Mercurial > integration > autoland / changeset / e47127323735b990d6f808c35f5730d0610483b2
summary | shortlog | changelog | pushlog | graph | tags | bookmarks | branches | files | changeset | raw | zip | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Bug 1450309 - Allow nSIContentPolicy to reject based on enterprise policy. r=ckerschb
authorMichael Kaply <mozilla@kaply.com>
Sat, 03 Oct 2020 00:02:19 +0000
changeset 551376 e47127323735b990d6f808c35f5730d0610483b2
parent 551375 863e0eb77fb0c830b802980da3ad39b6b1bea5af
child 551377 011ac3fee0047adb4049c73e05831b2ecc13edd8
push id127828
push usermozilla@kaply.com
push dateSat, 03 Oct 2020 05:53:09 +0000
treeherderautoland@011ac3fee004 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersckerschb
bugs1450309
milestone83.0a1
first release with
nightly linux32
33139800aca5 / 83.0a1 / 20201003215356 / files
nightly linux64
33139800aca5 / 83.0a1 / 20201003215356 / files
nightly mac
33139800aca5 / 83.0a1 / 20201003215356 / files
nightly win32
33139800aca5 / 83.0a1 / 20201003215356 / files
nightly win64
33139800aca5 / 83.0a1 / 20201003215356 / files
last release without
nightly linux32
c25899d7b631 / 83.0a1 / 20201002154327 / files
nightly linux64
c25899d7b631 / 83.0a1 / 20201002154327 / files
nightly mac
c25899d7b631 / 83.0a1 / 20201002154327 / files
nightly win32
c25899d7b631 / 83.0a1 / 20201002154327 / files
nightly win64
c25899d7b631 / 83.0a1 / 20201002154327 / files
Bug 1450309 - Allow nSIContentPolicy to reject based on enterprise policy. r=ckerschb Differential Revision: https://phabricator.services.mozilla.com/D91487
docshell/base/nsDocShell.cpp file | annotate | diff | comparison | revisions
dom/base/nsIContentPolicy.idl file | annotate | diff | comparison | revisions
dom/security/nsContentSecurityManager.cpp file | annotate | diff | comparison | revisions 
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@@ -8426,18 +8426,23 @@ nsresult nsDocShell::PerformRetargeting(
     secCheckLoadInfo->SetSkipContentPolicyCheckForWebRequest(true);
 
     int16_t shouldLoad = nsIContentPolicy::ACCEPT;
     rv = NS_CheckContentLoadPolicy(aLoadState->URI(), secCheckLoadInfo,
                                    ""_ns,  // mime guess
                                    &shouldLoad);
 
     if (NS_FAILED(rv) || NS_CP_REJECTED(shouldLoad)) {
-      if (NS_SUCCEEDED(rv) && shouldLoad == nsIContentPolicy::REJECT_TYPE) {
-        return NS_ERROR_CONTENT_BLOCKED_SHOW_ALT;
+      if (NS_SUCCEEDED(rv)) {
+        if (shouldLoad == nsIContentPolicy::REJECT_TYPE) {
+          return NS_ERROR_CONTENT_BLOCKED_SHOW_ALT;
+        }
+        if (shouldLoad == nsIContentPolicy::REJECT_POLICY) {
+          return NS_ERROR_BLOCKED_BY_POLICY;
+        }
       }
 
       return NS_ERROR_CONTENT_BLOCKED;
     }
   }
 
   //
   // Resolve the window target before going any further...
--- a/dom/base/nsIContentPolicy.idl
+++ b/dom/base/nsIContentPolicy.idl
@@ -464,16 +464,22 @@ interface nsIContentPolicy : nsISupports
    * based on some other criteria. Mozilla callers will handle this like
    * REJECT_REQUEST; third-party implementors may, for example, use this to
    * direct their own callers to consult the extra parameter for additional
    * details.
    */
   const short REJECT_OTHER = -4;
 
   /**
+   * Returned from shouldLoad or shouldProcess if the load/process is forbiddden
+   * based on enterprise policy.
+   */
+  const short REJECT_POLICY = -5;
+
+  /**
    * Returned from shouldLoad or shouldProcess if the load or process request
    * is not rejected.
    */
   const short ACCEPT = 1;
 
   /**
    * Should the resource at this location be loaded?
    * ShouldLoad will be called before loading the resource at aContentLocation
--- a/dom/security/nsContentSecurityManager.cpp
+++ b/dom/security/nsContentSecurityManager.cpp
@@ -583,21 +583,26 @@ static nsresult DoContentSecurityChecks(
   int16_t shouldLoad = nsIContentPolicy::ACCEPT;
   rv = NS_CheckContentLoadPolicy(uri, aLoadInfo, mimeTypeGuess, &shouldLoad,
                                  nsContentUtils::GetContentPolicy());
 
   if (NS_FAILED(rv) || NS_CP_REJECTED(shouldLoad)) {
     NS_SetRequestBlockingReasonIfNull(
         aLoadInfo, nsILoadInfo::BLOCKING_REASON_CONTENT_POLICY_GENERAL);
 
-    if ((NS_SUCCEEDED(rv) && shouldLoad == nsIContentPolicy::REJECT_TYPE) &&
+    if (NS_SUCCEEDED(rv) &&
         (contentPolicyType == nsIContentPolicy::TYPE_DOCUMENT ||
          contentPolicyType == nsIContentPolicy::TYPE_SUBDOCUMENT)) {
-      // for docshell loads we might have to return SHOW_ALT.
-      return NS_ERROR_CONTENT_BLOCKED_SHOW_ALT;
+      if (shouldLoad == nsIContentPolicy::REJECT_TYPE) {
+        // for docshell loads we might have to return SHOW_ALT.
+        return NS_ERROR_CONTENT_BLOCKED_SHOW_ALT;
+      }
+      if (shouldLoad == nsIContentPolicy::REJECT_POLICY) {
+        return NS_ERROR_BLOCKED_BY_POLICY;
+      }
     }
     return NS_ERROR_CONTENT_BLOCKED;
   }
 
   return NS_OK;
 }
 
 static void LogPrincipal(nsIPrincipal* aPrincipal,
autoland
Deployed from e404c980045c at 2021-03-01T18:43:47Z.