Backed out changeset 6b495a62f535 (bug 1658594) for causing failures in test_cors_mixedcontent.html

CLOSED TREE
2020-08-14 18:43:43 +03:00 · 2020-08-14 18:43:43 +03:00 · 96d8ee8908
--- a/dom/security/nsHTTPSOnlyUtils.cpp
+++ b/dom/security/nsHTTPSOnlyUtils.cpp
@ -268,18 +268,6 @@ void nsHTTPSOnlyUtils::TestSitePermissionAndPotentiallyAddExemption(
  loadInfo->SetHttpsOnlyStatus(httpsOnlyStatus);
 }

-/* static */
-bool nsHTTPSOnlyUtils::IsSafeToAcceptCORSOrMixedContent(
-    nsILoadInfo* aLoadInfo) {
-  // Check if the request is exempt from upgrades
-  if ((aLoadInfo->GetHttpsOnlyStatus() & nsILoadInfo::HTTPS_ONLY_EXEMPT)) {
-    return false;
-  }
-  // Check if HTTPS-Only Mode is enabled for this request
-  bool isPrivateWin = aLoadInfo->GetOriginAttributes().mPrivateBrowsingId > 0;
-  return nsHTTPSOnlyUtils::IsHttpsOnlyModeEnabled(isPrivateWin);
-}
-
 /* ------ Logging ------ */

 /* static */
--- a/dom/security/nsHTTPSOnlyUtils.h
+++ b/dom/security/nsHTTPSOnlyUtils.h
@ -79,14 +79,6 @@ class nsHTTPSOnlyUtils {
  static void TestSitePermissionAndPotentiallyAddExemption(
      nsIChannel* aChannel);

-  /**
-   * Checks whether CORS or mixed content requests are safe because they'll get
-   * upgraded to HTTPS
-   * @param  aLoadInfo nsILoadInfo of request
-   * @return           true if it's safe to accept
-   */
-  static bool IsSafeToAcceptCORSOrMixedContent(nsILoadInfo* aLoadInfo);
-
 private:
  /**
   * Logs localized message to either content console or browser console
--- a/dom/security/nsMixedContentBlocker.cpp
+++ b/dom/security/nsMixedContentBlocker.cpp
@ -645,8 +645,9 @@ nsresult nsMixedContentBlocker::ShouldLoad(bool aHadInsecureImageRedirect,
    return NS_OK;
  }

-  // Check if https-only mode upgrades this later anyway
-  if (nsHTTPSOnlyUtils::IsSafeToAcceptCORSOrMixedContent(aLoadInfo)) {
+  // If https-only mode is enabled we'll upgrade this later anyway
+  bool isPrivateWin = aLoadInfo->GetOriginAttributes().mPrivateBrowsingId > 0;
+  if (nsHTTPSOnlyUtils::IsHttpsOnlyModeEnabled(isPrivateWin)) {
    *aDecision = ACCEPT;
    return NS_OK;
  }
--- a/dom/security/test/https-only/file_insecure_fetch.html
+++ b/dom/security/test/https-only/file_insecure_fetch.html
@ -1,30 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<head>
-  <meta charset="utf-8">
-  <script src="/tests/SimpleTest/SimpleTest.js"></script>
-</head>
-<body>
-  <script class="testbody" type="text/javascript">
-
-    Promise.all([
-      tryFetch("http://example.com/"),
-      tryFetch("http://example.org/")
-    ]).then(result => {
-      const [sameOrigin, crossOrigin] = result;
-      window.parent.postMessage({ sameOrigin, crossOrigin });
-    });
-
-    async function tryFetch(url) {
-      let failed
-      try {
-        const response = await fetch(url);
-        failed = !response.ok
-      } catch(e) {
-        failed = true
-      }
-      return failed;
-    }
-  </script>
-</body>
-</html>
--- a/dom/security/test/https-only/mochitest.ini
+++ b/dom/security/test/https-only/mochitest.ini
@ -1,15 +1,14 @@
-[test_resource_upgrade.html]
-scheme=https
+[DEFAULT]
 support-files =
+  file_redirect.sjs
  file_upgrade_insecure.html
  file_upgrade_insecure_server.sjs
  file_upgrade_insecure_wsh.py
+prefs =
+  security.mixed_content.upgrade_display_content=false
+
+[test_resource_upgrade.html]
+scheme=https
 [test_redirect_upgrade.html]
 scheme=https
 fail-if = xorigin
-support-files =
-  file_redirect.sjs
-[test_cors_mixedcontent.html]
-scheme=https
-support-files =
-  file_insecure_fetch.html
--- a/dom/security/test/https-only/test_cors_mixedcontent.html
+++ b/dom/security/test/https-only/test_cors_mixedcontent.html
@ -1,84 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-
-<head>
-  <meta charset="utf-8">
-  <title>HTTPS-Only Mode - CORS & Mixed Content</title>
-  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
-  <script src="/tests/SimpleTest/SimpleTest.js"></script>
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
-</head>
-
-<body>
-  <h1>HTTPS-Only Mode</h1>
-  <p>CORS and Mixed Content blocking tests</p>
-  <p></p><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1658594">Bug 1658594</a></p>
-
-  <iframe id="testFrame"></iframe>
-
-  <script class="testbody" type="text/javascript">
-    const iframe = document.getElementById("testFrame");
-    SimpleTest.waitForExplicitFinish();
-
-    (async function() {
-      // Test 1: If HTTPS-Only Mode is disabled the insecure, same-origin
-      // request should fail
-      await SpecialPowers.pushPrefEnv({
-        set: [["dom.security.https_only_mode", false]],
-      });
-      await runTest(true, true);
-
-      // Test 2: If HTTPS-Only Mode is enabled the insecure, same-origin
-      // request should succeed because it gets upgraded
-      await SpecialPowers.pushPrefEnv({
-        set: [["dom.security.https_only_mode", true]],
-      });
-      await runTest(false, true);
-
-      // Test 3: If HTTPS-Only Mode is enabled but the website exempt from
-      // upgrades the insecure, same-origin request should fail again
-      await SpecialPowers.pushPermissions([
-        { type: "https-only-load-insecure", allow: true, context: document },
-      ]);
-      await runTest(true, true);
-
-      SimpleTest.finish();
-    })();
-
-
-    function runTest(shouldFailSameOrigin, shouldFailCrossOrigin) {
-      return new Promise(resolve => {
-        const handler = msg => {
-          if (msg.data.sameOrigin !== undefined) {
-            // Same-Origin check
-            ok(
-              shouldFailSameOrigin == msg.data.sameOrigin,
-              `Sending a request ${
-                msg.data.sameOrigin ? "failed" : "did not fail"
-              } but should ${shouldFailSameOrigin ? "" : "not"} have.`
-              );
-            // Cross-Origin check
-            ok(
-              shouldFailCrossOrigin == msg.data.crossOrigin,
-              `Sending a request ${
-                msg.data.crossOrigin ? "failed" : "did not fail"
-              } but should ${shouldFailCrossOrigin ? "" : "not"} have.`
-            );
-
-            // Remove handler function and reset src and resolve promise
-            window.removeEventListener("message", handler);
-            iframe.src = "about:blank";
-            resolve();
-          }
-        };
-
-        // Register handler function and set src
-        window.addEventListener("message", handler);
-        iframe.src =
-          "https://example.com/tests/dom/security/test/https-only/file_insecure_fetch.html";
-      });
-    }
-  </script>
-</body>
-
-</html>
--- a/netwerk/protocol/http/nsCORSListenerProxy.cpp
+++ b/netwerk/protocol/http/nsCORSListenerProxy.cpp
@ -892,9 +892,11 @@ nsresult nsCORSListenerProxy::UpdateChannel(nsIChannel* aChannel,
  // then the xhr request will be upgraded to https before it fetches any data
  // from the netwerk, hence we shouldn't require CORS in that specific case.
  if (CheckInsecureUpgradePreventsCORS(mRequestingPrincipal, aChannel)) {
-    // Check if https-only mode upgrades this later anyway
+    // Check if HTTPS-Only Mode is enabled
    nsCOMPtr<nsILoadInfo> loadinfo = aChannel->LoadInfo();
-    if (nsHTTPSOnlyUtils::IsSafeToAcceptCORSOrMixedContent(loadinfo)) {
+    bool isPrivateWin = loadinfo->GetOriginAttributes().mPrivateBrowsingId > 0;
+    if (!(loadInfo->GetHttpsOnlyStatus() & nsILoadInfo::HTTPS_ONLY_EXEMPT) &&
+        nsHTTPSOnlyUtils::IsHttpsOnlyModeEnabled(isPrivateWin)) {
      return NS_OK;
    }
    // Check if 'upgrade-insecure-requests' is used