HSTS priming changes the order of mixed-content blocking and HSTS
upgrades, and adds a priming request to check if a mixed-content load is
accesible over HTTPS and the server supports upgrading via the
Strict-Transport-Security header.
Every call site that uses AsyncOpen2 passes through the mixed-content
blocker, and has a LoadInfo. If the mixed-content blocker marks the load as
needing HSTS priming, nsHttpChannel will build and send an HSTS priming
request on the same URI with the scheme upgraded to HTTPS. If the server
allows the upgrade, then channel performs an internal redirect to the HTTPS URI,
otherwise use the result of mixed-content blocker to allow or block the
load.
nsISiteSecurityService adds an optional boolean out parameter to
determine if the HSTS state is already cached for negative assertions.
If the host has been probed within the previous 24 hours, no HSTS
priming check will be sent.
MozReview-Commit-ID: ES1JruCtDdX
--HG--
extra : rebase_source : 2ac6c93c49f2862fc0b9e595eb0598cd1ea4bedf
Most calls to MaybeDestroy() have their return value checked, but those that
take a T__None argument legitimately don't. Coverity gets upset by this, so
let's cast those calls to void to make Coverity happier.
--HG--
extra : rebase_source : 798c852371a682372c61cae953cc13c160b9ff9a
Passes the profile dir to the content process as a -profile CLI
option so that the correct profile dir can be used in the OS X content
sandbox rules. Only enabled on OS X for now.
On Nightly, profile directories will now be read/write protected
from the content process (apart from a few profile subdirectories) even
when they don't reside in ~/Library.
xpcshell tests invoke the content process without providing a
profile directory. In that case, we don't need to add filesystem
profile dir. read/write exclusion rules to the sandbox.
This patch adds two new macros to the content sandbox rule set:
|profileDir| holds the path to the profile or the emptry string;
|hasProfileDir| is a boolean (1 or 0) that indicates whether or
not the profile directory rules should be added. If |hasProfileDir|
is 0, profile directory exclusion rules don't need to be added
and |profileDir| is not used.
MozReview-Commit-ID: rrTcQwTNdT
--HG--
extra : rebase_source : 3d5b612c8eb3a1d0da028eba277cd9d6f0c9ac00
This change avoids lots of false positives for Coverity's CHECKED_RETURN
warning, caused by NS_WARN_IF's current use in both statement-style and
expression-style.
In the case where the code within the NS_WARN_IF has side-effects, I made the
following change.
> NS_WARN_IF(NS_FAILED(FunctionWithSideEffects()));
> -->
> Unused << NS_WARN_IF(NS_FAILED(FunctionWithSideEffects()));
In the case where the code within the NS_WARN_IF lacks side-effects, I made the
following change.
> NS_WARN_IF(!condWithoutSideEffects);
> -->
> NS_WARNING_ASSERTION(condWithoutSideEffects, "msg");
This has two improvements.
- The condition is not evaluated in non-debug builds.
- The sense of the condition is inverted to the familiar "this condition should
be true" sense used in assertions.
A common variation on the side-effect-free case is the following.
> nsresult rv = Fn();
> NS_WARN_IF_(NS_FAILED(rv));
> -->
> DebugOnly<nsresult rv> = Fn();
> NS_WARNING_ASSERTION(NS_SUCCEEDED(rv), "Fn failed");
--HG--
extra : rebase_source : 58788245021096efa8372a9dc1d597a611d45611
The IPDL compiler generates code like this in DestroySubtree methods:
// Recursively shutting down PAPZ kids
nsTArray<PAPZChild*> kids((mManagedPAPZChild).Count());
// Accumulate kids into a stable structure to iterate over
ManagedPAPZChild(kids);
for (uint32_t i = 0; (i) < ((kids).Length()); (++(i))) {
// Guarding against a child removing a sibling from the list during the iteration.
if ((mManagedPAPZChild).Contains(kids[i])) {
(kids[i])->DestroySubtree(subtreewhy);
}
}
There are three problems with this code:
1) We initialize |kids| with a capacity, which is wasted work;
ManagedPAPZChild() is going to resize the array for us anyway.
2) We're constantly reading from |kids.Length()| in the loop, when we
only really need to read from it once.
3) We're repeatedly accessing kids[i], and doing needless bounds checks.
Let's fix those three problems.
For better or worse, the IPDL compiler, for protocols that send or
receive arrays, generates Write methods for transferring those arrays,
rather than going through the standard ParamTraits specializations.
These generated methods perform unnecessary bounds checks when accessing
elements; such checks can be safely bypassed because we know the exact
length of all the arrays involved. (Some compilers are not smart enough
to eliminate the bounds checks on their own.)
For better or worse, the IPDL compiler, for protocols that send or
receive arrays, generates Read methods for transferring those arrays,
rather than going through the standard ParamTraits specializations.
These generated methods perform unnecessary bounds checks when accessing
elements; such checks can be safely bypassed because we know the exact
length of all the arrays involved. (Some compilers are not smart enough
to eliminate the bounds checks on their own.)
This addition makes many of the upcoming patches significantly easier to
write, and enables us to avoid unpleasantness trying to fiddle with
ipdl.py's notions of C++ types. (For instance, there's no good way,
when you have a type in-hand, to say the moral equivalent of
std::add_pointer<T>::type.)
The only thing we needed opened actor tracking for was the ability to
clone all the actors. But now that we no longer have support for
cloning actors, we no longer need to track the actors that we've cloned,
which makes a number of things significantly simpler.
CloneOpenedToplevels, which is never called, is the only interesting
caller of CloneToplevel. And CloneToplevel, in turn, is the only
interesting caller of CloneManagees. Which means we can ditch all this
code for a decent amount of space savings, both in code and writable
static data (no more useless virtual function entries in vtables).
The new name makes the sense of the condition much clearer. E.g. compare:
NS_WARN_IF_FALSE(!rv.Failed());
with:
NS_WARNING_ASSERTION(!rv.Failed());
The new name also makes it clearer that it only has effect in debug builds,
because that's standard for assertions.
--HG--
extra : rebase_source : 886e57a9e433e0cb6ed635cc075b34b7ebf81853
Check if the buffers iterator was never consumed. This is a regression
introduced when converting ipc to use BufferList in bug 1262671.
MozReview-Commit-ID: LWAoVlI5CKJ
--HG--
extra : rebase_source : c4f16f4f90f56153c10cf1d9113c4c55748595f0
Changing classes to `final` avoids complaints about deleting a class with
virtual functions. Making destructors private avoids static_asserts from
XPCOM code about refcounted classes with public destructors.
MozReview-Commit-ID: IiPrZln1wvj
--HG--
extra : rebase_source : 5d70eea909e9d8c7f191c465b700b778b7ff564c
Passes the profile dir to the content process as a -profile CLI option so
that the correct profile dir can be used in the OS X content sandbox rules.
Only enabled on OS X for now.
On Nightly, profile directories will now be read/write protected from the
content process (apart from a few profile subdirectories) even when they
don't reside in ~/Library.
MozReview-Commit-ID: rrTcQwTNdT
--HG--
extra : rebase_source : d91d8939cabb0eed36b640766756548a790a301c
We install mozilla/mscom/Utils.h, but include it with an all-lowercased
path in some places. clang-cl warns about this, and even though this is
Windows-only code and will therefore work, it's better to make
everything consistent.
The standard placement new function requires a null check, implicitly
generated by the compiler, on its returned value. For places we know
don't deal with null pointers, such as all the generated methods of IPDL
code, we can use an overloaded operator new that doesn't require the
null check.
Josh Matthews
Carsten "Tomcat" Book
Tooru Fujisawa
Wes Kocher
Nathan Froyd
Aaron Klotz
Kate McKinley
Makoto Kato
Ehsan Akhgari
David Anderson
Andrea Marchesini
Ting-Yu Chou
Christoph Kerschbaumer
Nicholas Nethercote
Bill McCloskey
Haik Aftandilian
Kacper Michajlow
Alexandre Lissy
Bob Owen
Cykesiopka
Nathan Froyd
Kan-Ru Chen
Ryan VanderMeulen