Backed out changeset 6b495a62f535 (bug 1658594) for causing failures in test_cors_mixedcontent.html
CLOSED TREE
This commit is contained in:
Родитель
8770c8a332
Коммит
96d8ee8908
|
@ -268,18 +268,6 @@ void nsHTTPSOnlyUtils::TestSitePermissionAndPotentiallyAddExemption(
|
||||||
loadInfo->SetHttpsOnlyStatus(httpsOnlyStatus);
|
loadInfo->SetHttpsOnlyStatus(httpsOnlyStatus);
|
||||||
}
|
}
|
||||||
|
|
||||||
/* static */
|
|
||||||
bool nsHTTPSOnlyUtils::IsSafeToAcceptCORSOrMixedContent(
|
|
||||||
nsILoadInfo* aLoadInfo) {
|
|
||||||
// Check if the request is exempt from upgrades
|
|
||||||
if ((aLoadInfo->GetHttpsOnlyStatus() & nsILoadInfo::HTTPS_ONLY_EXEMPT)) {
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
// Check if HTTPS-Only Mode is enabled for this request
|
|
||||||
bool isPrivateWin = aLoadInfo->GetOriginAttributes().mPrivateBrowsingId > 0;
|
|
||||||
return nsHTTPSOnlyUtils::IsHttpsOnlyModeEnabled(isPrivateWin);
|
|
||||||
}
|
|
||||||
|
|
||||||
/* ------ Logging ------ */
|
/* ------ Logging ------ */
|
||||||
|
|
||||||
/* static */
|
/* static */
|
||||||
|
|
|
@ -79,14 +79,6 @@ class nsHTTPSOnlyUtils {
|
||||||
static void TestSitePermissionAndPotentiallyAddExemption(
|
static void TestSitePermissionAndPotentiallyAddExemption(
|
||||||
nsIChannel* aChannel);
|
nsIChannel* aChannel);
|
||||||
|
|
||||||
/**
|
|
||||||
* Checks whether CORS or mixed content requests are safe because they'll get
|
|
||||||
* upgraded to HTTPS
|
|
||||||
* @param aLoadInfo nsILoadInfo of request
|
|
||||||
* @return true if it's safe to accept
|
|
||||||
*/
|
|
||||||
static bool IsSafeToAcceptCORSOrMixedContent(nsILoadInfo* aLoadInfo);
|
|
||||||
|
|
||||||
private:
|
private:
|
||||||
/**
|
/**
|
||||||
* Logs localized message to either content console or browser console
|
* Logs localized message to either content console or browser console
|
||||||
|
|
|
@ -645,8 +645,9 @@ nsresult nsMixedContentBlocker::ShouldLoad(bool aHadInsecureImageRedirect,
|
||||||
return NS_OK;
|
return NS_OK;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Check if https-only mode upgrades this later anyway
|
// If https-only mode is enabled we'll upgrade this later anyway
|
||||||
if (nsHTTPSOnlyUtils::IsSafeToAcceptCORSOrMixedContent(aLoadInfo)) {
|
bool isPrivateWin = aLoadInfo->GetOriginAttributes().mPrivateBrowsingId > 0;
|
||||||
|
if (nsHTTPSOnlyUtils::IsHttpsOnlyModeEnabled(isPrivateWin)) {
|
||||||
*aDecision = ACCEPT;
|
*aDecision = ACCEPT;
|
||||||
return NS_OK;
|
return NS_OK;
|
||||||
}
|
}
|
||||||
|
|
|
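Review bot: The restored condition on the `nsHTTPSOnlyUtils::IsHttpsOnlyModeEnabled(isPrivateWin)` line accepts the load as soon as HTTPS-Only Mode is enabled, without consulting the load's `HTTPS_ONLY_EXEMPT` status, so a request that is exempt from upgrades (and therefore stays on http) is still accepted by the mixed-content blocker. The backed-out helper tested that flag first, and the restored nsCORSListenerProxy hunk in this same commit still does (`!(loadInfo->GetHttpsOnlyStatus() & nsILoadInfo::HTTPS_ONLY_EXEMPT)`), so the two call sites now disagree. Even while the test failure is being sorted out, the guard could be kept inline here: `if (!(aLoadInfo->GetHttpsOnlyStatus() & nsILoadInfo::HTTPS_ONLY_EXEMPT) && nsHTTPSOnlyUtils::IsHttpsOnlyModeEnabled(isPrivateWin)) {`. ShouldLoad begins and ends outside the hunk.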
@ -1,30 +0,0 @@
|
||||||
<!DOCTYPE HTML>
|
|
||||||
<html>
|
|
||||||
<head>
|
|
||||||
<meta charset="utf-8">
|
|
||||||
<script src="/tests/SimpleTest/SimpleTest.js"></script>
|
|
||||||
</head>
|
|
||||||
<body>
|
|
||||||
<script class="testbody" type="text/javascript">
|
|
||||||
|
|
||||||
Promise.all([
|
|
||||||
tryFetch("http://example.com/"),
|
|
||||||
tryFetch("http://example.org/")
|
|
||||||
]).then(result => {
|
|
||||||
const [sameOrigin, crossOrigin] = result;
|
|
||||||
window.parent.postMessage({ sameOrigin, crossOrigin });
|
|
||||||
});
|
|
||||||
|
|
||||||
async function tryFetch(url) {
|
|
||||||
let failed
|
|
||||||
try {
|
|
||||||
const response = await fetch(url);
|
|
||||||
failed = !response.ok
|
|
||||||
} catch(e) {
|
|
||||||
failed = true
|
|
||||||
}
|
|
||||||
return failed;
|
|
||||||
}
|
|
||||||
</script>
|
|
||||||
</body>
|
|
||||||
</html>
|
|
|
@ -1,15 +1,14 @@
|
||||||
[test_resource_upgrade.html]
|
[DEFAULT]
|
||||||
scheme=https
|
|
||||||
support-files =
|
support-files =
|
||||||
|
file_redirect.sjs
|
||||||
file_upgrade_insecure.html
|
file_upgrade_insecure.html
|
||||||
file_upgrade_insecure_server.sjs
|
file_upgrade_insecure_server.sjs
|
||||||
file_upgrade_insecure_wsh.py
|
file_upgrade_insecure_wsh.py
|
||||||
|
prefs =
|
||||||
|
security.mixed_content.upgrade_display_content=false
|
||||||
|
|
||||||
|
[test_resource_upgrade.html]
|
||||||
|
scheme=https
|
||||||
[test_redirect_upgrade.html]
|
[test_redirect_upgrade.html]
|
||||||
scheme=https
|
scheme=https
|
||||||
fail-if = xorigin
|
fail-if = xorigin
|
||||||
support-files =
|
|
||||||
file_redirect.sjs
|
|
||||||
[test_cors_mixedcontent.html]
|
|
||||||
scheme=https
|
|
||||||
support-files =
|
|
||||||
file_insecure_fetch.html
|
|
||||||
|
|
|
@ -1,84 +0,0 @@
|
||||||
<!DOCTYPE HTML>
|
|
||||||
<html>
|
|
||||||
|
|
||||||
<head>
|
|
||||||
<meta charset="utf-8">
|
|
||||||
<title>HTTPS-Only Mode - CORS & Mixed Content</title>
|
|
||||||
<!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
|
|
||||||
<script src="/tests/SimpleTest/SimpleTest.js"></script>
|
|
||||||
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
|
|
||||||
</head>
|
|
||||||
|
|
||||||
<body>
|
|
||||||
<h1>HTTPS-Only Mode</h1>
|
|
||||||
<p>CORS and Mixed Content blocking tests</p>
|
|
||||||
<p></p><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1658594">Bug 1658594</a></p>
|
|
||||||
|
|
||||||
<iframe id="testFrame"></iframe>
|
|
||||||
|
|
||||||
<script class="testbody" type="text/javascript">
|
|
||||||
const iframe = document.getElementById("testFrame");
|
|
||||||
SimpleTest.waitForExplicitFinish();
|
|
||||||
|
|
||||||
(async function() {
|
|
||||||
// Test 1: If HTTPS-Only Mode is disabled the insecure, same-origin
|
|
||||||
// request should fail
|
|
||||||
await SpecialPowers.pushPrefEnv({
|
|
||||||
set: [["dom.security.https_only_mode", false]],
|
|
||||||
});
|
|
||||||
await runTest(true, true);
|
|
||||||
|
|
||||||
// Test 2: If HTTPS-Only Mode is enabled the insecure, same-origin
|
|
||||||
// request should succeed because it gets upgraded
|
|
||||||
await SpecialPowers.pushPrefEnv({
|
|
||||||
set: [["dom.security.https_only_mode", true]],
|
|
||||||
});
|
|
||||||
await runTest(false, true);
|
|
||||||
|
|
||||||
// Test 3: If HTTPS-Only Mode is enabled but the website exempt from
|
|
||||||
// upgrades the insecure, same-origin request should fail again
|
|
||||||
await SpecialPowers.pushPermissions([
|
|
||||||
{ type: "https-only-load-insecure", allow: true, context: document },
|
|
||||||
]);
|
|
||||||
await runTest(true, true);
|
|
||||||
|
|
||||||
SimpleTest.finish();
|
|
||||||
})();
|
|
||||||
|
|
||||||
|
|
||||||
function runTest(shouldFailSameOrigin, shouldFailCrossOrigin) {
|
|
||||||
return new Promise(resolve => {
|
|
||||||
const handler = msg => {
|
|
||||||
if (msg.data.sameOrigin !== undefined) {
|
|
||||||
// Same-Origin check
|
|
||||||
ok(
|
|
||||||
shouldFailSameOrigin == msg.data.sameOrigin,
|
|
||||||
`Sending a request ${
|
|
||||||
msg.data.sameOrigin ? "failed" : "did not fail"
|
|
||||||
} but should ${shouldFailSameOrigin ? "" : "not"} have.`
|
|
||||||
);
|
|
||||||
// Cross-Origin check
|
|
||||||
ok(
|
|
||||||
shouldFailCrossOrigin == msg.data.crossOrigin,
|
|
||||||
`Sending a request ${
|
|
||||||
msg.data.crossOrigin ? "failed" : "did not fail"
|
|
||||||
} but should ${shouldFailCrossOrigin ? "" : "not"} have.`
|
|
||||||
);
|
|
||||||
|
|
||||||
// Remove handler function and reset src and resolve promise
|
|
||||||
window.removeEventListener("message", handler);
|
|
||||||
iframe.src = "about:blank";
|
|
||||||
resolve();
|
|
||||||
}
|
|
||||||
};
|
|
||||||
|
|
||||||
// Register handler function and set src
|
|
||||||
window.addEventListener("message", handler);
|
|
||||||
iframe.src =
|
|
||||||
"https://example.com/tests/dom/security/test/https-only/file_insecure_fetch.html";
|
|
||||||
});
|
|
||||||
}
|
|
||||||
</script>
|
|
||||||
</body>
|
|
||||||
|
|
||||||
</html>
|
|
|
@ -892,9 +892,11 @@ nsresult nsCORSListenerProxy::UpdateChannel(nsIChannel* aChannel,
|
||||||
// then the xhr request will be upgraded to https before it fetches any data
|
// then the xhr request will be upgraded to https before it fetches any data
|
||||||
// from the netwerk, hence we shouldn't require CORS in that specific case.
|
// from the netwerk, hence we shouldn't require CORS in that specific case.
|
||||||
if (CheckInsecureUpgradePreventsCORS(mRequestingPrincipal, aChannel)) {
|
if (CheckInsecureUpgradePreventsCORS(mRequestingPrincipal, aChannel)) {
|
||||||
// Check if https-only mode upgrades this later anyway
|
// Check if HTTPS-Only Mode is enabled
|
||||||
nsCOMPtr<nsILoadInfo> loadinfo = aChannel->LoadInfo();
|
nsCOMPtr<nsILoadInfo> loadinfo = aChannel->LoadInfo();
|
||||||
if (nsHTTPSOnlyUtils::IsSafeToAcceptCORSOrMixedContent(loadinfo)) {
|
bool isPrivateWin = loadinfo->GetOriginAttributes().mPrivateBrowsingId > 0;
|
||||||
|
if (!(loadInfo->GetHttpsOnlyStatus() & nsILoadInfo::HTTPS_ONLY_EXEMPT) &&
|
||||||
|
nsHTTPSOnlyUtils::IsHttpsOnlyModeEnabled(isPrivateWin)) {
|
||||||
return NS_OK;
|
return NS_OK;
|
||||||
}
|
}
|
||||||
// Check if 'upgrade-insecure-requests' is used
|
// Check if 'upgrade-insecure-requests' is used
|
||||||
|
|
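Review bot: The restored condition reads `loadInfo` (capital I) while the local declared two lines above is `loadinfo`; if an earlier `loadInfo` is in scope in UpdateChannel, the exempt check and the private-browsing check consult two different objects for the same channel, and if none is, this line does not compile. Using the one local for both reads more clearly and keeps the two checks on the same loadinfo: `if (!(loadinfo->GetHttpsOnlyStatus() & nsILoadInfo::HTTPS_ONLY_EXEMPT) &&`. UpdateChannel begins and ends outside the hunk.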