Bug 1411646 prevent oauth redirect requests from happening, r=rpl
authorShane Caraveo <scaraveo@mozilla.com>
Thu, 09 Nov 2017 15:11:13 -0800
changeset 444573 e74c96a287cec01c2441ef6aab4b71cd8a1d28be
parent 444572 741841a69b8758aae99e311a2ae8bfb34cd902f6
child 444574 898bb619f62764a0c73db7324288eb30bc969774
push id1618
push userCallek@gmail.com
push dateThu, 11 Jan 2018 17:45:48 +0000
reviewersrpl
bugs1411646
milestone58.0a1
Bug 1411646 prevent oauth redirect requests from happening, r=rpl MozReview-Commit-ID: L8ekyXDeCbp
toolkit/components/extensions/ext-identity.js
toolkit/components/extensions/test/mochitest/test_chrome_ext_identity.html
--- a/toolkit/components/extensions/ext-identity.js
+++ b/toolkit/components/extensions/ext-identity.js
@@ -58,36 +58,35 @@ const openOAuthWindow = (details, redire
                                       args);
 
   return new Promise((resolve, reject) => {
     let wpl;
 
     // If the user just closes the window we need to reject
     function unloadlistener() {
       window.removeEventListener("unload", unloadlistener);
-      window.gBrowser.removeTabsProgressListener(wpl);
+      window.gBrowser.removeProgressListener(wpl);
       reject({message: "User cancelled or denied access."});
     }
 
     wpl = {
-      onLocationChange(browser, webProgress, request, locationURI) {
-        if (locationURI.spec.startsWith(redirectURI)) {
-          resolve(locationURI.spec);
+      onStateChange(progress, request, flags, status) {
+        if (request instanceof Ci.nsIHttpChannel &&
+          request.URI.spec.startsWith(redirectURI)) {
+          request.cancel(Components.results.NS_BINDING_ABORTED);
           window.removeEventListener("unload", unloadlistener);
-          window.gBrowser.removeTabsProgressListener(wpl);
+          window.gBrowser.removeProgressListener(wpl);
           window.close();
+          resolve(request.URI.spec);
         }
       },
-      onProgressChange() {},
-      onStatusChange() {},
-      onSecurityChange() {},
     };
 
     promiseDocumentLoaded(window.document).then(() => {
-      window.gBrowser.addTabsProgressListener(wpl);
+      window.gBrowser.addProgressListener(wpl);
       window.addEventListener("unload", unloadlistener);
     });
   });
 };
 
 this.identity = class extends ExtensionAPI {
   getAPI(context) {
     return {
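Review bot: The redirect match in `onStateChange` is a raw string-prefix test, `request.URI.spec.startsWith(redirectURI)`, and it now decides both which request is cancelled and which URL is resolved back to the extension. Whether a longer host or path that merely begins with the same characters can pass depends on `redirectURI` ending at a delimiter, which is set outside this hunk; comparing the parsed origin first (for example `request.URI.prePath`) and then the path would make the check independent of the caller. The handler also ignores `flags`, so it runs on every state transition; a short comment such as `// Cancel before the load proceeds so the redirect URL and its token never reach the network.` would record why the cancel comes before `resolve`. openOAuthWindow begins above the hunk, so how `redirectURI` is built is not visible here.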
--- a/toolkit/components/extensions/test/mochitest/test_chrome_ext_identity.html
+++ b/toolkit/components/extensions/test/mochitest/test_chrome_ext_identity.html
@@ -139,16 +139,23 @@ function background_launchWebAuthFlow(in
   let base_uri = "https://example.com/chrome/toolkit/components/extensions/test/mochitest/";
   let redirect_uri = browser.identity.getRedirectURL("/identity_cb");
   browser.test.assertEq(expected_redirect, redirect_uri, "expected redirect uri matches hash");
   let url = `${base_uri}${path}?redirect_uri=${encodeURIComponent(redirect_uri)}`;
   if (!redirect) {
     url = `${url}&no_redirect=1`;
   }
 
+  // Ensure we do not start the actual request for the redirect url.
+  browser.webRequest.onBeforeRequest.addListener(details => {
+    if (details.url.startsWith(expected_redirect)) {
+      browser.test.fail("onBeforeRequest called for redirect url");
+    }
+  }, {urls: ["https://35b64b676900f491c00e7f618d43f7040e88422e.example.com/*"]});
+
   browser.identity.launchWebAuthFlow({interactive, url}).then((redirectURL) => {
     browser.test.assertTrue(redirectURL.startsWith(redirect_uri), `correct redirect url ${redirectURL}`);
     if (redirect) {
       let url = new URL(redirectURL);
       browser.test.assertEq("here ya go", url.searchParams.get("access_token"), "Handled auto redirection");
     }
     browser.test.sendMessage("done");
   }).catch((error) => {
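Review bot: The `onBeforeRequest` filter on the `{urls: [...]}` line hard-codes the redirect host, while the listener body compares against `expected_redirect`, so the two can drift apart. If the extension id or the redirect host ever changes, the filter stops matching, the listener never runs, and the test passes without checking that the redirect request was suppressed. Deriving the pattern from the value already in scope, e.g. `{urls: [new URL(redirect_uri).origin + "/*"]}`, keeps the guard tied to the URL under test. background_launchWebAuthFlow continues past the end of the hunk.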
@@ -167,18 +174,19 @@ add_task(async function test_autoRedirec
   let extension = ExtensionTestUtils.loadExtension({
     manifest: {
       "applications": {
         "gecko": {
           "id": "identity@mozilla.org",
         },
       },
       "permissions": [
+        "webRequest",
         "identity",
-        "https://example.com/",
+        "https://*.example.com/*",
       ],
     },
     background: `(${background_launchWebAuthFlow})(false, "redirect_auto.sjs")`,
   });
 
   await extension.startup();
   await extension.awaitMessage("done");
   await extension.unload();
@@ -189,18 +197,19 @@ add_task(async function test_noRedirect(
   let extension = ExtensionTestUtils.loadExtension({
     manifest: {
       "applications": {
         "gecko": {
           "id": "identity@mozilla.org",
         },
       },
       "permissions": [
+        "webRequest",
         "identity",
-        "https://example.com/",
+        "https://*.example.com/*",
       ],
     },
     background: `(${background_launchWebAuthFlow})(false, "redirect_auto.sjs", false)`,
   });
 
   await extension.startup();
   await extension.awaitMessage("done");
   await extension.unload();
@@ -214,18 +223,19 @@ add_task(async function test_interaction
   let extension = ExtensionTestUtils.loadExtension({
     manifest: {
       "applications": {
         "gecko": {
           "id": "identity@mozilla.org",
         },
       },
       "permissions": [
+        "webRequest",
         "identity",
-        "https://example.com/",
+        "https://*.example.com/*",
       ],
     },
     background: `(${background_launchWebAuthFlow})(true, "oauth.html")`,
   });
 
   await extension.startup();
   await extension.awaitMessage("done");
   await extension.unload();