Bug 1573720 - Convert security.view-source.reachable-from-inner-protocol to a static pref. r=bzbarsky
authorNicholas Nethercote <nnethercote@mozilla.com>
Thu, 15 Aug 2019 05:29:35 +0000
changeset 488183 0bef6c2195bc758dffd7265b06c0502d1612918f
parent 488182 a35f22f9d97ab8052dc49f378d0deb345c0276c9
child 488184 c468c61b502549d11efbc0d09fb8ea542eeecdf5
push id36437
push userncsoregi@mozilla.com
push dateThu, 15 Aug 2019 19:33:18 +0000
treeherdermozilla-central@44aac6fc3352 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersbzbarsky
bugs1573720
milestone70.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1573720 - Convert security.view-source.reachable-from-inner-protocol to a static pref. r=bzbarsky Differential Revision: https://phabricator.services.mozilla.com/D41912
caps/nsScriptSecurityManager.cpp
modules/libpref/init/StaticPrefList.yaml
modules/libpref/init/all.js
--- a/caps/nsScriptSecurityManager.cpp
+++ b/caps/nsScriptSecurityManager.cpp
@@ -671,34 +671,23 @@ nsScriptSecurityManager::CheckLoadURIWit
     return aPrincipal->CheckMayLoad(targetBaseURI, true, false);
   }
 
   //-- get the source scheme
   nsAutoCString sourceScheme;
   rv = sourceBaseURI->GetScheme(sourceScheme);
   if (NS_FAILED(rv)) return rv;
 
-  // When comparing schemes, if the relevant pref is set, view-source URIs
-  // are reachable from same-protocol (so e.g. file: can link to
-  // view-source:file). This is required for reftests.
-  static bool sViewSourceReachableFromInner = false;
-  static bool sCachedViewSourcePref = false;
-  if (!sCachedViewSourcePref) {
-    sCachedViewSourcePref = true;
-    mozilla::Preferences::AddBoolVarCache(
-        &sViewSourceReachableFromInner,
-        "security.view-source.reachable-from-inner-protocol");
-  }
-
   if (sourceScheme.LowerCaseEqualsLiteral(NS_NULLPRINCIPAL_SCHEME)) {
     // A null principal can target its own URI.
     if (sourceURI == aTargetURI) {
       return NS_OK;
     }
-  } else if (sViewSourceReachableFromInner &&
+  } else if (StaticPrefs::
+                 security_view_source_reachable_from_inner_protocol() &&
              sourceScheme.EqualsIgnoreCase(targetScheme.get()) &&
              aTargetURI->SchemeIs("view-source")) {
     // exception for foo: linking to view-source:foo for reftests...
     return NS_OK;
   } else if (sourceScheme.EqualsIgnoreCase("file") &&
              targetScheme.EqualsIgnoreCase("moz-icon")) {
     // exception for file: linking to moz-icon://.ext?size=...
     // Note that because targetScheme is the base (innermost) URI scheme,
--- a/modules/libpref/init/StaticPrefList.yaml
+++ b/modules/libpref/init/StaticPrefList.yaml
@@ -6290,16 +6290,24 @@
   # Whether win32k is disabled for content processes.
   # true means win32k system calls are not permitted.
 -   name: security.sandbox.content.win32k-disable
     type: RelaxedAtomicBool
     value: false
     mirror: always
 #endif
 
+# When comparing schemes, if this pref is set, view-source URIs are reachable
+# from same-protocol (so e.g. file: can link to view-source:file). This is
+# required for reftests.
+- name: security.view-source.reachable-from-inner-protocol
+  type: bool
+  value: false
+  mirror: always
+
 # Hardware Origin-bound Second Factor Support
 - name: security.webauth.webauthn
   type: bool
   value: true
   mirror: always
 
 # No way to enable on Android, Bug 1552602
 - name: security.webauth.u2f
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -2591,20 +2591,16 @@ pref("security.insecure_field_warning.ig
 
 // Disable pinning checks by default.
 pref("security.cert_pinning.enforcement_level", 0);
 // Do not process hpkp headers rooted by not built in roots by default.
 // This is to prevent accidental pinning from MITM devices and is used
 // for tests.
 pref("security.cert_pinning.process_headers_from_non_builtin_roots", false);
 
-// If set to true, allow view-source URIs to be opened from URIs that share
-// their protocol with the inner URI of the view-source URI
-pref("security.view-source.reachable-from-inner-protocol", false);
-
 // If set to true strict checks will happen on the triggering principal for loads.
 // Android is disabled at the moment pending Bug 1504968
 #if !defined(RELEASE_OR_BETA) && !defined(ANDROID)
   pref("security.strict_security_checks.enabled", true);
 #else
   pref("security.strict_security_checks.enabled", false);
 #endif