Bug 1450309 - Allow nSIContentPolicy to reject based on enterprise policy. r=ckerschb
authorMichael Kaply <mozilla@kaply.com>
Sat, 03 Oct 2020 00:02:19 +0000
changeset 551376 e47127323735b990d6f808c35f5730d0610483b2
parent 551375 863e0eb77fb0c830b802980da3ad39b6b1bea5af
child 551377 011ac3fee0047adb4049c73e05831b2ecc13edd8
push id127828
push usermozilla@kaply.com
push dateSat, 03 Oct 2020 05:53:09 +0000
reviewersckerschb
bugs1450309
milestone83.0a1
Bug 1450309 - Allow nsIContentPolicy to reject based on enterprise policy. r=ckerschb

Differential Revision: https://phabricator.services.mozilla.com/D91487
docshell/base/nsDocShell.cpp
dom/base/nsIContentPolicy.idl
dom/security/nsContentSecurityManager.cpp
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@@ -8426,18 +8426,23 @@ nsresult nsDocShell::PerformRetargeting(
     secCheckLoadInfo->SetSkipContentPolicyCheckForWebRequest(true);
 
     int16_t shouldLoad = nsIContentPolicy::ACCEPT;
     rv = NS_CheckContentLoadPolicy(aLoadState->URI(), secCheckLoadInfo,
                                    ""_ns,  // mime guess
                                    &shouldLoad);
 
     if (NS_FAILED(rv) || NS_CP_REJECTED(shouldLoad)) {
-      if (NS_SUCCEEDED(rv) && shouldLoad == nsIContentPolicy::REJECT_TYPE) {
-        return NS_ERROR_CONTENT_BLOCKED_SHOW_ALT;
+      if (NS_SUCCEEDED(rv)) {
+        if (shouldLoad == nsIContentPolicy::REJECT_TYPE) {
+          return NS_ERROR_CONTENT_BLOCKED_SHOW_ALT;
+        }
+        if (shouldLoad == nsIContentPolicy::REJECT_POLICY) {
+          return NS_ERROR_BLOCKED_BY_POLICY;
+        }
       }
 
       return NS_ERROR_CONTENT_BLOCKED;
     }
   }
 
   //
   // Resolve the window target before going any further...
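Review bot: The REJECT_TYPE / REJECT_POLICY to nsresult mapping added in this block is written a second time in DoContentSecurityChecks (dom/security/nsContentSecurityManager.cpp), where it is additionally gated on the content policy type. Two hand-maintained copies of a security decision tend to drift when the next reject code is added, so a small shared helper would be safer. Failing that, the new branch deserves a comment such as `// Enterprise policy block: return a distinct error instead of the generic NS_ERROR_CONTENT_BLOCKED.` The changeset's file list shows no test file, so nothing visible here pins that a REJECT_POLICY verdict yields NS_ERROR_BLOCKED_BY_POLICY. PerformRetargeting starts before and continues after this hunk.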
--- a/dom/base/nsIContentPolicy.idl
+++ b/dom/base/nsIContentPolicy.idl
@@ -464,16 +464,22 @@ interface nsIContentPolicy : nsISupports
    * based on some other criteria. Mozilla callers will handle this like
    * REJECT_REQUEST; third-party implementors may, for example, use this to
    * direct their own callers to consult the extra parameter for additional
    * details.
    */
   const short REJECT_OTHER = -4;
 
   /**
+   * Returned from shouldLoad or shouldProcess if the load/process is forbiddden
+   * based on enterprise policy.
+   */
+  const short REJECT_POLICY = -5;
+
+  /**
    * Returned from shouldLoad or shouldProcess if the load or process request
    * is not rejected.
    */
   const short ACCEPT = 1;
 
   /**
    * Should the resource at this location be loaded?
    * ShouldLoad will be called before loading the resource at aContentLocation
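Review bot: The doc comment on REJECT_POLICY misspells "forbidden" as "forbiddden". Unlike the REJECT_OTHER comment directly above it, it also does not tell implementors how callers treat the value. I would write the first sentence as `Returned from shouldLoad or shouldProcess if the load/process is forbidden based on enterprise policy.` and add a second sentence saying that callers which only test for rejection handle it like any other reject code, while document loads report NS_ERROR_BLOCKED_BY_POLICY. That second sentence is inferred from the two .cpp files in this changeset and should be confirmed against the remaining callers.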
--- a/dom/security/nsContentSecurityManager.cpp
+++ b/dom/security/nsContentSecurityManager.cpp
@@ -583,21 +583,26 @@ static nsresult DoContentSecurityChecks(
   int16_t shouldLoad = nsIContentPolicy::ACCEPT;
   rv = NS_CheckContentLoadPolicy(uri, aLoadInfo, mimeTypeGuess, &shouldLoad,
                                  nsContentUtils::GetContentPolicy());
 
   if (NS_FAILED(rv) || NS_CP_REJECTED(shouldLoad)) {
     NS_SetRequestBlockingReasonIfNull(
         aLoadInfo, nsILoadInfo::BLOCKING_REASON_CONTENT_POLICY_GENERAL);
 
-    if ((NS_SUCCEEDED(rv) && shouldLoad == nsIContentPolicy::REJECT_TYPE) &&
+    if (NS_SUCCEEDED(rv) &&
         (contentPolicyType == nsIContentPolicy::TYPE_DOCUMENT ||
          contentPolicyType == nsIContentPolicy::TYPE_SUBDOCUMENT)) {
-      // for docshell loads we might have to return SHOW_ALT.
-      return NS_ERROR_CONTENT_BLOCKED_SHOW_ALT;
+      if (shouldLoad == nsIContentPolicy::REJECT_TYPE) {
+        // for docshell loads we might have to return SHOW_ALT.
+        return NS_ERROR_CONTENT_BLOCKED_SHOW_ALT;
+      }
+      if (shouldLoad == nsIContentPolicy::REJECT_POLICY) {
+        return NS_ERROR_BLOCKED_BY_POLICY;
+      }
     }
     return NS_ERROR_CONTENT_BLOCKED;
   }
 
   return NS_OK;
 }
 
 static void LogPrincipal(nsIPrincipal* aPrincipal,
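Review bot: The REJECT_POLICY branch sits inside the TYPE_DOCUMENT / TYPE_SUBDOCUMENT guard, so a subresource load rejected by enterprise policy still returns the generic NS_ERROR_CONTENT_BLOCKED. The NS_SetRequestBlockingReasonIfNull call above it also records BLOCKING_REASON_CONTENT_POLICY_GENERAL for every rejection, policy ones included. If that is intended, say so next to the branch, for example `// Only document loads report NS_ERROR_BLOCKED_BY_POLICY; other types fall through to NS_ERROR_CONTENT_BLOCKED.` If administrators or tooling are meant to tell policy blocks apart from other content-policy blocks, the recorded blocking reason would need to distinguish them as well. The start of DoContentSecurityChecks is outside this hunk.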