From 911a5882509dc7561d2a0dd86904e49a37cbe20d Mon Sep 17 00:00:00 2001
From: Frederik Braun <fb@frederik-braun.com>
Date: Wed, 6 Dec 2023 14:07:34 +0000
Subject: [PATCH] Bug 1276918 - restrict multipart/x-mixed-replace to
 non-document loads r=necko-reviewers,valentin,kershaw

Ideally, I would like to remove this for all types except images, but there
is some uncertainty wrt to other media load types and making small steps is
easier than huge strides. Especially when it's risking compatibility.

Differential Revision: https://phabricator.services.mozilla.com/D194917
---
 docshell/test/browser/browser_viewsource_multipart.js  | 5 +++++
 docshell/test/mochitest/test_bug1747033.html           | 8 +++++++-
 docshell/test/mochitest/test_bug660404.html            | 3 ++-
 docshell/test/mochitest/test_compressed_multipart.html | 6 ++++--
 dom/base/test/test_x-frame-options.html                | 4 +++-
 modules/libpref/init/StaticPrefList.yaml               | 6 ++++++
 netwerk/protocol/http/nsHttpChannel.cpp                | 5 ++++-
 7 files changed, 31 insertions(+), 6 deletions(-)

diff --git a/docshell/test/browser/browser_viewsource_multipart.js b/docshell/test/browser/browser_viewsource_multipart.js
index 748cf4bce0f1..bc40704c4e91 100644
--- a/docshell/test/browser/browser_viewsource_multipart.js
+++ b/docshell/test/browser/browser_viewsource_multipart.js
@@ -8,6 +8,11 @@ const TEST_PATH = getRootDirectory(gTestPath).replace(
 );
 const MULTIPART_URI = `${TEST_PATH}file_basic_multipart.sjs`;
 
+add_setup(async () => {
+  await SpecialPowers.pushPrefEnv({
+    set: [["network.multipart-mixed-replace.enabled_for_document", true]],
+  });
+});
 add_task(async function viewsource_multipart_uri() {
   await BrowserTestUtils.withNewTab("about:blank", async browser => {
     BrowserTestUtils.startLoadingURIString(browser, MULTIPART_URI);
diff --git a/docshell/test/mochitest/test_bug1747033.html b/docshell/test/mochitest/test_bug1747033.html
index 539b78fec05a..d8ee579addf9 100644
--- a/docshell/test/mochitest/test_bug1747033.html
+++ b/docshell/test/mochitest/test_bug1747033.html
@@ -87,9 +87,15 @@
         SimpleTest.finish();
       });
     }
+    SpecialPowers.pushPrefEnv({set:
+      [["network.multipart-mixed-replace.enabled_for_document", true]]},
+      () => {
+        runTest();
+      }
+    );
   </script>
 </head>
-<body onload="runTest();">
+<body>
 <p id="display"></p>
 <div id="content" style="display: none"></div>
 <pre id="test"></pre>
diff --git a/docshell/test/mochitest/test_bug660404.html b/docshell/test/mochitest/test_bug660404.html
index 94e3f67aa1b4..ef6840e85d32 100644
--- a/docshell/test/mochitest/test_bug660404.html
+++ b/docshell/test/mochitest/test_bug660404.html
@@ -65,7 +65,8 @@ bc.onmessage = (msgEvent) => {
 }
 
 // If Fission is disabled, the pref is no-op.
-SpecialPowers.pushPrefEnv({set: [["fission.bfcacheInParent", true]]}, () => {
+SpecialPowers.pushPrefEnv({set: [["fission.bfcacheInParent", true],
+  ["network.multipart-mixed-replace.enabled_for_document", true]]}, () => {
   // Have to open a new window, since there's no bfcache in subframes
   window.open("file_bug660404-1.html", "", "noopener");
 });
diff --git a/docshell/test/mochitest/test_compressed_multipart.html b/docshell/test/mochitest/test_compressed_multipart.html
index 438819b643f0..bff97762c93c 100644
--- a/docshell/test/mochitest/test_compressed_multipart.html
+++ b/docshell/test/mochitest/test_compressed_multipart.html
@@ -33,8 +33,10 @@ function finishTest() {
   SimpleTest.finish();
 }
 
-w = window.open("file_compressed_multipart");
-
+SpecialPowers.pushPrefEnv({set:
+  [["network.multipart-mixed-replace.enabled_for_document", true]]}, () => {
+  w = window.open("file_compressed_multipart");
+});
 </script>
 </pre>
 </body>
diff --git a/dom/base/test/test_x-frame-options.html b/dom/base/test/test_x-frame-options.html
index d8586e7974b7..07d5d595b028 100644
--- a/dom/base/test/test_x-frame-options.html
+++ b/dom/base/test/test_x-frame-options.html
@@ -183,7 +183,9 @@ SimpleTest.waitForExplicitFinish();
 
 // load the test harness
 SpecialPowers.pushPrefEnv({
-  "set": [["security.data_uri.block_toplevel_data_uri_navigations", false],]
+  "set": [["security.data_uri.block_toplevel_data_uri_navigations", false],
+  ["network.multipart-mixed-replace.enabled_for_document", true],
+]
 }, function() {
   document.getElementById("harness").src = "file_x-frame-options_main.html";
 });
diff --git a/modules/libpref/init/StaticPrefList.yaml b/modules/libpref/init/StaticPrefList.yaml
index f5c78fe1a891..a51ab8817dc7 100644
--- a/modules/libpref/init/StaticPrefList.yaml
+++ b/modules/libpref/init/StaticPrefList.yaml
@@ -11711,6 +11711,12 @@
   value: true
   mirror: always
 
+# Re-enables multipart/x-mixed-replace for DOCUMENT types
+- name: network.multipart-mixed-replace.enabled_for_document
+  type: RelaxedAtomicBool
+  value: false
+  mirror: always
+
 # Enables `<link rel="modulepreload">` tag and `Link: rel=modulepreload`
 # response header handling.
 - name: network.modulepreload
diff --git a/netwerk/protocol/http/nsHttpChannel.cpp b/netwerk/protocol/http/nsHttpChannel.cpp
index ef2b06f45cdc..c80471918664 100644
--- a/netwerk/protocol/http/nsHttpChannel.cpp
+++ b/netwerk/protocol/http/nsHttpChannel.cpp
@@ -1703,7 +1703,10 @@ nsresult nsHttpChannel::CallOnStartRequest() {
     nsAutoCString contentType;
     mResponseHead->ContentType(contentType);
 
-    if (contentType.Equals("multipart/x-mixed-replace"_ns)) {
+    if (contentType.Equals("multipart/x-mixed-replace"_ns) &&
+        ((mLoadInfo->GetExternalContentPolicyType() !=
+          ExtContentPolicyType::TYPE_DOCUMENT) ||
+         StaticPrefs::network_multipart_mixed_replace_enabled_for_document())) {
       nsCOMPtr<nsIStreamConverterService> convServ(
           do_GetService("@mozilla.org/streamConverters;1", &rv));
       if (NS_SUCCEEDED(rv)) {