Граф коммитов

588 Коммитов

Автор SHA1 Сообщение Дата
Yoshi Huang 9ff74a50f4 Bug 1373513 - Part 3: Revert Bug 1363634. r=ckerschb
Revert what we did in Bug 1363634, from the spec, data:text/css should be same origin.
2017-07-12 11:00:34 +08:00
Christoph Kerschbaumer 250d4b1ff8 Bug 1377426 - Set CSP on freshly created nullprincipal when iframe is sandboxed. r=dveditz 2017-07-11 08:48:37 +02:00
Sylvestre Ledru 4e9cf83ee8 Bug 1378712 - Remove all trailing whitespaces r=Ehsan
MozReview-Commit-ID: Kdz2xtTF9EG

--HG--
extra : rebase_source : 7235b3802f25bab29a8c6ba40a181a722f3df0ce
2017-07-06 14:00:35 +02:00
Bill McCloskey f115503a0b Bug 1372405 - Provide names for all runnables in the tree (r=froydnj)
MozReview-Commit-ID: DKR6ROiHRS7
2017-06-26 14:19:58 -07:00
Joel Maher a039d5288b Bug 1311239 - Intermittent dom/security/test/hsts/browser_hsts-priming_hsts_after_mixed.js. temporarily disable. r=gbrown
MozReview-Commit-ID: EWCAOjebfcH
2017-06-23 15:12:34 -04:00
Nicholas Nethercote f1364a75ea Bug 1374580 (part 3) - Remove ns{,C}Substring typedefs. r=froydnj.
All the instances are converted as follows.

- nsSubstring  --> nsAString
- nsCSubstring --> nsACString

--HG--
extra : rebase_source : cfd2238c52e3cb4d13e3bd5ddb80ba6584ab6d91
2017-06-20 19:19:52 +10:00
Nicholas Nethercote fe9268c4cd Bug 1374580 (part 2) - Remove nsAFlat{,C}String typedefs. r=froydnj.
All the instances are converted as follows.

- nsAFlatString  --> nsString
- nsAFlatCString --> nsCString

--HG--
extra : rebase_source : b37350642c58a85a08363df2e7c610873faa6e41
2017-06-20 19:19:05 +10:00
Florian Quèze 66f6d259bc Bug 1374282 - script generated patch to remove Task.jsm calls, r=Mossop. 2017-06-22 12:51:42 +02:00
Paolo Amadini 10ee6a5c4e Bug 1362970 - Part 2 - Script-generated patch to convert .then(null, ...) to .catch(...). r=florian
Changes to Promise tests designed to test .then(null) have been reverted, and the browser/extensions directory was excluded because the projects it contains have a separate process for accepting changes.

MozReview-Commit-ID: 1buqgX1EP4P

--HG--
extra : rebase_source : 3a9ea310d3e4a8642aabbc10636c04bfe2e77070
2017-06-19 11:32:37 +01:00
Kate McKinley 396962011a Bug 1363546 - Store and report HSTS upgrade source r=francois,keeler,mayhemer p=francois
Add a field to the HSTS cache which indicates the source of the HSTS
entry if known, from the preload list, organically seen header, or HSTS
priming, or unknown otherwise. Also adds telemetry to collect the source
when upgrading in NS_ShouldSecureUpgrade.

MozReview-Commit-ID: 3IwyYe3Cn73

--HG--
extra : rebase_source : 9b8daac3aa02bd7a1b4285fb1e5731a817a76b7f
2017-05-23 15:31:37 -07:00
Christoph Kerschbaumer 829704554e Bug 1370788 - Move XFO out of nsDSURIContentListener.cpp into dom/security. r=smaug 2017-06-19 06:59:44 +02:00
Yoshi Huang 5dcdd16255 Bug 1267075 - Part 1: call SetBlockedRequest when CSP check failed. r=bz
As a follow-up from bug 1206961, we will remove calling CanLoadImage in
this bug. Also in the case of CSP check failed, we will call
SetBlockedRequest in those cases.

See https://bugzilla.mozilla.org/show_bug.cgi?id=1267075#c30 for the
analysis between the old and new setup.
2017-06-16 10:12:08 +08:00
Kate McKinley 37a7ace256 Bug 1359987 - Update HSTS priming telemetry r=ckerschb,francois,mayhemer p=francois
Collect telemetry for all requests to get an exact percentage of
requests that are subject to HSTS priming, and how many result in an
HSTS Priming request being sent. Clean up telemetry to remove instances
of double counting requests if a priming request was sent.

HSTSPrimingListener::ReportTiming was using mCallback to calculate
timing telemetry, but we were calling swap() on the nsCOMPtr. Give it an
explicit argument for the callback.

Add tests for telemetry values to all of the HSTS priming tests. This
tests for the minimum as telemetry may be gathered on background or
other requests.

MozReview-Commit-ID: 5V2Nf0Ugc3r

--HG--
extra : rebase_source : daa357219a77d912a78b95a703430f39d884c6ab
2017-05-09 15:36:07 -07:00
Christoph Kerschbaumer 0d10a7c233 Bug 1024557 - Test XFO is ignored when frame-ancestors is present. r=smaug 2017-06-07 10:12:55 +02:00
Christoph Kerschbaumer 632fd14dfa Bug 1024557 - Ignore x-frame-options if CSP with frame-ancestors exists. r=smaug 2017-06-07 21:17:49 +02:00
Christoph Kerschbaumer b6b3bb161d Bug 1367531: Update CSP frame ancestors test to make sure paths are ignored. r=dveditz 2017-06-06 09:12:32 +02:00
Christoph Kerschbaumer 4956d67907 Bug 1367531: CSP should only check host (not including path) when performing frame ancestors checks. r=dveditz 2017-06-06 09:12:13 +02:00
Yoshi Huang 7aef584058 Bug 1363634 - rewrite test_style_crossdomain.html. r=ckerschb
data:text/css should be considered as a CORS request, and should be
blocked if crossorigin is not specified.
Also move the original test to test_style-crossdomain_legacy.html


--HG--
rename : dom/security/test/sri/iframe_style_crossdomain.html => dom/security/test/sri/iframe_style_crossdomain_legacy.html
2017-05-23 09:02:06 +08:00
Francois Marier c10dd4c73c Bug 1364262 - Convert SRI metadata to ASCII before parsing it. r=ckerschb
MozReview-Commit-ID: Ekw8lNzDvou

--HG--
extra : rebase_source : a2fe92e804b5b690856c44783e88d815e38e2922
2017-05-16 17:33:22 -07:00
Christoph Kerschbaumer e4f38c8d7c Bug 1362993 - Rewrite gBrowser.addTab() to use BrowserTestUtils.addTab(). r=florian 2017-05-15 21:49:50 +02:00
Birunthan Mohanathas 5e41427024 Bug 903966 - Stop blocking 'http://127.0.0.1/' as mixed content. r=ckerschb,kmckinley
According to the spec, content from loopback addresses should no longer
be treated as mixed content even in secure origins. See:
- 349501cdaa
- https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy

Note that we only whitelist '127.0.0.1' and '::1' to match Chrome 53 and
later. See:
- 130ee686fa

It is unclear if HTTPS origins should be able to use workers and WebSocket
connections through a loopback HTTP address. They are not supported in Chrome
(whether this is intentional or not is uncertain) so lets just ignore them for
now.

See also: https://github.com/w3c/web-platform-tests/pull/5304
2017-05-10 20:50:00 +03:00
Christoph Kerschbaumer 917075833b Bug 1359204 - Do not query nested URI within CheckChannel in ContentSecurityManager. r=smaug 2017-05-10 18:40:57 +02:00
Christoph Kerschbaumer b9a841105c Bug 1355801: Nonce should not apply to images tests. r=dveditz 2017-05-10 08:53:27 +02:00
Christoph Kerschbaumer e5865a7980 Bug 1355801: Nonce should only apply to script and style. r=dveditz 2017-05-10 08:52:24 +02:00
Christoph Kerschbaumer 58bdcd15b5 Bug 1345615: Disable websocket tests on android. r=test-fix 2017-04-27 17:28:13 +02:00
Dragana Damjanovic 9a3cfa6017 Bug 1334776 - Store header names into nsHttpHeaderArray. r=mcmanus 2017-04-27 16:48:36 +02:00
Christoph Kerschbaumer 62c0c912c8 Bug 1345615: Test websocket schemes when using 'self' in CSP. r=freddyb,dveditz 2017-04-27 09:59:35 +02:00
Christoph Kerschbaumer f18a8897be Bug 1345615: Allow websocket schemes when using 'self' in CSP. r=freddyb,dveditz 2017-04-27 09:59:16 +02:00
Cykesiopka 7c0b9e9d34 Bug 1356522 - Remove unnecessary nsICryptoHash output CRLF filtering in nsCSPUtils.cpp. r=ckerschb
This filtering is no longer necessary now that the fix for Bug 1338897 has landed and has gotten rid of the CRLF behaviour.

MozReview-Commit-ID: 9OKmrtQN3Cq

--HG--
extra : transplant_source : %C2%CD%AC%F6j%F5%D0%00%7E%AC%D2j%ACW%83%60%3B%F0%ED%CC
2017-04-17 17:34:18 +08:00
Florian Queze 37ff4fc7cc Bug 1356569 - Remove addObserver's last parameter when it is false, r=jaws. 2017-04-14 21:51:38 +02:00
Sebastian Hengst a07223d699 Backed out changeset 322fde2d53bf (bug 1356569) so bug 1355161 can be backed out. r=backout 2017-04-14 23:39:22 +02:00
Florian Queze 95d4d20c17 Bug 1356569 - Remove addObserver's last parameter when it is false, r=jaws. 2017-04-14 21:51:38 +02:00
Dan Banner cdf987089d Bug 1107904 - Remove packed.js and references to it as it is unused. r=standard8
MozReview-Commit-ID: K5TLF92pHq4

--HG--
extra : rebase_source : 295bf325a07fa8ec4c55a8babf5418588308dca6
2017-04-12 11:10:00 +01:00
Joel Maher 694ea4ea3b Bug 1183300 - Intermittent dom/security/test/csp/test_upgrade_insecure.html. disable on win7. r=ckerschb,gbrown
MozReview-Commit-ID: AslnFrYGOVw
2017-04-09 05:43:47 -04:00
Kate McKinley d082c41757 Bug 1322044 - Only mark a subdomain cached when includeSubDomains is true r=ckerschb,keeler
MozReview-Commit-ID: 3lFkuLauyGg

--HG--
extra : rebase_source : c356f1d4bef73b634eed6ca4d8078281ebc3ce3c
2017-02-13 13:36:01 +09:00
Thomas Nguyen afaba58d52 Bug 1339004 - Do DocGroup labeling in dom/security. r=ckerschb,smaug
MozReview-Commit-ID: 3QoH8P4J85I

--HG--
extra : rebase_source : 6f62454001fc02380f8aea99a56eff38de0e9fb6
2017-03-29 10:20:32 +08:00
Andrea Marchesini 2c716cd273 Bug 1347817 - Principal must always have a valid origin - part 6 - fixing tests, r=ehsan 2017-03-29 15:28:46 +02:00
Sebastian Hengst eadf7b5c6e Backed out changeset 4af10700c64c (bug 1347817) 2017-03-29 11:17:04 +02:00
Andrea Marchesini 4b77f4a4b9 Bug 1347817 - Principal must always have a valid origin - part 6 - fixing tests, r=ehsan 2017-03-29 08:27:17 +02:00
Christoph Kerschbaumer f49ee1fdca Bug 1316305 - Explicilty call .close() for websocket in test. r=baku 2017-03-22 13:04:02 +01:00
Andrea Marchesini 507c00cb9f Bug 1343933 - Renaming Principal classes - part 4 - ContentPrincipal, r=qdot
--HG--
rename : caps/nsPrincipal.cpp => caps/ContentPrincipal.cpp
rename : caps/nsPrincipal.h => caps/ContentPrincipal.h
2017-03-22 11:39:31 +01:00
Frederik Braun 56207a1b8b Bug 1073952: tests for iframe sandbox srcdoc and data URIs with CSP r=ckerschb,Tomcat
MozReview-Commit-ID: 5Q8XIJPrRPk

--HG--
extra : rebase_source : 391431d3585173d096ab58747a854542dfd3adca
2017-01-30 14:12:15 +01:00
Frederik Braun 17c2bf2604 Bug 1224225: Tests for punycode/unicode in CSP source matching code r=ckerschb,KWierso
MozReview-Commit-ID: 21Mr9ekUvnk

--HG--
extra : rebase_source : be5d673efaa31e322fea5da5ff4e7e6fa749daca
2017-03-15 13:22:55 +01:00
Frederik Braun cef461241c Bug 1224225: Use GetAsciiHost in CSP source matching code r=ckerschb,KWierso
MozReview-Commit-ID: B7SwUEMiVwc

--HG--
extra : rebase_source : d5dbec9f6aac4a627c35fb93f85f8e922fa695dd
2017-03-15 13:22:06 +01:00
Carsten "Tomcat" Book dba578960e merge mozilla-inbound to mozilla-central a=merge 2017-03-14 14:23:03 +01:00
Christoph Kerschbaumer 658552e990 Bug 1316305 - Add debug information for test_upgrade_insecure_requests. r=jmaher 2017-03-13 12:00:46 +01:00
David Major dc67bfc9a3 Bug 1344629 - Part 6: Rewrite unnecessary uses of nsLiteralString. r=dbaron
There's an antipattern where nsLiteralString is used as an unnecessary intermediary in converting from CharT* to CharT*,
e.g. CallAFunctionThatTakesACharPointer(NS_LITERAL_CSTRING("foo").get());
or
NS_NAMED_LITERAL_STRING(foo, "abc");
CallAFunctionThatTakesACharPointer(foo.get());

This patch rewrites the callsites that can be trivially changed to use char*/char16_t*.

I'd somewhat like to remove nsTLiteralString::get() altogether, but in code that's less straightforward than these examples, get() is useful enough to keep.

MozReview-Commit-ID: Kh1rUziVllo

--HG--
extra : rebase_source : c21a65694d6e1c42fd88f73632f7ac8f38d005ae
2017-03-14 15:26:27 +13:00
Iris Hsiao 5cece96e1c Backed out 12 changesets (bug 1344629) for stylo build bustage
Backed out changeset cf4273d3ac30 (bug 1344629)
Backed out changeset a96390e044e0 (bug 1344629)
Backed out changeset d9b330f9bc24 (bug 1344629)
Backed out changeset 2b460fe020af (bug 1344629)
Backed out changeset 0ada91b0452e (bug 1344629)
Backed out changeset 083304fcd6bd (bug 1344629)
Backed out changeset 53d7d1ce2c97 (bug 1344629)
Backed out changeset 55eee7078ae4 (bug 1344629)
Backed out changeset 7d3c06b3eca9 (bug 1344629)
Backed out changeset e5df14c3db61 (bug 1344629)
Backed out changeset 636095ff2815 (bug 1344629)
Backed out changeset 0be052ad24c1 (bug 1344629)
2017-03-14 11:52:24 +08:00
David Major 40f4821701 Bug 1344629 - Part 6: Rewrite unnecessary uses of nsLiteralString. r=dbaron
There's an antipattern where nsLiteralString is used as an unnecessary intermediary in converting from CharT* to CharT*,
e.g. CallAFunctionThatTakesACharPointer(NS_LITERAL_CSTRING("foo").get());
or
NS_NAMED_LITERAL_STRING(foo, "abc");
CallAFunctionThatTakesACharPointer(foo.get());

This patch rewrites the callsites that can be trivially changed to use char*/char16_t*.

I'd somewhat like to remove nsTLiteralString::get() altogether, but in code that's less straightforward than these examples, get() is useful enough to keep.

MozReview-Commit-ID: Kh1rUziVllo

--HG--
extra : rebase_source : c21a65694d6e1c42fd88f73632f7ac8f38d005ae
2017-03-14 15:26:27 +13:00
Andrea Marchesini e9195daa8d Bug 1345168 - Get rid of OriginAttributes::Inherit, r=tjr 2017-03-08 07:41:51 +01:00