Bug 1397740 - Removed security.xcto_nosniff_block_images from about:config r=ckerschb,fkiefer

MozReview-Commit-ID: HTalMWq694W --HG-- extra : rebase_source : 0ce03ae0ed6bb754791f7aadb52bc6c55aa6c7cd
2018-01-05 10:43:17 +01:00 · 2018-01-05 10:43:17 +01:00 · 7b23ba9165
--- a/dom/security/test/general/test_nosniff.html
+++ b/dom/security/test/general/test_nosniff.html
@ -16,10 +16,6 @@
 <script id="scriptCorrectType"></script>
 <script id="scriptWrongType"></script>

-<!-- add the two img tests -->
-<img id="imgCorrectType" />
-<img id="imgWrongType" />
-
 <script class="testbody" type="text/javascript">
 /* Description of the test:
 * We load 2 css files, 2 script files and 2 image files, where
@ -28,7 +24,7 @@
 */

 SimpleTest.waitForExplicitFinish();
-const NUM_TESTS = 6;
+const NUM_TESTS = 4;

 var testCounter = 0;
 function checkFinish() {
@ -38,8 +34,6 @@ function checkFinish() {
 	}
 }

-SpecialPowers.pushPrefEnv({set: [["security.xcto_nosniff_block_images", true]]}, function() {
-
  // 1) Test CSS with correct mime type
  var cssCorrectType = document.getElementById("cssCorrectType");
  cssCorrectType.onload = function() {
@ -88,30 +82,6 @@ SpecialPowers.pushPrefEnv({set: [["security.xcto_nosniff_block_images", true]]},
  }
  scriptWrongType.src = "file_nosniff_testserver.sjs?scriptWrongType";

-  // 5) Test IMG with correct mime type
-  var imgCorrectType = document.getElementById("imgCorrectType");
-  imgCorrectType.onload = function() {
-    ok(true, "img nosniff correct type should load");
-    checkFinish();
-  }
-  imgCorrectType.onerror = function() {
-    ok(false, "img nosniff correct type should load");
-    checkFinish();
-  }
-  imgCorrectType.src = "file_nosniff_testserver.sjs?imgCorrectType";
-
-  // 6) Test IMG with wrong mime type
-  var imgWrongType = document.getElementById("imgWrongType");
-  imgWrongType.onload = function() {
-    ok(false, "img nosniff wrong type should not load");
-    checkFinish();
-  }
-  imgWrongType.onerror = function() {
-    ok(true, "img nosniff wrong type should not load");
-    checkFinish();
-  }
-  imgWrongType.src = "file_nosniff_testserver.sjs?imgWrongType";
-});

 </script>
 </body>
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@ -2617,9 +2617,6 @@ pref("security.sri.enable", true);
 // Block scripts with wrong MIME type such as image/ or video/.
 pref("security.block_script_with_wrong_mime", true);

-// Block images of wrong MIME for XCTO: nosniff.
-pref("security.xcto_nosniff_block_images", false);
-
 // OCSP must-staple
 pref("security.ssl.enable_ocsp_must_staple", true);

--- a/netwerk/protocol/http/nsHttpChannel.cpp
+++ b/netwerk/protocol/http/nsHttpChannel.cpp
@ -1295,28 +1295,6 @@ ProcessXCTO(nsIURI* aURI, nsHttpResponseHead* aResponseHead, nsILoadInfo* aLoadI
        return NS_ERROR_CORRUPTED_CONTENT;
    }

-    if (aLoadInfo->GetExternalContentPolicyType() == nsIContentPolicy::TYPE_IMAGE) {
-        if (StringBeginsWith(contentType, NS_LITERAL_CSTRING("image/"))) {
-            Accumulate(Telemetry::XCTO_NOSNIFF_BLOCK_IMAGE, 0);
-            return NS_OK;
-        }
-        Accumulate(Telemetry::XCTO_NOSNIFF_BLOCK_IMAGE, 1);
-        // Instead of consulting Preferences::GetBool() all the time we
-        // can cache the result to speed things up.
-        static bool sXCTONosniffBlockImages = false;
-        static bool sIsInited = false;
-        if (!sIsInited) {
-            sIsInited = true;
-            Preferences::AddBoolVarCache(&sXCTONosniffBlockImages,
-            "security.xcto_nosniff_block_images");
-        }
-        if (!sXCTONosniffBlockImages) {
-            return NS_OK;
-        }
-        ReportTypeBlocking(aURI, aLoadInfo, "MimeTypeMismatch");
-        return NS_ERROR_CORRUPTED_CONTENT;
-    }
-
    if (aLoadInfo->GetExternalContentPolicyType() == nsIContentPolicy::TYPE_SCRIPT) {
        if (nsContentUtils::IsScriptType(contentType)) {
            return NS_OK;
--- a/toolkit/components/telemetry/Histograms.json
+++ b/toolkit/components/telemetry/Histograms.json
@ -7811,15 +7811,6 @@
    "n_values": 15,
    "description": "Whether the script load has a MIME type of ...?  (0=unknown, 1=js, 2=image, 3=audio, 4=video, 5=text/plain, 6=text/csv, 7=text/xml, 8=application/octet-stream, 9=application/xml, 10=text/html, 11=empty)"
  },
-  "XCTO_NOSNIFF_BLOCK_IMAGE": {
-    "record_in_processes": ["main", "content"],
-    "alert_emails": ["ckerschbaumer@mozilla.com"],
-    "bug_numbers": [1302539],
-    "expires_in_version": "56",
-    "kind": "enumerated",
-    "n_values": 3,
-    "description": "Whether XCTO: nosniff would allow/block an image load? (0=allow, 1=block)"
-  },
  "NEWTAB_PAGE_ENABLED": {
    "record_in_processes": ["main", "content"],
    "expires_in_version": "default",