From 96d8ee8908179c2e8f9cebf33975d20f7ae4566f Mon Sep 17 00:00:00 2001
From: Mihai Alexandru Michis <malexandru@mozilla.com>
Date: Fri, 14 Aug 2020 18:43:43 +0300
Subject: [PATCH] Backed out changeset 6b495a62f535 (bug 1658594) for causing
 failures in test_cors_mixedcontent.html

CLOSED TREE
---
 dom/security/nsHTTPSOnlyUtils.cpp             | 12 ---
 dom/security/nsHTTPSOnlyUtils.h               |  8 --
 dom/security/nsMixedContentBlocker.cpp        |  5 +-
 .../test/https-only/file_insecure_fetch.html  | 30 -------
 dom/security/test/https-only/mochitest.ini    | 15 ++--
 .../https-only/test_cors_mixedcontent.html    | 84 -------------------
 netwerk/protocol/http/nsCORSListenerProxy.cpp |  6 +-
 7 files changed, 14 insertions(+), 146 deletions(-)
 delete mode 100644 dom/security/test/https-only/file_insecure_fetch.html
 delete mode 100644 dom/security/test/https-only/test_cors_mixedcontent.html

diff --git a/dom/security/nsHTTPSOnlyUtils.cpp b/dom/security/nsHTTPSOnlyUtils.cpp
index bb5c2ed0f1d0..5c32d49e917f 100644
--- a/dom/security/nsHTTPSOnlyUtils.cpp
+++ b/dom/security/nsHTTPSOnlyUtils.cpp
@@ -268,18 +268,6 @@ void nsHTTPSOnlyUtils::TestSitePermissionAndPotentiallyAddExemption(
   loadInfo->SetHttpsOnlyStatus(httpsOnlyStatus);
 }
 
-/* static */
-bool nsHTTPSOnlyUtils::IsSafeToAcceptCORSOrMixedContent(
-    nsILoadInfo* aLoadInfo) {
-  // Check if the request is exempt from upgrades
-  if ((aLoadInfo->GetHttpsOnlyStatus() & nsILoadInfo::HTTPS_ONLY_EXEMPT)) {
-    return false;
-  }
-  // Check if HTTPS-Only Mode is enabled for this request
-  bool isPrivateWin = aLoadInfo->GetOriginAttributes().mPrivateBrowsingId > 0;
-  return nsHTTPSOnlyUtils::IsHttpsOnlyModeEnabled(isPrivateWin);
-}
-
 /* ------ Logging ------ */
 
 /* static */
diff --git a/dom/security/nsHTTPSOnlyUtils.h b/dom/security/nsHTTPSOnlyUtils.h
index 477c35fbe705..864c17dd8a72 100644
--- a/dom/security/nsHTTPSOnlyUtils.h
+++ b/dom/security/nsHTTPSOnlyUtils.h
@@ -79,14 +79,6 @@ class nsHTTPSOnlyUtils {
   static void TestSitePermissionAndPotentiallyAddExemption(
       nsIChannel* aChannel);
 
-  /**
-   * Checks whether CORS or mixed content requests are safe because they'll get
-   * upgraded to HTTPS
-   * @param  aLoadInfo nsILoadInfo of request
-   * @return           true if it's safe to accept
-   */
-  static bool IsSafeToAcceptCORSOrMixedContent(nsILoadInfo* aLoadInfo);
-
  private:
   /**
    * Logs localized message to either content console or browser console
diff --git a/dom/security/nsMixedContentBlocker.cpp b/dom/security/nsMixedContentBlocker.cpp
index 03272205ecde..dad6b36e8353 100644
--- a/dom/security/nsMixedContentBlocker.cpp
+++ b/dom/security/nsMixedContentBlocker.cpp
@@ -645,8 +645,9 @@ nsresult nsMixedContentBlocker::ShouldLoad(bool aHadInsecureImageRedirect,
     return NS_OK;
   }
 
-  // Check if https-only mode upgrades this later anyway
-  if (nsHTTPSOnlyUtils::IsSafeToAcceptCORSOrMixedContent(aLoadInfo)) {
+  // If https-only mode is enabled we'll upgrade this later anyway
+  bool isPrivateWin = aLoadInfo->GetOriginAttributes().mPrivateBrowsingId > 0;
+  if (nsHTTPSOnlyUtils::IsHttpsOnlyModeEnabled(isPrivateWin)) {
     *aDecision = ACCEPT;
     return NS_OK;
   }
diff --git a/dom/security/test/https-only/file_insecure_fetch.html b/dom/security/test/https-only/file_insecure_fetch.html
deleted file mode 100644
index 002aa934d0b0..000000000000
--- a/dom/security/test/https-only/file_insecure_fetch.html
+++ /dev/null
@@ -1,30 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<head>
-  <meta charset="utf-8">
-  <script src="/tests/SimpleTest/SimpleTest.js"></script>
-</head>
-<body>
-  <script class="testbody" type="text/javascript">
-
-    Promise.all([
-      tryFetch("http://example.com/"),
-      tryFetch("http://example.org/")
-    ]).then(result => {
-      const [sameOrigin, crossOrigin] = result;
-      window.parent.postMessage({ sameOrigin, crossOrigin });
-    });
-
-    async function tryFetch(url) {
-      let failed
-      try {
-        const response = await fetch(url);
-        failed = !response.ok
-      } catch(e) {
-        failed = true
-      }
-      return failed;
-    }
-  </script>
-</body>
-</html>
diff --git a/dom/security/test/https-only/mochitest.ini b/dom/security/test/https-only/mochitest.ini
index d759c03be590..72b80a7ca91c 100644
--- a/dom/security/test/https-only/mochitest.ini
+++ b/dom/security/test/https-only/mochitest.ini
@@ -1,15 +1,14 @@
-[test_resource_upgrade.html]
-scheme=https
+[DEFAULT]
 support-files =
+  file_redirect.sjs
   file_upgrade_insecure.html
   file_upgrade_insecure_server.sjs
   file_upgrade_insecure_wsh.py
+prefs =
+  security.mixed_content.upgrade_display_content=false
+
+[test_resource_upgrade.html]
+scheme=https
 [test_redirect_upgrade.html]
 scheme=https
 fail-if = xorigin
-support-files =
-  file_redirect.sjs
-[test_cors_mixedcontent.html]
-scheme=https
-support-files =
-  file_insecure_fetch.html
diff --git a/dom/security/test/https-only/test_cors_mixedcontent.html b/dom/security/test/https-only/test_cors_mixedcontent.html
deleted file mode 100644
index f1c7f0b29ae5..000000000000
--- a/dom/security/test/https-only/test_cors_mixedcontent.html
+++ /dev/null
@@ -1,84 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-
-<head>
-  <meta charset="utf-8">
-  <title>HTTPS-Only Mode - CORS & Mixed Content</title>
-  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
-  <script src="/tests/SimpleTest/SimpleTest.js"></script>
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
-</head>
-
-<body>
-  <h1>HTTPS-Only Mode</h1>
-  <p>CORS and Mixed Content blocking tests</p>
-  <p></p><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1658594">Bug 1658594</a></p>
-
-  <iframe id="testFrame"></iframe>
-
-  <script class="testbody" type="text/javascript">
-    const iframe = document.getElementById("testFrame");
-    SimpleTest.waitForExplicitFinish();
-
-    (async function() {
-      // Test 1: If HTTPS-Only Mode is disabled the insecure, same-origin
-      // request should fail
-      await SpecialPowers.pushPrefEnv({
-        set: [["dom.security.https_only_mode", false]],
-      });
-      await runTest(true, true);
-
-      // Test 2: If HTTPS-Only Mode is enabled the insecure, same-origin
-      // request should succeed because it gets upgraded
-      await SpecialPowers.pushPrefEnv({
-        set: [["dom.security.https_only_mode", true]],
-      });
-      await runTest(false, true);
-
-      // Test 3: If HTTPS-Only Mode is enabled but the website exempt from
-      // upgrades the insecure, same-origin request should fail again
-      await SpecialPowers.pushPermissions([
-        { type: "https-only-load-insecure", allow: true, context: document },
-      ]);
-      await runTest(true, true);
-
-      SimpleTest.finish();
-    })();
-
-
-    function runTest(shouldFailSameOrigin, shouldFailCrossOrigin) {
-      return new Promise(resolve => {
-        const handler = msg => {
-          if (msg.data.sameOrigin !== undefined) {
-            // Same-Origin check
-            ok(
-              shouldFailSameOrigin == msg.data.sameOrigin,
-              `Sending a request ${
-                msg.data.sameOrigin ? "failed" : "did not fail"
-              } but should ${shouldFailSameOrigin ? "" : "not"} have.`
-              );
-            // Cross-Origin check
-            ok(
-              shouldFailCrossOrigin == msg.data.crossOrigin,
-              `Sending a request ${
-                msg.data.crossOrigin ? "failed" : "did not fail"
-              } but should ${shouldFailCrossOrigin ? "" : "not"} have.`
-            );
-
-            // Remove handler function and reset src and resolve promise
-            window.removeEventListener("message", handler);
-            iframe.src = "about:blank";
-            resolve();
-          }
-        };
-
-        // Register handler function and set src
-        window.addEventListener("message", handler);
-        iframe.src =
-          "https://example.com/tests/dom/security/test/https-only/file_insecure_fetch.html";
-      });
-    }
-  </script>
-</body>
-
-</html>
diff --git a/netwerk/protocol/http/nsCORSListenerProxy.cpp b/netwerk/protocol/http/nsCORSListenerProxy.cpp
index 0da61b71d1ee..7af59acc2b5f 100644
--- a/netwerk/protocol/http/nsCORSListenerProxy.cpp
+++ b/netwerk/protocol/http/nsCORSListenerProxy.cpp
@@ -892,9 +892,11 @@ nsresult nsCORSListenerProxy::UpdateChannel(nsIChannel* aChannel,
   // then the xhr request will be upgraded to https before it fetches any data
   // from the netwerk, hence we shouldn't require CORS in that specific case.
   if (CheckInsecureUpgradePreventsCORS(mRequestingPrincipal, aChannel)) {
-    // Check if https-only mode upgrades this later anyway
+    // Check if HTTPS-Only Mode is enabled
     nsCOMPtr<nsILoadInfo> loadinfo = aChannel->LoadInfo();
-    if (nsHTTPSOnlyUtils::IsSafeToAcceptCORSOrMixedContent(loadinfo)) {
+    bool isPrivateWin = loadinfo->GetOriginAttributes().mPrivateBrowsingId > 0;
+    if (!(loadInfo->GetHttpsOnlyStatus() & nsILoadInfo::HTTPS_ONLY_EXEMPT) &&
+        nsHTTPSOnlyUtils::IsHttpsOnlyModeEnabled(isPrivateWin)) {
       return NS_OK;
     }
     // Check if 'upgrade-insecure-requests' is used