searching for reviewer(ckerschb)
f75d3d0846627e3d47efad9e61701f41491fa4be: Bug 1593969 Refactor nsWindowMemoryReporter.cpp r=ckerschb
Sebastian Streich <sstreich@mozilla.com> - Mon, 18 Nov 2019 15:47:40 +0000 - rev 502425
Push 114172 by dluca@mozilla.com at Tue, 19 Nov 2019 11:31:10 +0000
Bug 1593969 Refactor nsWindowMemoryReporter.cpp r=ckerschb Differential Revision: https://phabricator.services.mozilla.com/D51800
c2ec766b798c413c44928968edd783fd454be8da: Bug 1594053 - Add XTCO Telemetry r=ckerschb
Sebastian Streich <sstreich@mozilla.com> - Mon, 18 Nov 2019 15:21:59 +0000 - rev 502424
Push 114172 by dluca@mozilla.com at Tue, 19 Nov 2019 11:31:10 +0000
Bug 1594053 - Add XTCO Telemetry r=ckerschb Differential Revision: https://phabricator.services.mozilla.com/D51848
5e324cc146e3171fd88d4ed2a3727cc1498e8d6a: Bug 1596421 - Disable eval restrictions if the web extension process is disabled r=ckerschb
Tom Ritter <tom@mozilla.com> - Fri, 15 Nov 2019 15:36:42 +0000 - rev 502186
Push 114172 by dluca@mozilla.com at Tue, 19 Nov 2019 11:31:10 +0000
Bug 1596421 - Disable eval restrictions if the web extension process is disabled r=ckerschb Differential Revision: https://phabricator.services.mozilla.com/D53026
3b42f1a5097a3ea23d91740ffd3bac899d128952: Bug 1405971 - Strip existing disallowed schemes in Origin header. r=JuniorHsu,ckerschb
Tom Schuster <evilpies@gmail.com> - Thu, 14 Nov 2019 18:11:16 +0000 - rev 502011
Push 114172 by dluca@mozilla.com at Tue, 19 Nov 2019 11:31:10 +0000
Bug 1405971 - Strip existing disallowed schemes in Origin header. r=JuniorHsu,ckerschb Differential Revision: https://phabricator.services.mozilla.com/D39781
09a0252278f8bcd493345f2e05179f78f16e5a10: Bug 1594004 - Enable CacheSplit on nightly r=ckerschb,annevk
Sebastian Streich <sstreich@mozilla.com> - Wed, 13 Nov 2019 12:11:30 +0000 - rev 501736
Push 114172 by dluca@mozilla.com at Tue, 19 Nov 2019 11:31:10 +0000
Bug 1594004 - Enable CacheSplit on nightly r=ckerschb,annevk Differential Revision: https://phabricator.services.mozilla.com/D51815
35436d4e7917bf9d9b96a6173201ca001a8ff7bc: Bug 1591932 - Enable Sniffing on No Mime+ XCTO nosniff r=ckerschb
Sebastian Streich <sstreich@mozilla.com> - Wed, 13 Nov 2019 12:12:34 +0000 - rev 501735
Push 114172 by dluca@mozilla.com at Tue, 19 Nov 2019 11:31:10 +0000
Bug 1591932 - Enable Sniffing on No Mime+ XCTO nosniff r=ckerschb Differential Revision: https://phabricator.services.mozilla.com/D50816
a4e17e19b2078866776be8a8998aafed47e4aad1: Bug 1595541 - enable test_same_site_cookies_laxByDefault with fission r=ckerschb
Sebastian Streich <sstreich@mozilla.com> - Tue, 12 Nov 2019 07:50:25 +0000 - rev 501551
Push 114170 by malexandru@mozilla.com at Tue, 12 Nov 2019 21:58:32 +0000
Bug 1595541 - enable test_same_site_cookies_laxByDefault with fission r=ckerschb Differential Revision: https://phabricator.services.mozilla.com/D52552
c07d058d206cf71d16f85bf2294e1265b402ee18: Bug 1594166 - Don't do nsContentSecurityManager checks for internal redirects. r=baku,ckerschb
Matt Woodrow <mwoodrow@mozilla.com> - Thu, 07 Nov 2019 19:13:59 +0000 - rev 501145
Push 114168 by dluca@mozilla.com at Sun, 10 Nov 2019 03:08:55 +0000
Bug 1594166 - Don't do nsContentSecurityManager checks for internal redirects. r=baku,ckerschb
We fail this during test_invalid_mime_type_blob.html when using DocumentChannel for blobs without this. DocumentChannelChild reports an internal redirect as it replaces itself with the real channel (BlobURLChannel), and we fail the CheckLoadURIWithPrincipal checks. The old channel has a null principal (due to being a sandboxed iframe), and we compare that to the blob principal computed from the URI, which is a normal content principal.
Differential Revision: https://phabricator.services.mozilla.com/D51905
d3acb5c52fc6576021bd90fad805ffea0d0b11c3: Bug 1592701 - Remove usage of GetURI in nsGlobalWindowInner r=ckerschb
Sebastian Streich <sstreich@mozilla.com> - Thu, 07 Nov 2019 13:42:37 +0000 - rev 501077
Push 114167 by csabou@mozilla.com at Fri, 08 Nov 2019 00:35:25 +0000
Bug 1592701 - Remove usage of GetURI in nsGlobalWindowInner r=ckerschb Differential Revision: https://phabricator.services.mozilla.com/D51258
d6410f35a1f2f4a733dcbea6ccdad68740bab79c: Bug 1585000 - Enable Samesite Cookies for Fission r=ckerschb,farre
Sebastian Streich <sstreich@mozilla.com> - Tue, 05 Nov 2019 09:39:13 +0000 - rev 500578
Push 114166 by apavel@mozilla.com at Thu, 07 Nov 2019 10:04:01 +0000
Bug 1585000 - Enable Samesite Cookies for Fission r=ckerschb,farre Differential Revision: https://phabricator.services.mozilla.com/D49424
ebc3ca33bc0cd34636b54999959db36b1454c6d5: Bug 1592975 - Re-enable XTCO per default r=ckerschb
Sebastian Streich <sstreich@mozilla.com> - Tue, 05 Nov 2019 09:39:22 +0000 - rev 500577
Push 114166 by apavel@mozilla.com at Thu, 07 Nov 2019 10:04:01 +0000
Bug 1592975 - Re-enable XTCO per default r=ckerschb Differential Revision: https://phabricator.services.mozilla.com/D51292
23c113d65b48353d5ce085fd0c7f67d3604bd244: Bug 1587939 enforce addon content script CSP in eval r=ckerschb,robwu
Shane Caraveo <scaraveo@mozilla.com> - Fri, 01 Nov 2019 06:03:35 +0000 - rev 500081
Push 114164 by aiakab@mozilla.com at Tue, 05 Nov 2019 10:06:15 +0000
Bug 1587939 enforce addon content script CSP in eval r=ckerschb,robwu Differential Revision: https://phabricator.services.mozilla.com/D48924
53390b20df642d370124457623822d5dcde5a708: Bug 1581611 Part 2: apply content script csp r=robwu,ckerschb
Shane Caraveo <scaraveo@mozilla.com> - Fri, 01 Nov 2019 06:03:13 +0000 - rev 500080
Push 114164 by aiakab@mozilla.com at Tue, 05 Nov 2019 10:06:15 +0000
Bug 1581611 Part 2: apply content script csp r=robwu,ckerschb Manifest V3 functionality. This applies CSP on the webextension content scripts using either a default csp or an extension provided csp. It will remain pref'd off but is available for developers to test against, as well as for future validation of chrome compatibility. Differential Revision: https://phabricator.services.mozilla.com/D48107
e66da643d9bcbc594a9c09a99271ae4d9415e388: Bug 1592651 Disable Pref respect_document_nosniff for Firefox 71 r=ckerschb
Sebastian Streich <sstreich@mozilla.com> - Wed, 30 Oct 2019 17:55:46 +0000 - rev 499840
Push 114163 by aiakab@mozilla.com at Thu, 31 Oct 2019 10:03:38 +0000
Bug 1592651 Disable Pref respect_document_nosniff for Firefox 71 r=ckerschb Differential Revision: https://phabricator.services.mozilla.com/D51132
a3a5b8bf05dc9b91cbca15b1729c861e5ea5cae4: Bug 1586684 - Rewrite test_navigate_to.html to pass when fission is enabled r=ckerschb
Thomas Nguyen <tnguyen@mozilla.com> - Wed, 30 Oct 2019 17:14:56 +0000 - rev 499810
Push 114163 by aiakab@mozilla.com at Thu, 31 Oct 2019 10:03:38 +0000
Bug 1586684 - Rewrite test_navigate_to.html to pass when fission is enabled r=ckerschb Differential Revision: https://phabricator.services.mozilla.com/D51096
8cce153f4722511b81123e289987a29c267b80fc: Bug 1584602 - Enforce eval restrictions in Workers and do not enforce restrictions in Release r=ckerschb
Tom Ritter <tom@mozilla.com> - Wed, 30 Oct 2019 15:21:57 +0000 - rev 499784
Push 114163 by aiakab@mozilla.com at Thu, 31 Oct 2019 10:03:38 +0000
Bug 1584602 - Enforce eval restrictions in Workers and do not enforce restrictions in Release r=ckerschb
This commit does two things.
Firstly it enforces eval restrictions in Workers per Bug 1584602. We're collecting telemetry on these in Beta (and not seeing any) so we can let enforcement ride up to Beta.
Secondly, it disables enforcement checks on Release (and late Beta, as explained in the comment) until we can gather data about what's happening in Release. This is a counterpart to Bug 1592349 for -central.
We have two separate commits because the first part of this is a change in the same code and we'd have rebase problems if we tried to do them both separately.
This does tie enforcement to a build-time constant instead of leaving it as a pref. This doesn't make me very happy inside, but I don't think the extra complexity is worth it...
Differential Revision: https://phabricator.services.mozilla.com/D50970
a86e49e19b03e2c7e3f1bd4d41e97f74c92ad55b: Bug 1590917 - Extend telemetry of HTTP_CHANNEL_DISPOSITION_UPGRADE expiry to never r=ckerschb
Jonathan Kingston <jkt@mozilla.com> - Fri, 25 Oct 2019 16:33:54 +0000 - rev 499693
Push 114163 by aiakab@mozilla.com at Thu, 31 Oct 2019 10:03:38 +0000
Bug 1590917 - Extend telemetry of HTTP_CHANNEL_DISPOSITION_UPGRADE expiry to never r=ckerschb Differential Revision: https://phabricator.services.mozilla.com/D50386
40d13b1dab183bd7821f6dcc091a79bcfc93b5c5: Bug 1590321 - Rewrite browser_test_referrer_loadInOtherProcess.js to work with fission enabled r=ckerschb
Thomas Nguyen <tnguyen@mozilla.com> - Mon, 28 Oct 2019 09:44:30 +0000 - rev 499411
Push 114161 by ncsoregi@mozilla.com at Tue, 29 Oct 2019 21:34:24 +0000
Bug 1590321 - Rewrite browser_test_referrer_loadInOtherProcess.js to work with fission enabled r=ckerschb Differential Revision: https://phabricator.services.mozilla.com/D50570
8e2882dd4caec9637e97d33eb3d1f4ca2461c815: Bug 1588461 - Added OA StripAttributes flag for privateBrowsingId. r=johannh,ckerschb
Paul Zuehlcke <pzuhlcke@mozilla.com> - Thu, 24 Oct 2019 14:18:54 +0000 - rev 499235
Push 114161 by ncsoregi@mozilla.com at Tue, 29 Oct 2019 21:34:24 +0000
Bug 1588461 - Added OA StripAttributes flag for privateBrowsingId. r=johannh,ckerschb Differential Revision: https://phabricator.services.mozilla.com/D49174
9cfb573e3b2c09cd15b768520f129934c1fcceb7: Bug 1590322 - Enable Cache-Split-Test with fission r=ckerschb
Sebastian Streich <sstreich@mozilla.com> - Thu, 24 Oct 2019 14:50:06 +0000 - rev 499112
Push 114161 by ncsoregi@mozilla.com at Tue, 29 Oct 2019 21:34:24 +0000
Bug 1590322 - Enable Cache-Split-Test with fission r=ckerschb Differential Revision: https://phabricator.services.mozilla.com/D50476
880dd7fed087a839f8e8ee351248a4e57e20a1b2: Bug 1590889: Stop warning on common failures in ThirdPartyUtil.cpp r=ckerschb
Dave Townsend <dtownsend@oxymoronical.com> - Thu, 24 Oct 2019 09:19:07 +0000 - rev 499077
Push 114161 by ncsoregi@mozilla.com at Tue, 29 Oct 2019 21:34:24 +0000
Bug 1590889: Stop warning on common failures in ThirdPartyUtil.cpp r=ckerschb Differential Revision: https://phabricator.services.mozilla.com/D50365
57e190b02a52a557120f008fbc7fd2a305ba1096: Bug 1583700 - Pass the loading context of the cspToInherit when deserializing LoadInfo, since this isn't necessarily the same as the loading context of the LoadInfo. r=ckerschb
Matt Woodrow <mwoodrow@mozilla.com> - Tue, 22 Oct 2019 01:03:10 +0000 - rev 498605
Push 114159 by shindli@mozilla.com at Thu, 24 Oct 2019 09:49:00 +0000
Bug 1583700 - Pass the loading context of the cspToInherit when deserializing LoadInfo, since this isn't necessarily the same as the loading context of the LoadInfo. r=ckerschb Depends on D47358 Differential Revision: https://phabricator.services.mozilla.com/D47406
7ff126a6e02a5d048d3e149615bfa4397e62c05e: Bug 1583700 - Move CSP setup code to run in both processes. r=nika,ckerschb,mattwoodrow
Matt Woodrow <mwoodrow@mozilla.com> - Tue, 22 Oct 2019 01:03:18 +0000 - rev 498602
Push 114159 by shindli@mozilla.com at Thu, 24 Oct 2019 09:49:00 +0000
Bug 1583700 - Move CSP setup code to run in both processes. r=nika,ckerschb,mattwoodrow We want this to run in both processes so that we set the cspToInherit on the LoadInfo within the child as well as the parent. Differential Revision: https://phabricator.services.mozilla.com/D47355
c989dfe0d8132c9a46fb8606251cb7b9387f7b54: Bug 1585664 - Add GetAsciiSpecForLogging and update callers r=ckerschb
Sebastian Streich <sstreich@mozilla.com> - Tue, 22 Oct 2019 16:03:27 +0000 - rev 498587
Push 114159 by shindli@mozilla.com at Thu, 24 Oct 2019 09:49:00 +0000
Bug 1585664 - Add GetAsciiSpecForLogging and update callers r=ckerschb Differential Revision: https://phabricator.services.mozilla.com/D47909
47d7c18620c845c3a42610fea5468ccc50889bae: Bug 1590318 - Make browser_test_FTP_console_warning.js fission ready r=ckerschb
Sebastian Streich <sstreich@mozilla.com> - Tue, 22 Oct 2019 16:20:11 +0000 - rev 498579
Push 114159 by shindli@mozilla.com at Thu, 24 Oct 2019 09:49:00 +0000
Bug 1590318 - Make browser_test_FTP_console_warning.js fission ready r=ckerschb Differential Revision: https://phabricator.services.mozilla.com/D50075
4d52d68c7c46b3719f5b50e5f7c6142680f5ede8: Bug 1583553 - Make browser_CORS-console-warnings.js fission ready r=ckerschb
Sebastian Streich <sstreich@mozilla.com> - Tue, 22 Oct 2019 16:20:09 +0000 - rev 498578
Push 114159 by shindli@mozilla.com at Thu, 24 Oct 2019 09:49:00 +0000
Bug 1583553 - Make browser_CORS-console-warnings.js fission ready r=ckerschb Differential Revision: https://phabricator.services.mozilla.com/D50080
dc9e317da307c0437689b3b36b2747b06e560c55: Bug 1583700 - Pass the loading context of the cspToInherit when deserializing LoadInfo, since this isn't necessarily the same as the loading context of the LoadInfo. r=ckerschb
Matt Woodrow <mwoodrow@mozilla.com> - Mon, 21 Oct 2019 02:03:24 +0000 - rev 498437
Push 114158 by ncsoregi@mozilla.com at Tue, 22 Oct 2019 09:53:30 +0000
Bug 1583700 - Pass the loading context of the cspToInherit when deserializing LoadInfo, since this isn't necessarily the same as the loading context of the LoadInfo. r=ckerschb Depends on D47358 Differential Revision: https://phabricator.services.mozilla.com/D47406
cfb571dd120aa797211c7422633875350f85a870: Bug 1583700 - Move CSP setup code to run in both processes. r=nika,ckerschb,mattwoodrow
Matt Woodrow <mwoodrow@mozilla.com> - Tue, 15 Oct 2019 07:52:09 +0000 - rev 498434
Push 114158 by ncsoregi@mozilla.com at Tue, 22 Oct 2019 09:53:30 +0000
Bug 1583700 - Move CSP setup code to run in both processes. r=nika,ckerschb,mattwoodrow We want this to run in both processes so that we set the cspToInherit on the LoadInfo within the child as well as the parent. Differential Revision: https://phabricator.services.mozilla.com/D47355
6e923be2cf6ac05eb6fcc38cd7dfe1fbb2948b30: Bug 1584204 Remove requestingLocation from nsContentPolicy.cpp r=ckerschb
Sebastian Streich <sstreich@mozilla.com> - Fri, 18 Oct 2019 11:07:14 +0000 - rev 498163
Push 114157 by nbeleuzu@mozilla.com at Mon, 21 Oct 2019 22:00:13 +0000
Bug 1584204 Remove requestingLocation from nsContentPolicy.cpp r=ckerschb Differential Revision: https://phabricator.services.mozilla.com/D47255
9a67d60ec29da5f2a82b123aa93407eb2d2c6168: Bug 1585331 - Add nsIPrincipal::GetAboutModuleFlags r=ckerschb
Sebastian Streich <sstreich@mozilla.com> - Thu, 17 Oct 2019 13:54:41 +0000 - rev 498092
Push 114157 by nbeleuzu@mozilla.com at Mon, 21 Oct 2019 22:00:13 +0000
Bug 1585331 - Add nsIPrincipal::GetAboutModuleFlags r=ckerschb Differential Revision: https://phabricator.services.mozilla.com/D47775
0115a701a8e77876bc70add73301448f62506b63: Bug 1587448 enable XTCO-nosniff by default r=ckerschb
Sebastian Streich <sstreich@mozilla.com> - Wed, 09 Oct 2019 17:24:33 +0000 - rev 497087
Push 114148 by shindli@mozilla.com at Mon, 14 Oct 2019 10:49:50 +0000
Bug 1587448 enable XTCO-nosniff by default r=ckerschb Differential Revision: https://phabricator.services.mozilla.com/D48709
3e896e8ca6b7899fa2e256eb3a6b0c0a935bf5a7: Bug 1583949 - Add a check for IsEvalAllowed to the worker callpath for eval() r=ckerschb,baku
Tom Ritter <tom@mozilla.com> - Tue, 08 Oct 2019 17:31:35 +0000 - rev 496792
Push 114146 by dmajor@mozilla.com at Wed, 09 Oct 2019 17:52:49 +0000
Bug 1583949 - Add a check for IsEvalAllowed to the worker callpath for eval() r=ckerschb,baku
This patch does several things. Because Workers aren't on the main thread, many of the things done are in the name of off main thread access.
1) Changes a parameter in IsEvalAllowed from a nsIPrincipal to a bool. We only used the principal to determine if it was the System Principal. Principals aren't thread safe and can only be accessed on Main Thread, so if we passed a Principal in, we would be in error. Instead only pass in the bool which - for workers - comes from a thread-safe location.
2) Separates out the Telemetry Event Recording and sending a message to the console into a new function nsContentSecurityUtils::NotifyEvalUsage. (And creates a runnable that calls it.) We do this because we will need to only call this method on the main thread. Telemetry Event Recording has only ever been called on the Main Thread. While I possibly-successfully cut it over to happen Off Main Thread (OMT) by porting preferences to StaticPrefs, I don't know if there were other threading assumptions in the Telemetry Code. So it would be much safer to just continue recording Event Telemetry on the main thread. Sending a message to the console requires calling GetStringBundleService() which requires main thread. I didn't investigate if this could be made thread-safe, I just threw it onto the main thread too. If, in IsEvalAllowed, we are on the main thread - we call NotifyEvalUsage directly. If we are not, we create a runnable which will then call NotifyEvalUsage for us on the main thread.
3) Ports allow_eval_with_system_principal and allow_eval_in_parent_process from bools to RelaxedAtomicBool - because we now check these prefs OMT.
4) In RuntimeService.cpp, adds the call to IsEvalAllowed.
5) Add resource://gre/modules/workers/require.js to the allowlist of eval usage. This was the script that identified this gap in the first place. It uses eval (twice) for structural reasons (scope and line number massaging.) The contents of the eval are the result of a request to a uri (which may be internal, like resource://). The whole point of this is to implement a CommonJS require() api. This usage of eval is safe because the only way an attacker can inject into it is by either controlling the response of the uri request or controlling (or appending to) the argument. If they can do that, they are able to inject script into Firefox even if we cut this usage of eval over to some other type of safe(r) script loader. Bug 1584564 tracks making sure calls to require.js are safe.
6) Adds cld-worker.js to the allowlist. Bug 1584605 is for refactoring that eval usage, which is decidedly non-trivial.
7) Does _not_ enforce the eval restrictions for workers. While I've gotten try to be green and not throw up any instances of eval-usage by workers, it is much safer to deploy this in Telemetry-only mode for Workers for a little bit to see if anything pops up from the Nightly population. Bug 1584602 is for enforcing the checks.
Differential Revision: https://phabricator.services.mozilla.com/D47480
eb8cc69904edc3c18e3c142d5ed3626637b8a2cd: Bug 1585055 - Flip Pref for XTCO-NoSniff and update test to match r=ckerschb
Sebastian Streich <sstreich@mozilla.com> - Mon, 07 Oct 2019 12:05:36 +0000 - rev 496569
Push 114145 by apavel@mozilla.com at Tue, 08 Oct 2019 11:00:56 +0000
Bug 1585055 - Flip Pref for XTCO-NoSniff and update test to match r=ckerschb *** Use Window.opener in test Differential Revision: https://phabricator.services.mozilla.com/D47635
f3804bb2592c3107beaea6ad0181c83cee42f56b: Bug 1585364 - Fix IsFrame check to work in fission. r=ckerschb,nika
Jonathan Kingston <jkt@mozilla.com> - Thu, 03 Oct 2019 16:42:25 +0000 - rev 496205
Push 114143 by rgurzau@mozilla.com at Mon, 07 Oct 2019 09:35:08 +0000
Bug 1585364 - Fix IsFrame check to work in fission. r=ckerschb,nika Differential Revision: https://phabricator.services.mozilla.com/D47783
a472d9f9c874774e5e65ed15c7da4a6fcb1d5ce9: Bug 1583871 Refactor ThirdpartyUtil.cpp r=ckerschb
Sebastian Streich <sstreich@mozilla.com> - Wed, 02 Oct 2019 15:10:40 +0000 - rev 496095
Push 114141 by rmaries@mozilla.com at Thu, 03 Oct 2019 09:42:28 +0000
Bug 1583871 Refactor ThirdpartyUtil.cpp r=ckerschb Differential Revision: https://phabricator.services.mozilla.com/D47099
76668583a71f94ebe8ce3b86d71b6edd76ffdc2c: Bug 1585297 - Use Principal->SchemeIs in nsGeolocation.cpp r=ckerschb
Sebastian Streich <sstreich@mozilla.com> - Tue, 01 Oct 2019 12:54:56 +0000 - rev 495998
Push 114140 by dvarga@mozilla.com at Wed, 02 Oct 2019 18:04:51 +0000
Bug 1585297 - Use Principal->SchemeIs in nsGeolocation.cpp r=ckerschb Differential Revision: https://phabricator.services.mozilla.com/D47750
b1a61ab3019cd59eb07235097fca99cc48ca190f: Bug 1585604 - Remove telemetry for mixed object subrequest counting. r=ckerschb
Jonathan Kingston <jkt@mozilla.com> - Wed, 02 Oct 2019 11:17:28 +0000 - rev 495989
Push 114140 by dvarga@mozilla.com at Wed, 02 Oct 2019 18:04:51 +0000
Bug 1585604 - Remove telemetry for mixed object subrequest counting. r=ckerschb Differential Revision: https://phabricator.services.mozilla.com/D47888
7978f68a53554de5a679c49e48719a7ac0eff4dc: Bug 1585055 - Flip Pref for XTCO-NoSniff and update test to match r=ckerschb
Sebastian Streich <sstreich@mozilla.com> - Tue, 01 Oct 2019 09:43:36 +0000 - rev 495846
Push 114140 by dvarga@mozilla.com at Wed, 02 Oct 2019 18:04:51 +0000
Bug 1585055 - Flip Pref for XTCO-NoSniff and update test to match r=ckerschb Differential Revision: https://phabricator.services.mozilla.com/D47635
10c7400edbc1d7754b44e090e5a7685991ba16a6: Bug 1584543 - Make checks for in-content functionality depend on documentURI instead of principal URI. r=ckerschb,Gijs
Johann Hofmann <jhofmann@mozilla.com> - Tue, 01 Oct 2019 12:14:22 +0000 - rev 495813
Push 114140 by dvarga@mozilla.com at Wed, 02 Oct 2019 18:04:51 +0000
Bug 1584543 - Make checks for in-content functionality depend on documentURI instead of principal URI. r=ckerschb,Gijs This is a necessary change that was done for Fluent access in bug 1573276. In almost all cases, we want to rely on the principal for making security decisions, but the principal does not store the original URI in cases where an about: page was sandboxed (it becomes a null principal URI), and thus we need to use the documentURI here. Differential Revision: https://phabricator.services.mozilla.com/D47582
494c7364c54462c856cead8a4d455effa4bf8127: Bug 1584204 Remove requestingLocation from nsContentPolicy.cpp r=ckerschb
Sebastian Streich <sstreich@mozilla.com> - Mon, 30 Sep 2019 13:42:23 +0000 - rev 495680
Push 114140 by dvarga@mozilla.com at Wed, 02 Oct 2019 18:04:51 +0000
Bug 1584204 Remove requestingLocation from nsContentPolicy.cpp r=ckerschb Differential Revision: https://phabricator.services.mozilla.com/D47255
bda8ceea80d0d53bfd79d5db5828c6a66dd2d221: Bug 1584204 Remove requestingLocation from nsContentPolicy.cpp r=ckerschb
Sebastian Streich <sstreich@mozilla.com> - Mon, 30 Sep 2019 10:46:27 +0000 - rev 495646
Push 114140 by dvarga@mozilla.com at Wed, 02 Oct 2019 18:04:51 +0000
Bug 1584204 Remove requestingLocation from nsContentPolicy.cpp r=ckerschb Differential Revision: https://phabricator.services.mozilla.com/D47255
6f8c20edadbacd0ce3978cd168883e6a33c39c3e: Bug 1583932 - Remove aRequestOrigin from nsCSPContext::ShouldLoad r=ckerschb
Sebastian Streich <sstreich@mozilla.com> - Mon, 30 Sep 2019 10:38:32 +0000 - rev 495645
Push 114140 by dvarga@mozilla.com at Wed, 02 Oct 2019 18:04:51 +0000
Bug 1583932 - Remove aRequestOrigin from nsCSPContext::ShouldLoad r=ckerschb Differential Revision: https://phabricator.services.mozilla.com/D47125
04f75de35ca75a9edac37d7329b384ca9823cfb7: Bug 1583869 - Call Sniffers for application/* mime Types r=ckerschb
Sebastian Streich <sstreich@mozilla.com> - Mon, 30 Sep 2019 10:41:51 +0000 - rev 495644
Push 114140 by dvarga@mozilla.com at Wed, 02 Oct 2019 18:04:51 +0000
Bug 1583869 - Call Sniffers for application/* mime Types r=ckerschb Differential Revision: https://phabricator.services.mozilla.com/D47258
32932bd2857190460aec71e16f3016fe84b117fb: Bug 1581559 - Refresh script MIME type telemetry. r=ckerschb
Tom Schuster <evilpies@gmail.com> - Mon, 30 Sep 2019 09:45:07 +0000 - rev 495629
Push 114140 by dvarga@mozilla.com at Wed, 02 Oct 2019 18:04:51 +0000
Bug 1581559 - Refresh script MIME type telemetry. r=ckerschb I think at this point we refreshed this probe often enough and we don't really have an idea if we ever manage to limit script MIMEs completely. Differential Revision: https://phabricator.services.mozilla.com/D47418
c3579f540cd7c4ba60530659205675fd9aa80cc9: Bug 1583932 - Remove aRequestOrigin from nsCSPContext::ShouldLoad r=ckerschb
Sebastian Streich <sstreich@mozilla.com> - Thu, 26 Sep 2019 12:34:17 +0000 - rev 495181
Push 114133 by shindli@mozilla.com at Thu, 26 Sep 2019 21:40:49 +0000
Bug 1583932 - Remove aRequestOrigin from nsCSPContext::ShouldLoad r=ckerschb Differential Revision: https://phabricator.services.mozilla.com/D47125
7eb799868e2bca66d5a647325242bc8a38cb0f8f: Bug 1580782 - Remove JS Callsites for Principal->GetURI->Schemeis r=ckerschb
Sebastian Streich <sstreich@mozilla.com> - Thu, 26 Sep 2019 10:47:33 +0000 - rev 495177
Push 114133 by shindli@mozilla.com at Thu, 26 Sep 2019 21:40:49 +0000
Bug 1580782 - Remove JS Callsites for Principal->GetURI->Schemeis r=ckerschb Differential Revision: https://phabricator.services.mozilla.com/D45685
253627be92f04af6efabb74f68a6d4f2c6ad0ec7: Bug 1580782 - Change Callsites to use nsIPrincipal->SchemeIs r=ckerschb
Sebastian Streich <sstreich@mozilla.com> - Thu, 26 Sep 2019 10:47:16 +0000 - rev 495176
Push 114133 by shindli@mozilla.com at Thu, 26 Sep 2019 21:40:49 +0000
Bug 1580782 - Change Callsites to use nsIPrincipal->SchemeIs r=ckerschb Differential Revision: https://phabricator.services.mozilla.com/D45654
e40e7df668835350b2e341663617dc580e92e01a: Bug 1580782 - Expose SchemeIs on nsIPrincipal r=ckerschb
Sebastian Streich <sstreich@mozilla.com> - Thu, 26 Sep 2019 10:47:03 +0000 - rev 495175
Push 114133 by shindli@mozilla.com at Thu, 26 Sep 2019 21:40:49 +0000
Bug 1580782 - Expose SchemeIs on nsIPrincipal r=ckerschb Differential Revision: https://phabricator.services.mozilla.com/D45653
af8ca81b90e4eabf5de4ccb669381271565fc15e: Bug 1583932 - Remove aRequestOrigin from nsCSPContext::ShouldLoad r=ckerschb
Sebastian Streich <sstreich@mozilla.com> - Thu, 26 Sep 2019 10:16:36 +0000 - rev 495159
Push 114133 by shindli@mozilla.com at Thu, 26 Sep 2019 21:40:49 +0000
Bug 1583932 - Remove aRequestOrigin from nsCSPContext::ShouldLoad r=ckerschb Differential Revision: https://phabricator.services.mozilla.com/D47125
bf2586dc82562136449ebe14bbc14b609c20c245: Bug 1419222, Add test for correct handling of iFrame CSPs, r=ckerschb
Jonas Allmann <jallmann@mozilla.com> - Wed, 25 Sep 2019 12:30:23 +0000 - rev 494915
Push 114131 by dluca@mozilla.com at Thu, 26 Sep 2019 09:47:34 +0000
Bug 1419222, Add test for correct handling of iFrame CSPs, r=ckerschb Differential Revision: https://phabricator.services.mozilla.com/D46452