Bug 1507110 - Allow hijacking localhost only if network.proxy.allow_hijacking_localhost is set r=Gijs,mayhemer,mkaply,jmaher
authorJunior Hsu <juhsu@mozilla.com>
Tue, 19 Feb 2019 21:53:22 +0000
changeset 518160 78d3e59ea9fae27455ea29b4d19ef108629aa31d
parent 518159 b500dd719adbe4bd5969d083ca04cb50a9f6273a
child 518161 ee5fa9cfca438adf1387efed0f7c39e646d6a21f
push id10862
push userffxbld-merge
push dateMon, 11 Mar 2019 13:01:11 +0000
treeherdermozilla-beta@a2e7f5c935da [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersGijs, mayhemer, mkaply, jmaher
bugs1507110
milestone67.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1507110 - Allow hijacking localhost only if network.proxy.allow_hijacking_localhost is set r=Gijs,mayhemer,mkaply,jmaher Differential Revision: https://phabricator.services.mozilla.com/D19325
browser/base/content/test/siteIdentity/browser_insecureLoginForms.js
browser/components/BrowserGlue.jsm
browser/components/originattributes/test/browser/browser_firstPartyIsolation.js
browser/modules/test/browser/browser_UsageTelemetry_uniqueOriginsVisitedInPast24Hours.js
dom/security/test/csp/test_upgrade_insecure_loopback.html
dom/tests/mochitest/dom-level0/test_setting_document.domain_to_shortened_ipaddr.html
dom/u2f/tests/browser/browser_appid_localhost.js
extensions/cookie/test/test_same_base_domain_6.html
modules/libpref/init/all.js
netwerk/base/nsProtocolProxyService.cpp
netwerk/base/nsProtocolProxyService.h
netwerk/test/gtest/TestProtocolProxyService.cpp
netwerk/test/unit/test_bug770243.js
netwerk/test/unit/test_proxy-failover_canceled.js
netwerk/test/unit/test_proxyconnect.js
testing/raptor/raptor/playback/mitmproxy.py
testing/raptor/raptor/raptor.py
testing/talos/talos/mitmproxy/mitmproxy.py
toolkit/components/extensions/test/xpcshell/test_ext_proxy_config.js
toolkit/components/passwordmgr/test/browser/browser_insecurePasswordConsoleWarning.js
--- a/browser/base/content/test/siteIdentity/browser_insecureLoginForms.js
+++ b/browser/base/content/test/siteIdentity/browser_insecureLoginForms.js
@@ -16,17 +16,17 @@ function waitForInsecureLoginFormsStateC
 /**
  * Checks the insecure login forms logic for the identity block.
  */
 add_task(async function test_simple() {
   await SpecialPowers.pushPrefEnv({
     "set": [
       ["security.insecure_password.ui.enabled", true],
       // By default, proxies don't apply to 127.0.0.1. We need them to for this test, though:
-      ["network.proxy.no_proxies_on", ""],
+      ["network.proxy.allow_hijacking_localhost", true],
     ],
   });
 
   for (let [origin, expectWarning] of [
     ["http://example.com", true],
     ["http://127.0.0.1", false],
     ["https://example.com", false],
   ]) {
--- a/browser/components/BrowserGlue.jsm
+++ b/browser/components/BrowserGlue.jsm
@@ -2234,17 +2234,17 @@ BrowserGlue.prototype = {
       }
     }
   },
 
   // eslint-disable-next-line complexity
   _migrateUI: function BG__migrateUI() {
     // Use an increasing number to keep track of the current migration state.
     // Completely unrelated to the current Firefox release number.
-    const UI_VERSION = 79;
+    const UI_VERSION = 80;
     const BROWSER_DOCURL = AppConstants.BROWSER_CHROME_URL;
 
     let currentUIVersion;
     if (Services.prefs.prefHasUserValue("browser.migration.version")) {
       currentUIVersion = Services.prefs.getIntPref("browser.migration.version");
     } else {
       // This is a new profile, nothing to migrate.
       Services.prefs.setIntPref("browser.migration.version", UI_VERSION);
@@ -2609,16 +2609,24 @@ BrowserGlue.prototype = {
     }
 
     if (currentUIVersion < 79) {
       // The handler app service will read this. We need to wait with migrating
       // until the handler service has started up, so just set a pref here.
       Services.prefs.setCharPref("browser.handlers.migrations", "30boxes");
     }
 
+    if (currentUIVersion < 80) {
+      let hosts = Services.prefs.getCharPref("network.proxy.no_proxies_on");
+      // remove "localhost" and "127.0.0.1" from the no_proxies_on list
+      const kLocalHosts = new Set(["localhost", "127.0.0.1"]);
+      hosts = hosts.split(/[ ,]+/).filter(host => !kLocalHosts.has(host)).join(", ");
+      Services.prefs.setCharPref("network.proxy.no_proxies_on", hosts);
+    }
+
     // Update the migration version.
     Services.prefs.setIntPref("browser.migration.version", UI_VERSION);
   },
 
   _checkForDefaultBrowser() {
     // Perform default browser checking.
     if (!ShellService) {
       return;
--- a/browser/components/originattributes/test/browser/browser_firstPartyIsolation.js
+++ b/browser/components/originattributes/test/browser/browser_firstPartyIsolation.js
@@ -282,19 +282,19 @@ add_task(async function window_open_form
 
 /**
  * A test for using an IP address as the first party domain.
  */
 add_task(async function ip_address_test() {
   const ipAddr = "127.0.0.1";
   const ipHost = `http://${ipAddr}/browser/browser/components/originattributes/test/browser/`;
 
-  Services.prefs.setCharPref("network.proxy.no_proxies_on", "");
+  Services.prefs.setBoolPref("network.proxy.allow_hijacking_localhost", true);
   registerCleanupFunction(function() {
-    Services.prefs.clearUserPref("network.proxy.no_proxies_on");
+    Services.prefs.clearUserPref("network.proxy.allow_hijacking_localhost");
   });
 
   let tab = BrowserTestUtils.addTab(gBrowser, ipHost + "test_firstParty.html");
   await BrowserTestUtils.browserLoaded(tab.linkedBrowser, true);
 
   await ContentTask.spawn(tab.linkedBrowser, { firstPartyDomain: ipAddr }, async function(attrs) {
     info("document principal: " + content.document.nodePrincipal.origin);
     Assert.equal(content.document.nodePrincipal.originAttributes.firstPartyDomain,
--- a/browser/modules/test/browser/browser_UsageTelemetry_uniqueOriginsVisitedInPast24Hours.js
+++ b/browser/modules/test/browser/browser_UsageTelemetry_uniqueOriginsVisitedInPast24Hours.js
@@ -5,17 +5,17 @@
 
 "use strict";
 
 ChromeUtils.defineModuleGetter(this, "URICountListener",
                                "resource:///modules/BrowserUsageTelemetry.jsm");
 
 add_task(async function test_uniqueDomainsVisitedInPast24Hours() {
   // By default, proxies don't apply to 127.0.0.1. We need them to for this test, though:
-  await SpecialPowers.pushPrefEnv({set: [["network.proxy.no_proxies_on", ""]]});
+  await SpecialPowers.pushPrefEnv({set: [["network.proxy.allow_hijacking_localhost", true]]});
   registerCleanupFunction(async () => {
     info("Cleaning up");
     URICountListener.resetUniqueDomainsVisitedInPast24Hours();
   });
 
   URICountListener.resetUniqueDomainsVisitedInPast24Hours();
   let startingCount = URICountListener.uniqueDomainsVisitedInPast24Hours;
   is(startingCount, 0, "We should have no domains recorded in the history right after resetting");
--- a/dom/security/test/csp/test_upgrade_insecure_loopback.html
+++ b/dom/security/test/csp/test_upgrade_insecure_loopback.html
@@ -52,14 +52,14 @@ function receiveMessage(event) {
   checkResult(event.data);
 }
 
 SimpleTest.waitForExplicitFinish();
 
 // By default, proxies don't apply to 127.0.0.1.
 // We need them to for this test (at least on android), though:
 SpecialPowers.pushPrefEnv({set: [
-  ["network.proxy.no_proxies_on", ""]
+  ["network.proxy.allow_hijacking_localhost", true]
 ]}).then(loadTest);
 
 </script>
 </body>
 </html>
--- a/dom/tests/mochitest/dom-level0/test_setting_document.domain_to_shortened_ipaddr.html
+++ b/dom/tests/mochitest/dom-level0/test_setting_document.domain_to_shortened_ipaddr.html
@@ -27,17 +27,17 @@ function receiveMessage(evt)
 
   SimpleTest.finish();
 }
 window.addEventListener("message", receiveMessage, false);
 
 // By default, proxies don't apply to 127.0.0.1.
 // We need them to for this test (at least on android), though:
 SpecialPowers.pushPrefEnv({set: [
-  ["network.proxy.no_proxies_on", ""]
+  ["network.proxy.allow_hijacking_localhost", true]
 ]}).then(function() {
   var iframe = document.getElementById("childframe");
   iframe.src = "http://127.0.0.1:8888/tests/dom/tests/mochitest/dom-level0/child_ip_address.html";
 });
 </script>
 </pre>
 </body>
 </html>
--- a/dom/u2f/tests/browser/browser_appid_localhost.js
+++ b/dom/u2f/tests/browser/browser_appid_localhost.js
@@ -15,17 +15,17 @@ function promiseU2FRegister(tab, app_id)
       let version = "U2F_V2";
       content.u2f.register(app_id, [{version, challenge}], [], resolve);
     });
   });
 }
 
 add_task(async function () {
   // By default, proxies don't apply to localhost. We need them to for this test, though:
-  await SpecialPowers.pushPrefEnv({set: [["network.proxy.no_proxies_on", ""]]});
+  await SpecialPowers.pushPrefEnv({set: [["network.proxy.allow_hijacking_localhost", true],]});
   // Enable the soft token.
   Services.prefs.setBoolPref("security.webauth.u2f", true);
   Services.prefs.setBoolPref("security.webauth.webauthn_enable_softtoken", true);
   Services.prefs.setBoolPref("security.webauth.webauthn_enable_usbtoken", false);
 
   // Open a new tab.
   let tab = await BrowserTestUtils.openNewForegroundTab(gBrowser, TEST_URL);
 
--- a/extensions/cookie/test/test_same_base_domain_6.html
+++ b/extensions/cookie/test/test_same_base_domain_6.html
@@ -8,17 +8,17 @@
 <body onload="runThisTest()">
 <p id="display"></p>
 <pre id="test">
   <script>
     function runThisTest() {
       // By default, proxies don't apply to 127.0.0.1.
       // We need them to for this test (at least on android), though:
       SpecialPowers.pushPrefEnv({set: [
-        ["network.proxy.no_proxies_on", ""]
+        ["network.proxy.allow_hijacking_localhost", true]
       ]}).then(function() {
         setupTest('http://127.0.0.1:8888/tests/extensions/cookie/test/file_loopback_inner.html', 5, 2);
       });
     }
   </script>
 <script class="testbody" type="text/javascript" src="file_testcommon.js">
 </script>
 </pre>
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -2365,17 +2365,19 @@ pref("network.proxy.http",              
 pref("network.proxy.http_port",             0);
 pref("network.proxy.ssl",                   "");
 pref("network.proxy.ssl_port",              0);
 pref("network.proxy.socks",                 "");
 pref("network.proxy.socks_port",            0);
 pref("network.proxy.socks_version",         5);
 pref("network.proxy.socks_remote_dns",      false);
 pref("network.proxy.proxy_over_tls",        true);
-pref("network.proxy.no_proxies_on",         "localhost, 127.0.0.1");
+pref("network.proxy.no_proxies_on",         "");
+// Set true to allow resolving proxy for localhost
+pref("network.proxy.allow_hijacking_localhost", false);
 pref("network.proxy.failover_timeout",      1800); // 30 minutes
 pref("network.online",                      true); //online/offline
 pref("network.cookie.thirdparty.sessionOnly", false);
 pref("network.cookie.thirdparty.nonsecureSessionOnly", false);
 pref("network.cookie.same-site.enabled",    true); // Honor the SameSite cookie attribute
 
 // Cookie lifetime policy. Possible values:
 // 0 - accept all cookies
--- a/netwerk/base/nsProtocolProxyService.cpp
+++ b/netwerk/base/nsProtocolProxyService.cpp
@@ -757,16 +757,17 @@ nsProtocolProxyService::nsProtocolProxyS
       mHTTPProxyPort(-1),
       mFTPProxyPort(-1),
       mHTTPSProxyPort(-1),
       mSOCKSProxyPort(-1),
       mSOCKSProxyVersion(4),
       mSOCKSProxyRemoteDNS(false),
       mProxyOverTLS(true),
       mWPADOverDHCPEnabled(false),
+      mAllowHijackingLocalhost(false),
       mPACMan(nullptr),
       mSessionStart(PR_Now()),
       mFailedProxyTimeout(30 * 60)  // 30 minute default
       ,
       mIsShutdown(false) {}
 
 nsProtocolProxyService::~nsProtocolProxyService() {
   // These should have been cleaned up in our Observe method.
@@ -1004,16 +1005,21 @@ void nsProtocolProxyService::PrefsChange
   }
 
   if (!pref || !strcmp(pref, PROXY_PREF("enable_wpad_over_dhcp"))) {
     proxy_GetBoolPref(prefBranch, PROXY_PREF("enable_wpad_over_dhcp"),
                       mWPADOverDHCPEnabled);
     reloadPAC = reloadPAC || mProxyConfig == PROXYCONFIG_WPAD;
   }
 
+  if (!pref || !strcmp(pref, PROXY_PREF("allow_hijacking_localhost"))) {
+    proxy_GetBoolPref(prefBranch, PROXY_PREF("allow_hijacking_localhost"),
+                      mAllowHijackingLocalhost);
+  }
+
   if (!pref || !strcmp(pref, PROXY_PREF("failover_timeout")))
     proxy_GetIntPref(prefBranch, PROXY_PREF("failover_timeout"),
                      mFailedProxyTimeout);
 
   if (!pref || !strcmp(pref, PROXY_PREF("no_proxies_on"))) {
     rv = prefBranch->GetCharPref(PROXY_PREF("no_proxies_on"), tempString);
     if (NS_SUCCEEDED(rv)) LoadHostFilters(tempString);
   }
@@ -1047,18 +1053,16 @@ void nsProtocolProxyService::PrefsChange
     }
     if (!tempString.IsEmpty() || mProxyConfig == PROXYCONFIG_WPAD) {
       ConfigureFromPAC(tempString, false);
     }
   }
 }
 
 bool nsProtocolProxyService::CanUseProxy(nsIURI *aURI, int32_t defaultPort) {
-  if (mHostFiltersArray.Length() == 0 && !mFilterLocalHosts) return true;
-
   int32_t port;
   nsAutoCString host;
 
   nsresult rv = aURI->GetAsciiHost(host);
   if (NS_FAILED(rv) || host.IsEmpty()) return false;
 
   rv = aURI->GetPort(&port);
   if (NS_FAILED(rv)) return false;
@@ -1079,17 +1083,20 @@ bool nsProtocolProxyService::CanUseProxy
     } else {
       NS_WARNING("unknown address family");
       return true;  // allow proxying
     }
   }
 
   // Don't use proxy for local hosts (plain hostname, no dots)
   if ((!is_ipaddr && mFilterLocalHosts && !host.Contains('.')) ||
-      host.EqualsLiteral("127.0.0.1") || host.EqualsLiteral("::1")) {
+      (!mAllowHijackingLocalhost &&
+           (host.EqualsLiteral("127.0.0.1") ||
+            host.EqualsLiteral("::1") ||
+            host.EqualsLiteral("localhost")))) {
     LOG(("Not using proxy for this local host [%s]!\n", host.get()));
     return false;  // don't allow proxying
   }
 
   int32_t index = -1;
   while (++index < int32_t(mHostFiltersArray.Length())) {
     HostInfo *hinfo = mHostFiltersArray[index];
 
@@ -1760,28 +1767,28 @@ void nsProtocolProxyService::LoadHostFil
     return;
   }
 
   // check to see the owners flag? /!?/ TODO
   if (mHostFiltersArray.Length() > 0) {
     mHostFiltersArray.Clear();
   }
 
+  // Reset mFilterLocalHosts - will be set to true if "<local>" is in pref
+  // string
+  mFilterLocalHosts = false;
+
   if (aFilters.IsEmpty()) {
     return;
   }
 
   //
   // filter  = ( host | domain | ipaddr ["/" mask] ) [":" port]
   // filters = filter *( "," LWS filter)
   //
-  // Reset mFilterLocalHosts - will be set to true if "<local>" is in pref
-  // string
-  mFilterLocalHosts = false;
-
   mozilla::Tokenizer t(aFilters);
   mozilla::Tokenizer::Token token;
   bool eof = false;
   // while (*filters) {
   while (!eof) {
     // skip over spaces and ,
     t.SkipWhites();
     while (t.CheckChar(',')) {
--- a/netwerk/base/nsProtocolProxyService.h
+++ b/netwerk/base/nsProtocolProxyService.h
@@ -381,16 +381,17 @@ class nsProtocolProxyService final : pub
   // mSOCKSProxyTarget could be a host, a domain socket path,
   // or a named-pipe name.
   nsCString mSOCKSProxyTarget;
   int32_t mSOCKSProxyPort;
   int32_t mSOCKSProxyVersion;
   bool mSOCKSProxyRemoteDNS;
   bool mProxyOverTLS;
   bool mWPADOverDHCPEnabled;
+  bool mAllowHijackingLocalhost;
 
   RefPtr<nsPACMan> mPACMan;  // non-null if we are using PAC
   nsCOMPtr<nsISystemProxySettings> mSystemProxySettings;
 
   PRTime mSessionStart;
   nsFailedProxyTable mFailedProxies;
   int32_t mFailedProxyTimeout;
 
--- a/netwerk/test/gtest/TestProtocolProxyService.cpp
+++ b/netwerk/test/gtest/TestProtocolProxyService.cpp
@@ -25,16 +25,19 @@ TEST(TestProtocolProxyService, LoadHostF
   auto CheckLoopbackURLs = [&](bool expected) {
     // loopback IPs are always filtered
     spec = "http://127.0.0.1";
     ASSERT_EQ(NS_NewURI(getter_AddRefs(url), spec), NS_OK);
     ASSERT_EQ(pps->CanUseProxy(url, 80), expected);
     spec = "http://[::1]";
     ASSERT_EQ(NS_NewURI(getter_AddRefs(url), spec), NS_OK);
     ASSERT_EQ(pps->CanUseProxy(url, 80), expected);
+    spec = "http://localhost";
+    ASSERT_EQ(NS_NewURI(getter_AddRefs(url), spec), NS_OK);
+    ASSERT_EQ(pps->CanUseProxy(url, 80), expected);
   };
 
   auto CheckURLs = [&](bool expected) {
     spec = "http://example.com";
     ASSERT_EQ(NS_NewURI(getter_AddRefs(url), spec), NS_OK);
     ASSERT_EQ(pps->CanUseProxy(url, 80), expected);
 
     spec = "https://10.2.3.4";
@@ -81,55 +84,80 @@ TEST(TestProtocolProxyService, LoadHostF
   // --------------------------------------------------------------------------
 
   nsAutoCString filter;
 
   // Anything is allowed when there are no filters set
   printf("Testing empty filter: %s\n", filter.get());
   pps->LoadHostFilters(filter);
 
-  CheckLoopbackURLs(true);  // only time when loopbacks can be proxied. bug?
+  CheckLoopbackURLs(false);
   CheckLocalDomain(true);
   CheckURLs(true);
   CheckPortDomain(true);
 
   // --------------------------------------------------------------------------
 
   filter =
       "example.com, 1.2.3.4/16, [2001::1], 10.0.0.0/8, 2.3.0.0/16:7777, "
       "[abcd::1]/64:123, *.test.com";
   printf("Testing filter: %s\n", filter.get());
   pps->LoadHostFilters(filter);
+
+  CheckLoopbackURLs(false);
   // Check URLs can no longer use filtered proxy
   CheckURLs(false);
-  CheckLoopbackURLs(false);
   CheckLocalDomain(true);
   CheckPortDomain(true);
 
   // --------------------------------------------------------------------------
 
   // This is space separated. See bug 1346711 comment 4. We check this to keep
   // backwards compatibility.
   filter = "<local> blabla.com:10";
   printf("Testing filter: %s\n", filter.get());
   pps->LoadHostFilters(filter);
+
+  CheckLoopbackURLs(false);
   CheckURLs(true);
-  CheckLoopbackURLs(false);
   CheckLocalDomain(false);
   CheckPortDomain(false);
 
   // Check that we don't crash on weird input
   filter = "a b c abc:1x2, ,, * ** *.* *:10 :20 :40/12 */12:90";
   printf("Testing filter: %s\n", filter.get());
   pps->LoadHostFilters(filter);
 
   // Check that filtering works properly when the filter is set to "<local>"
   filter = "<local>";
   printf("Testing filter: %s\n", filter.get());
   pps->LoadHostFilters(filter);
+
+  CheckLoopbackURLs(false);
   CheckURLs(true);
-  CheckLoopbackURLs(false);
   CheckLocalDomain(false);
   CheckPortDomain(true);
+
+  // Check that allow_hijacking_localhost works with empty filter
+  Preferences::SetBool("network.proxy.allow_hijacking_localhost", true);
+
+  filter = "";
+  printf("Testing filter: %s\n", filter.get());
+  pps->LoadHostFilters(filter);
+
+  CheckLoopbackURLs(true);
+  CheckLocalDomain(true);
+  CheckURLs(true);
+  CheckPortDomain(true);
+
+  // Check that allow_hijacking_localhost works with non-trivial filter
+  filter = "127.0.0.1, [::1], localhost, blabla.com:10";
+  printf("Testing filter: %s\n", filter.get());
+  pps->LoadHostFilters(filter);
+
+  CheckLoopbackURLs(false);
+  CheckLocalDomain(true);
+  CheckURLs(true);
+  CheckPortDomain(false);
 }
 
 }  // namespace net
 }  // namespace mozilla
--- a/netwerk/test/unit/test_bug770243.js
+++ b/netwerk/test/unit/test_bug770243.js
@@ -194,15 +194,15 @@ function run_test()
   httpserv = new HttpServer();
   httpserv.registerPathHandler("/", handler);
   httpserv.start(-1);
 
   const prefs = Cc["@mozilla.org/preferences-service;1"]
                          .getService(Ci.nsIPrefBranch);
   prefs.setCharPref("network.proxy.http", "localhost");
   prefs.setIntPref("network.proxy.http_port", httpserv.identity.primaryPort);
-  prefs.setCharPref("network.proxy.no_proxies_on", "");
+  prefs.setBoolPref("network.proxy.allow_hijacking_localhost", true);
   prefs.setIntPref("network.proxy.type", 1);
   prefs.setBoolPref("network.http.rcwn.enabled", false);
 
   tests.shift()();
   do_test_pending();
 }
--- a/netwerk/test/unit/test_proxy-failover_canceled.js
+++ b/netwerk/test/unit/test_proxy-failover_canceled.js
@@ -36,16 +36,17 @@ function run_test()
   var nc = new ChannelEventSink();
   nc._flags = ES_ABORT_REDIRECT;
 
   var prefserv = Cc["@mozilla.org/preferences-service;1"].
                  getService(Ci.nsIPrefService);
   var prefs = prefserv.getBranch("network.proxy.");
     prefs.setIntPref("type", 2);
     prefs.setCharPref("no_proxies_on", "nothing");
+    prefs.setBoolPref("allow_hijacking_localhost", true);
   prefs.setCharPref("autoconfig_url", "data:text/plain," +
     "function FindProxyForURL(url, host) {return 'PROXY a_non_existent_domain_x7x6c572v:80; PROXY localhost:" +
     httpServer.identity.primaryPort + "';}"
   );
 
   var chan = make_channel("http://localhost:" +
                           httpServer.identity.primaryPort + "/content");
   chan.notificationCallbacks = nc;
--- a/netwerk/test/unit/test_proxyconnect.js
+++ b/netwerk/test/unit/test_proxyconnect.js
@@ -277,17 +277,17 @@ function createProxy() {
       onStopListening: stopListening
     });
   } catch(e) { do_throw(e); }
 }
 
 function test_connectonly() {
   Services.prefs.setCharPref("network.proxy.ssl", "localhost");
   Services.prefs.setIntPref("network.proxy.ssl_port", socketserver_port);
-  Services.prefs.setCharPref("network.proxy.no_proxies_on", "");
+  Services.prefs.setBoolPref("network.proxy.allow_hijacking_localhost", true);
   Services.prefs.setIntPref("network.proxy.type", 1);
 
   var chan = makeChan();
   chan.asyncOpen(listener);
 
   do_test_pending();
 }
 
@@ -299,17 +299,17 @@ function test_connectonly_noproxy() {
   do_test_pending();
 }
 
 function test_connectonly_nonhttp() {
   clearPrefs()
 
   Services.prefs.setCharPref("network.proxy.socks", "localhost")
   Services.prefs.setIntPref("network.proxy.socks_port", socketserver_port)
-  Services.prefs.setCharPref("network.proxy.no_proxies_on", "")
+  Services.prefs.setBoolPref("network.proxy.allow_hijacking_localhost", true);
   Services.prefs.setIntPref("network.proxy.type", 1)
 
   var chan = makeChan()
   chan.asyncOpen(listener)
 
   do_test_pending()
 }
 
@@ -331,17 +331,17 @@ var tests = [
   test_connectonly_nonhttp
 ];
 
 function clearPrefs() {
   Services.prefs.clearUserPref("network.proxy.ssl");
   Services.prefs.clearUserPref("network.proxy.ssl_port");
   Services.prefs.clearUserPref("network.proxy.socks");
   Services.prefs.clearUserPref("network.proxy.socks_port");
-  Services.prefs.clearUserPref("network.proxy.no_proxies_on");
+  Services.prefs.clearUserPref("network.proxy.allow_hijacking_localhost");
   Services.prefs.clearUserPref("network.proxy.type");
 }
 
 function run_test() {
   createProxy();
 
   registerCleanupFunction(clearPrefs);
 
--- a/testing/raptor/raptor/playback/mitmproxy.py
+++ b/testing/raptor/raptor/playback/mitmproxy.py
@@ -54,17 +54,17 @@ POLICIES_CONTENT_ON = '''{
   "policies": {
     "Certificates": {
       "Install": ["%(cert)s"]
     },
     "Proxy": {
       "Mode": "manual",
       "HTTPProxy": "%(host)s:8080",
       "SSLProxy": "%(host)s:8080",
-      "Passthrough": "localhost, 127.0.0.1, %(host)s",
+      "Passthrough": "%(host)s",
       "Locked": true
     }
   }
 }'''
 
 POLICIES_CONTENT_OFF = '''{
   "policies": {
     "Proxy": {
--- a/testing/raptor/raptor/raptor.py
+++ b/testing/raptor/raptor/raptor.py
@@ -526,24 +526,23 @@ class RaptorAndroid(Raptor):
         self.device.push(self.profile.profile, self.device_profile)
         self.device.chmod(self.device_profile, recursive=True)
 
     def turn_on_android_app_proxy(self):
         # for geckoview/android pageload playback we can't use a policy to turn on the
         # proxy; we need to set prefs instead; note that the 'host' may be different
         # than '127.0.0.1' so we must set the prefs accordingly
         self.log.info("setting profile prefs to turn on the android app proxy")
-        no_proxies_on = "localhost, 127.0.0.1, %s" % self.config['host']
         proxy_prefs = {}
         proxy_prefs["network.proxy.type"] = 1
         proxy_prefs["network.proxy.http"] = self.config['host']
         proxy_prefs["network.proxy.http_port"] = 8080
         proxy_prefs["network.proxy.ssl"] = self.config['host']
         proxy_prefs["network.proxy.ssl_port"] = 8080
-        proxy_prefs["network.proxy.no_proxies_on"] = no_proxies_on
+        proxy_prefs["network.proxy.no_proxies_on"] = self.config['host']
         self.profile.set_preferences(proxy_prefs)
 
     def launch_firefox_android_app(self):
         self.log.info("starting %s" % self.config['app'])
         if self.config['app'] == "fennec":
             self.launch_firefox_fennec()
             return
 
--- a/testing/talos/talos/mitmproxy/mitmproxy.py
+++ b/testing/talos/talos/mitmproxy/mitmproxy.py
@@ -30,17 +30,17 @@ POLICIES_CONTENT_ON = '''{
   "policies": {
     "Certificates": {
       "Install": ["%(cert)s"]
     },
     "Proxy": {
       "Mode": "manual",
       "HTTPProxy": "127.0.0.1:8080",
       "SSLProxy": "127.0.0.1:8080",
-      "Passthrough": "localhost, 127.0.0.1",
+      "Passthrough": "",
       "Locked": true
     }
   }
 }'''
 
 POLICIES_CONTENT_OFF = '''{
   "policies": {
     "Proxy": {
--- a/toolkit/components/extensions/test/xpcshell/test_ext_proxy_config.js
+++ b/toolkit/components/extensions/test/xpcshell/test_ext_proxy_config.js
@@ -27,17 +27,17 @@ add_task(async function test_browser_set
     "network.proxy.ftp": "",
     "network.proxy.ftp_port": 0,
     "network.proxy.ssl": "",
     "network.proxy.ssl_port": 0,
     "network.proxy.socks": "",
     "network.proxy.socks_port": 0,
     "network.proxy.socks_version": 5,
     "network.proxy.socks_remote_dns": false,
-    "network.proxy.no_proxies_on": "localhost, 127.0.0.1",
+    "network.proxy.no_proxies_on": "",
     "network.proxy.autoconfig_url": "",
     "signon.autologin.proxy": false,
   };
 
   async function background() {
     browser.test.onMessage.addListener(async (msg, value) => {
       let apiObj = browser.proxy.settings;
       let result = await apiObj.set({value});
@@ -94,17 +94,17 @@ add_task(async function test_browser_set
 
     let proxyConfig = {
       proxyType: "none",
       autoConfigUrl: "",
       autoLogin: false,
       proxyDNS: false,
       httpProxyAll: false,
       socksVersion: 5,
-      passthrough: "localhost, 127.0.0.1",
+      passthrough: "",
       http: "",
       ftp: "",
       ssl: "",
       socks: "",
     };
 
     expectedConfig.proxyType = expectedConfig.proxyType || "system";
 
--- a/toolkit/components/passwordmgr/test/browser/browser_insecurePasswordConsoleWarning.js
+++ b/toolkit/components/passwordmgr/test/browser/browser_insecurePasswordConsoleWarning.js
@@ -5,17 +5,17 @@ const WARNING_PATTERN = [{
   msg: 'JavaScript Warning: "Password fields present in a form with an insecure (http://) form action. This is a security risk that allows user login credentials to be stolen."',
 }, {
   key: "INSECURE_PAGE",
   msg: 'JavaScript Warning: "Password fields present on an insecure (http://) page. This is a security risk that allows user login credentials to be stolen."',
 }];
 
 add_task(async function testInsecurePasswordWarning() {
   // By default, proxies don't apply to 127.0.0.1. We need them to for this test, though:
-  await SpecialPowers.pushPrefEnv({set: [["network.proxy.no_proxies_on", ""]]});
+  await SpecialPowers.pushPrefEnv({set: [["network.proxy.allow_hijacking_localhost", true]]});
   let warningPatternHandler;
 
   function messageHandler(msgObj) {
     function findWarningPattern(msg) {
       return WARNING_PATTERN.find(patternPair => {
         return msg.includes(patternPair.msg);
       });
     }