Backed out changeset 38ce182f68ea (bug 1402530) for build bustages in nsMixedContentBlocker.cpp CLOSED TREE
authorNoemi Erli <nerli@mozilla.com>
Thu, 09 May 2019 17:29:38 +0300
changeset 532033 9f769e825727a431a5412de163382902707a3e1d
parent 532032 11199ccc5f71dc14c819fa780c1732369972f0d5
child 532034 1971986d9cd6a17872eb0698afc23624fef4b19a
push id11265
push userffxbld-merge
push dateMon, 13 May 2019 10:53:39 +0000
treeherdermozilla-beta@77e0fe8dbdd3 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
bugs1402530
milestone68.0a1
backs out38ce182f68ea52e21cf4a73ab857d12bd95d1616
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Backed out changeset 38ce182f68ea (bug 1402530) for build bustages in nsMixedContentBlocker.cpp CLOSED TREE
browser/base/content/test/siteIdentity/test_no_mcb_for_loopback.html
build/pgo/server-locations.txt
dom/security/nsContentSecurityManager.cpp
dom/security/nsMixedContentBlocker.cpp
dom/security/nsMixedContentBlocker.h
--- a/browser/base/content/test/siteIdentity/test_no_mcb_for_loopback.html
+++ b/browser/base/content/test/siteIdentity/test_no_mcb_for_loopback.html
@@ -1,14 +1,14 @@
 <!-- See browser_no_mcb_for_localhost.js -->
 <!DOCTYPE HTML>
 <html>
   <head>
     <meta charset="utf8">
-    <title>Bug 903966, Bug 1402530</title>
+    <title>Bug 903966</title>
   </head>
 
   <style>
     @font-face {
       font-family: "Font-IPv4";
       src: url("http://127.0.0.1:8/test.ttf");
     }
 
@@ -27,29 +27,24 @@
   </style>
 
   <body>
     <div id="ip-v4">test</div>
     <div id="ip-v6">test</div>
 
     <img src="http://127.0.0.1:8/test.png">
     <img src="http://[::1]:8/test.png">
-    <img src="http://localhost:8/test.png">
 
     <iframe src="http://127.0.0.1:8/test.html"></iframe>
     <iframe src="http://[::1]:8/test.html"></iframe>
-    <iframe src="http://localhost:8/test.html"></iframe>
   </body>
 
   <script src="http://127.0.0.1:8/test.js"></script>
   <script src="http://[::1]:8/test.js"></script>
-  <script src="http://localhost:8/test.js"></script>
-  
+
   <link href="http://127.0.0.1:8/test.css" rel="stylesheet"></link>
   <link href="http://[::1]:8/test.css" rel="stylesheet"></link>
-  <link href="http://localhost:8/test.css" rel="stylesheet"></link>
 
   <script>
     fetch("http://127.0.0.1:8");
-    fetch("http://localhost:8");
     fetch("http://[::1]:8");
   </script>
 </html>
--- a/build/pgo/server-locations.txt
+++ b/build/pgo/server-locations.txt
@@ -293,13 +293,10 @@ https://ssl3rc4.example.com:443     priv
 https://tls1.example.com:443        privileged,tls1
 
 # Hosts for youtube rewrite tests
 https://mochitest.youtube.com:443
 
 # Host for U2F localhost tests
 https://localhost:443
 
-# Bug 1402530
-http://localhost:80                 privileged
-
 # Host for testing APIs whitelisted for mozilla.org
 https://www.mozilla.org:443
--- a/dom/security/nsContentSecurityManager.cpp
+++ b/dom/security/nsContentSecurityManager.cpp
@@ -1074,26 +1074,98 @@ nsContentSecurityManager::IsOriginPotent
   MOZ_ASSERT(NS_IsMainThread());
   NS_ENSURE_ARG_POINTER(aPrincipal);
   NS_ENSURE_ARG_POINTER(aIsTrustWorthy);
 
   if (aPrincipal->IsSystemPrincipal()) {
     *aIsTrustWorthy = true;
     return NS_OK;
   }
+
+  // The following implements:
+  // https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy
+
   *aIsTrustWorthy = false;
+
   if (aPrincipal->GetIsNullPrincipal()) {
     return NS_OK;
   }
 
   MOZ_ASSERT(aPrincipal->GetIsCodebasePrincipal(),
              "Nobody is expected to call us with an nsIExpandedPrincipal");
 
   nsCOMPtr<nsIURI> uri;
   nsresult rv = aPrincipal->GetURI(getter_AddRefs(uri));
-  NS_ENSURE_SUCCESS(rv, rv);
-  rv = nsMixedContentBlocker::IsOriginPotentiallyTrustworthy(uri,
-                                                             aIsTrustWorthy);
+  if (NS_FAILED(rv)) {
+    return NS_OK;
+  }
+
+  nsAutoCString scheme;
+  rv = uri->GetScheme(scheme);
   if (NS_FAILED(rv)) {
     return NS_OK;
   }
+
+  // Blobs are expected to inherit their principal so we don't expect to have
+  // a codebase principal with scheme 'blob' here.  We can't assert that though
+  // since someone could mess with a non-blob URI to give it that scheme.
+  NS_WARNING_ASSERTION(!scheme.EqualsLiteral("blob"),
+                       "IsOriginPotentiallyTrustworthy ignoring blob scheme");
+
+  // According to the specification, the user agent may choose to extend the
+  // trust to other, vendor-specific URL schemes. We use this for "resource:",
+  // which is technically a substituting protocol handler that is not limited to
+  // local resource mapping, but in practice is never mapped remotely as this
+  // would violate assumptions a lot of code makes.
+  // We use nsIProtocolHandler flags to determine which protocols we consider a
+  // priori authenticated.
+  bool aPrioriAuthenticated = false;
+  if (NS_FAILED(NS_URIChainHasFlags(
+          uri, nsIProtocolHandler::URI_IS_POTENTIALLY_TRUSTWORTHY,
+          &aPrioriAuthenticated))) {
+    return NS_ERROR_UNEXPECTED;
+  }
+
+  if (aPrioriAuthenticated) {
+    *aIsTrustWorthy = true;
+    return NS_OK;
+  }
+
+  nsAutoCString host;
+  rv = uri->GetHost(host);
+  if (NS_FAILED(rv)) {
+    return NS_OK;
+  }
+
+  if (host.EqualsLiteral("127.0.0.1") || host.EqualsLiteral("localhost") ||
+      host.EqualsLiteral("::1")) {
+    *aIsTrustWorthy = true;
+    return NS_OK;
+  }
+
+  // If a host is not considered secure according to the default algorithm, then
+  // check to see if it has been whitelisted by the user.  We only apply this
+  // whitelist for network resources, i.e., those with scheme "http" or "ws".
+  // The pref should contain a comma-separated list of hostnames.
+  if (scheme.EqualsLiteral("http") || scheme.EqualsLiteral("ws")) {
+    nsAutoCString whitelist;
+    nsresult rv =
+        Preferences::GetCString("dom.securecontext.whitelist", whitelist);
+    if (NS_SUCCEEDED(rv)) {
+      nsCCharSeparatedTokenizer tokenizer(whitelist, ',');
+      while (tokenizer.hasMoreTokens()) {
+        const nsACString& allowedHost = tokenizer.nextToken();
+        if (host.Equals(allowedHost)) {
+          *aIsTrustWorthy = true;
+          return NS_OK;
+        }
+      }
+    }
+    // Maybe we have a .onion URL. Treat it as whitelisted as well if
+    // `dom.securecontext.whitelist_onions` is `true`.
+    if (nsMixedContentBlocker::IsPotentiallyTrustworthyOnion(uri)) {
+      *aIsTrustWorthy = true;
+      return NS_OK;
+    }
+  }
+
   return NS_OK;
 }
--- a/dom/security/nsMixedContentBlocker.cpp
+++ b/dom/security/nsMixedContentBlocker.cpp
@@ -373,19 +373,17 @@ nsMixedContentBlocker::ShouldLoad(nsIURI
 bool nsMixedContentBlocker::IsPotentiallyTrustworthyLoopbackURL(nsIURI* aURL) {
   nsAutoCString host;
   nsresult rv = aURL->GetHost(host);
   NS_ENSURE_SUCCESS(rv, false);
 
   // We could also allow 'localhost' (if we can guarantee that it resolves
   // to a loopback address), but Chrome doesn't support it as of writing. For
   // web compat, lets only allow what Chrome allows.
-  // see also https://bugzilla.mozilla.org/show_bug.cgi?id=1220810
-  return host.EqualsLiteral("127.0.0.1") || host.EqualsLiteral("::1") ||
-         host.EqualsLiteral("localhost");
+  return host.EqualsLiteral("127.0.0.1") || host.EqualsLiteral("::1");
 }
 
 /* Maybe we have a .onion URL. Treat it as whitelisted as well if
  * `dom.securecontext.whitelist_onions` is `true`.
  */
 bool nsMixedContentBlocker::IsPotentiallyTrustworthyOnion(nsIURI* aURL) {
   static bool sInited = false;
   static bool sWhiteListOnions = false;
@@ -399,95 +397,16 @@ bool nsMixedContentBlocker::IsPotentiall
   }
 
   nsAutoCString host;
   nsresult rv = aURL->GetHost(host);
   NS_ENSURE_SUCCESS(rv, false);
   return StringEndsWith(host, NS_LITERAL_CSTRING(".onion"));
 }
 
-NS_IMETHODIMP
-nsMixedContentBlocker::IsOriginPotentiallyTrustworthy(nsIURI* aURI,
-                                                      bool* aIsTrustWorthy) {
-  // The following implements:
-  // https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy
-
-  *aIsTrustWorthy = false;
-
-  nsAutoCString scheme;
-  nsresult rv = aURI->GetScheme(scheme);
-  if (NS_FAILED(rv)) {
-    return NS_OK;
-  }
-
-  // Blobs are expected to inherit their principal so we don't expect to have
-  // a codebase principal with scheme 'blob' here.  We can't assert that though
-  // since someone could mess with a non-blob URI to give it that scheme.
-  NS_WARNING_ASSERTION(!scheme.EqualsLiteral("blob"),
-                       "IsOriginPotentiallyTrustworthy ignoring blob scheme");
-
-  // According to the specification, the user agent may choose to extend the
-  // trust to other, vendor-specific URL schemes. We use this for "resource:",
-  // which is technically a substituting protocol handler that is not limited to
-  // local resource mapping, but in practice is never mapped remotely as this
-  // would violate assumptions a lot of code makes.
-  // We use nsIProtocolHandler flags to determine which protocols we consider a
-  // priori authenticated.
-  bool aPrioriAuthenticated = false;
-  if (NS_FAILED(NS_URIChainHasFlags(
-          aURI, nsIProtocolHandler::URI_IS_POTENTIALLY_TRUSTWORTHY,
-          &aPrioriAuthenticated))) {
-    return NS_ERROR_UNEXPECTED;
-  }
-
-  if (aPrioriAuthenticated) {
-    *aIsTrustWorthy = true;
-    return NS_OK;
-  }
-
-  nsAutoCString host;
-  rv = aURI->GetHost(host);
-  if (NS_FAILED(rv)) {
-    return NS_OK;
-  }
-
-  if (IsPotentiallyTrustworthyLoopbackURL(aURI)) {
-    *aIsTrustWorthy = true;
-    return NS_OK;
-  }
-
-  // If a host is not considered secure according to the default algorithm, then
-  // check to see if it has been whitelisted by the user.  We only apply this
-  // whitelist for network resources, i.e., those with scheme "http" or "ws".
-  // The pref should contain a comma-separated list of hostnames.
-
-  if (!scheme.EqualsLiteral("http") && !scheme.EqualsLiteral("ws")) {
-    return NS_OK;
-  }
-  nsAutoCString whitelist;
-  rv = Preferences::GetCString("dom.securecontext.whitelist", whitelist);
-  if (NS_SUCCEEDED(rv)) {
-    nsCCharSeparatedTokenizer tokenizer(whitelist, ',');
-    while (tokenizer.hasMoreTokens()) {
-      const nsACString& allowedHost = tokenizer.nextToken();
-      if (host.Equals(allowedHost)) {
-        *aIsTrustWorthy = true;
-        return NS_OK;
-      }
-    }
-  }
-  // Maybe we have a .onion URL. Treat it as whitelisted as well if
-  // `dom.securecontext.whitelist_onions` is `true`.
-  if (nsMixedContentBlocker::IsPotentiallyTrustworthyOnion(aURI)) {
-    *aIsTrustWorthy = true;
-    return NS_OK;
-  }
-  return NS_OK;
-}
-
 /* Static version of ShouldLoad() that contains all the Mixed Content Blocker
  * logic.  Called from non-static ShouldLoad().
  */
 nsresult nsMixedContentBlocker::ShouldLoad(
     bool aHadInsecureImageRedirect, uint32_t aContentType,
     nsIURI* aContentLocation, nsIURI* aRequestingLocation,
     nsISupports* aRequestingContext, const nsACString& aMimeGuess,
     nsIPrincipal* aRequestPrincipal, int16_t* aDecision) {
@@ -814,22 +733,27 @@ nsresult nsMixedContentBlocker::ShouldLo
     *aDecision = REJECT_REQUEST;
     return NS_OK;
   }
 
   bool isHttpScheme = false;
   rv = innerContentLocation->SchemeIs("http", &isHttpScheme);
   NS_ENSURE_SUCCESS(rv, rv);
 
-  bool IsPotentiallyTrustworthy = false;
-  rv = IsOriginPotentiallyTrustworthy(innerContentLocation,
-                                      &IsPotentiallyTrustworthy);
-  NS_ENSURE_SUCCESS(rv, rv);
+  // Loopback origins are not considered mixed content even over HTTP. See:
+  // https://w3c.github.io/webappsec-mixed-content/#should-block-fetch
+  if (isHttpScheme &&
+      IsPotentiallyTrustworthyLoopbackURL(innerContentLocation)) {
+    *aDecision = ACCEPT;
+    return NS_OK;
+  }
 
-  if (isHttpScheme && IsPotentiallyTrustworthy) {
+  // .onion URLs are encrypted and authenticated. Don't treat them as mixed
+  // content if potentially trustworthy (i.e. whitelisted).
+  if (isHttpScheme && IsPotentiallyTrustworthyOnion(innerContentLocation)) {
     *aDecision = ACCEPT;
     return NS_OK;
   }
 
   // The page might have set the CSP directive 'upgrade-insecure-requests'. In
   // such a case allow the http: load to succeed with the promise that the
   // channel will get upgraded to https before fetching any data from the
   // netwerk. Please see: nsHttpChannel::Connect()
--- a/dom/security/nsMixedContentBlocker.h
+++ b/dom/security/nsMixedContentBlocker.h
@@ -46,18 +46,16 @@ class nsMixedContentBlocker : public nsI
   NS_DECL_NSICHANNELEVENTSINK
 
   nsMixedContentBlocker();
 
   // See:
   // https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy
   static bool IsPotentiallyTrustworthyLoopbackURL(nsIURI* aURL);
   static bool IsPotentiallyTrustworthyOnion(nsIURI* aURL);
-  static nsresult IsOriginPotentiallyTrustworthy(nsIURI* aURI,
-                                                 bool* aIsTrustWorthy);
 
   /* Static version of ShouldLoad() that contains all the Mixed Content Blocker
    * logic.  Called from non-static ShouldLoad().
    * Called directly from imageLib when an insecure redirect exists in a cached
    * image load.
    * @param aHadInsecureImageRedirect
    *        boolean flag indicating that an insecure redirect through http
    *        occured when this image was initially loaded and cached.