Bug 1642667 - Isolate alt-srv and connection pool per first-party when privacy.partition.network_state is set to true - part 2 - tests, r=dragana,necko-reviewers

Differential Revision: https://phabricator.services.mozilla.com/D78083

browser/components/originattributes/test/browser/browser_clientAuth.js

@@ -15,7 +15,10 @@ registerCleanupFunction(() => {
 
 async function setup() {
   await SpecialPowers.pushPrefEnv({
-    set: [["security.default_personal_cert", "Ask Every Time"]],
+    set: [
+      ["security.default_personal_cert", "Ask Every Time"],
+      ["privacy.partition.network_state", false],
+    ],
   });
 }
 

dom/media/tests/mochitest/test_peerConnection_basicAudioNATRelay.html

@@ -23,7 +23,8 @@ if (!("mediaDevices" in navigator)) {
         ['media.peerconnection.ice.obfuscate_host_addresses', false],
         ['media.peerconnection.nat_simulator.filtering_type', 'PORT_DEPENDENT'],
         ['media.peerconnection.nat_simulator.mapping_type', 'PORT_DEPENDENT'],
-        ['media.getusermedia.insecure.enabled', true]);
+        ['media.getusermedia.insecure.enabled', true],
+        ['privacy.partition.network_state', false])
     options.expectedLocalCandidateType = "srflx";
     options.expectedRemoteCandidateType = "relay";
     // If both have TURN, it is a toss-up which one will end up using a

modules/libpref/init/StaticPrefList.yaml

@@ -8601,6 +8601,13 @@
   value: @IS_NIGHTLY_BUILD@
   mirror: always
 
+# By default, the network state isolation is not active when there is a proxy
+# setting. This pref forces the network isolation even in these scenarios.
+- name: privacy.partition.network_state.connection_with_proxy
+  type: bool
+  value: false
+  mirror: always
+
 #---------------------------------------------------------------------------
 # Prefs starting with "prompts."
 #---------------------------------------------------------------------------

netwerk/protocol/http/nsHttpChannel.cpp

@@ -2434,7 +2434,8 @@ void nsHttpChannel::ProcessAltService() {
 
   OriginAttributes originAttributes;
   // Regular principal in case we have a proxy.
-  if (proxyInfo) {
+  if (proxyInfo &&
+      !StaticPrefs::privacy_partition_network_state_connection_with_proxy()) {
     StoragePrincipalHelper::GetOriginAttributes(
         this, originAttributes, StoragePrincipalHelper::eRegularPrincipal);
   } else {
@@ -6769,7 +6770,8 @@ nsresult nsHttpChannel::BeginConnect() {
 
   OriginAttributes originAttributes;
   // Regular principal in case we have a proxy.
-  if (proxyInfo) {
+  if (proxyInfo &&
+      !StaticPrefs::privacy_partition_network_state_connection_with_proxy()) {
     StoragePrincipalHelper::GetOriginAttributes(
         this, originAttributes, StoragePrincipalHelper::eRegularPrincipal);
   } else {

netwerk/test/unit/test_http2-proxy.js

@@ -335,6 +335,10 @@ add_task(async function setup() {
   Services.prefs.setBoolPref("network.http.spdy.enabled", true);
   Services.prefs.setBoolPref("network.http.spdy.enabled.http2", true);
 
+  // Even with network state isolation active, we don't end up using the
+  // partitioned principal.
+  Services.prefs.setBoolPref("privacy.partition.network_state", true);
+
   // make all native resolve calls "secretly" resolve localhost instead
   Services.prefs.setBoolPref("network.dns.native-is-localhost", true);
 

toolkit/components/antitracking/test/browser/browser.ini

@@ -153,3 +153,4 @@ support-files =
   !/browser/components/originattributes/test/browser/file_thirdPartyChild.worker.request.html
   !/browser/components/originattributes/test/browser/file_thirdPartyChild.worker.xhr.html
   !/browser/components/originattributes/test/browser/file_thirdPartyChild.xhr.html
+[browser_staticPartition_network.js]

toolkit/components/antitracking/test/browser/browser_networkIsolation.js

@@ -45,6 +45,7 @@ add_task(async function() {
       ["privacy.trackingprotection.enabled", false],
       ["privacy.trackingprotection.pbmode.enabled", false],
       ["privacy.trackingprotection.annotate_channels", true],
+      ["privacy.partition.network_state", false],
     ],
   });
 

toolkit/components/antitracking/test/browser/browser_staticPartition_network.js

@@ -0,0 +1,108 @@
+function altSvcCacheKeyIsolated(parsed) {
+  return parsed.length > 5 && parsed[5] == "I";
+}
+
+function altSvcPartitionKey(key) {
+  let parts = key.split(":");
+  return parts[parts.length - 1];
+}
+
+const gHttpHandler = Cc["@mozilla.org/network/protocol;1?name=http"].getService(
+  Ci.nsIHttpProtocolHandler
+);
+
+add_task(async function() {
+  info("Starting tlsSessionTickets test");
+
+  await SpecialPowers.flushPrefEnv();
+  await SpecialPowers.pushPrefEnv({
+    set: [
+      ["browser.cache.disk.enable", false],
+      ["browser.cache.memory.enable", false],
+      ["network.cookie.cookieBehavior", Ci.nsICookieService.BEHAVIOR_ACCEPT],
+      ["network.http.altsvc.proxy_checks", false],
+      ["privacy.trackingprotection.enabled", false],
+      ["privacy.trackingprotection.pbmode.enabled", false],
+      ["privacy.trackingprotection.annotate_channels", false],
+      ["privacy.partition.network_state", true],
+      ["privacy.partition.network_state.connection_with_proxy", true],
+    ],
+  });
+
+  info("Creating a new tab");
+  let tab = BrowserTestUtils.addTab(gBrowser, TEST_TOP_PAGE);
+  gBrowser.selectedTab = tab;
+
+  let browser = gBrowser.getBrowserForTab(tab);
+  await BrowserTestUtils.browserLoaded(browser);
+
+  const thirdPartyURL =
+    "https://tlsresumptiontest.example.org/browser/toolkit/components/antitracking/test/browser/empty-altsvc.js";
+  const partitionKey1 = "^partitionKey=%28http%2Cexample.net%29";
+  const partitionKey2 = "^partitionKey=%28http%2Cmochi.test%29";
+
+  function checkAltSvcCache(keys) {
+    let arr = gHttpHandler.altSvcCacheKeys;
+    is(
+      arr.length,
+      keys.length,
+      "Found the expected number of items in the cache"
+    );
+    for (let i = 0; i < arr.length; ++i) {
+      is(
+        altSvcPartitionKey(arr[i]),
+        keys[i],
+        "Expected top window origin found in the Alt-Svc cache key"
+      );
+    }
+  }
+
+  checkAltSvcCache([]);
+
+  info("Loading something in the tab");
+  await SpecialPowers.spawn(browser, [{ thirdPartyURL }], async function(obj) {
+    dump("AAA: " + content.window.location.href + "\n");
+    let src = content.document.createElement("script");
+    let p = new content.Promise(resolve => {
+      src.onload = resolve;
+    });
+    content.document.body.appendChild(src);
+    src.src = obj.thirdPartyURL;
+    await p;
+  });
+
+  checkAltSvcCache([partitionKey1]);
+
+  info("Creating a second tab");
+  let tab2 = BrowserTestUtils.addTab(gBrowser, TEST_TOP_PAGE_6);
+  gBrowser.selectedTab = tab2;
+
+  let browser2 = gBrowser.getBrowserForTab(tab2);
+  await BrowserTestUtils.browserLoaded(browser2);
+
+  info("Loading something in the second tab");
+  await SpecialPowers.spawn(browser2, [{ thirdPartyURL }], async function(obj) {
+    let src = content.document.createElement("script");
+    let p = new content.Promise(resolve => {
+      src.onload = resolve;
+    });
+    content.document.body.appendChild(src);
+    src.src = obj.thirdPartyURL;
+    await p;
+  });
+
+  checkAltSvcCache([partitionKey2, partitionKey1]);
+
+  info("Removing the tabs");
+  BrowserTestUtils.removeTab(tab);
+  BrowserTestUtils.removeTab(tab2);
+});
+
+add_task(async function() {
+  info("Cleaning up.");
+  await new Promise(resolve => {
+    Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value =>
+      resolve()
+    );
+  });
+});