Backed out 2 changesets (bug 1450309) for wpt failures on reporting-navigation.https.html. CLOSED TREE
authorCosmin Sabou <csabou@mozilla.com>
Thu, 01 Oct 2020 08:50:41 +0300
changeset 551013 efdf5255c248b66c9c132db4087f0ef464d5018a
parent 551012 9e61e67ae323fc6b32a5a8a0a3e367899a5b0afd
child 551014 9e0769bfbd9c2502a466ad0f3394e9dcb7f08041
push id127616
push usercsabou@mozilla.com
push dateThu, 01 Oct 2020 06:53:17 +0000
treeherderautoland@efdf5255c248 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
bugs1450309
milestone83.0a1
backs out7fae6ea289bde450c37ca6bb1e3dfa404e026572
14c35856cea4a26f80a6f6d7dcbd13c7f7ff07fd
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Backed out 2 changesets (bug 1450309) for wpt failures on reporting-navigation.https.html. CLOSED TREE Backed out changeset 7fae6ea289bd (bug 1450309) Backed out changeset 14c35856cea4 (bug 1450309)
browser/components/enterprisepolicies/Policies.jsm
browser/components/enterprisepolicies/helpers/WebsiteFilter.jsm
browser/components/enterprisepolicies/tests/browser/browser_policy_websitefilter.js
docshell/base/nsDocShell.cpp
dom/base/nsIContentPolicy.idl
dom/security/nsContentSecurityManager.cpp
--- a/browser/components/enterprisepolicies/Policies.jsm
+++ b/browser/components/enterprisepolicies/Policies.jsm
@@ -2006,17 +2006,20 @@ var Policies = {
       if ("SkipOnboarding") {
         setAndLockPref("browser.aboutwelcome.enabled", false);
       }
     },
   },
 
   WebsiteFilter: {
     onBeforeUIStartup(manager, param) {
-      WebsiteFilter.init(param.Block || [], param.Exceptions || []);
+      this.filter = new WebsiteFilter(
+        param.Block || [],
+        param.Exceptions || []
+      );
     },
   },
 };
 
 /*
  * ====================
  * = HELPER FUNCTIONS =
  * ====================
--- a/browser/components/enterprisepolicies/helpers/WebsiteFilter.jsm
+++ b/browser/components/enterprisepolicies/helpers/WebsiteFilter.jsm
@@ -13,18 +13,18 @@
  *
  * The exceptions list takes the same as input. This list opens up
  * exceptions for rules on the blocklist that might be too strict.
  *
  * In addition to that, this allows the user to create a whitelist approach,
  * by using the special "<all_urls>" pattern for the blocklist, and then
  * adding all whitelisted websites on the exceptions list.
  *
- * Note that this module only blocks top-level website navigations and embeds.
- * It does not block any other accesses to these urls: image tags, scripts, XHR, etc.,
+ * Note that this module only blocks top-level website navigations. It doesn't
+ * block any other accesses to these urls: image tags, scripts, XHR, etc.,
  * because that could cause unexpected breakage. This is a policy to block
  * users from visiting certain websites, and not from blocking any network
  * connections to those websites. If the admin is looking for that, the recommended
  * way is to configure that with extensions or through a company firewall.
  */
 
 const { XPCOMUtils } = ChromeUtils.import(
   "resource://gre/modules/XPCOMUtils.jsm"
@@ -43,91 +43,78 @@ XPCOMUtils.defineLazyGetter(this, "log",
     // messages during development. See LOG_LEVELS in Console.jsm for details.
     maxLogLevel: "error",
     maxLogLevelPref: PREF_LOGLEVEL,
   });
 });
 
 var EXPORTED_SYMBOLS = ["WebsiteFilter"];
 
-let WebsiteFilter = {
-  init(blocklist, exceptionlist) {
-    let blockArray = [],
-      exceptionArray = [];
+function WebsiteFilter(blocklist, exceptionlist) {
+  let blockArray = [],
+    exceptionArray = [];
 
-    for (let i = 0; i < blocklist.length && i < LIST_LENGTH_LIMIT; i++) {
-      try {
-        let pattern = new MatchPattern(blocklist[i].toLowerCase());
-        blockArray.push(pattern);
-        log.debug(`Pattern added to WebsiteFilter. Block: ${blocklist[i]}`);
-      } catch (e) {
-        log.error(`Invalid pattern on WebsiteFilter. Block: ${blocklist[i]}`);
-      }
+  for (let i = 0; i < blocklist.length && i < LIST_LENGTH_LIMIT; i++) {
+    try {
+      let pattern = new MatchPattern(blocklist[i]);
+      blockArray.push(pattern);
+      log.debug(`Pattern added to WebsiteFilter. Block: ${blocklist[i]}`);
+    } catch (e) {
+      log.error(`Invalid pattern on WebsiteFilter. Block: ${blocklist[i]}`);
     }
+  }
 
-    this._blockPatterns = new MatchPatternSet(blockArray);
+  this._blockPatterns = new MatchPatternSet(blockArray);
 
-    for (let i = 0; i < exceptionlist.length && i < LIST_LENGTH_LIMIT; i++) {
-      try {
-        let pattern = new MatchPattern(exceptionlist[i].toLowerCase());
-        exceptionArray.push(pattern);
-        log.debug(
-          `Pattern added to WebsiteFilter. Exception: ${exceptionlist[i]}`
-        );
-      } catch (e) {
-        log.error(
-          `Invalid pattern on WebsiteFilter. Exception: ${exceptionlist[i]}`
-        );
-      }
+  for (let i = 0; i < exceptionlist.length && i < LIST_LENGTH_LIMIT; i++) {
+    try {
+      let pattern = new MatchPattern(exceptionlist[i]);
+      exceptionArray.push(pattern);
+      log.debug(
+        `Pattern added to WebsiteFilter. Exception: ${exceptionlist[i]}`
+      );
+    } catch (e) {
+      log.error(
+        `Invalid pattern on WebsiteFilter. Exception: ${exceptionlist[i]}`
+      );
     }
+  }
 
-    if (exceptionArray.length) {
-      this._exceptionsPatterns = new MatchPatternSet(exceptionArray);
+  if (exceptionArray.length) {
+    this._exceptionsPatterns = new MatchPatternSet(exceptionArray);
+  }
+
+  Services.obs.addObserver(this, "http-on-modify-request", true);
+}
+
+WebsiteFilter.prototype = {
+  QueryInterface: ChromeUtils.generateQI([
+    "nsIObserver",
+    "nsISupportsWeakReference",
+  ]),
+
+  observe(subject, topic, data) {
+    let channel,
+      isDocument = false;
+    try {
+      channel = subject.QueryInterface(Ci.nsIHttpChannel);
+      isDocument = channel.isDocument;
+    } catch (e) {
+      return;
     }
 
-    let registrar = Components.manager.QueryInterface(Ci.nsIComponentRegistrar);
+    // Only filter document accesses
+    if (!isDocument) {
+      return;
+    }
 
-    if (!registrar.isContractIDRegistered(this.contractID)) {
-      registrar.registerFactory(
-        this.classID,
-        this.classDescription,
-        this.contractID,
-        this
-      );
-
-      Services.catMan.addCategoryEntry(
-        "content-policy",
-        this.contractID,
-        this.contractID,
-        false,
-        true
-      );
+    if (this._blockPatterns.matches(channel.URI)) {
+      if (
+        !this._exceptionsPatterns ||
+        !this._exceptionsPatterns.matches(channel.URI)
+      ) {
+        // NS_ERROR_BLOCKED_BY_POLICY displays the error message
+        // designed for policy-related blocks.
+        channel.cancel(Cr.NS_ERROR_BLOCKED_BY_POLICY);
+      }
     }
   },
-
-  shouldLoad(contentLocation, loadInfo, mimeTypeGuess) {
-    let contentType = loadInfo.externalContentPolicyType;
-    if (
-      contentType == Ci.nsIContentPolicy.TYPE_DOCUMENT ||
-      contentType == Ci.nsIContentPolicy.TYPE_SUBDOCUMENT
-    ) {
-      if (this._blockPatterns.matches(contentLocation.spec.toLowerCase())) {
-        if (
-          !this._exceptionsPatterns ||
-          !this._exceptionsPatterns.matches(contentLocation.spec.toLowerCase())
-        ) {
-          return Ci.nsIContentPolicy.REJECT_POLICY;
-        }
-      }
-    }
-    return Ci.nsIContentPolicy.ACCEPT;
-  },
-  shouldProcess(contentLocation, loadInfo, mimeTypeGuess) {
-    return Ci.nsIContentPolicy.ACCEPT;
-  },
-  classDescription: "Policy Engine File Content Policy",
-  contractID: "@mozilla-org/policy-engine-file-content-policy-service;1",
-  classID: Components.ID("{c0bbb557-813e-4e25-809d-b46a531a258f}"),
-  QueryInterface: ChromeUtils.generateQI(["nsIContentPolicy"]),
-  createInstance(outer, iid) {
-    return this.QueryInterface(iid);
-  },
 };
--- a/browser/components/enterprisepolicies/tests/browser/browser_policy_websitefilter.js
+++ b/browser/components/enterprisepolicies/tests/browser/browser_policy_websitefilter.js
@@ -2,47 +2,21 @@
  * http://creativecommons.org/publicdomain/zero/1.0/ */
 "use strict";
 
 const SUPPORT_FILES_PATH =
   "http://mochi.test:8888/browser/browser/components/enterprisepolicies/tests/browser";
 const BLOCKED_PAGE = `${SUPPORT_FILES_PATH}/policy_websitefilter_block.html`;
 const EXCEPTION_PAGE = `${SUPPORT_FILES_PATH}/policy_websitefilter_exception.html`;
 
-add_task(async function test_http() {
+add_task(async function test() {
   await setupPolicyEngineWithJson({
     policies: {
       WebsiteFilter: {
         Block: ["*://mochi.test/*policy_websitefilter_*"],
         Exceptions: ["*://mochi.test/*_websitefilter_exception*"],
       },
     },
   });
 
   await checkBlockedPage(BLOCKED_PAGE, true);
   await checkBlockedPage(EXCEPTION_PAGE, false);
 });
-
-add_task(async function test_http_mixed_case() {
-  await setupPolicyEngineWithJson({
-    policies: {
-      WebsiteFilter: {
-        Block: ["*://mochi.test/*policy_websitefilter_*"],
-        Exceptions: ["*://mochi.test/*_websitefilter_exception*"],
-      },
-    },
-  });
-
-  await checkBlockedPage(BLOCKED_PAGE.toUpperCase(), true);
-  await checkBlockedPage(EXCEPTION_PAGE.toUpperCase(), false);
-});
-
-add_task(async function test_file() {
-  await setupPolicyEngineWithJson({
-    policies: {
-      WebsiteFilter: {
-        Block: ["file:///*"],
-      },
-    },
-  });
-
-  await checkBlockedPage("file:///this_should_be_blocked", true);
-});
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@@ -6503,17 +6503,16 @@ nsresult nsDocShell::EndPageLoad(nsIWebP
   if (NS_FAILED(aStatus)) {
     // If we got CONTENT_BLOCKED from EndPageLoad, then we need to fire
     // the error event to our embedder, since tests are relying on this.
     // The error event is usually fired by the caller of InternalLoad, but
     // this particular error can happen asynchronously.
     // Bug 1629201 is filed for having much clearer decision making around
     // which cases need error events.
     bool fireFrameErrorEvent = (aStatus == NS_ERROR_CONTENT_BLOCKED_SHOW_ALT ||
-                                aStatus == NS_ERROR_BLOCKED_BY_POLICY ||
                                 aStatus == NS_ERROR_CONTENT_BLOCKED);
     UnblockEmbedderLoadEventForFailure(fireFrameErrorEvent);
 
     bool isInitialDocument =
         !GetExtantDocument() || GetExtantDocument()->IsInitialDocument();
     bool skippedUnknownProtocolNavigation = false;
     aStatus = FilterStatusForErrorPage(aStatus, aChannel, mLoadType, isTopFrame,
                                        mBrowsingContext->GetUseErrorPages(),
@@ -8422,23 +8421,18 @@ nsresult nsDocShell::PerformRetargeting(
     secCheckLoadInfo->SetSkipContentPolicyCheckForWebRequest(true);
 
     int16_t shouldLoad = nsIContentPolicy::ACCEPT;
     rv = NS_CheckContentLoadPolicy(aLoadState->URI(), secCheckLoadInfo,
                                    ""_ns,  // mime guess
                                    &shouldLoad);
 
     if (NS_FAILED(rv) || NS_CP_REJECTED(shouldLoad)) {
-      if (NS_SUCCEEDED(rv)) {
-        if (shouldLoad == nsIContentPolicy::REJECT_TYPE) {
-          return NS_ERROR_CONTENT_BLOCKED_SHOW_ALT;
-        }
-        if (shouldLoad == nsIContentPolicy::REJECT_POLICY) {
-          return NS_ERROR_BLOCKED_BY_POLICY;
-        }
+      if (NS_SUCCEEDED(rv) && shouldLoad == nsIContentPolicy::REJECT_TYPE) {
+        return NS_ERROR_CONTENT_BLOCKED_SHOW_ALT;
       }
 
       return NS_ERROR_CONTENT_BLOCKED;
     }
   }
 
   //
   // Resolve the window target before going any further...
--- a/dom/base/nsIContentPolicy.idl
+++ b/dom/base/nsIContentPolicy.idl
@@ -464,22 +464,16 @@ interface nsIContentPolicy : nsISupports
    * based on some other criteria. Mozilla callers will handle this like
    * REJECT_REQUEST; third-party implementors may, for example, use this to
    * direct their own callers to consult the extra parameter for additional
    * details.
    */
   const short REJECT_OTHER = -4;
 
   /**
-   * Returned from shouldLoad or shouldProcess if the load/process is forbiddden
-   * based on enterprise policy.
-   */
-  const short REJECT_POLICY = -5;
-
-  /**
    * Returned from shouldLoad or shouldProcess if the load or process request
    * is not rejected.
    */
   const short ACCEPT = 1;
 
   /**
    * Should the resource at this location be loaded?
    * ShouldLoad will be called before loading the resource at aContentLocation
--- a/dom/security/nsContentSecurityManager.cpp
+++ b/dom/security/nsContentSecurityManager.cpp
@@ -583,26 +583,21 @@ static nsresult DoContentSecurityChecks(
   int16_t shouldLoad = nsIContentPolicy::ACCEPT;
   rv = NS_CheckContentLoadPolicy(uri, aLoadInfo, mimeTypeGuess, &shouldLoad,
                                  nsContentUtils::GetContentPolicy());
 
   if (NS_FAILED(rv) || NS_CP_REJECTED(shouldLoad)) {
     NS_SetRequestBlockingReasonIfNull(
         aLoadInfo, nsILoadInfo::BLOCKING_REASON_CONTENT_POLICY_GENERAL);
 
-    if (NS_SUCCEEDED(rv) &&
+    if ((NS_SUCCEEDED(rv) && shouldLoad == nsIContentPolicy::REJECT_TYPE) &&
         (contentPolicyType == nsIContentPolicy::TYPE_DOCUMENT ||
          contentPolicyType == nsIContentPolicy::TYPE_SUBDOCUMENT)) {
-      if (shouldLoad == nsIContentPolicy::REJECT_TYPE) {
-        // for docshell loads we might have to return SHOW_ALT.
-        return NS_ERROR_CONTENT_BLOCKED_SHOW_ALT;
-      }
-      if (shouldLoad == nsIContentPolicy::REJECT_POLICY) {
-        return NS_ERROR_BLOCKED_BY_POLICY;
-      }
+      // for docshell loads we might have to return SHOW_ALT.
+      return NS_ERROR_CONTENT_BLOCKED_SHOW_ALT;
     }
     return NS_ERROR_CONTENT_BLOCKED;
   }
 
   return NS_OK;
 }
 
 static void LogPrincipal(nsIPrincipal* aPrincipal,