Backed out changeset dbffee5cbf0d (bug 1722489) for failures on browser_iframe_test.js. CLOSED TREE

2021-10-06 00:34:43 +03:00 · 2021-10-06 00:34:43 +03:00 · 21bae7d190
--- a/dom/security/test/https-only/browser.ini
+++ b/dom/security/test/https-only/browser.ini
@ -20,6 +20,3 @@ support-files =
 [browser_user_gesture.js]
 support-files =
  file_user_gesture.html
-[browser_hsts_host.js]
-support-files =
-  hsts_headers.sjs
--- a/dom/security/test/https-only/browser_hsts_host.js
+++ b/dom/security/test/https-only/browser_hsts_host.js
@ -1,88 +0,0 @@
-// Bug 1722489 - HTTPS-Only Mode - Tests evaluation order
-// https://bugzilla.mozilla.org/show_bug.cgi?id=1722489
-// This test ensures that an http request to an hsts host
-// gets upgraded by hsts and not by https-only.
-"use strict";
-
-// Test Cases
-// description:    Description of what the tests expects.
-let tests = [
-  {
-    description: "Top-Level upgrade shouldn't get logged",
-  },
-];
-let readMessage = false;
-function observer(subject, topic, state) {
-  info("observer called with " + topic);
-  if (topic == "http-on-examine-response") {
-    onExamineResponse(subject);
-  }
-}
-
-function onExamineResponse(subject) {
-  let channel = subject.QueryInterface(Ci.nsIHttpChannel);
-  info("onExamineResponse with " + channel.URI.spec);
-  try {
-    let hsts = channel.getResponseHeader("Strict-Transport-Security");
-    let csp = channel.getResponseHeader("Content-Security-Policy");
-    // Check that HSTS and CSP upgrade headers are set
-    is(hsts, "max-age=300", "HSTS header is set");
-    is(csp, "upgrade-insecure-requests", "CSP header is set");
-  } catch (e) {
-    ok(false, "No header set");
-  }
-  readMessage = true;
-}
-// Visit a secure site that sends an HSTS header to set up the rest of the
-// test.
-add_task(async function see_hsts_header() {
-  let setHstsUrl =
-    getRootDirectory(gTestPath).replace(
-      "chrome://mochitests/content",
-      "https://example.com"
-    ) + "hsts_headers.sjs";
-  Services.obs.addObserver(observer, "http-on-examine-response");
-  await BrowserTestUtils.loadURI(gBrowser.selectedBrowser, setHstsUrl);
-
-  await BrowserTestUtils.waitForCondition(() => readMessage);
-  // Clean up
-  Services.obs.removeObserver(observer, "http-on-examine-response");
-});
-
-// Test that HTTPS_Only is not performed if HSTS host is visited.
-add_task(async function() {
-  // A longer timeout is necessary for this test than the plain mochitests
-  // due to opening a new tab with the web console.
-  requestLongerTimeout(4);
-
-  // Enable HTTPS-Only Mode and register console-listener
-  await SpecialPowers.pushPrefEnv({
-    set: [["dom.security.https_only_mode", true]],
-  });
-  Services.console.registerListener(on_new_message);
-  const RESOURCE_LINK =
-    getRootDirectory(gTestPath).replace(
-      "chrome://mochitests/content",
-      "http://example.com"
-    ) + "hsts_headers.sjs";
-
-  // 1. Upgrade page to https://
-  await BrowserTestUtils.loadURI(gBrowser.selectedBrowser, RESOURCE_LINK);
-
-  await BrowserTestUtils.waitForCondition(() => tests.length === 0);
-
-  // Clean up
-  Services.console.unregisterListener(on_new_message);
-});
-
-function on_new_message(msgObj) {
-  const message = msgObj.message;
-  // ensure that request is not upgraded HTTPS-Only.
-  if (message.includes("Upgrading insecure request")) {
-    ok(false, tests[0].description);
-    tests.splice(0, 1);
-  } else if (gBrowser.selectedBrowser.currentURI.scheme === "https") {
-    ok(true, tests[0].description);
-    tests.splice(0, 1);
-  }
-}
--- a/dom/security/test/https-only/hsts_headers.sjs
+++ b/dom/security/test/https-only/hsts_headers.sjs
@ -1,17 +0,0 @@
-/* Any copyright is dedicated to the Public Domain.
- * http://creativecommons.org/publicdomain/zero/1.0/ */
-
-function handleRequest(request, response) {
-  let hstsHeader = "max-age=300";
-  response.setHeader("Strict-Transport-Security", hstsHeader);
-  response.setHeader("Cache-Control", "no-cache", false);
-  response.setHeader("Content-Type", "text/html", false);
-  // Set header for csp upgrade
-  response.setHeader(
-    "Content-Security-Policy",
-    "upgrade-insecure-requests",
-    false
-  );
-  response.setStatusLine(request.httpVersion, 200);
-  response.write("<!DOCTYPE html><html><body><h1>Ok!</h1></body></html>");
-}
--- a/netwerk/base/nsNetUtil.cpp
+++ b/netwerk/base/nsNetUtil.cpp
@ -2867,7 +2867,7 @@ bool NS_IsSrcdocChannel(nsIChannel* aChannel) {
  return false;
 }

-// helper function for NS_ShouldSecureUpgrade for checking HSTS
+// helper function for NS_ShouldHSTSUpgrade
 bool handleResultFunc(bool aAllowSTS, bool aIsStsHost, uint32_t aHstsSource) {
  if (aIsStsHost) {
    LOG(("nsHttpChannel::Connect() STS permissions found\n"));
@ -2897,82 +2897,75 @@ bool handleResultFunc(bool aAllowSTS, bool aIsStsHost, uint32_t aHstsSource) {
  }
  return false;
 };
-// That function is a helper function of NS_ShouldSecureUpgrade to check if
-// CSP upgrade-insecure-requests, Mixed content auto upgrading or HTTPs-Only/-
-// First should upgrade the given request.
-static bool ShouldSecureUpgradeNoHSTS(nsIURI* aURI, nsILoadInfo* aLoadInfo) {
-  // 2. CSP upgrade-insecure-requests
-  if (aLoadInfo->GetUpgradeInsecureRequests()) {
-    // let's log a message to the console that we are upgrading a request
-    nsAutoCString scheme;
-    aURI->GetScheme(scheme);
-    // append the additional 's' for security to the scheme :-)
-    scheme.AppendLiteral("s");
-    NS_ConvertUTF8toUTF16 reportSpec(aURI->GetSpecOrDefault());
-    NS_ConvertUTF8toUTF16 reportScheme(scheme);
-    AutoTArray<nsString, 2> params = {reportSpec, reportScheme};
-    uint32_t innerWindowId = aLoadInfo->GetInnerWindowID();
-    CSP_LogLocalizedStr("upgradeInsecureRequest", params,
-                        u""_ns,  // aSourceFile
-                        u""_ns,  // aScriptSample
-                        0,       // aLineNumber
-                        0,       // aColumnNumber
-                        nsIScriptError::warningFlag,
-                        "upgradeInsecureRequest"_ns, innerWindowId,
-                        !!aLoadInfo->GetOriginAttributes().mPrivateBrowsingId);
-    Telemetry::AccumulateCategorical(
-        Telemetry::LABELS_HTTP_SCHEME_UPGRADE_TYPE::CSP);
-    return true;
-  }
-  // 3. Mixed content auto upgrading
-  if (aLoadInfo->GetBrowserUpgradeInsecureRequests()) {
-    // let's log a message to the console that we are upgrading a request
-    nsAutoCString scheme;
-    aURI->GetScheme(scheme);
-    // append the additional 's' for security to the scheme :-)
-    scheme.AppendLiteral("s");
-    NS_ConvertUTF8toUTF16 reportSpec(aURI->GetSpecOrDefault());
-    NS_ConvertUTF8toUTF16 reportScheme(scheme);
-    AutoTArray<nsString, 2> params = {reportSpec, reportScheme};

-    nsAutoString localizedMsg;
-    nsContentUtils::FormatLocalizedString(nsContentUtils::eSECURITY_PROPERTIES,
-                                          "MixedContentAutoUpgrade", params,
-                                          localizedMsg);
+nsresult NS_ShouldHSTSUpgrade(
+    nsIURI* aURI, bool aPrivateBrowsing, bool aAllowSTS,
+    const mozilla::OriginAttributes& aOriginAttributes, bool& aShouldUpgrade,
+    std::function<void(bool, nsresult)>&& aResultCallback,
+    bool& aWillCallback) {
+  MOZ_ASSERT(XRE_IsParentProcess());
+  MOZ_ASSERT(!aURI->SchemeIs("https"));

-    // Prepending ixed Content to the outgoing console message
-    nsString message;
-    message.AppendLiteral(u"Mixed Content: ");
-    message.Append(localizedMsg);
+  // enforce Strict-Transport-Security
+  nsISiteSecurityService* sss = gHttpHandler->GetSSService();
+  NS_ENSURE_TRUE(sss, NS_ERROR_OUT_OF_MEMORY);

-    uint32_t innerWindowId = aLoadInfo->GetInnerWindowID();
-    nsContentUtils::ReportToConsoleByWindowID(
-        message, nsIScriptError::warningFlag, "Mixed Content Message"_ns,
-        innerWindowId, aURI);
+  bool isStsHost = false;
+  uint32_t hstsSource = 0;
+  uint32_t flags =
+      aPrivateBrowsing ? nsISocketProvider::NO_PERMANENT_STORAGE : 0;

-    // Set this flag so we know we'll upgrade because of
-    // 'security.mixed_content.upgrade_display_content'.
-    aLoadInfo->SetBrowserDidUpgradeInsecureRequests(true);
-    Telemetry::AccumulateCategorical(
-        Telemetry::LABELS_HTTP_SCHEME_UPGRADE_TYPE::BrowserDisplay);
+  // Calling |IsSecureURI| before the storage is ready to read will
+  // block the main thread. Once the storage is ready, we can call it
+  // from main thread.
+  static Atomic<bool, Relaxed> storageReady(false);
+  if (!storageReady && gSocketTransportService && aResultCallback) {
+    nsCOMPtr<nsIURI> uri = aURI;
+    nsCOMPtr<nsISiteSecurityService> service = sss;
+    nsresult rv = gSocketTransportService->Dispatch(
+        NS_NewRunnableFunction(
+            "net::NS_ShouldSecureUpgrade",
+            [service{std::move(service)}, uri{std::move(uri)}, flags(flags),
+             originAttributes(aOriginAttributes),
+             handleResultFunc{std::move(handleResultFunc)},
+             resultCallback{std::move(aResultCallback)},
+             allowSTS{std::move(aAllowSTS)}]() mutable {
+              uint32_t hstsSource = 0;
+              bool isStsHost = false;
+              nsresult rv =
+                  service->IsSecureURI(uri, flags, originAttributes, nullptr,
+                                       &hstsSource, &isStsHost);

-    return true;
+              // Successfully get the result from |IsSecureURI| implies that
+              // the storage is ready to read.
+              storageReady = NS_SUCCEEDED(rv);
+              bool shouldUpgrade =
+                  handleResultFunc(allowSTS, isStsHost, hstsSource);
+
+              NS_DispatchToMainThread(NS_NewRunnableFunction(
+                  "net::NS_ShouldSecureUpgrade::ResultCallback",
+                  [rv, shouldUpgrade,
+                   resultCallback{std::move(resultCallback)}]() {
+                    resultCallback(shouldUpgrade, rv);
+                  }));
+            }),
+        NS_DISPATCH_NORMAL);
+    aWillCallback = NS_SUCCEEDED(rv);
+    return rv;
  }

-  // 4. Https-Only / -First
-  if (nsHTTPSOnlyUtils::ShouldUpgradeRequest(aURI, aLoadInfo) ||
-      nsHTTPSOnlyUtils::ShouldUpgradeHttpsFirstRequest(aURI, aLoadInfo)) {
-    return true;
-  }
-  return false;
+  nsresult rv = sss->IsSecureURI(aURI, flags, aOriginAttributes, nullptr,
+                                 &hstsSource, &isStsHost);
+
+  // if the SSS check fails, it's likely because this load is on a
+  // malformed URI or something else in the setup is wrong, so any error
+  // should be reported.
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  aShouldUpgrade = handleResultFunc(aAllowSTS, isStsHost, hstsSource);
+  return NS_OK;
 }

-// Check if channel should be upgraded. check in the following order:
-// 1. HSTS
-// 2. CSP upgrade-insecure-requests
-// 3. Mixed content auto upgrading
-// 4. Https-Only / first
-// (5. Https RR - will be checked in nsHttpChannel)
 nsresult NS_ShouldSecureUpgrade(
    nsIURI* aURI, nsILoadInfo* aLoadInfo, nsIPrincipal* aChannelResultPrincipal,
    bool aPrivateBrowsing, bool aAllowSTS,
@ -2985,7 +2978,6 @@ nsresult NS_ShouldSecureUpgrade(
  }

  aWillCallback = false;
-  aShouldUpgrade = false;

  // Even if we're in private browsing mode, we still enforce existing STS
  // data (it is read-only).
@ -3006,92 +2998,77 @@ nsresult NS_ShouldSecureUpgrade(
    aShouldUpgrade = false;
    return NS_OK;
  }
-  // If no loadInfo exist there is nothing to upgrade here.
-  if (!aLoadInfo) {
-    aShouldUpgrade = false;
-    return NS_OK;
-  }
-  MOZ_ASSERT(!aURI->SchemeIs("https"));
+  if (aLoadInfo) {
+    // Check if the request can get upgraded with the HTTPS-Only mode
+    if (nsHTTPSOnlyUtils::ShouldUpgradeRequest(aURI, aLoadInfo) ||
+        nsHTTPSOnlyUtils::ShouldUpgradeHttpsFirstRequest(aURI, aLoadInfo)) {
+      aShouldUpgrade = true;
+      return NS_OK;
+    }

-  // enforce Strict-Transport-Security
-  nsISiteSecurityService* sss = gHttpHandler->GetSSService();
-  NS_ENSURE_TRUE(sss, NS_ERROR_OUT_OF_MEMORY);
+    // If any of the documents up the chain to the root document makes use of
+    // the CSP directive 'upgrade-insecure-requests', then it's time to
+    // fulfill the promise to CSP and mixed content blocking to upgrade the
+    // channel from http to https.
+    if (aLoadInfo->GetUpgradeInsecureRequests() ||
+        aLoadInfo->GetBrowserUpgradeInsecureRequests()) {
+      // let's log a message to the console that we are upgrading a request
+      nsAutoCString scheme;
+      aURI->GetScheme(scheme);
+      // append the additional 's' for security to the scheme :-)
+      scheme.AppendLiteral("s");
+      NS_ConvertUTF8toUTF16 reportSpec(aURI->GetSpecOrDefault());
+      NS_ConvertUTF8toUTF16 reportScheme(scheme);

-  bool isStsHost = false;
-  uint32_t hstsSource = 0;
-  uint32_t flags =
-      aPrivateBrowsing ? nsISocketProvider::NO_PERMANENT_STORAGE : 0;
-  // Calling |IsSecureURI| before the storage is ready to read will
-  // block the main thread. Once the storage is ready, we can call it
-  // from main thread.
-  static Atomic<bool, Relaxed> storageReady(false);
-  if (!storageReady && gSocketTransportService && aResultCallback) {
-    nsCOMPtr<nsILoadInfo> loadInfo = aLoadInfo;
-    nsCOMPtr<nsIURI> uri = aURI;
-    auto callbackWrapper = [resultCallback{std::move(aResultCallback)}, uri,
-                            loadInfo](bool aShouldUpgrade, nsresult aStatus) {
-      MOZ_ASSERT(NS_IsMainThread());
+      if (aLoadInfo->GetUpgradeInsecureRequests()) {
+        AutoTArray<nsString, 2> params = {reportSpec, reportScheme};
+        uint32_t innerWindowId = aLoadInfo->GetInnerWindowID();
+        CSP_LogLocalizedStr(
+            "upgradeInsecureRequest", params,
+            u""_ns,  // aSourceFile
+            u""_ns,  // aScriptSample
+            0,       // aLineNumber
+            0,       // aColumnNumber
+            nsIScriptError::warningFlag, "upgradeInsecureRequest"_ns,
+            innerWindowId,
+            !!aLoadInfo->GetOriginAttributes().mPrivateBrowsingId);
+        Telemetry::AccumulateCategorical(
+            Telemetry::LABELS_HTTP_SCHEME_UPGRADE_TYPE::CSP);
+      } else {
+        AutoTArray<nsString, 2> params = {reportSpec, reportScheme};

-      // 1. HSTS upgrade
-      if (aShouldUpgrade || NS_FAILED(aStatus)) {
-        resultCallback(aShouldUpgrade, aStatus);
-        return;
+        nsAutoString localizedMsg;
+        nsContentUtils::FormatLocalizedString(
+            nsContentUtils::eSECURITY_PROPERTIES, "MixedContentAutoUpgrade",
+            params, localizedMsg);
+
+        // Prepending ixed Content to the outgoing console message
+        nsString message;
+        message.AppendLiteral(u"Mixed Content: ");
+        message.Append(localizedMsg);
+
+        uint32_t innerWindowId = aLoadInfo->GetInnerWindowID();
+        nsContentUtils::ReportToConsoleByWindowID(
+            message, nsIScriptError::warningFlag, "Mixed Content Message"_ns,
+            innerWindowId, aURI);
+
+        // Set this flag so we know we'll upgrade because of
+        // 'security.mixed_content.upgrade_display_content'.
+        aLoadInfo->SetBrowserDidUpgradeInsecureRequests(true);
+        Telemetry::AccumulateCategorical(
+            Telemetry::LABELS_HTTP_SCHEME_UPGRADE_TYPE::BrowserDisplay);
      }
-      // Check if we need to upgrade because of other reasons.
-      // 2. CSP upgrade-insecure-requests
-      // 3. Mixed content auto upgrading
-      // 4. Https-Only / first
-      bool shouldUpgrade = ShouldSecureUpgradeNoHSTS(uri, loadInfo);
-      resultCallback(shouldUpgrade, aStatus);
-    };
-    nsCOMPtr<nsISiteSecurityService> service = sss;
-    nsresult rv = gSocketTransportService->Dispatch(
-        NS_NewRunnableFunction(
-            "net::NS_ShouldSecureUpgrade",
-            [service{std::move(service)}, uri{std::move(uri)}, flags(flags),
-             originAttributes(aOriginAttributes),
-             handleResultFunc{std::move(handleResultFunc)},
-             callbackWrapper{std::move(callbackWrapper)},
-             allowSTS{std::move(aAllowSTS)}]() mutable {
-              bool isStsHost = false;
-              uint32_t hstsSource = 0;
-              nsresult rv =
-                  service->IsSecureURI(uri, flags, originAttributes, nullptr,
-                                       &hstsSource, &isStsHost);

-              // Successfully get the result from |IsSecureURI| implies that
-              // the storage is ready to read.
-              storageReady = NS_SUCCEEDED(rv);
-              bool shouldUpgrade =
-                  handleResultFunc(allowSTS, isStsHost, hstsSource);
-              // Check if request should be upgraded.
-              NS_DispatchToMainThread(NS_NewRunnableFunction(
-                  "net::NS_ShouldSecureUpgrade::ResultCallback",
-                  [rv, shouldUpgrade,
-                   callbackWrapper{std::move(callbackWrapper)}]() {
-                    callbackWrapper(shouldUpgrade, rv);
-                  }));
-            }),
-        NS_DISPATCH_NORMAL);
-    aWillCallback = NS_SUCCEEDED(rv);
-    return rv;
+      aShouldUpgrade = true;
+      return NS_OK;
+    }
+    // check if request can be upgraded by hsts
+    return NS_ShouldHSTSUpgrade(aURI, aPrivateBrowsing, aAllowSTS,
+                                aOriginAttributes, aShouldUpgrade,
+                                std::move(aResultCallback), aWillCallback);
  }
-
-  nsresult rv = sss->IsSecureURI(aURI, flags, aOriginAttributes, nullptr,
-                                 &hstsSource, &isStsHost);
-
-  // if the SSS check fails, it's likely because this load is on a
-  // malformed URI or something else in the setup is wrong, so any error
-  // should be reported.
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  aShouldUpgrade = handleResultFunc(aAllowSTS, isStsHost, hstsSource);
-  if (!aShouldUpgrade) {
-    // Check for CSP upgrade-insecure-requests, Mixed content auto upgrading
-    // and Https-Only / -First.
-    aShouldUpgrade = ShouldSecureUpgradeNoHSTS(aURI, aLoadInfo);
-  }
-  return rv;
+  aShouldUpgrade = false;
+  return NS_OK;
 }

 nsresult NS_GetSecureUpgradedURI(nsIURI* aURI, nsIURI** aUpgradedURI) {