Bug 1800971 - Limit windows-sso to the default container tab by default r=mkaply,edgul

This patch adds a check for the pref `network.http.windows-sso.container-enabled.{containerID}`. We also default the pref for the no-container userContextId to true. Differential Revision: https://phabricator.services.mozilla.com/D174751
2023-04-05 14:54:26 +00:00 · 2023-04-05 14:54:26 +00:00 · ebd2be7cc1
--- a/modules/libpref/init/StaticPrefList.yaml
+++ b/modules/libpref/init/StaticPrefList.yaml
@ -11441,6 +11441,14 @@
  value: false
  mirror: always

+# Whether windows-sso is enabled for the default (0) container.
+# To enable SSO for additional containers, add a new pref like
+# `network.http.windows-sso.container-enabled.${containerId}` = true
+- name: network.http.windows-sso.container-enabled.0
+  type: bool
+  value: true
+  mirror: never
+
 # The factor by which to increase the keepalive timeout when the
 # NS_HTTP_LARGE_KEEPALIVE flag is used for a connection
 - name: network.http.largeKeepaliveFactor
--- a/netwerk/protocol/http/nsHttpChannel.cpp
+++ b/netwerk/protocol/http/nsHttpChannel.cpp
@ -431,6 +431,22 @@ nsresult nsHttpChannel::PrepareToConnect() {
  AddCookiesToRequest();

 #ifdef XP_WIN
+
+  auto prefEnabledForCurrentContainer = [&]() {
+    uint32_t containerId = mLoadInfo->GetOriginAttributes().mUserContextId;
+    // Make sure that the default container ID is 0
+    static_assert(nsIScriptSecurityManager::DEFAULT_USER_CONTEXT_ID == 0);
+    nsPrintfCString prefName("network.http.windows-sso.container-enabled.%u",
+                             containerId);
+
+    bool enabled = false;
+    Preferences::GetBool(prefName.get(), &enabled);
+
+    LOG(("Pref for %s is %d\n", prefName.get(), enabled));
+
+    return enabled;
+  };
+
  // If Windows 10 SSO is enabled, we potentially add auth information to
  // secure top level loads (DOCUMENTs) and iframes (SUBDOCUMENTs) that
  // aren't anonymous or private browsing.
@ -438,8 +454,9 @@ nsresult nsHttpChannel::PrepareToConnect() {
      mURI->SchemeIs("https") && !(mLoadFlags & LOAD_ANONYMOUS) &&
      !mPrivateBrowsing) {
    ExtContentPolicyType type = mLoadInfo->GetExternalContentPolicyType();
-    if (type == ExtContentPolicy::TYPE_DOCUMENT ||
-        type == ExtContentPolicy::TYPE_SUBDOCUMENT) {
+    if ((type == ExtContentPolicy::TYPE_DOCUMENT ||
+         type == ExtContentPolicy::TYPE_SUBDOCUMENT) &&
+        prefEnabledForCurrentContainer()) {
      AddWindowsSSO(this);
    }
  }