Backed out 2 changesets (bug 1613609) for failures on nsXPConnect.cpp. CLOSED TREE

Backed out changeset c593a7296df4 (bug 1613609) Backed out changeset 72199fc4ea2b (bug 1613609)
2020-05-18 13:05:12 +03:00 · 2020-05-18 13:05:12 +03:00 · 5162f86676
--- a/dom/push/PushServiceWebSocket.jsm
+++ b/dom/push/PushServiceWebSocket.jsm
@ -500,8 +500,6 @@ var PushServiceWebSocket = {
      Ci.nsILoadInfo.SEC_ALLOW_CROSS_ORIGIN_DATA_IS_NULL,
      Ci.nsIContentPolicy.TYPE_WEBSOCKET
    );
-    // Allow deprecated HTTP request from SystemPrincipal
-    socket.loadInfo.allowDeprecatedSystemRequests = true;

    return socket;
  },
--- a/dom/security/nsContentSecurityManager.cpp
+++ b/dom/security/nsContentSecurityManager.cpp
@ -19,11 +19,9 @@
 #include "nsIStreamListener.h"
 #include "nsIRedirectHistoryEntry.h"
 #include "nsReadableUtils.h"
-#include "nsIXPConnect.h"

 #include "mozilla/BasePrincipal.h"
 #include "mozilla/ClearOnShutdown.h"
-#include "mozilla/CmdLineAndEnvUtils.h"
 #include "mozilla/dom/Element.h"
 #include "mozilla/dom/nsMixedContentBlocker.h"
 #include "mozilla/dom/BrowserChild.h"
@ -733,9 +731,6 @@ static void DebugDoContentSecurityCheck(nsIChannel* aChannel,
    MOZ_LOG(sCSMLog, LogLevel::Verbose,
            ("  initalSecurityChecksDone: %s\n",
             aLoadInfo->GetInitialSecurityCheckDone() ? "true" : "false"));
-    MOZ_LOG(sCSMLog, LogLevel::Verbose,
-            ("  allowDeprecatedSystemRequests: %s\n",
-             aLoadInfo->GetAllowDeprecatedSystemRequests() ? "true" : "false"));

    // Log CSPrequestPrincipal
    nsCOMPtr<nsIContentSecurityPolicy> csp = aLoadInfo->GetCsp();
@ -771,77 +766,54 @@ nsresult nsContentSecurityManager::CheckAllowLoadInSystemPrivilegedContext(
      !loadInfo->GetLoadingPrincipal()->IsSystemPrincipal()) {
    return NS_OK;
  }
-  // loads with the allow flag are waived through
-  // until refactored (e.g., Shavar, OCSP)
+
+  nsCOMPtr<nsIURI> finalURI;
+  NS_GetFinalChannelURI(aChannel, getter_AddRefs(finalURI));
+
  if (loadInfo->GetAllowDeprecatedSystemRequests()) {
    return NS_OK;
  }
+  // nothing to do here if we are not loading a resource using http:, https:,
+  // etc.
+  if (!nsContentUtils::SchemeIs(finalURI, "http") &&
+      !nsContentUtils::SchemeIs(finalURI, "https") &&
+      !nsContentUtils::SchemeIs(finalURI, "ftp")) {
+    return NS_OK;
+  }

  nsContentPolicyType contentPolicyType =
      loadInfo->GetExternalContentPolicyType();
-  // allowing data fetches due to their lowered risk
-  // i.e., limited parsing, no rendering
-  if ((contentPolicyType == nsIContentPolicy::TYPE_FETCH) ||
-      (contentPolicyType == nsIContentPolicy::TYPE_XMLHTTPREQUEST) ||
-      (contentPolicyType == nsIContentPolicy::TYPE_WEBSOCKET)) {
-    return NS_OK;
-  }

-  // Allow the user interface (e.g., schemes like chrome, resource)
-  nsCOMPtr<nsIURI> finalURI;
-  NS_GetFinalChannelURI(aChannel, getter_AddRefs(finalURI));
-  bool isUiResource = false;
-  if (NS_SUCCEEDED(NS_URIChainHasFlags(
-          finalURI, nsIProtocolHandler::URI_IS_UI_RESOURCE, &isUiResource)) &&
-      isUiResource) {
-    return NS_OK;
-  }
-  // For about: and extension-based URIs, which don't get
-  // URI_IS_UI_RESOURCE, first remove layers of view-source:, if present.
-  while (finalURI && finalURI->SchemeIs("view-source")) {
-    nsCOMPtr<nsINestedURI> nested = do_QueryInterface(finalURI);
-    if (nested) {
-      nested->GetInnerURI(getter_AddRefs(finalURI));
-    }
-  }
-  // This is our escape hatch, if things break in release.
-  // We expect to remove the pref in bug 1638770
-  bool cancelNonLocalSystemPrincipal =
-      Preferences::GetBool("security.cancel_non_local_systemprincipal");
-
-  // GetInnerURI can return null for malformed nested URIs like moz-icon:trash
-  if (!finalURI && cancelNonLocalSystemPrincipal) {
-    aChannel->Cancel(NS_ERROR_CONTENT_BLOCKED);
-    return NS_ERROR_CONTENT_BLOCKED;
-  }
-  // loads of userContent.css during startup and tests that show up as file:
-  if (finalURI->SchemeIs("file")) {
-    if ((contentPolicyType == nsIContentPolicy::TYPE_STYLESHEET) ||
-        (contentPolicyType == nsIContentPolicy::TYPE_OTHER)) {
+  // We distinguish between 2 cases:
+  // a) remote scripts
+  //    which should never be loaded into system privileged contexts
+  // b) remote documents/frames
+  //    which generally should also never be loaded into system
+  //    privileged contexts but with some exceptions.
+  if (contentPolicyType == nsIContentPolicy::TYPE_SCRIPT) {
+    if (StaticPrefs::
+            dom_security_skip_remote_script_assertion_in_system_priv_context()) {
      return NS_OK;
    }
-  }
-  // loads from within omni.ja and system add-ons use jar:
-  // this is safe to allow, because we do not support remote jar.
-  // about: resources are always allowed: they are part of the build.
-  if (finalURI->SchemeIs("jar") || finalURI->SchemeIs("about")) {
+    nsAutoCString scriptSpec;
+    finalURI->GetSpec(scriptSpec);
+    MOZ_LOG(
+        sCSMLog, LogLevel::Warning,
+        ("Do not load remote scripts into system privileged contexts, url: %s",
+         scriptSpec.get()));
+    MOZ_ASSERT(false,
+               "Do not load remote scripts into system privileged contexts");
+    // Bug 1607673: Do not only assert but cancel the channel and
+    // return NS_ERROR_CONTENT_BLOCKED.
    return NS_OK;
  }
-  // images need less stricter checks
-  if (contentPolicyType == nsIContentPolicy::TYPE_IMAGE) {
-    if (finalURI->SchemeIs("moz-extension") ||
-        finalURI->SchemeIs("page-icon") || finalURI->SchemeIs("data")) {
-      return NS_OK;
-    }
+
+  if ((contentPolicyType != nsIContentPolicy::TYPE_DOCUMENT) &&
+      (contentPolicyType != nsIContentPolicy::TYPE_SUBDOCUMENT)) {
+    return NS_OK;
  }

-  // Relaxing restrictions for our test suites:
-  // (1) AreNonLocalConnectionsDisabled() disables network, so http://mochitest
-  // is actually local and allowed. (2) The marionette test framework uses
-  // injections and data URLs to execute scripts, checking for the environment
-  // variable breaks the attack but not the tests.
-  if (xpc::AreNonLocalConnectionsDisabled() ||
-      mozilla::EnvHasValue("MOZ_MARIONETTE")) {
+  if (xpc::AreNonLocalConnectionsDisabled()) {
    bool disallowSystemPrincipalRemoteDocuments = Preferences::GetBool(
        "security.disallow_non_local_systemprincipal_in_tests");
    if (disallowSystemPrincipalRemoteDocuments) {
@ -860,13 +832,9 @@ nsresult nsContentSecurityManager::CheckAllowLoadInSystemPrivilegedContext(
      sCSMLog, LogLevel::Warning,
      ("SystemPrincipal must not load remote documents. URL: %s", requestedURL)
          .get());
-
  MOZ_ASSERT(false, "SystemPrincipal must not load remote documents.");
-  if (cancelNonLocalSystemPrincipal) {
-    aChannel->Cancel(NS_ERROR_CONTENT_BLOCKED);
-    return NS_ERROR_CONTENT_BLOCKED;
-  }
-  return NS_OK;
+  aChannel->Cancel(NS_ERROR_CONTENT_BLOCKED);
+  return NS_ERROR_CONTENT_BLOCKED;
 }

 /*
--- a/dom/system/NetworkGeolocationProvider.jsm
+++ b/dom/system/NetworkGeolocationProvider.jsm
@ -455,8 +455,6 @@ NetworkGeolocationProvider.prototype = {
    xhr.setRequestHeader("Content-Type", "application/json; charset=UTF-8");
    xhr.responseType = "json";
    xhr.mozBackgroundRequest = true;
-    // Allow deprecated HTTP request from SystemPrincipal
-    xhr.channel.loadInfo.allowDeprecatedSystemRequests = true;
    xhr.timeout = Services.prefs.getIntPref("geo.provider.network.timeout");
    xhr.ontimeout = () => {
      LOG("Location request XHR timed out.");
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@ -2294,8 +2294,6 @@ pref("security.notification_enable_delay", 500);
  // Disallow web documents loaded with the SystemPrincipal
  pref("security.disallow_non_local_systemprincipal_in_tests", false);
 #endif
-// Cancel outgoing requests with SystemPrincipal
-pref("security.cancel_non_local_systemprincipal", true)

 // Sub-resource integrity
 pref("security.sri.enable", true);
--- a/netwerk/base/NetUtil.jsm
+++ b/netwerk/base/NetUtil.jsm
@ -308,7 +308,7 @@ var NetUtil = {
      contentPolicyType = Ci.nsIContentPolicy.TYPE_OTHER;
    }

-    let channel = Services.io.newChannelFromURI(
+    return Services.io.newChannelFromURI(
      uri,
      loadingNode || null,
      loadingPrincipal || null,
@ -316,10 +316,6 @@ var NetUtil = {
      securityFlags,
      contentPolicyType
    );
-    if (loadUsingSystemPrincipal) {
-      channel.loadInfo.allowDeprecatedSystemRequests = true;
-    }
-    return channel;
  },

  /**
--- a/netwerk/base/NetworkConnectivityService.cpp
+++ b/netwerk/base/NetworkConnectivityService.cpp
@ -205,9 +205,6 @@ static inline already_AddRefed<nsIChannel> SetupIPCheckChannel(bool ipv4) {
    uint32_t httpsOnlyStatus = loadInfo->GetHttpsOnlyStatus();
    httpsOnlyStatus |= nsILoadInfo::HTTPS_ONLY_EXEMPT;
    loadInfo->SetHttpsOnlyStatus(httpsOnlyStatus);
-
-    // allow deprecated HTTP request from SystemPrincipal
-    loadInfo->SetAllowDeprecatedSystemRequests(true);
  }

  NS_ENSURE_SUCCESS(rv, nullptr);
--- a/netwerk/base/nsPACMan.cpp
+++ b/netwerk/base/nsPACMan.cpp
@ -662,10 +662,6 @@ void nsPACMan::ContinueLoadingAfterPACUriKnown() {
      }

      if (channel) {
-        // allow deprecated HTTP request from SystemPrincipal
-        nsCOMPtr<nsILoadInfo> loadInfo = channel->LoadInfo();
-        loadInfo->SetAllowDeprecatedSystemRequests(true);
-
        channel->SetLoadFlags(nsIRequest::LOAD_BYPASS_CACHE);
        channel->SetNotificationCallbacks(this);
        if (NS_SUCCEEDED(channel->AsyncOpen(mLoader))) return;
--- a/security/manager/ssl/nsNSSCallbacks.cpp
+++ b/security/manager/ssl/nsNSSCallbacks.cpp
@ -272,9 +272,6 @@ OCSPRequest::Run() {
  httpsOnlyStatus |= nsILoadInfo::HTTPS_ONLY_EXEMPT;
  loadInfo->SetHttpsOnlyStatus(httpsOnlyStatus);

-  // allow deprecated HTTP request from SystemPrincipal
-  loadInfo->SetAllowDeprecatedSystemRequests(true);
-
  // For OCSP requests, only the first party domain and private browsing id
  // aspects of origin attributes are used. This means that:
  // a) if first party isolation is enabled, OCSP requests will be isolated
--- a/toolkit/components/captivedetect/CaptiveDetect.jsm
+++ b/toolkit/components/captivedetect/CaptiveDetect.jsm
@ -39,8 +39,6 @@ function URLFetcher(url, timeout) {
  xhr.channel.loadFlags |= Ci.nsIChannel.LOAD_BYPASS_URL_CLASSIFIER;
  // Prevent HTTPS-Only Mode from upgrading the request.
  xhr.channel.loadInfo.httpsOnlyStatus |= Ci.nsILoadInfo.HTTPS_ONLY_EXEMPT;
-  // Allow deprecated HTTP request from SystemPrincipal
-  xhr.channel.loadInfo.allowDeprecatedSystemRequests = true;

  // We don't want to follow _any_ redirects
  xhr.channel.QueryInterface(Ci.nsIHttpChannel).redirectionLimit = 0;
--- a/toolkit/components/url-classifier/nsUrlClassifierStreamUpdater.cpp
+++ b/toolkit/components/url-classifier/nsUrlClassifierStreamUpdater.cpp
@ -148,8 +148,6 @@ nsresult nsUrlClassifierStreamUpdater::FetchUpdate(
  mozilla::OriginAttributes attrs;
  attrs.mFirstPartyDomain.AssignLiteral(NECKO_SAFEBROWSING_FIRST_PARTY_DOMAIN);
  loadInfo->SetOriginAttributes(attrs);
-  // allow deprecated HTTP request from SystemPrincipal
-  loadInfo->SetAllowDeprecatedSystemRequests(true);

  mBeganStream = false;

--- a/toolkit/mozapps/extensions/internal/ProductAddonChecker.jsm
+++ b/toolkit/mozapps/extensions/internal/ProductAddonChecker.jsm
@ -318,7 +318,6 @@ function downloadLocalConfig() {
 function downloadFile(url, options = { httpsOnlyNoUpgrade: false }) {
  return new Promise((resolve, reject) => {
    let xhr = new XMLHttpRequest();
-
    xhr.onload = function(response) {
      logger.info("downloadXHR File download. status=" + xhr.status);
      if (xhr.status != 200 && xhr.status != 206) {
@ -360,8 +359,6 @@ function downloadFile(url, options = { httpsOnlyNoUpgrade: false }) {
        xhr.channel.loadInfo.httpsOnlyStatus |=
          Ci.nsILoadInfo.HTTPS_ONLY_EXEMPT;
      }
-      // Allow deprecated HTTP request from SystemPrincipal
-      xhr.channel.loadInfo.allowDeprecatedSystemRequests = true;
      // Use conservative TLS settings. See bug 1325501.
      // TODO move to ServiceRequest.
      if (xhr.channel instanceof Ci.nsIHttpChannelInternal) {