From f163bbb0d8470f7ba10ed0d3080ea8739392f075 Mon Sep 17 00:00:00 2001 From: Byron Campen Date: Mon, 13 Sep 2021 18:20:10 +0000 Subject: [PATCH] Bug 1702417: Do not subject webrtc media connections to mixed content blocking. r=mixedpuppy,freddyb Differential Revision: https://phabricator.services.mozilla.com/D124201 --- dom/media/webrtc/transport/ipc/WebrtcTCPSocket.cpp | 3 ++- dom/security/nsMixedContentBlocker.cpp | 13 ++++++++++++- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/dom/media/webrtc/transport/ipc/WebrtcTCPSocket.cpp b/dom/media/webrtc/transport/ipc/WebrtcTCPSocket.cpp index 57b6b65141bc..26a883cece75 100644 --- a/dom/media/webrtc/transport/ipc/WebrtcTCPSocket.cpp +++ b/dom/media/webrtc/transport/ipc/WebrtcTCPSocket.cpp @@ -417,7 +417,8 @@ nsresult WebrtcTCPSocket::OpenWithHttpProxy() { // We need this flag to allow loads from any origin since this channel // is being used to CONNECT to an HTTP proxy. nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULL, - nsIContentPolicy::TYPE_OTHER, getter_AddRefs(localChannel)); + nsIContentPolicy::TYPE_PROXIED_WEBRTC_MEDIA, + getter_AddRefs(localChannel)); if (NS_FAILED(rv)) { LOG(("WebrtcTCPSocket %p: bad open channel\n", this)); return rv; diff --git a/dom/security/nsMixedContentBlocker.cpp b/dom/security/nsMixedContentBlocker.cpp index 88c8dd0ec28d..9b199a5d9b56 100644 --- a/dom/security/nsMixedContentBlocker.cpp +++ b/dom/security/nsMixedContentBlocker.cpp @@ -503,6 +503,11 @@ nsresult nsMixedContentBlocker::ShouldLoad(bool aHadInsecureImageRedirect, // properties as WebSockets w.r.t. mixed content. XHR's handling of redirects // amplifies these concerns. // + // TYPE_PROXIED_WEBRTC_MEDIA: Ordinarily, webrtc uses low-level sockets for + // peer-to-peer media, which bypasses this code entirely. However, when a + // web proxy is being used, the TCP and TLS webrtc connections are routed + // through the web proxy (using HTTP CONNECT), which causes these connections + // to be checked. We just skip mixed content blocking in that case. switch (contentType) { // The top-level document cannot be mixed content by definition @@ -529,6 +534,13 @@ nsresult nsMixedContentBlocker::ShouldLoad(bool aHadInsecureImageRedirect, return NS_OK; break; + // It does not make sense to subject webrtc media connections to mixed + // content blocking, since those connections are peer-to-peer and will + // therefore almost never match the origin. + case ExtContentPolicy::TYPE_PROXIED_WEBRTC_MEDIA: + *aDecision = ACCEPT; + return NS_OK; + // Static display content is considered moderate risk for mixed content so // these will be blocked according to the mixed display preference case ExtContentPolicy::TYPE_IMAGE: @@ -563,7 +575,6 @@ nsresult nsMixedContentBlocker::ShouldLoad(bool aHadInsecureImageRedirect, case ExtContentPolicy::TYPE_XSLT: case ExtContentPolicy::TYPE_OTHER: case ExtContentPolicy::TYPE_SPECULATIVE: - case ExtContentPolicy::TYPE_PROXIED_WEBRTC_MEDIA: break; case ExtContentPolicy::TYPE_INVALID: