There's no use case for stateful comparators, so they can be just plain
function pointers.
This is used in some hot places like CSS selector matching.
Differential Revision: https://phabricator.services.mozilla.com/D77084
Before 1496578, URIFixup::keywordToURI used to do a synchronous IPC call to be
able to access search engines from the content process. Consumers of URIFixup
didn't care. Bug 1496578 moved the IPC messaging to the callers, in particular
nsDocShell, but assumed nsDocShellLoadState wasn't loading from content.
It looks like in some cases it does, so this adds another sync IPC call for
GetFixupURIInfo.
The total numer of sync IPCs should not change from before Bug 1496578, URIFIxup
was just doing it internally, while now it happens at the call point.
Note the long term plan would be for these docshell objects callers to just
handle URIs, while the UI code should do fixup.
Bug 1375244 tracks the removal of these sync IPC messages.
Differential Revision: https://phabricator.services.mozilla.com/D70607
--HG--
extra : moz-landing-system : lando
Disables FTP protocol handler on nightly. FTP scheme is handled by external protocol handler if it isn't explicitly disabled with preference network.protocol-handler.external.ftp = false.
Differential Revision: https://phabricator.services.mozilla.com/D68974
--HG--
extra : moz-landing-system : lando
Adds an infallable boolean attribute to nsIPrincipal that indicates whether
the principal's host is an IP address.
Adds a gtest to exercise that part of the nsIPrincipal.
/**
* Returns if the principal is an IP address.
*/
[infallible] readonly attribute boolean isIpAddress;
Differential Revision: https://phabricator.services.mozilla.com/D63966
--HG--
extra : moz-landing-system : lando
After this change we can restrict contentSecurityPolicyAllows callbacks to just strings, because everything
else is excluded before calling that callback.
Differential Revision: https://phabricator.services.mozilla.com/D62794
--HG--
extra : moz-landing-system : lando
After this change we can restrict contentSecurityPolicyAllows callbacks to just strings, because everything
else is excluded before calling that callback.
Differential Revision: https://phabricator.services.mozilla.com/D62794
--HG--
extra : moz-landing-system : lando
This is generally pretty straightforward, and rewrites nearly all calls. It
skips the ones that it can detect using frame script globals like
`sendAsyncMessage`, though.
Differential Revision: https://phabricator.services.mozilla.com/D53740
--HG--
extra : moz-landing-system : lando
CheckMayLoadAndReport takes a window ID. This allows us to report
errors from it to the web console as needed. Most consumers know statically
whether they want reporting or not, so there's no reason to force the ones that
don't to provide window ids.
Differential Revision: https://phabricator.services.mozilla.com/D56388
--HG--
extra : moz-landing-system : lando
This will allow the errors reported via this method to show up in the web console as needed.
Differential Revision: https://phabricator.services.mozilla.com/D56386
--HG--
extra : moz-landing-system : lando
I falsely did set the ReportError flag to aRes instead of false, which was flooding the console.
Differential Revision: https://phabricator.services.mozilla.com/D56379
--HG--
extra : moz-landing-system : lando
CheckMayLoadAndReport takes a window ID. This allows us to report
errors from it to the web console as needed. Most consumers know statically
whether they want reporting or not, so there's no reason to force the ones that
don't to provide window ids.
Differential Revision: https://phabricator.services.mozilla.com/D56388
--HG--
extra : moz-landing-system : lando
This will allow the errors reported via this method to show up in the web console as needed.
Differential Revision: https://phabricator.services.mozilla.com/D56386
--HG--
extra : moz-landing-system : lando
This is generally pretty straightforward, and rewrites nearly all calls. It
skips the ones that it can detect using frame script globals like
`sendAsyncMessage`, though.
Differential Revision: https://phabricator.services.mozilla.com/D53740
--HG--
extra : moz-landing-system : lando
This is generally pretty straightforward, and rewrites nearly all calls. It
skips the ones that it can detect using frame script globals like
`sendAsyncMessage`, though.
Differential Revision: https://phabricator.services.mozilla.com/D53740
--HG--
extra : moz-landing-system : lando
This is generally pretty straightforward, and rewrites nearly all calls. It
skips the ones that it can detect using frame script globals like
`sendAsyncMessage`, though.
Differential Revision: https://phabricator.services.mozilla.com/D53740
--HG--
extra : moz-landing-system : lando
The inclusions were removed with the following very crude script and the
resulting breakage was fixed up by hand. The manual fixups did either
revert the changes done by the script, replace a generic header with a more
specific one or replace a header with a forward declaration.
find . -name "*.idl" | grep -v web-platform | grep -v third_party | while read path; do
interfaces=$(grep "^\(class\|interface\).*:.*" "$path" | cut -d' ' -f2)
if [ -n "$interfaces" ]; then
if [[ "$interfaces" == *$'\n'* ]]; then
regexp="\("
for i in $interfaces; do regexp="$regexp$i\|"; done
regexp="${regexp%%\\\|}\)"
else
regexp="$interfaces"
fi
interface=$(basename "$path")
rg -l "#include.*${interface%%.idl}.h" . | while read path2; do
hits=$(grep -v "#include.*${interface%%.idl}.h" "$path2" | grep -c "$regexp" )
if [ $hits -eq 0 ]; then
echo "Removing ${interface} from ${path2}"
grep -v "#include.*${interface%%.idl}.h" "$path2" > "$path2".tmp
mv -f "$path2".tmp "$path2"
fi
done
fi
done
Differential Revision: https://phabricator.services.mozilla.com/D55443
--HG--
extra : moz-landing-system : lando
`CreateSuffix` is irreversible by `PopulateFromSuffix` because it uses a multi-to-one mapping.
Since only ':' will happen in a IPv6 format, we can make it a 1-to-1 mapping so that the `firstPartyDomain` is consistent after `CreateSuffix` and `PopulateFromSuffix`.
Differential Revision: https://phabricator.services.mozilla.com/D47910
--HG--
extra : moz-landing-system : lando
This change means fewer temporary objects, particularly `nsCString` objects.
Depends on D55688
Differential Revision: https://phabricator.services.mozilla.com/D55689
--HG--
extra : moz-landing-system : lando
By declaring the individual enum types to fit in a `uint8_t`, and
rearranging the templated `KeyValT` struct, we can pack `KeyValT`
to save a word of storage.
Differential Revision: https://phabricator.services.mozilla.com/D55687
--HG--
extra : moz-landing-system : lando
XPConnect calls this method during shutdown after the pointer to the
singleton nsScriptSecurityManager has been cleared, so it is actually
calling it with a null |this|. Nobody noticed this because it isn't
actually using |this|. This patch turns it into a static method to
make the sanitizers happy.
Differential Revision: https://phabricator.services.mozilla.com/D54846
--HG--
extra : moz-landing-system : lando
This way we get the correct values for start-up prefs in the parent process.
Differential Revision: https://phabricator.services.mozilla.com/D51061
--HG--
extra : moz-landing-system : lando
This way we get the correct values for start-up prefs in the parent process.
Differential Revision: https://phabricator.services.mozilla.com/D51061
--HG--
extra : moz-landing-system : lando
Lots of these callbacks have a non-`void*` final parameter, which UBSAN
complains about. This commit changes them to have a `void*` parameter.
This requires undoing the machinery added in the first two commits of bug
1473631: `TypePrefChangeFunc` and `PREF_CHANGE_METHOD`. The resulting code is
simpler (which is good) and more boilerplate-y (which is bad) but avoids the
undefined behaviour (which is good).
Differential Revision: https://phabricator.services.mozilla.com/D50901
--HG--
extra : moz-landing-system : lando
This patch adds support for including content_scripts CSP in the extensions
manifest, along with all interfaces necessary to access the CSP value. This does not
implement actual use of the CSP for content scripts.
Differential Revision: https://phabricator.services.mozilla.com/D46824
--HG--
extra : moz-landing-system : lando
In this patch, we add the propagation of the first party domain through
the tabContext while creating OOP browsers. In the window.open() case,
we will propagate the first party domain from the opener's browser parent.
And in the frame case, we will propagate it from the manager of the
browserBridgeParent of the OOP frame.
Differential Revision: https://phabricator.services.mozilla.com/D49886
--HG--
extra : moz-landing-system : lando
`CreateSuffix` is irreversible by `PopulateFromSuffix` because it uses a multi-to-one mapping.
Since only ':' will happen in a IPv6 format, we can make it a 1-to-1 mapping so that the `firstPartyDomain` is consistent after `CreateSuffix` and `PopulateFromSuffix`.
Differential Revision: https://phabricator.services.mozilla.com/D47910
--HG--
extra : moz-landing-system : lando
Please note that it is the first reformat with clang-format 9
I only saw a fix in the .mm file
# ignore-this-changeset
Differential Revision: https://phabricator.services.mozilla.com/D49056
--HG--
extra : moz-landing-system : lando
Add a new FIXUP_FLAG_PRIVATE_CONTEXT to nsIURIFixup, make it use the default
private search engine when it's set.
Update consumers to pass the new flag when necessary.
Differential Revision: https://phabricator.services.mozilla.com/D48741
--HG--
extra : moz-landing-system : lando
This patch does several things. Because Workers aren't on the main thread,
many of the things done are in the name of off main thread access.
1) Changes a parameter in IsEvalAllowed from a nsIPrincipal to a bool.
We only used the principal to determined if it was the System Principal.
Principals aren't thread safe and can only be accessed on Main Thread, so
if we passed a Principal in, we would be in error. Instead only pass in
the bool which - for workers - comes from a thread-safe location.
2) Separates out the Telemetry Event Recording and sending a message to the
console into a new function nsContentSecurityUtils::NotifyEvalUsage. (And
creates a runnable that calls it.)
We do this because we will need to only call this method on the main thread.
Telemetry Event Recording has only ever been called on the Main Thread.
While I possibly-successfully cut it over to happen Off Main Thread (OMT)
by porting preferences to StaticPrefs, I don't know if there were other
threading assumptions in the Telemetry Code. So it would be much safer to
just continue recording Event Telemetry on the main thread.
Sending a message to the console requires calling GetStringBundleService()
which requires main thread. I didn't investigate if this could be made
thread-safe, I just threw it onto the main thread too.
If, in IsEvalAllowed, we are on the main thread - we call NotifyEvalUsage
directly. If we are not, we create a runnable which will then call
NotifyEvalUsage for us on the main thread.
3) Ports allow_eval_with_system_principal and allow_eval_in_parent_process
from bools to RelaxedAtomicBool - because we now check these prefs OMT.
4) In RuntimeService.cpp, adds the call to IsEvalAllowed.
5) Add resource://gre/modules/workers/require.js to the allowlist of eval
usage. This was the script that identified this gap in the first place.
It uses eval (twice) for structural reasons (scope and line number
massaging.) The contents of the eval are the result of a request to a
uri (which may be internal, like resource://). The whole point of this
is to implement a CommonJS require() api.
This usage of eval is safe because the only way an attacker can inject
into it is by either controlling the response of the uri request or
controlling (or appending to) the argument. If they can do that, they
are able to inject script into Firefox even if we cut this usage of eval
over to some other type of safe(r) script loader.
Bug 1584564 tracks making sure calls to require.js are safe.
6) Adds cld-worker.js to the allowlist. Bug 1584605 is for refactoring that
eval usage, which is decidedly non-trivial.
7) Does _not_ enforce the eval restrictions for workers. While I've gotten
try to be green and not throw up any instances of eval-usage by workers,
it is much safer to deploy this is Telemetry-only mode for Workers for
a little bit to see if anything pops up from the Nightly population.
Bug 1584602 is for enforcing the checks.
Differential Revision: https://phabricator.services.mozilla.com/D47480
--HG--
extra : moz-landing-system : lando
Andrea Marchesini
Masatoshi Kimura
Emilio Cobos Álvarez
Liang-Heng Chen
Sebastian Streich
Mihai Alexandru Michis
Dimi Lee
ssengupta
Sebastian Hengst
Dorel Luca
Stefan Hindli
Andreea Pavel
Noemi Erli
Christoph Kerschbaumer
Marco Bonardo
Cosmin Sabou
Michal Novotny
Mike Conley
Oana Pop Rus
sonakshi
Razvan Maries
Brindusan Cristian
Daniel Varga
Mark Banner
J.C. Jones
Tom Schuster
Bogdan Tara
Tom Ritter
Simon Giesecke
Sylvestre Ledru
Jonathan Kingston
Kris Maglione
Boris Zbarsky
Ciure Andrei
Gabriele Svelto
Emma Malysz
Nathan Froyd
Andrew McCreight
Gurzau Raul
Jan de Mooij
Nicholas Nethercote
Shane Caraveo
Paul Zuehlcke
Tim Huang