Bug 1190623 - Add a pref to consider object sub requests as active. r=tanvi, r=ckerschb

MozReview-Commit-ID: Br2F89IfWng
2017-11-11 01:15:06 +00:00 · 2017-11-11 01:15:06 +00:00 · 6986c42dfa
--- a/dom/security/nsMixedContentBlocker.cpp
+++ b/dom/security/nsMixedContentBlocker.cpp
@ -53,6 +53,8 @@ enum nsMixedContentBlockerMessageType {
 // iframes, websockets, XHR) enabled?
 bool nsMixedContentBlocker::sBlockMixedScript = false;

+bool nsMixedContentBlocker::sBlockMixedObjectSubrequest = false;
+
 // Is mixed display content blocking (images, audio, video, <a ping>) enabled?
 bool nsMixedContentBlocker::sBlockMixedDisplay = false;

@ -256,6 +258,9 @@ nsMixedContentBlocker::nsMixedContentBlocker()
  Preferences::AddBoolVarCache(&sBlockMixedScript,
                               "security.mixed_content.block_active_content");

+  Preferences::AddBoolVarCache(&sBlockMixedObjectSubrequest,
+                               "security.mixed_content.block_object_subrequest");
+
  // Cache the pref for mixed display blocking
  Preferences::AddBoolVarCache(&sBlockMixedDisplay,
                               "security.mixed_content.block_display_content");
@ -590,9 +595,15 @@ nsMixedContentBlocker::ShouldLoad(bool aHadInsecureImageRedirect,
    // these will be blocked according to the mixed display preference
    case TYPE_IMAGE:
    case TYPE_MEDIA:
-    case TYPE_OBJECT_SUBREQUEST:
      classification = eMixedDisplay;
      break;
+    case TYPE_OBJECT_SUBREQUEST:
+      if (sBlockMixedObjectSubrequest) {
+        classification = eMixedScript;
+      } else {
+        classification = eMixedDisplay;
+      }
+      break;

    // Active content (or content with a low value/risk-of-blocking ratio)
    // that has been explicitly evaluated; listed here for documentation
--- a/dom/security/nsMixedContentBlocker.h
+++ b/dom/security/nsMixedContentBlocker.h
@ -100,6 +100,7 @@ public:


  static bool sBlockMixedScript;
+  static bool sBlockMixedObjectSubrequest;
  static bool sBlockMixedDisplay;
  // Do we move HSTS before mixed-content
  static bool sUseHSTS;
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@ -2535,6 +2535,13 @@ pref("security.signed_content.CSP.default", "script-src 'self'; style-src 'self'
 pref("security.mixed_content.block_active_content", false);
 pref("security.mixed_content.block_display_content", false);

+// Block sub requests that happen within an object
+#ifdef EARLY_BETA_OR_EARLIER
+pref("security.mixed_content.block_object_subrequest", true);
+#else
+pref("security.mixed_content.block_object_subrequest", false);
+#endif
+
 // Sub-resource integrity
 pref("security.sri.enable", true);