mozilla
/
gecko-dev
зеркало из https://github.com/mozilla/gecko-dev.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Bug 1226928 - dochsell changes for content-signing on remote about:newtab, r=bz,mconley

This commit is contained in:
Franziskus Kiefer 2016-03-14 11:57:03 +01:00
Родитель 0d2149893d
Коммит ad50543437
4 изменённых файлов: 93 добавлений и 10 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

18
browser/components/about/AboutRedirector.cpp
Просмотреть файл

@ -155,6 +155,7 @@ AboutRedirector::NewChannel(nsIURI* aURI,
for (int i = 0; i < kRedirTotal; i++) {
if (!strcmp(path.get(), kRedirMap[i].id)) {
nsAutoCString url;
nsLoadFlags loadFlags = static_cast<nsLoadFlags>(nsIChannel::LOAD_NORMAL);
if (path.EqualsLiteral("newtab")) {
// let the aboutNewTabService decide where to redirect
@ -163,6 +164,17 @@ AboutRedirector::NewChannel(nsIURI* aURI,
NS_ENSURE_SUCCESS(rv, rv);
rv = aboutNewTabService->GetDefaultURL(url);
NS_ENSURE_SUCCESS(rv, rv);
// if about:newtab points to an external resource we have to make sure
// the content is signed and trusted
bool remoteEnabled = false;
rv = aboutNewTabService->GetRemoteEnabled(&remoteEnabled);
NS_ENSURE_SUCCESS(rv, rv);
if (remoteEnabled) {
NS_ENSURE_ARG_POINTER(aLoadInfo);
aLoadInfo->SetVerifySignedContent(true);
loadFlags = static_cast<nsLoadFlags>(nsIChannel::LOAD_REPLACE);
}
}
// fall back to the specified url in the map
if (url.IsEmpty()) {
@ -183,9 +195,9 @@ AboutRedirector::NewChannel(nsIURI* aURI,
&isUIResource);
NS_ENSURE_SUCCESS(rv, rv);
nsLoadFlags loadFlags =
isUIResource ? static_cast<nsLoadFlags>(nsIChannel::LOAD_NORMAL)
: static_cast<nsLoadFlags>(nsIChannel::LOAD_REPLACE);
loadFlags = isUIResource
? static_cast<nsLoadFlags>(nsIChannel::LOAD_NORMAL)
: static_cast<nsLoadFlags>(nsIChannel::LOAD_REPLACE);
rv = NS_NewChannelInternal(getter_AddRefs(tempChannel),
tempURI,

31
browser/components/newtab/aboutNewTabService.js
Просмотреть файл

@ -32,6 +32,9 @@ const ABOUT_URL = "about:newtab";
// Pref that tells if remote newtab is enabled
const PREF_REMOTE_ENABLED = "browser.newtabpage.remote";
// Pref branch necesssary for testing
const PREF_REMOTE_CS_TEST = "browser.newtabpage.remote.content-signing-test";
// The preference that tells whether to match the OS locale
const PREF_MATCH_OS_LOCALE = "intl.locale.matchOS";
@ -126,8 +129,13 @@ AboutNewTabService.prototype = {
return false;
}
let csTest = Services.prefs.getBoolPref(PREF_REMOTE_CS_TEST);
if (stateEnabled) {
this._remoteURL = this.generateRemoteURL();
if (!csTest) {
this._remoteURL = this.generateRemoteURL();
} else {
this._remoteURL = this._newTabURL;
}
NewTabPrefsProvider.prefs.on(
PREF_SELECTED_LOCALE,
this._updateRemoteMaybe);
@ -144,7 +152,9 @@ AboutNewTabService.prototype = {
NewTabPrefsProvider.prefs.off(PREF_REMOTE_MODE, this._updateRemoteMaybe);
this._remoteEnabled = false;
}
this._newTabURL = ABOUT_URL;
if (!csTest) {
this._newTabURL = ABOUT_URL;
}
return true;
},
@ -170,10 +180,13 @@ AboutNewTabService.prototype = {
* This URL only depends on the browser.newtabpage.remote pref. Overriding
* the newtab page has no effect on the result of this function.
*
* The result is also the remote URL if this is in a test (PREF_REMOTE_CS_TEST)
*
* @returns {String} the default newtab URL, remote or local depending on browser.newtabpage.remote
*/
get defaultURL() {
if (this._remoteEnabled) {
let csTest = Services.prefs.getBoolPref(PREF_REMOTE_CS_TEST);
if (this._remoteEnabled || csTest) {
return this._remoteURL;
}
return LOCAL_NEWTAB_URL;
@ -219,6 +232,7 @@ AboutNewTabService.prototype = {
},
set newTabURL(aNewTabURL) {
let csTest = Services.prefs.getBoolPref(PREF_REMOTE_CS_TEST);
aNewTabURL = aNewTabURL.trim();
if (aNewTabURL === ABOUT_URL) {
// avoid infinite redirects in case one sets the URL to about:newtab
@ -233,14 +247,19 @@ AboutNewTabService.prototype = {
let isResetRemote = prefRemoteEnabled && aNewTabURL === remoteURL;
if (isResetLocal || isResetRemote) {
if (this._overriden) {
// only trigger a reset if previously overridden
if (this._overriden && !csTest) {
// only trigger a reset if previously overridden and this is no test
this.resetNewTabURL();
}
return;
}
// turn off remote state if needed
this.toggleRemote(false);
if (!csTest) {
this.toggleRemote(false);
} else {
// if this is a test, we want the remoteURL to be set
this._remoteURL = aNewTabURL;
}
this._newTabURL = aNewTabURL;
this._overridden = true;
Services.obs.notifyObservers(null, "newtab-url-changed", this._newTabURL);

51
docshell/base/nsDocShell.cpp
Просмотреть файл

@ -7579,6 +7579,17 @@ nsDocShell::EndPageLoad(nsIWebProgress* aProgress,
aStatus == NS_ERROR_INVALID_CONTENT_ENCODING) {
DisplayLoadError(aStatus, url, nullptr, aChannel);
return NS_OK;
} else if (aStatus == NS_ERROR_INVALID_SIGNATURE) {
// NS_ERROR_INVALID_SIGNATURE indicates a content-signature error.
// This currently only happens in case a remote about page fails.
// We have to load a fallback in this case.
// XXX: We always load about blank here, firefox has to overwrite this if
// it wants to display something else.
return LoadURI(MOZ_UTF16("about:blank"), // URI string
nsIChannel::LOAD_NORMAL, // Load flags
nullptr, // Referring URI
nullptr, // Post data stream
nullptr); // Headers stream
}
// Handle iframe document not loading error because source was
@ -9549,6 +9560,27 @@ nsDocShell::CreatePrincipalFromReferrer(nsIURI* aReferrer,
return *aResult ? NS_OK : NS_ERROR_FAILURE;
}
bool
nsDocShell::IsAboutNewtab(nsIURI* aURI)
{
if (!aURI) {
return false;
}
bool isAbout;
if (NS_WARN_IF(NS_FAILED(aURI->SchemeIs("about", &isAbout)))) {
return false;
}
if (!isAbout) {
return false;
}
nsAutoCString module;
if (NS_WARN_IF(NS_FAILED(NS_GetAboutModuleName(aURI, module)))) {
return false;
}
return module.Equals("newtab");
}
NS_IMETHODIMP
nsDocShell::InternalLoad(nsIURI* aURI,
nsIURI* aOriginalURI,
@ -10218,8 +10250,16 @@ nsDocShell::InternalLoad(nsIURI* aURI,
// used to cancel attempts to load URIs in the wrong process.
nsCOMPtr<nsIWebBrowserChrome3> browserChrome3 = do_GetInterface(mTreeOwner);
if (browserChrome3) {
// In case this is a remote newtab load, set aURI to aOriginalURI (newtab).
// This ensures that the verifySignedContent flag is set on loadInfo in
// DoURILoad.
nsIURI* uriForShouldLoadCheck = aURI;
if (IsAboutNewtab(aOriginalURI)) {
uriForShouldLoadCheck = aOriginalURI;
}
bool shouldLoad;
rv = browserChrome3->ShouldLoadURI(this, aURI, aReferrer, &shouldLoad);
rv = browserChrome3->ShouldLoadURI(this, uriForShouldLoadCheck, aReferrer,
&shouldLoad);
if (NS_SUCCEEDED(rv) && !shouldLoad) {
return NS_OK;
}
@ -10869,6 +10909,15 @@ nsDocShell::DoURILoad(nsIURI* aURI,
// Referrer is currenly only set for link clicks here.
httpChannel->SetReferrerWithPolicy(aReferrerURI, aReferrerPolicy);
}
// set Content-Signature enforcing bit if aOriginalURI == about:newtab
if (aOriginalURI && httpChannel) {
if (IsAboutNewtab(aOriginalURI)) {
nsCOMPtr<nsILoadInfo> loadInfo = httpChannel->GetLoadInfo();
if (loadInfo) {
loadInfo->SetVerifySignedContent(true);
}
}
}
}
nsCOMPtr<nsIScriptChannel> scriptChannel = do_QueryInterface(channel);

3
docshell/base/nsDocShell.h
Просмотреть файл

@ -728,6 +728,9 @@ protected:
nsIDocShellLoadInfo* aLoadInfo,
bool aFirstParty);
// Check if aURI is about:newtab.
bool IsAboutNewtab(nsIURI* aURI);
protected:
nsresult GetCurScrollPos(int32_t aScrollOrientation, int32_t* aCurPos);
nsresult SetCurScrollPosEx(int32_t aCurHorizontalPos,