Bug 1248564 - Pref to send default NTLM creds in PB, Always send default creds to proxies in PB. r=jduell
☠☠ backed out by 27e505e44a64 ☠ ☠
authorHonza Bambas <honzab.moz@firemni.cz>
Fri, 11 Nov 2016 03:45:00 -0500
changeset 352202 d1ef75d52b01dbd1f3185084836f48fda8262691
parent 352201 0c62b9c32517f75912b9c4b8d602cabab7dd5f85
child 352203 49d1c7361c57ac096cf28b76a0d9cf887c83a417
push id6795
push userjlund@mozilla.com
push dateMon, 23 Jan 2017 14:19:46 +0000
treeherdermozilla-esr52@76101b503191 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersjduell
bugs1248564
milestone52.0a1
Bug 1248564 - Pref to send default NTLM creds in PB, Always send default creds to proxies in PB. r=jduell
extensions/auth/nsHttpNegotiateAuth.cpp
modules/libpref/init/all.js
netwerk/protocol/http/nsHttpNTLMAuth.cpp
--- a/extensions/auth/nsHttpNegotiateAuth.cpp
+++ b/extensions/auth/nsHttpNegotiateAuth.cpp
@@ -48,46 +48,56 @@
 //-----------------------------------------------------------------------------
 
 static const char kNegotiate[] = "Negotiate";
 static const char kNegotiateAuthTrustedURIs[] = "network.negotiate-auth.trusted-uris";
 static const char kNegotiateAuthDelegationURIs[] = "network.negotiate-auth.delegation-uris";
 static const char kNegotiateAuthAllowProxies[] = "network.negotiate-auth.allow-proxies";
 static const char kNegotiateAuthAllowNonFqdn[] = "network.negotiate-auth.allow-non-fqdn";
 static const char kNegotiateAuthSSPI[] = "network.auth.use-sspi";
+static const char kSSOinPBmode[] = "network.auth.private-browsing-sso";
 
 #define kNegotiateLen  (sizeof(kNegotiate)-1)
 #define DEFAULT_THREAD_TIMEOUT_MS 30000
 
 //-----------------------------------------------------------------------------
 
 // Return false when the channel comes from a Private browsing window.
 static bool
-TestNotInPBMode(nsIHttpAuthenticableChannel *authChannel)
+TestNotInPBMode(nsIHttpAuthenticableChannel *authChannel, bool proxyAuth)
 {
+    // Proxy should go all the time, it's not considered a privacy leak
+    // to send default credentials to a proxy.
+    if (proxyAuth) {
+        return true;
+    }
+
     nsCOMPtr<nsIChannel> bareChannel = do_QueryInterface(authChannel);
     MOZ_ASSERT(bareChannel);
 
     if (!NS_UsePrivateBrowsing(bareChannel)) {
         return true;
     }
 
     nsCOMPtr<nsIPrefBranch> prefs = do_GetService(NS_PREFSERVICE_CONTRACTID);
-    if (!prefs) {
-        return true;
-    }
+    if (prefs) {
+        bool ssoInPb;
+        if (NS_SUCCEEDED(prefs->GetBoolPref(kSSOinPBmode, &ssoInPb)) && ssoInPb) {
+            return true;
+        }
 
-    // When the "Never remember history" option is set, all channels are
-    // set PB mode flag, but here we want to make an exception, users
-    // want their credentials go out.
-    bool dontRememberHistory;
-    if (NS_SUCCEEDED(prefs->GetBoolPref("browser.privatebrowsing.autostart",
-                                        &dontRememberHistory)) &&
-        dontRememberHistory) {
-        return true;
+        // When the "Never remember history" option is set, all channels are
+        // set PB mode flag, but here we want to make an exception, users
+        // want their credentials go out.
+        bool dontRememberHistory;
+        if (NS_SUCCEEDED(prefs->GetBoolPref("browser.privatebrowsing.autostart",
+                                            &dontRememberHistory)) &&
+            dontRememberHistory) {
+            return true;
+        }
     }
 
     return false;
 }
 
 NS_IMETHODIMP
 nsHttpNegotiateAuth::GetAuthFlags(uint32_t *flags)
 {
@@ -144,17 +154,17 @@ nsHttpNegotiateAuth::ChallengeReceived(n
         req_flags |= nsIAuthModule::REQ_PROXY_AUTH;
         nsCOMPtr<nsIProxyInfo> proxyInfo;
         authChannel->GetProxyInfo(getter_AddRefs(proxyInfo));
         NS_ENSURE_STATE(proxyInfo);
 
         proxyInfo->GetHost(service);
     }
     else {
-        bool allowed = TestNotInPBMode(authChannel) &&
+        bool allowed = TestNotInPBMode(authChannel, isProxyAuth) &&
                        (TestNonFqdn(uri) ||
                        TestPref(uri, kNegotiateAuthTrustedURIs));
         if (!allowed) {
             LOG(("nsHttpNegotiateAuth::ChallengeReceived URI blocked\n"));
             return NS_ERROR_ABORT;
         }
 
         bool delegation = TestPref(uri, kNegotiateAuthDelegationURIs);
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -1959,16 +1959,28 @@ pref("network.generic-ntlm-auth.workstat
 // Sub-resources HTTP-authentication:
 //   0 - don't allow sub-resources to open HTTP authentication credentials
 //       dialogs
 //   1 - allow sub-resources to open HTTP authentication credentials dialogs,
 //       but don't allow it for cross-origin sub-resources
 //   2 - allow the cross-origin authentication as well.
 pref("network.auth.subresource-http-auth-allow", 2);
 
+// This preference controls whether to allow sending default credentials (SSO) to
+// NTLM/Negotiate servers allowed in the "trusted uri" list when navigating them
+// in a Private Browsing window.
+// If set to false, Private Browsing windows will not use default credentials and ask
+// for credentials from the user explicitly.
+// If set to true, and a server URL conforms other conditions for sending default
+// credentials, those will be sent automatically in Private Browsing windows.
+//
+// This preference has no effect when the browser is set to "Never Remember History",
+// in that case default credentials will always be used.
+pref("network.auth.private-browsing-sso", false);
+
 pref("permissions.default.image",           1); // 1-Accept, 2-Deny, 3-dontAcceptForeign
 
 pref("network.proxy.type",                  5);
 pref("network.proxy.ftp",                   "");
 pref("network.proxy.ftp_port",              0);
 pref("network.proxy.http",                  "");
 pref("network.proxy.http_port",             0);
 pref("network.proxy.ssl",                   "");
--- a/netwerk/protocol/http/nsHttpNTLMAuth.cpp
+++ b/netwerk/protocol/http/nsHttpNTLMAuth.cpp
@@ -32,16 +32,17 @@
 
 namespace mozilla {
 namespace net {
 
 static const char kAllowProxies[] = "network.automatic-ntlm-auth.allow-proxies";
 static const char kAllowNonFqdn[] = "network.automatic-ntlm-auth.allow-non-fqdn";
 static const char kTrustedURIs[]  = "network.automatic-ntlm-auth.trusted-uris";
 static const char kForceGeneric[] = "network.auth.force-generic-ntlm";
+static const char kSSOinPBmode[] = "network.auth.private-browsing-sso";
 
 // XXX MatchesBaseURI and TestPref are duplicated in nsHttpNegotiateAuth.cpp,
 // but since that file lives in a separate library we cannot directly share it.
 // bug 236865 addresses this problem.
 
 static bool
 MatchesBaseURI(const nsCSubstring &matchScheme,
                const nsCSubstring &matchHost,
@@ -183,45 +184,51 @@ ForceGenericNTLM()
 }
 
 // Check to see if we should use default credentials for this host or proxy.
 static bool
 CanUseDefaultCredentials(nsIHttpAuthenticableChannel *channel,
                          bool isProxyAuth)
 {
     nsCOMPtr<nsIPrefBranch> prefs = do_GetService(NS_PREFSERVICE_CONTRACTID);
-
-    // Prevent using default credentials for authentication when we are in the
-    // private browsing mode.  It would cause a privacy data leak.
-    nsCOMPtr<nsIChannel> bareChannel = do_QueryInterface(channel);
-    MOZ_ASSERT(bareChannel);
-
-    if (NS_UsePrivateBrowsing(bareChannel)) {
-        // But allow when in the "Never remember history" mode.
-        bool dontRememberHistory;
-        if (prefs &&
-            NS_SUCCEEDED(prefs->GetBoolPref("browser.privatebrowsing.autostart",
-                                            &dontRememberHistory)) &&
-            !dontRememberHistory) {
-            return false;
-        }
-    }
-
     if (!prefs) {
         return false;
     }
 
+    // Proxy should go all the time, it's not considered a privacy leak
+    // to send default credentials to a proxy.
     if (isProxyAuth) {
         bool val;
         if (NS_FAILED(prefs->GetBoolPref(kAllowProxies, &val)))
             val = false;
         LOG(("Default credentials allowed for proxy: %d\n", val));
         return val;
     }
 
+    // Prevent using default credentials for authentication when we are in the
+    // private browsing mode (but not in "never remember history" mode) and when
+    // not explicitely allowed.  Otherwise, it would cause a privacy data leak.
+    nsCOMPtr<nsIChannel> bareChannel = do_QueryInterface(channel);
+    MOZ_ASSERT(bareChannel);
+
+    if (NS_UsePrivateBrowsing(bareChannel)) {
+        bool ssoInPb;
+        if (NS_SUCCEEDED(prefs->GetBoolPref(kSSOinPBmode, &ssoInPb)) &&
+            ssoInPb) {
+            return true;
+        }
+
+        bool dontRememberHistory;
+        if (NS_SUCCEEDED(prefs->GetBoolPref("browser.privatebrowsing.autostart",
+                                            &dontRememberHistory)) &&
+            !dontRememberHistory) {
+            return false;
+        }
+    }
+
     nsCOMPtr<nsIURI> uri;
     channel->GetURI(getter_AddRefs(uri));
 
     bool allowNonFqdn;
     if (NS_FAILED(prefs->GetBoolPref(kAllowNonFqdn, &allowNonFqdn)))
         allowNonFqdn = false;
     if (allowNonFqdn && uri && IsNonFqdn(uri)) {
         LOG(("Host is non-fqdn, default credentials are allowed\n"));