diff options
| author | Simon McVittie <smcv@debian.org> | 2014-10-05 22:56:55 +0100 |
|---|---|---|
| committer | Simon McVittie <smcv@debian.org> | 2014-10-05 23:49:37 +0100 |
| commit | d712389ae3e8351c1416aa81d4b85586cf98f002 (patch) | |
| tree | 061c5a01b27288baa7b90d96fab19dd1513ee3bd /t | |
| parent | 5014a091ba14a6ecf05cfc5f5ae67331b506b348 (diff) | |
| download | ikiwiki-d712389ae3e8351c1416aa81d4b85586cf98f002.tar ikiwiki-d712389ae3e8351c1416aa81d4b85586cf98f002.tar.gz | |
Avoid mixed content when cgiurl is https but url is not
Diffstat (limited to 't')
| -rwxr-xr-x | t/relativity.t | 16 | ||||
| -rwxr-xr-x | t/urlto.t | 10 |
2 files changed, 12 insertions, 14 deletions
diff --git a/t/relativity.t b/t/relativity.t index 6c4d1107e..675efc903 100755 --- a/t/relativity.t +++ b/t/relativity.t @@ -407,12 +407,9 @@ run(["./t/tmp/ikiwiki.cgi"], \undef, \$content, init => sub { $ENV{HTTPS} = 'on'; }); %bits = parse_cgi_content($content); -TODO: { -local $TODO = "avoid mixed content"; is($bits{basehref}, "https://example.com/wiki/"); like($bits{stylehref}, qr{^(?:(?:https:)?//example.com)?/wiki/style.css$}); like($bits{tophref}, qr{^(?:/wiki|\.)/$}); -} like($bits{cgihref}, qr{^(?:(?:https:)?//example.com)?/cgi-bin/ikiwiki.cgi$}); # when not accessed via HTTPS, ??? @@ -439,11 +436,13 @@ run(["./t/tmp/ikiwiki.cgi"], \undef, \$content, init => sub { $ENV{HTTPS} = 'on'; }); %bits = parse_cgi_content($content); +# because the static and dynamic stuff is on the same server, we assume that +# both are also on the staging server +like($bits{basehref}, qr{^https://staging.example.net/wiki/$}); +like($bits{stylehref}, qr{^(?:(?:https:)?//staging.example.net)?/wiki/style.css$}); +like($bits{tophref}, qr{^(?:(?:(?:https:)?//staging.example.net)?/wiki|\.)/$}); TODO: { -local $TODO = "avoid mixed content"; -like($bits{basehref}, qr{^https://example.com/wiki/$}); -like($bits{stylehref}, qr{^(?:(?:https:)?//example.com)?/wiki/style.css$}); -like($bits{tophref}, qr{^(?:(?:(?:https:)?//example.com)?/wiki|\.)/$}); +local $TODO = "this should really point back to itself but currently points to example.com"; like($bits{cgihref}, qr{^(?:(?:https:)?//staging.example.net)?/cgi-bin/ikiwiki.cgi$}); } @@ -458,11 +457,8 @@ run(["./t/tmp/ikiwiki.cgi"], \$in, \$content, init => sub { $ENV{HTTPS} = 'on'; }); %bits = parse_cgi_content($content); -TODO: { -local $TODO = "avoid mixed content"; is($bits{basehref}, "https://example.com/wiki/a/b/c/"); like($bits{stylehref}, qr{^(?:(?:https:)?//example.com)?/wiki/style.css$}); -} like($bits{tophref}, qr{^(?:/wiki|\.\./\.\./\.\.)/$}); like($bits{cgihref}, qr{^(?:(?:https:)?//example.com)?/cgi-bin/ikiwiki.cgi$}); @@ -50,11 +50,13 @@ is(IkiWiki::baseurl(undef), "//example.co.uk/~smcv/"); is(IkiWiki::urlto('stoats', undef), "//example.co.uk/~smcv/stoats/"); is(IkiWiki::urlto('', undef), "//example.co.uk/~smcv/"); -# with url and cgiurl on different schemes, "local" degrades to absolute +# with url and cgiurl on different schemes, "local" degrades to absolute for +# CGI but protocol-relative for static content, to avoid the CGI having +# mixed content $IkiWiki::config{url} = "http://example.co.uk/~smcv"; $IkiWiki::config{cgiurl} = "https://dynamic.example.co.uk/~smcv/ikiwiki.cgi"; is(IkiWiki::checkconfig(), 1); is(IkiWiki::cgiurl(), "https://dynamic.example.co.uk/~smcv/ikiwiki.cgi"); -is(IkiWiki::baseurl(undef), "http://example.co.uk/~smcv/"); -is(IkiWiki::urlto('stoats', undef), "http://example.co.uk/~smcv/stoats/"); -is(IkiWiki::urlto('', undef), "http://example.co.uk/~smcv/"); +is(IkiWiki::baseurl(undef), "//example.co.uk/~smcv/"); +is(IkiWiki::urlto('stoats', undef), "//example.co.uk/~smcv/stoats/"); +is(IkiWiki::urlto('', undef), "//example.co.uk/~smcv/"); |