Carsten "Tomcat" Book
921f2dc51d
Merge mozilla-central to mozilla-inbound
...
--HG--
extra : amend_source : 754a1f5236bea4ec4fcaac985945aa89f6c29769
2016-10-20 16:50:23 +02:00
Kate McKinley
26490f6904
Bug 1310955 - Fix nsSiteSecurityService cache retrieval r=ckerschb,keeler
...
MozReview-Commit-ID: 55DpKrqcL1x
--HG--
extra : rebase_source : 5e068cc70c45dd1844a0e59559875cde659f202a
2016-10-18 20:09:15 +09:00
Phil Ringnalda
6c91017f20
Merge m-i to m-c, a=merge
...
MozReview-Commit-ID: FA9OZyjP59N
2016-10-18 19:36:18 -07:00
Ehsan Akhgari
f13c011369
Bug 1310895 - Remove support for app default and manifest CSP enforcement; r=baku
2016-10-18 09:40:41 -04:00
Kate McKinley
5b82359aa3
Bug 1305993 - Break tests up to avoid timeouts r=philor
...
MozReview-Commit-ID: 8y2gwNjnEnT
--HG--
extra : rebase_source : c24354dd7c60064b38bbbad067806d3c0a52c690
2016-10-07 17:19:38 +09:00
Christoph Kerschbaumer
066a3827af
Bug 1307321 - Use correct length of CSP report when sending violations. r=jrgm,freddyb
2016-10-14 20:07:32 +02:00
Sebastian Hengst
24324313f6
Backed out changeset f443b21ba9de (bug 1307321) for unexpected passing of scripthash-unicode-normalization.sub.html. r=backout
2016-10-14 17:51:22 +02:00
Christoph Kerschbaumer
0341cd9771
Bug 1307321 - Use correct length of CSP report when sending violations. r=jrgm,freddyb
2016-10-14 15:23:24 +02:00
Ehsan Akhgari
9de6bbbaec
Bug 1261019 - Part 3: Remove Navigator.mozApps and code depending on it; r=myk,jryans,fabrice,mcmanus,peterv
2016-10-13 13:18:41 -04:00
Andrea Marchesini
793b227795
Bug 1309818 - Fixing some warning when compiling dom/*, r=smaug
2016-10-13 14:33:07 +02:00
Steven Englehardt
f4e92ab657
Bug 1277803 - Part 5 : A test to verify the loadingPrincipal of favicon loads. r=ckerschb
2016-10-13 15:44:00 +08:00
Tim Huang
372ec56ff4
Bug 1277803 - Part 1 : Add a new ContentPolicy TYPE_INTERNAL_IMAGE_FAVICON for indicating a favicon loading. r=ckerschb
2016-10-13 15:43:54 +08:00
Wes Kocher
2142de26c1
Backed out 8 changesets (bug 1277803) for browser-chrome test failures a=backout
...
Backed out changeset 477890efdb88 (bug 1277803)
Backed out changeset 49da326bfe68 (bug 1277803)
Backed out changeset 2d17a40a9077 (bug 1277803)
Backed out changeset b1cb0a195ca1 (bug 1277803)
Backed out changeset c7d82459d152 (bug 1277803)
Backed out changeset 3be9a06248af (bug 1277803)
Backed out changeset 8d119ca96999 (bug 1277803)
Backed out changeset be767a6f7ecd (bug 1277803)
2016-10-12 14:26:00 -07:00
Steven Englehardt
226661a0bc
Bug 1277803 - Part 5 : A test to verify the loadingPrincipal of favicon loads. r=ckerschb
2016-10-12 17:32:11 +08:00
Tim Huang
0ceca5575d
Bug 1277803 - Part 1 : Add a new ContentPolicy TYPE_INTERNAL_IMAGE_FAVICON for indicating a favicon loading. r=ckerschb
2016-10-12 17:32:03 +08:00
Richard Barnes
ea829544cd
Bug 1308951 - Add a pref to whitelist specific domains as SecureContexts r=ckerschb,jcj
...
MozReview-Commit-ID: AxihCLsBNRw
--HG--
extra : rebase_source : bd2800c65af839ef67f4ca9a841f08884ac9c539
2016-10-10 11:32:24 -04:00
Yoshi Huang
06ba09a073
Bug 1264137 - Part 3: perform ContentPolicy check if the load is happening on this docshell. r=bz, smaug
2016-10-07 17:40:21 +08:00
Iris Hsiao
e6ab0adc40
Backed out changeset d283c59402ce (bug 1277803)
...
CLOSED TREE
2016-10-07 11:24:08 +08:00
Iris Hsiao
596b8e86ce
Backed out changeset 76788d4f83ce (bug 1277803)
...
CLOSED TREE
2016-10-07 11:23:40 +08:00
Steven Englehardt
1925944f12
Bug 1277803 - Part 5: Add a test to verify the loadingPrincipal of favicon loads. r=ckerschb
2016-09-13 00:33:00 -04:00
Tim Huang
85a1cb6b99
Bug 1277803 - Part 1: Add a new ContentPolicy TYPE_INTERNAL_IMAGE_FAVICON for indicating a favicon loading. r=ckerschb
2016-09-07 00:38:00 -04:00
Nicolas B. Pierron
395abf823f
Bug 1288104 part 2 - Instrument SRICheckDataVerifier to load/save the computed hash from the bytecode cache. r=francois
2016-10-20 09:44:33 +00:00
Frederik Braun
ae7fb1e8d0
Bug 1279139 - require-sri-for needs to govern scriptloading for workers. r=baku
...
MozReview-Commit-ID: 3m21kbiV5qK
--HG--
extra : rebase_source : 30c784392e96c1b28c55d38959cc529093b9b568
2016-10-04 02:36:00 +02:00
Christoph Kerschbaumer
b0951acfc5
Bug 1302539 - X-Content-Type-Options: nosniff should not apply to images (temporarily). r=dveditz
2016-09-30 09:38:44 +02:00
Edgar Chen
cf7304c3c6
Bug 1306007 - Part 1: Remove srcset/picture feature control preference; r=jdm,smaug
...
MozReview-Commit-ID: BsyTHeqiGZL
--HG--
extra : rebase_source : 2add2510dbe16c641fe997a8349c1a36009bec20
2016-04-16 18:07:56 -04:00
Samriddhi Jain
40e1a53f35
Bug 1303682 - Add deprecation warning before removing 'referrer' directive from CSP. r=ckerschb
2016-09-28 20:17:18 +05:30
Thomas Wisniewski
c190891418
Bug 1303121 - Do not fire one last progress event on XHR errors, to match a spec change. r=annevk
...
--HG--
extra : rebase_source : 9a59934cfe8fc7f2ee8ef7788813f97e2355ce2a
2016-09-28 13:05:32 -04:00
Kate McKinley
c57d400961
Bug 1246540 - HSTS Priming Proof of Concept. r=ckerschb, r=mayhemer, r=jld, r=smaug, r=dkeeler, r=jmaher, p=ally
...
HSTS priming changes the order of mixed-content blocking and HSTS
upgrades, and adds a priming request to check if a mixed-content load is
accesible over HTTPS and the server supports upgrading via the
Strict-Transport-Security header.
Every call site that uses AsyncOpen2 passes through the mixed-content
blocker, and has a LoadInfo. If the mixed-content blocker marks the load as
needing HSTS priming, nsHttpChannel will build and send an HSTS priming
request on the same URI with the scheme upgraded to HTTPS. If the server
allows the upgrade, then channel performs an internal redirect to the HTTPS URI,
otherwise use the result of mixed-content blocker to allow or block the
load.
nsISiteSecurityService adds an optional boolean out parameter to
determine if the HSTS state is already cached for negative assertions.
If the host has been probed within the previous 24 hours, no HSTS
priming check will be sent.
MozReview-Commit-ID: ES1JruCtDdX
--HG--
extra : rebase_source : 2ac6c93c49f2862fc0b9e595eb0598cd1ea4bedf
2016-09-27 11:27:00 -04:00
Xidorn Quan
f196d451ef
Bug 1304302 part 7 - Break cycle reference between SRIMetadata.h and SRICheck.h. r=smaug
...
MozReview-Commit-ID: 8UpAEXURuSg
--HG--
extra : source : 50604098e9e374611b02d82d765fa0b230d71373
2016-09-26 22:03:25 +10:00
Iris Hsiao
767e1e9b11
merge mozilla-inbound to mozilla-central a=merge
2016-09-26 18:34:20 +08:00
Kate McKinley
694c12c743
Bug 1242019 - Truncate data URIs in CSP log messages. r=ckerschb
...
MozReview-Commit-ID: DaiGESRI1rb
--HG--
extra : transplant_source : %EC%7B%3F%20O%3A%A7g%BAl%82%BC-Xg%23%84%E2%3C%EE
2016-09-12 14:30:43 -07:00
Kate McKinley
ed0b5f06ee
Bug 1271796 use raw bytes to calculate SRI hash r=francois
...
MozReview-Commit-ID: F62t5CnsYlJ
--HG--
extra : rebase_source : 9c2148ffe99a51db5541ec6d9961597b578157ae
2016-09-05 12:55:25 +02:00
Gabor Krizsanits
9f5afabda0
Bug 1294381
- Delayed process script for test_bug803225.html. r=mrbkap
2016-09-22 09:26:26 +02:00
Christoph Kerschbaumer
f41283f981
Bug 1298680 - Use uint64_t consistently for windowID within CSP. r=freddyb
2016-09-19 12:57:20 +02:00
Christoph Kerschbaumer
9f2e941749
Bug 1296027
- CSP: Include 'Source' within error message when logging to the console. r=freddyb,bgrins
2016-09-19 10:18:55 +02:00
Frederik Braun
fd99ac5cc2
Bug 1277248 - Add test to ensure that require-sri-for does not allow svg:scripts r=ckerschb
...
MozReview-Commit-ID: 1knIYZ93UeY
--HG--
extra : rebase_source : 4c1385382ecdddf80ec45d46d440b37bf4ad47c1
2016-09-13 11:05:37 +02:00
Tom Tung
db38e2111a
Bug 1187335 - P6 - Support script/css to set integrity metadata to serviceWorker. r=bkelly. r=francois.
2016-09-07 10:30:21 +08:00
Tom Tung
6f314fb375
Bug 1187335 - P3 - modify SRI test to match current behavior. r=bkelly, r=francois.
2016-05-30 12:26:56 +08:00
Tom Tung
78670a91d5
Bug 1187335 - P2 - Modify the way to report to console for worker and use LoadTainting to decide CORS or not. r=bkelly. r=francois.
2016-09-08 09:59:40 +08:00
Henry Chang
6ea7c1b598
Bug 1229639 - Part 2: Test case. r=ckerschb
...
MozReview-Commit-ID: GbofB6JoFil
--HG--
extra : rebase_source : dc4ac339817a052f687179988e28ec02764bd3e7
2016-09-06 18:30:12 +08:00
Henry Chang
f9eeeb2620
Bug 1229639 - Part 1: Match CSP host source with percent-decoded URI. r=ckerschb
...
MozReview-Commit-ID: CSGeoSR2qw8
--HG--
extra : rebase_source : f64cb0b9cab61ec09faa29139f72d28272fbbedb
2016-09-06 18:29:26 +08:00
Tom Schuster
885c81fd09
Bug 1299267 - Test for wrong mime types. r=ckerschb
2016-09-05 20:02:52 +02:00
Nicholas Nethercote
b71747b2ac
Bug 1299727 - Rename NS_WARN_IF_FALSE as NS_WARNING_ASSERTION. r=erahm.
...
The new name makes the sense of the condition much clearer. E.g. compare:
NS_WARN_IF_FALSE(!rv.Failed());
with:
NS_WARNING_ASSERTION(!rv.Failed());
The new name also makes it clearer that it only has effect in debug builds,
because that's standard for assertions.
--HG--
extra : rebase_source : 886e57a9e433e0cb6ed635cc075b34b7ebf81853
2016-09-01 15:01:16 +10:00
Nicholas Nethercote
742fc7eb48
Bug 1297961 (part 1) - Introduce nsURI::GetSpecOrDefault(). r=hurley.
...
This function is an infallible alternative to nsIURI::GetSpec(). It's useful
when it's appropriate to handle a GetSpec() failure with a failure string, e.g.
for log/warning/error messages. It allows code like this:
nsAutoCString spec;
uri->GetSpec(spec);
printf("uri: %s", spec.get());
to be changed to this:
printf("uri: %s", uri->GetSpecOrDefault().get());
This introduces a slight behavioural change. Previously, if GetSpec() failed,
an empty string would be used here. Now, "[nsIURI::GetSpec failed]" will be
produced instead. In most cases this failure string will make for a clearer
log/warning/error message than the empty string.
* * *
Bug 1297961 (part 1b) - More GetSpecOrDefault() additions. r=hurley.
I will fold this into part 1 before landing.
--HG--
extra : rebase_source : ddc19a5624354ac098be019ca13cc24b99b80ddc
2016-08-26 16:02:31 +10:00
Christoph Kerschbaumer
a80531eeb1
Bug 1298505 - CSP: Update StripURIForReporting to rely on NS_SecurityCompareURIs. r=dveditz
...
--HG--
extra : rebase_source : b3cd4f3ebed2ee079d88c896aa08e2e99e5c20a5
2016-08-27 08:30:43 +02:00
Christoph Kerschbaumer
9489473322
Bug 1297051 - Test CSPRO should not block mixed content. r=dveditz
2016-08-24 09:24:20 +02:00
Christoph Kerschbaumer
653bf080a7
Bug 1297051 - CSPRO should not block mixed content. r=dveditz
2016-08-24 09:24:55 +02:00
Christoph Kerschbaumer
4261d2f1f7
Bug 1288361 - Test block script with wrong MIME type. r=dveditz
2016-08-22 08:56:32 +02:00
Christoph Kerschbaumer
19b246a586
Bug 1290560 - Update TestCSPParser to include 'sandbox', 'require-sri' and 'report-uri' with no valid srcs. r=dveditz
2016-08-19 18:45:04 +02:00
Christoph Kerschbaumer
df1432e805
Bug 1290560 - Update CSPParser to handle 'sandbox', 'require-sri' and 'report-uri' with no valid srcs correctly. r=dveditz
2016-08-19 18:41:45 +02:00