040a162daf
Backed out changeset 828efd8ce683 (bug 1329288)
2017-01-22 13:09:53 +01:00
a692f05c85
Backed out changeset 69fb2fc61535 (bug 1329288)
2017-01-22 13:09:48 +01:00
130fcb1f75
Bug 1329288: Allow content policy consumers to identify contentPolicy checks from docshell. r=bz,kmaglione
2017-01-22 07:30:26 +01:00
5b0e184329
Bug 1329288 - Test ContentPolicy blocks opening a new window. r=smaug
2017-01-22 07:30:10 +01:00
16e6d381ac
Bug 503613 - Remove old 'tail =' lines from xpcshell.ini files; r=gps
...
MozReview-Commit-ID: 62Hp5ISxowJ
--HG--
extra : rebase_source : daa8efb3409031fea553f4fd0c9d0746e38dc308
extra : histedit_source : b4c23aacf678ba0d0ac9c09191a7c494ead11a08
2017-01-18 10:30:39 +00:00
4ef7762311
Bug 1331838 - Remove support for app URIs in CSP directives; r=ckerschb
2017-01-18 15:18:29 -05:00
ee5969e9c2
Backout changeset 7040329487e9 (bug 1331838) because it was the wrong patch
2017-01-18 15:18:29 -05:00
842ce9fb2d
Bug 1331838 - Remove support for app URIs in CSP directives; r=ckerschb
2017-01-18 13:11:42 -05:00
5baf0e453e
Backed out changeset 8acb67f2e136 (bug 1331838) for failing GTest CSPParser.SimplePolicies. r=backout on a CLOSED TREE
2017-01-18 17:28:03 +01:00
42a8bbcbb1
Bug 1331838 - Remove support for app URIs in CSP directives; r=ckerschb
2017-01-18 08:57:13 -05:00
85611a7b6d
Bug 1331081 - script generated patch to omit addEventListener/removeEventListener's third parameter when it's false, r=jaws.
...
--HG--
extra : rebase_source : a22344ee1569f58f1f0a01017bfe0d46a6a14602
2017-01-17 11:50:25 +01:00
265b3a3710
Bug 1303685: Add telemetry for CSP referrer directive. r=ckerschb,francois
2016-11-04 21:36:25 +05:30
054061a872
Merge mozilla-central to mozilla-inbound
2017-01-12 10:36:29 +01:00
0c9692f60f
Bug 1330035 - Explicitly use javascript: instead of URI_INHERITS_SECURITY_CONTEXT within subjectToCSP(). r=dveditz
2017-01-12 09:42:23 +01:00
b815edc5b6
Backed out changeset d5ba64015065 (bug 1329288)
2017-01-11 15:41:43 +01:00
ca27de3795
Bug 1329288 - Update test_contentpolicytype_targeted_link_iframe to not call finish several times. r=me
2017-01-11 14:44:52 +01:00
edae411c07
Bug 1313595 - Lower HSTS priming timeout r=mayhemer
...
MozReview-Commit-ID: 5wOqtYM1MfD
--HG--
extra : rebase_source : 78cb81a9223c80b93b2c574846111eb3bad91c03
2016-12-08 11:07:55 -10:00
ab089bc866
Bug 1324870 - Skip test_bug803225.html and test_ext_downloads_misc.js on linux32 only, to enable taskcluster migration; r=jmaher
2017-01-05 16:34:47 -07:00
8ca3b2dc24
Backed out changeset 724fdfe8f396 (bug 1324870)
2017-01-05 12:21:31 -05:00
4fdfff0c12
Bug 1324870 - Skip test_bug803225.html and test_ext_downloads_misc.js on linux32 only, to enable taskcluster migration; r=jmaher
...
--HG--
extra : rebase_source : eb4c1e94381f46d54619f0a3ba65e3f5beed2221
2017-01-05 09:15:11 -07:00
0aaea58b69
Bug 1304623 - Create a pref to control the default referrer policy - part 3. r=bkelly
...
MozReview-Commit-ID: 1A6IHPeNYBQ
2017-01-05 11:29:56 +08:00
c88d12696d
Bug 1182569: Update ContentSecurityManager to handle docshell loads. r=smaug
2017-01-03 20:59:30 +01:00
47afdb3f0c
Bug 1324542 - Code-quality tweaks for isValidBase64Value. r=ckerschb
...
--HG--
extra : rebase_source : 6077893a7edc62c5842c3a1c9f5be9386a6e7e7c
2016-12-20 11:56:14 -05:00
515ef9ba45
Bug 1321218 - Remove legacy generator from dom/. r=smaug
2016-12-01 18:11:32 +09:00
8843a98210
Bug 1319936 - Remove String generics uses in dom. r=billm
...
--HG--
extra : rebase_source : f2b40e5d4a423035d2de8739570a76305a058cf0
2016-11-24 13:17:00 -08:00
450508f7f3
merge mozilla-inbound to mozilla-central a=merge
2016-11-29 11:39:49 +01:00
002a446aec
Backed out changeset 3472d9d9dd47 (bug 1313595) for hopefully reducing crashes
2016-11-29 10:25:07 +01:00
29efcb86ac
Bug 1316826 - Test for JS URLs and strict-dynamic. r=dveditz
...
MozReview-Commit-ID: EKmYoZbap25
2016-11-28 21:56:55 -05:00
fe33117844
Bug 1309219 - Only allow valid base64-values for CSP nonce and hash sources, per spec. r=francois
2016-11-24 21:46:09 -05:00
53901256a5
Bug 1316826 - Test case for strict-dynamic blocks inline event handlers. r=dveditz
...
MozReview-Commit-ID: 4TS4pUNeIS1
--HG--
extra : rebase_source : e517f4898d0a9873c77e2731152ce3255b7c5938
2016-11-21 15:13:29 -05:00
e1487e92f8
Bug 1311599 - Disable HSTS tests on linux debug.
...
--HG--
extra : rebase_source : 5ad7d6ea972d4a350091458b0cc47dd148f13bb6
2016-11-21 12:30:56 -05:00
42cdd9436b
Bug 1318273 - Improve the use of SpecialPowers.pushPrefEnv() - part 2, r=qdot
2016-11-18 09:33:50 +01:00
2f974ccbce
Bug 1318273 - Improve the use of SpecialPowers.pushPrefEnv() - part 1, r=qdot
2016-11-18 09:33:33 +01:00
7110a88674
Backed out changeset d43b778d95c6 (bug 1318273) for failing mochitest fetch/test_formdataparsing.html. r=backout on a CLOSED TREE
2016-11-17 20:58:38 +01:00
fdfd8b91d1
Backed out changeset 2560659cda95 (bug 1318273)
2016-11-17 20:57:59 +01:00
a895bd31ae
Bug 1318273 - Improve the use of SpecialPowers.pushPrefEnv() - part 2, r=qdot
2016-11-17 19:36:21 +01:00
cf2ad8072f
Bug 1318273 - Improve the use of SpecialPowers.pushPrefEnv() - part 1, r=qdot
2016-11-17 19:36:01 +01:00
dcbe139332
Bug 1317115 turn off HSTS priming to suppress perma-orange a=test-only
...
MozReview-Commit-ID: I1bNquP4yT7
2016-11-15 10:52:45 +09:00
5565f4d518
Bug 1313595 Reduce timeout for HSTS priming channels r=mayhemer
...
Default is 3 seconds
MozReview-Commit-ID: 47hoaTEL9hV
2016-11-08 17:49:39 +09:00
8562d3859b
Backed out changeset a8be4ebc85cf (bug 1313595) for permaorange unexpected assertion in test_referrerdirective.html, a=backout
...
MozReview-Commit-ID: GxBqDrHHg7z
2016-11-14 18:30:58 -08:00
b8eeda422c
Bug 1313595 Reduce timeout for HSTS priming channels r=mayhemer
...
Default is 3 seconds
MozReview-Commit-ID: 47hoaTEL9hV
--HG--
extra : rebase_source : 6954dc92966122b15c60f19f5e91086fcd859728
2016-11-08 17:49:39 +09:00
5ef79ef9a4
Bug 1313596 - Increase HSTS Priming default cache timeout. r=mayhemer
...
MozReview-Commit-ID: 6sHuB4wIEu4
--HG--
extra : rebase_source : 9672c18384efe24f6cb5e1aa455217e37a97db90
2016-11-10 00:30:00 -05:00
115286c614
Backed out changeset 9c1069e2a42e (bug 1236222) for failing xpcshell test test_csp_reports.js. r=backout
2016-11-09 11:31:38 +01:00
134e80abde
Bug 1236222 - CSP: Blocked URI should be empty for inline violations. r=ckerschb
2016-11-07 19:22:53 +05:30
41c087935b
Merge m-c to inbound, a=merge
2016-11-08 14:08:34 -08:00
eb1fcc9de6
Bug 1299483 - CSP: Implement 'strict-dynamic', test default-src. r=dveditz
2016-11-08 13:34:36 +01:00
54b5ba8aa1
Bug 1299483 - CSP: Implement 'strict-dynamic', parser inserted mochitests. r=dveditz,freddyb
2016-11-08 13:33:58 +01:00
7148985f09
Bug 1299483 - CSP: Implement 'strict-dynamic', mochitests. r=dveditz,freddyb
2016-11-08 13:33:27 +01:00
d9efe93bac
Bug 1299483 - CSP: Implement 'strict-dynamic', parser tests. r=dveditz,freddyb
2016-11-08 13:32:17 +01:00
611dfdf9b7
Bug 1299483 - CSP: Implement 'strict-dynamic', parser changes. r=dveditz,freddyb
2016-11-08 13:08:33 +01:00
c267f70f91
Bug 1299483 - CSP: Implement 'strict-dynamic', enforcement changes. r=dveditz,freddyb
2016-11-08 12:55:23 +01:00
27b9e899b0
Bug 1311599 - Disable hsts tests on linux32-debug only. r=kmckinley
...
MozReview-Commit-ID: 2V5Xrfpwy3a
--HG--
extra : rebase_source : c02f00ac03368b5ce52598c23964e39f892e6007
2016-11-07 14:51:45 -05:00
e13c48fba9
Bug 1315170 - gtestify dom/security/test/TestCSPParser.cpp. r=francois.
...
--HG--
rename : dom/security/test/TestCSPParser.cpp => dom/security/test/gtest/TestCSPParser.cpp
extra : rebase_source : 52b30a4c063ce2d330108fa4b8382ff8e4adf1b0
2016-11-04 17:02:26 +11:00
a7bc94158c
Merge m-i to m-c, a=merge
...
MozReview-Commit-ID: H4VKCYDq5cD
--HG--
rename : xpcom/tests/TestAutoRef.cpp => xpcom/tests/gtest/TestAutoRef.cpp
rename : xpcom/tests/TestCOMArray.cpp => xpcom/tests/gtest/TestCOMArray.cpp
rename : xpcom/tests/TestCOMPtr.cpp => xpcom/tests/gtest/TestCOMPtr.cpp
rename : xpcom/tests/TestCOMPtrEq.cpp => xpcom/tests/gtest/TestCOMPtrEq.cpp
rename : xpcom/tests/TestFile.cpp => xpcom/tests/gtest/TestFile.cpp
rename : xpcom/tests/TestHashtables.cpp => xpcom/tests/gtest/TestHashtables.cpp
rename : xpcom/tests/TestID.cpp => xpcom/tests/gtest/TestID.cpp
2016-11-05 13:36:25 -07:00
4b45959d12
Bug 1310297 - Remove test annotations using b2g, mulet or gonk: dom/security. r=RyanVM
...
MozReview-Commit-ID: 8G41CCQ1P01
--HG--
extra : rebase_source : d8f02480bc506c06e13d0d47fa123df6f8b2f18d
2016-11-05 11:29:17 +01:00
e8f0bc4a89
Bug 1312272 - Test that marquee event handlers are subject to CSP. r=smaug
...
MozReview-Commit-ID: 4KYon5u0ocf
--HG--
extra : histedit_source : 6de85932af364aba1960f16a51d20d32b8ec6b7c
2016-11-04 22:54:19 -04:00
579a6043ca
Bug 1312680 - Test that require-sri-for blocks style loads via @import r=francois
...
MozReview-Commit-ID: A8DPWH2S3sD
2016-11-03 03:18:00 +01:00
921f2dc51d
Merge mozilla-central to mozilla-inbound
...
--HG--
extra : amend_source : 754a1f5236bea4ec4fcaac985945aa89f6c29769
2016-10-20 16:50:23 +02:00
26490f6904
Bug 1310955 - Fix nsSiteSecurityService cache retrieval r=ckerschb,keeler
...
MozReview-Commit-ID: 55DpKrqcL1x
--HG--
extra : rebase_source : 5e068cc70c45dd1844a0e59559875cde659f202a
2016-10-18 20:09:15 +09:00
6c91017f20
Merge m-i to m-c, a=merge
...
MozReview-Commit-ID: FA9OZyjP59N
2016-10-18 19:36:18 -07:00
f13c011369
Bug 1310895 - Remove support for app default and manifest CSP enforcement; r=baku
2016-10-18 09:40:41 -04:00
5b82359aa3
Bug 1305993 - Break tests up to avoid timeouts r=philor
...
MozReview-Commit-ID: 8y2gwNjnEnT
--HG--
extra : rebase_source : c24354dd7c60064b38bbbad067806d3c0a52c690
2016-10-07 17:19:38 +09:00
066a3827af
Bug 1307321 - Use correct length of CSP report when sending violations. r=jrgm,freddyb
2016-10-14 20:07:32 +02:00
24324313f6
Backed out changeset f443b21ba9de (bug 1307321) for unexpected passing of scripthash-unicode-normalization.sub.html. r=backout
2016-10-14 17:51:22 +02:00
0341cd9771
Bug 1307321 - Use correct length of CSP report when sending violations. r=jrgm,freddyb
2016-10-14 15:23:24 +02:00
9de6bbbaec
Bug 1261019 - Part 3: Remove Navigator.mozApps and code depending on it; r=myk,jryans,fabrice,mcmanus,peterv
2016-10-13 13:18:41 -04:00
793b227795
Bug 1309818 - Fixing some warning when compiling dom/*, r=smaug
2016-10-13 14:33:07 +02:00
f4e92ab657
Bug 1277803 - Part 5 : A test to verify the loadingPrincipal of favicon loads. r=ckerschb
2016-10-13 15:44:00 +08:00
372ec56ff4
Bug 1277803 - Part 1 : Add a new ContentPolicy TYPE_INTERNAL_IMAGE_FAVICON for indicating a favicon loading. r=ckerschb
2016-10-13 15:43:54 +08:00
2142de26c1
Backed out 8 changesets (bug 1277803) for browser-chrome test failures a=backout
...
Backed out changeset 477890efdb88 (bug 1277803)
Backed out changeset 49da326bfe68 (bug 1277803)
Backed out changeset 2d17a40a9077 (bug 1277803)
Backed out changeset b1cb0a195ca1 (bug 1277803)
Backed out changeset c7d82459d152 (bug 1277803)
Backed out changeset 3be9a06248af (bug 1277803)
Backed out changeset 8d119ca96999 (bug 1277803)
Backed out changeset be767a6f7ecd (bug 1277803)
2016-10-12 14:26:00 -07:00
226661a0bc
Bug 1277803 - Part 5 : A test to verify the loadingPrincipal of favicon loads. r=ckerschb
2016-10-12 17:32:11 +08:00
0ceca5575d
Bug 1277803 - Part 1 : Add a new ContentPolicy TYPE_INTERNAL_IMAGE_FAVICON for indicating a favicon loading. r=ckerschb
2016-10-12 17:32:03 +08:00
ea829544cd
Bug 1308951 - Add a pref to whitelist specific domains as SecureContexts r=ckerschb,jcj
...
MozReview-Commit-ID: AxihCLsBNRw
--HG--
extra : rebase_source : bd2800c65af839ef67f4ca9a841f08884ac9c539
2016-10-10 11:32:24 -04:00
06ba09a073
Bug 1264137 - Part 3: perform ContentPolicy check if the load is happening on this docshell. r=bz, smaug
2016-10-07 17:40:21 +08:00
e6ab0adc40
Backed out changeset d283c59402ce (bug 1277803)
...
CLOSED TREE
2016-10-07 11:24:08 +08:00
596b8e86ce
Backed out changeset 76788d4f83ce (bug 1277803)
...
CLOSED TREE
2016-10-07 11:23:40 +08:00
1925944f12
Bug 1277803 - Part 5: Add a test to verify the loadingPrincipal of favicon loads. r=ckerschb
2016-09-13 00:33:00 -04:00
85a1cb6b99
Bug 1277803 - Part 1: Add a new ContentPolicy TYPE_INTERNAL_IMAGE_FAVICON for indicating a favicon loading. r=ckerschb
2016-09-07 00:38:00 -04:00
395abf823f
Bug 1288104 part 2 - Instrument SRICheckDataVerifier to load/save the computed hash from the bytecode cache. r=francois
2016-10-20 09:44:33 +00:00
ae7fb1e8d0
Bug 1279139 - require-sri-for needs to govern scriptloading for workers. r=baku
...
MozReview-Commit-ID: 3m21kbiV5qK
--HG--
extra : rebase_source : 30c784392e96c1b28c55d38959cc529093b9b568
2016-10-04 02:36:00 +02:00
b0951acfc5
Bug 1302539 - X-Content-Type-Options: nosniff should not apply to images (temporarily). r=dveditz
2016-09-30 09:38:44 +02:00
cf7304c3c6
Bug 1306007 - Part 1: Remove srcset/picture feature control preference; r=jdm,smaug
...
MozReview-Commit-ID: BsyTHeqiGZL
--HG--
extra : rebase_source : 2add2510dbe16c641fe997a8349c1a36009bec20
2016-04-16 18:07:56 -04:00
40e1a53f35
Bug 1303682 - Add deprecation warning before removing 'referrer' directive from CSP. r=ckerschb
2016-09-28 20:17:18 +05:30
c190891418
Bug 1303121 - Do not fire one last progress event on XHR errors, to match a spec change. r=annevk
...
--HG--
extra : rebase_source : 9a59934cfe8fc7f2ee8ef7788813f97e2355ce2a
2016-09-28 13:05:32 -04:00
c57d400961
Bug 1246540 - HSTS Priming Proof of Concept. r=ckerschb, r=mayhemer, r=jld, r=smaug, r=dkeeler, r=jmaher, p=ally
...
HSTS priming changes the order of mixed-content blocking and HSTS
upgrades, and adds a priming request to check if a mixed-content load is
accesible over HTTPS and the server supports upgrading via the
Strict-Transport-Security header.
Every call site that uses AsyncOpen2 passes through the mixed-content
blocker, and has a LoadInfo. If the mixed-content blocker marks the load as
needing HSTS priming, nsHttpChannel will build and send an HSTS priming
request on the same URI with the scheme upgraded to HTTPS. If the server
allows the upgrade, then channel performs an internal redirect to the HTTPS URI,
otherwise use the result of mixed-content blocker to allow or block the
load.
nsISiteSecurityService adds an optional boolean out parameter to
determine if the HSTS state is already cached for negative assertions.
If the host has been probed within the previous 24 hours, no HSTS
priming check will be sent.
MozReview-Commit-ID: ES1JruCtDdX
--HG--
extra : rebase_source : 2ac6c93c49f2862fc0b9e595eb0598cd1ea4bedf
2016-09-27 11:27:00 -04:00
f196d451ef
Bug 1304302 part 7 - Break cycle reference between SRIMetadata.h and SRICheck.h. r=smaug
...
MozReview-Commit-ID: 8UpAEXURuSg
--HG--
extra : source : 50604098e9e374611b02d82d765fa0b230d71373
2016-09-26 22:03:25 +10:00
767e1e9b11
merge mozilla-inbound to mozilla-central a=merge
2016-09-26 18:34:20 +08:00
694c12c743
Bug 1242019 - Truncate data URIs in CSP log messages. r=ckerschb
...
MozReview-Commit-ID: DaiGESRI1rb
--HG--
extra : transplant_source : %EC%7B%3F%20O%3A%A7g%BAl%82%BC-Xg%23%84%E2%3C%EE
2016-09-12 14:30:43 -07:00
ed0b5f06ee
Bug 1271796 use raw bytes to calculate SRI hash r=francois
...
MozReview-Commit-ID: F62t5CnsYlJ
--HG--
extra : rebase_source : 9c2148ffe99a51db5541ec6d9961597b578157ae
2016-09-05 12:55:25 +02:00
9f5afabda0
Bug 1294381 - Delayed process script for test_bug803225.html. r=mrbkap
2016-09-22 09:26:26 +02:00
f41283f981
Bug 1298680 - Use uint64_t consistently for windowID within CSP. r=freddyb
2016-09-19 12:57:20 +02:00
9f2e941749
Bug 1296027 - CSP: Include 'Source' within error message when logging to the console. r=freddyb,bgrins
2016-09-19 10:18:55 +02:00
fd99ac5cc2
Bug 1277248 - Add test to ensure that require-sri-for does not allow svg:scripts r=ckerschb
...
MozReview-Commit-ID: 1knIYZ93UeY
--HG--
extra : rebase_source : 4c1385382ecdddf80ec45d46d440b37bf4ad47c1
2016-09-13 11:05:37 +02:00
db38e2111a
Bug 1187335 - P6 - Support script/css to set integrity metadata to serviceWorker. r=bkelly. r=francois.
2016-09-07 10:30:21 +08:00
6f314fb375
Bug 1187335 - P3 - modify SRI test to match current behavior. r=bkelly, r=francois.
2016-05-30 12:26:56 +08:00
78670a91d5
Bug 1187335 - P2 - Modify the way to report to console for worker and use LoadTainting to decide CORS or not. r=bkelly. r=francois.
2016-09-08 09:59:40 +08:00
6ea7c1b598
Bug 1229639 - Part 2: Test case. r=ckerschb
...
MozReview-Commit-ID: GbofB6JoFil
--HG--
extra : rebase_source : dc4ac339817a052f687179988e28ec02764bd3e7
2016-09-06 18:30:12 +08:00
f9eeeb2620
Bug 1229639 - Part 1: Match CSP host source with percent-decoded URI. r=ckerschb
...
MozReview-Commit-ID: CSGeoSR2qw8
--HG--
extra : rebase_source : f64cb0b9cab61ec09faa29139f72d28272fbbedb
2016-09-06 18:29:26 +08:00
885c81fd09
Bug 1299267 - Test for wrong mime types. r=ckerschb
2016-09-05 20:02:52 +02:00
b71747b2ac
Bug 1299727 - Rename NS_WARN_IF_FALSE as NS_WARNING_ASSERTION. r=erahm.
...
The new name makes the sense of the condition much clearer. E.g. compare:
NS_WARN_IF_FALSE(!rv.Failed());
with:
NS_WARNING_ASSERTION(!rv.Failed());
The new name also makes it clearer that it only has effect in debug builds,
because that's standard for assertions.
--HG--
extra : rebase_source : 886e57a9e433e0cb6ed635cc075b34b7ebf81853
2016-09-01 15:01:16 +10:00
Sebastian Hengst
Christoph Kerschbaumer
Mark Banner
Ehsan Akhgari
Florian Quèze
Tuhina
Carsten "Tomcat" Book
Kate McKinley
Geoff Brown
Iris Hsiao
Thomas Nguyen
Thomas Wisniewski
Tooru Fujisawa
André Bargull
Frederik Braun
Ryan VanderMeulen
Andrea Marchesini
Phil Ringnalda
Tanuja Sawant
Wes Kocher
Joel Maher
Nicholas Nethercote
Steven Englehardt
Tim Huang
Richard Barnes
Yoshi Huang
Nicolas B. Pierron
Edgar Chen
Samriddhi Jain
Xidorn Quan
Gabor Krizsanits
Tom Tung
Henry Chang
Tom Schuster