
** origin  != source origin
** credentials != credentials flag
 
=== cache & network steps ===
* {{skip|remove cache entries for source origin and URL - can we test that the entries get removed? (JS: not done, and not yet implemented)}}
* {{skip|return network error}}
 
=== cache updates ===
* {{done|ensure that for each method in methods of the preflight REQ an entry is made in the cache}}
* {{skip|ensure that for each method in methods of the preflight REQ where there is already an entry in the cache, update the expiry time (no longer in spec - ct) }}
* {{done|ensure that for each header in header of the preflight REQ an entry is made in the cache}}
* {{skip|ensure that for each header in header of the preflight REQ where there is already an entry in the cache, update the expiry time (no longer in spec - ct) }}
 
=== abort steps ===
* test that user cancel results in "abort" state being returned and the request stops
* {{todo|ensure no data passed back from an abort (necessary?) (JS: yes, necessary)}}
 
=== network error ===
* {{todo|ensure network error status and no data comes back to XHR (necessary?) (JS: yes, necessary)}}
 
=== cache steps ===
* check that an entry fro a network error is not used for the next request (network and cache error should clear cache)
* check that an preflight response that is a network error, but otherwise well formed, does not populate the cache or allow the REQ.
 
=== Access Control Check ===
* {{done|test with 0 access-control-allow-origin headers --> fail (JS: I think done)}}
* {{done|test with > 1 access-control-allow-origin-headers --> fail}}
* {{done|test}} with access-control-allow-origin == * && credentials flag == false ---> return pass
* {{done|test}} with access-control-allow-origin != source origin --> return fail
* {{done|test}} with credentials flag == true && 0 access-control-allow-origin hdr --> fail (JS: I think done)
* {{done|test}} with credentials flag == true && access-control-allow-credentials is not true --> fail
* {{done|test}} with credentials flag == true && access-control-allow-credentials == true && 0 access-control-allow-origin --> fail
* {{done|test}} with credentials flag == true && access-control-allow-credentials == true && >1 access-control-allow-origin --> fail
* {{done|test}} with credentials flag == true && access-control-allow-credentials == true && 1 access-control-allow-origin --> pass
* {{done|test}} with credentials flag == false && access-control-allow-credentials==true && 1 access-control-allow-origin --> pass (as per the spec, unspecified case) (JS: I think done)
* {{done|test}} with access-control-allow-origin == * && credentials flag == false && access-allow-credentials == true --> pass
* {{done|test}} with access-control-allow-origin == * && credentials flag == false && access-allow-credentials == false --> pass
* {{done|test}} with access-control-allow-origin == * && credentials flag == true && access-allow-credentials == true --> pass
 
=== Redirect Steps ===
* {{done|Test redirects:}}
** {{done|force new URL scheme to some unsupported scheme --> network error}}
** {{todo|force infinite loop to occur --> network error}}
** {{todo|force disconnect or invalid response --> network error}}
** {{done|if REQ URL contains the userinfo production (user name and password in URL) -> network error}}
** {{done|REQ URL and source origin are same origin --> should get "same-origin" status (spec should be changed to still require access control headers)}}
** access control check returns fail --> network error
** access control check returns fail --> network error
** if nothing goes wrong, ensure redirect followed and XSS XHR request rules followed
** {{done|if nothing goes wrong, ensure redirect followed and XSS XHR request rules followed}}
* abort steps:
 
** test that user cancel results in "abort" state being returned and the request stops
== References ==
** ensure no data passed back from an abort (necessary?)
REQ hdr whitelist (case insensitive matching):
* network error
* Accept
** esure network error status and no data comes back to XHR (necessary?)
* Accept-Language
* cache
* Content-Language
** check that an entry fro a network error is not used for the next request (network and cache error should clear cache)
* Content-Type
*
 
RESP HDR whitelist (case insisitive)
* Cache-Control
* Content-Language
* Content-Type
* Expires
* Last-Modified
* Pragma
 
== Things we probably won't get to testing ==
* disk full - should stop caching and stop updating cache entries


== Things we'd like to get to testing ==
== Things we'd like to get to testing ==
'' Can we get the security team to help with some of this part? ''
'' Can we get the security team to help with some of this part? ''
* All the items in the "Requirements" section are nice to haves that really sound pretty crucial to release this as a secure feature of the product.
* All the items in the "Requirements" section are nice to haves that really sound pretty crucial to release this as a secure feature of the product.
 
* private browsing mode - should not cache entries
== Test Cases ==
* what happens if user makes a request, goes offline, and comes back online
* Cannot get document.cookie of requested resource
* what happens if these requests are done through Worker threads
* Ensure no trusted data ever exposed of the resource
* resource with two access-control-allow-origin headers one with site and one with * -> should be relegated only to the site one
* test expiration of a access-control-max-age header from a result cache
* test with access-control-allow-credentials as both true and false
* use access-control-allow-methods to ensure only specified methods work (disable get for ex)
* do the same with *-headers.
* test correct request with an origin from evil.com and see if the specification blocks the request (isn't that part of the server code and outside our control?)
* test access-control-request-method/-header to ensure that non-allowed method/headers are blocked from the actual request as part of the pre-flight
* XMLHttpRequest::getResponseHeader() does not have access to the Cookie2 header and other headers not on Response Header whitelist


= Schedule Scoping =
= Schedule Scoping =

Latest revision as of 03:54, 24 March 2009

« QA/Firefox3.1/TestPlan

XS-XHR Test plan

Overview

Provides a mechanism to safely allow cross site XHR calls to a white listed grouping of domains while keeping private information on web sites safeguarded at the same time.

Test Strategy

  • Test that we handle redirects to non-same origin hosts properly
  • Test that we handle redirects to same origin hosts without change (i.e. behavior should not be affected)
  • Test that internal resources that exist and do not exist look the same until access is granted to the requestor
  • Test that HTTP header data is not exposed (HOW?)
  • Ensure that cookies are not set for the request (HOW?)
  • Test that malformed Access-Control-Allow-Origin flags are thrown out
  • Test that the wildcards work
  • Test delta seconds timeout on max-age header
  • Verify each algorithm outlined in the Processing model
    • 5.1 Cross-Site Access Request
    • 5.1.1 Cross-site access source origin
    • 5.1.2 Cross-Site Access Request Header Lists
    • 5.1.3 Simple Cross Site Access Request
    • 5.1.4 Cross site Access Request with Preflight
    • 5.1.5 Ensure these redirect policies are followed for generic XS access requests
    • Ensure the access control check is properly followed (tests that error out at each stage) Section 5.2


Test Cases

  • [DONE] Test various values of origin
  • [DONE] Ensure preflight req gets fired when try a REQ that is not GET or POST
  • [DONE] Ensure prelight req gets fired when REQ with header not in whitelist
  • [DONE] Ensure that in a situation where preflight is forced to be true (due to update progress listeners) we still do that even though everything else about our REQ is simple XSS
  • [DONE] test error handling when we get a XSS REQ and get a header not in RESP header whitelist - ensure both looking for specific header and looking for all headers doesn't display the header
  • [DONE] attempt to fake the origin on the REQ
  • [DONE] redirects (see redirect cases below)
  • [DONE] Ensure no trusted data ever exposed of the resource
  • [DONE] test expiration of a access-control-max-age header from a result cache
  • [DONE] test with access-control-allow-credentials as both true and false
  • [DONE] use access-control-allow-methods to ensure only specified methods work
  • [DONE] do the same with *-headers.
  • [DONE] test correct request with an origin from evil.com and see if the specification blocks the request (isn't that part of the server code and outside our control?)
  • [DONE] test access-control-request-method/-header to ensure that non-allowed method/headers are blocked from the actual request as part of the pre-flight
  • [TODO] XMLHttpRequest::getResponseHeader() does not have access to the Cookie2 header and other headers not on Response Header whitelist
  • [DONE] Attempt to set a cookie on the REQ
  • [DONE] Ensure we have a test for a proper access-control-allow-origin header
  • [DONE] Can we simply create a testcase where we attempt a REQ without an origin?

Simple XSS XHR

  • [DONE] preflight false, REQ method GET && headers in whitelist --> work
  • preflight false, REQ method HEAD && headers in whitelist --> work
    • [DONE] ensure we get the "success" status flag
  • [DONE] preflight false, REQ method GET && headers ! in whitelist --> preflight
  • [DONE] preflight false, REQ method HEAD && headers ! in whitelist --> preflight
  • [DONE] preflight false, REQ method POST && headers ! in whitelist -- preflight
  • [DONE] preflight false, REQ method POST && headers in whitelist && Header contains content-type but value of content-type != (application/x-www-form-urlencoded, multipart/form-dat, or text/plain) --> preflight
    • [DONE] the above with content-type == to each of those three things --> work
      • [DONE] content-type == text/plain
      • [DONE] content-type == application/x-www-form-urlencoded. I disagree with spec here. Should raise with spec editor.
      • [DONE] content-type == multipart/form-data. I disagree with spec here. Should raise with spec editor.
  • [TODO] getResponseHeader() does not get access to cookie2 header and othe headers not in RESP whitelist
  • [TODO] cause a user cancel and ensure abort steps followed
  • [TODO] cause a network error (by failing access control check) and ensure network error steps are followed
  • [DONE] ensure access control check works status flag set to success, ensure REQ not terminated

Preflight XSS XHR

  • [DONE] test using a cached entry after the time has expired --> should get a notification of failure that you need to preflight again
  • [DONE] test that a method name matches case insensitively
  • test that headers match case insensitively
  • [DONE] test that every header name matches header in the cache
  • [DONE] test when both a header and a method are specified that we match the proper one
  • [DONE] test that if no expiration time given, no cache entry made
  • [DONE] test that when we do not have all the headers in our request that are in the cache --> cache fail
  • [DONE] test that we do not have a method that matches --> cache fail
  • [DONE] test that multiple methods can be cached and retrieved
  • [DONE] test that both header and method are empty when they are not empty in the cache --> cache fail
  • can we make a preflight with credentials? Should fail, should not be allowed. (JS: You can check if the preflight has cookies)
  • can we make a preflight with an entity body? should fail, should not be allowed. (JS: You can check if the preflight has body)
  • [SKIPPED] test redirect
  • [DONE] test alternate ways of specifying the expiration time (white space, invalid values etc)
  • test abort
  • test network error
  • test access control fail --> ensure cache and network steps followed
  • [DONE] test failure to parse methods (value with a space for instance) when parsing the access-control-allow-methods values --> cache and network steps
  • [DONE] test failure to parse headers when parsing access-control-headers --> cache and network steps
  • [DONE] test that every REQ header does not match headers --> cache & network steps
  • [DONE] test that REQ header not in simple header whitelist --> cache & network steps
  • [SKIPPED] Ensure that preflight requests that succeed update cache entries (spec no longer requires updating, but tests do ensure that cache entries are created and removed - ct)
  • [DONE] if actual request gets redirect --> cache and network steps (handled by redirect tests)
  • if actual req canceled -> abort
  • if actual req network error -> network eror
  • if actual req access check fails -> cache & network steps
  • test that an actual req can pass

cache matches

  • ensure that when testing for cache matches we fail when any of these conditions are met:
    • [DONE] URL != REQ URL
    • origin  != source origin
    • credentials != credentials flag

cache & network steps

  • [SKIPPED] remove cache entries for source origin and URL - can we test that the entries get removed? (JS: not done, and not yet implemented)
  • [SKIPPED] return network error

cache updates

  • [DONE] ensure that for each method in methods of the preflight REQ an entry is made in the cache
  • [SKIPPED] ensure that for each method in methods of the preflight REQ where there is already an entry in the cache, update the expiry time (no longer in spec - ct)
  • [DONE] ensure that for each header in header of the preflight REQ an entry is made in the cache
  • [SKIPPED] ensure that for each header in header of the preflight REQ where there is already an entry in the cache, update the expiry time (no longer in spec - ct)

abort steps

  • test that user cancel results in "abort" state being returned and the request stops
  • [TODO] ensure no data passed back from an abort (necessary?) (JS: yes, necessary)

network error

  • [TODO] ensure network error status and no data comes back to XHR (necessary?) (JS: yes, necessary)

cache steps

  • check that an entry fro a network error is not used for the next request (network and cache error should clear cache)
  • check that an preflight response that is a network error, but otherwise well formed, does not populate the cache or allow the REQ.

Access Control Check

  • [DONE] test with 0 access-control-allow-origin headers --> fail (JS: I think done)
  • [DONE] test with > 1 access-control-allow-origin-headers --> fail
  • [DONE] test with access-control-allow-origin == * && credentials flag == false ---> return pass
  • [DONE] test with access-control-allow-origin != source origin --> return fail
  • [DONE] test with credentials flag == true && 0 access-control-allow-origin hdr --> fail (JS: I think done)
  • [DONE] test with credentials flag == true && access-control-allow-credentials is not true --> fail
  • [DONE] test with credentials flag == true && access-control-allow-credentials == true && 0 access-control-allow-origin --> fail
  • [DONE] test with credentials flag == true && access-control-allow-credentials == true && >1 access-control-allow-origin --> fail
  • [DONE] test with credentials flag == true && access-control-allow-credentials == true && 1 access-control-allow-origin --> pass
  • [DONE] test with credentials flag == false && access-control-allow-credentials==true && 1 access-control-allow-origin --> pass (as per the spec, unspecified case) (JS: I think done)
  • [DONE] test with access-control-allow-origin == * && credentials flag == false && access-allow-credentials == true --> pass
  • [DONE] test with access-control-allow-origin == * && credentials flag == false && access-allow-credentials == false --> pass
  • [DONE] test with access-control-allow-origin == * && credentials flag == true && access-allow-credentials == true --> pass

Redirect Steps

  • [DONE] Test redirects:
    • [DONE] force new URL scheme to some unsupported scheme --> network error
    • [TODO] force infinite loop to occur --> network error
    • [TODO] force disconnect or invalid response --> network error
    • [DONE] if REQ URL contains the userinfo production (user name and password in URL) -> network error
    • [DONE] REQ URL and source origin are same origin --> should get "same-origin" status (spec should be changed to still require access control headers)
    • access control check returns fail --> network error
    • [DONE] if nothing goes wrong, ensure redirect followed and XSS XHR request rules followed

References

REQ hdr whitelist (case insensitive matching):

  • Accept
  • Accept-Language
  • Content-Language
  • Content-Type

RESP HDR whitelist (case insisitive)

  • Cache-Control
  • Content-Language
  • Content-Type
  • Expires
  • Last-Modified
  • Pragma

Things we probably won't get to testing

  • disk full - should stop caching and stop updating cache entries

Things we'd like to get to testing

Can we get the security team to help with some of this part?

  • All the items in the "Requirements" section are nice to haves that really sound pretty crucial to release this as a secure feature of the product.
  • private browsing mode - should not cache entries
  • what happens if user makes a request, goes offline, and comes back online
  • what happens if these requests are done through Worker threads

Schedule Scoping

Patch landed, was reopened.

It's going to take probably the better part of a week to get these implemented, unless we come up with a pretty simple way to fake the XS scripting stuff in mochitest. Todo: Look for example tests

References

Retrieved from "https://wiki.allizom.org/index.php?title=QA/Firefox3.5/XHR_TestPlan&oldid=135746"