Bug 1226928 - allow disabling content-signatures for about:newtab on certain channels, r?mayhemer draft
authorFranziskus Kiefer <franziskuskiefer@gmail.com>
Fri, 11 Mar 2016 17:46:20 +0100
changeset 340004 0236c0f3914287764ef2ef4e21447713de755bea
parent 340003 2059bce919f68afa9ecf87dda9293cc01f5dbd79
child 340005 49cad0b6c7d7a7939f128ec0baa3eea5b641d430
push id12869
push userjhao@mozilla.com
push dateMon, 14 Mar 2016 18:25:17 +0000
reviewersmayhemer
bugs1226928
milestone48.0a1
Bug 1226928 - allow disabling content-signatures for about:newtab on certain channels, r?mayhemer
netwerk/protocol/http/nsHttpChannel.cpp
netwerk/protocol/http/nsHttpHandler.cpp
netwerk/protocol/http/nsHttpHandler.h
--- a/netwerk/protocol/http/nsHttpChannel.cpp
+++ b/netwerk/protocol/http/nsHttpChannel.cpp
@@ -1344,16 +1344,26 @@ nsresult
 nsHttpChannel::ProcessContentSignatureHeader(nsHttpResponseHead *aResponseHead)
 {
     nsresult rv = NS_OK;
 
     // we only do this if we require it in loadInfo
     if (!mLoadInfo || !mLoadInfo->GetVerifySignedContent()) {
         return NS_OK;
     }
+
+    // check if we verify content signatures on this newtab channel
+    nsAutoCString channel;
+    gHttpHandler->NewtabChannel(channel);
+    if (channel.EqualsASCII("test") ||
+        channel.EqualsASCII("test2") ||
+        channel.EqualsASCII("dev")) {
+        return NS_OK;
+    }
+
     NS_ENSURE_TRUE(aResponseHead, NS_ERROR_ABORT);
     nsAutoCString contentSignatureHeader;
     nsHttpAtom atom = nsHttp::ResolveAtom("Content-Signature");
     rv = aResponseHead->GetHeader(atom, contentSignatureHeader);
     if (NS_FAILED(rv)) {
         LOG(("Content-Signature header is missing but expected."));
         DoInvalidateCacheEntry(mURI);
         return NS_ERROR_INVALID_SIGNATURE;
--- a/netwerk/protocol/http/nsHttpHandler.cpp
+++ b/netwerk/protocol/http/nsHttpHandler.cpp
@@ -85,16 +85,17 @@
 #define INTL_ACCEPT_LANGUAGES   "intl.accept_languages"
 #define BROWSER_PREF_PREFIX     "browser.cache."
 #define DONOTTRACK_HEADER_ENABLED "privacy.donottrackheader.enabled"
 #define H2MANDATORY_SUITE        "security.ssl3.ecdhe_rsa_aes_128_gcm_sha256"
 #define TELEMETRY_ENABLED        "toolkit.telemetry.enabled"
 #define ALLOW_EXPERIMENTS        "network.allow-experiments"
 #define SAFE_HINT_HEADER_VALUE   "safeHint.enabled"
 #define SECURITY_PREFIX          "security."
+#define NEWTAB_CHANNEL           "browser.newtabpage.remote.mode"
 
 #define UA_PREF(_pref) UA_PREF_PREFIX _pref
 #define HTTP_PREF(_pref) HTTP_PREF_PREFIX _pref
 #define BROWSER_PREF(_pref) BROWSER_PREF_PREFIX _pref
 
 #define NS_HTTP_PROTOCOL_FLAGS (URI_STD | ALLOWS_PROXY | ALLOWS_PROXY_HTTP | URI_LOADABLE_BY_ANYONE)
 
 //-----------------------------------------------------------------------------
@@ -275,16 +276,17 @@ nsHttpHandler::Init()
         prefBranch->AddObserver(BROWSER_PREF("disk_cache_ssl"), this, true);
         prefBranch->AddObserver(DONOTTRACK_HEADER_ENABLED, this, true);
         prefBranch->AddObserver(TELEMETRY_ENABLED, this, true);
         prefBranch->AddObserver(H2MANDATORY_SUITE, this, true);
         prefBranch->AddObserver(HTTP_PREF("tcp_keepalive.short_lived_connections"), this, true);
         prefBranch->AddObserver(HTTP_PREF("tcp_keepalive.long_lived_connections"), this, true);
         prefBranch->AddObserver(SAFE_HINT_HEADER_VALUE, this, true);
         prefBranch->AddObserver(SECURITY_PREFIX, this, true);
+        prefBranch->AddObserver(NEWTAB_CHANNEL, this, true);
         PrefsChanged(prefBranch, nullptr);
     }
 
     rv = Preferences::AddBoolVarCache(&mPackagedAppsEnabled,
         "network.http.enable-packaged-apps", false);
     if (NS_FAILED(rv)) {
         mPackagedAppsEnabled = false;
     }
@@ -1633,16 +1635,21 @@ nsHttpHandler::PrefsChanged(nsIPrefBranc
             if (NS_SUCCEEDED(rv) && cVar) {
                 mEnforceH1Framing = FRAMECHECK_BARELY;
             } else {
                 mEnforceH1Framing = FRAMECHECK_LAX;
             }
         }
     }
 
+    // remote content-signature testing option
+    if (PREF_CHANGED(NEWTAB_CHANNEL)) {
+        prefs->GetCharPref(NEWTAB_CHANNEL, getter_Copies(mNewtabChannel));
+    }
+
     // Enable HTTP response timeout if TCP Keepalives are disabled.
     mResponseTimeoutEnabled = !mTCPKeepaliveShortLivedEnabled &&
                               !mTCPKeepaliveLongLivedEnabled;
 
 #undef PREF_CHANGED
 #undef MULTI_PREF_CHANGED
 }
 
--- a/netwerk/protocol/http/nsHttpHandler.h
+++ b/netwerk/protocol/http/nsHttpHandler.h
@@ -331,16 +331,19 @@ public:
         return mPipelineRescheduleTimeout;
     }
 
     PRIntervalTime GetPipelineTimeout()   { return mPipelineReadTimeout; }
 
     SpdyInformation *SpdyInfo() { return &mSpdyInfo; }
     bool IsH2MandatorySuiteEnabled() { return mH2MandatorySuiteEnabled; }
 
+    // returns true if content-signature test pref is set
+    void NewtabChannel(nsACString& aNewtabChannel) {aNewtabChannel = mNewtabChannel; }
+
     // returns true in between Init and Shutdown states
     bool Active() { return mHandlerActive; }
 
     // When the disk cache is responding slowly its use is suppressed
     // for 1 minute for most requests. Callable from main thread only.
     TimeStamp GetCacheSkippedUntil() { return mCacheSkippedUntil; }
     void SetCacheSkippedUntil(TimeStamp arg) { mCacheSkippedUntil = arg; }
     void ClearCacheSkippedUntil() { mCacheSkippedUntil = TimeStamp(); }
@@ -557,16 +560,19 @@ private:
     int32_t mTCPKeepaliveLongLivedIdleTimeS;
 
     // if true, generate NS_ERROR_PARTIAL_TRANSFER for h1 responses with
     // incorrect content lengths or malformed chunked encodings
     FrameCheckLevel mEnforceH1Framing;
 
     nsCOMPtr<nsISchedulingContextService> mSchedulingContextService;
 
+    // Remote newtab channel.
+    nsCString mNewtabChannel;
+
 private:
     // For Rate Pacing Certain Network Events. Only assign this pointer on
     // socket thread.
     void MakeNewRequestTokenBucket();
     RefPtr<EventTokenBucket> mRequestTokenBucket;
 
 public:
     // Socket thread only