Bug 1702417: Do not subject webrtc media connections to mixed content blocking. r=mixedpuppy,freddyb

Differential Revision: https://phabricator.services.mozilla.com/D124201
2021-09-13 18:20:10 +00:00 · 2021-09-13 18:20:10 +00:00 · f163bbb0d8
--- a/dom/media/webrtc/transport/ipc/WebrtcTCPSocket.cpp
+++ b/dom/media/webrtc/transport/ipc/WebrtcTCPSocket.cpp
@ -417,7 +417,8 @@ nsresult WebrtcTCPSocket::OpenWithHttpProxy() {
          // We need this flag to allow loads from any origin since this channel
          // is being used to CONNECT to an HTTP proxy.
          nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULL,
-      nsIContentPolicy::TYPE_OTHER, getter_AddRefs(localChannel));
+      nsIContentPolicy::TYPE_PROXIED_WEBRTC_MEDIA,
+      getter_AddRefs(localChannel));
  if (NS_FAILED(rv)) {
    LOG(("WebrtcTCPSocket %p: bad open channel\n", this));
    return rv;
--- a/dom/security/nsMixedContentBlocker.cpp
+++ b/dom/security/nsMixedContentBlocker.cpp
@ -503,6 +503,11 @@ nsresult nsMixedContentBlocker::ShouldLoad(bool aHadInsecureImageRedirect,
  // properties as WebSockets w.r.t. mixed content. XHR's handling of redirects
  // amplifies these concerns.
  //
+  // TYPE_PROXIED_WEBRTC_MEDIA: Ordinarily, webrtc uses low-level sockets for
+  // peer-to-peer media, which bypasses this code entirely. However, when a
+  // web proxy is being used, the TCP and TLS webrtc connections are routed
+  // through the web proxy (using HTTP CONNECT), which causes these connections
+  // to be checked. We just skip mixed content blocking in that case.

  switch (contentType) {
    // The top-level document cannot be mixed content by definition
@ -529,6 +534,13 @@ nsresult nsMixedContentBlocker::ShouldLoad(bool aHadInsecureImageRedirect,
      return NS_OK;
      break;

+    // It does not make sense to subject webrtc media connections to mixed
+    // content blocking, since those connections are peer-to-peer and will
+    // therefore almost never match the origin.
+    case ExtContentPolicy::TYPE_PROXIED_WEBRTC_MEDIA:
+      *aDecision = ACCEPT;
+      return NS_OK;
+
    // Static display content is considered moderate risk for mixed content so
    // these will be blocked according to the mixed display preference
    case ExtContentPolicy::TYPE_IMAGE:
@ -563,7 +575,6 @@ nsresult nsMixedContentBlocker::ShouldLoad(bool aHadInsecureImageRedirect,
    case ExtContentPolicy::TYPE_XSLT:
    case ExtContentPolicy::TYPE_OTHER:
    case ExtContentPolicy::TYPE_SPECULATIVE:
-    case ExtContentPolicy::TYPE_PROXIED_WEBRTC_MEDIA:
      break;

    case ExtContentPolicy::TYPE_INVALID: