The new rkv-based cert_storage database caused a Heap Unclassified regression because of memory that LMDB reserves when opening a database in read-write mode. Since cert_storage usage is read-heavy, this change claws back that regression by opening it in read-only mode except when changes are being made.
Differential Revision: https://phabricator.services.mozilla.com/D25098
--HG--
extra : moz-landing-system : lando
Per the thread "Intent-to-Ship: Backward-Compatibility FIDO U2F support for
Google Accounts" on dev-platform [0], this bug is to:
1. Enable the security.webauth.u2f by default, to ride the trains
2. Remove the aOp == U2FOperation::Sign check from EvaluateAppID in
WebAuthnUtil.cpp, permitting the Google override to work for Register as
well as Sign.
This would enable Firefox users to use FIDO U2F API on most all sites, subject
to the algorithm limitations discussed in the section "Thorny issues in
enabling our FIDO U2F API implementation" of that post.
[0] https://groups.google.com/d/msg/mozilla.dev.platform/q5cj38hGTEA/lC834665BQAJ
Differential Revision: https://phabricator.services.mozilla.com/D25241
--HG--
extra : moz-landing-system : lando
When the RDD process sandbox is started at launch, assert the sandbox has been enabled in the Init message.
Change AssertMacSandboxEnabled() to use the undocumented sandbox_check() function instead of sandbox_init().
Differential Revision: https://phabricator.services.mozilla.com/D22414
--HG--
extra : moz-landing-system : lando
Move sandbox early start logic to GeckoChildProcessHost.
Move sandbox CLI param logic into MacSandboxInfo.
Differential Revision: https://phabricator.services.mozilla.com/D22409
--HG--
extra : moz-landing-system : lando
Remove the unused plugin binary path and app binary path parameters and cleanup file path permissions.
Explicitly allow access to launchservicesd to allow SetProcessName() to work when the sandbox is started during startup.
Differential Revision: https://phabricator.services.mozilla.com/D22408
--HG--
extra : moz-landing-system : lando
Move sandbox policies for different process types into their own files.
Create a new "utility" policy cloned from the GMP policy to be used for basic utility-type processes.
Use the utility policy for the RDD process.
Differential Revision: https://phabricator.services.mozilla.com/D22405
--HG--
extra : moz-landing-system : lando
After initialization (which happens on the main thread because we need to access
preferences), cert_storage will first be used on a certificate verification
thread. We can use this to avoid main-thread I/O by lazily opening the DB when
it first gets used rather than at initialization.
Differential Revision: https://phabricator.services.mozilla.com/D24998
--HG--
extra : moz-landing-system : lando
Apparently importing a certificate into the NSS certificate DB is slow enough to
materially impact the time it takes to connect to a site. This patch addresses
this by importing any intermediate certificates we want to cache from verified
connections on a background thread (so the certificate verification thread can
return faster).
Differential Revision: https://phabricator.services.mozilla.com/D24384
--HG--
extra : moz-landing-system : lando
Removed all occurences of ondialogaccept.
Removed all occurences of ondialogcancel.
Replaced all removed attributes with event handlers.
Differential Revision: https://phabricator.services.mozilla.com/D21227
--HG--
extra : moz-landing-system : lando
1. Adding a new attribute chromeContext in ConsoleEvent
2. Adding a new boolean attribute isFromChromeContext in nsIConsoleMessage
3. Sending IsFromChromeContext to the parent process
Differential Revision: https://phabricator.services.mozilla.com/D23330
--HG--
extra : moz-landing-system : lando
Apparently importing a certificate into the NSS certificate DB is slow enough to
materially impact the time it takes to connect to a site. This patch addresses
this by importing any intermediate certificates we want to cache from verified
connections on a background thread (so the certificate verification thread can
return faster).
Differential Revision: https://phabricator.services.mozilla.com/D24384
--HG--
extra : moz-landing-system : lando
Added files to UNIFIED_SOURCES and removed conflicts. Files that required flags still remain in SOURCES. SOURCES use "StrictOrderingOnAppendListWithFlagsFactory" base class and UNIFIED_SOURCES use "StrictOrderingOnAppendList" base class. As of now I do not think there is an option to add flags for the later. So the files requiring flags are kept in SOURCES.
Differential Revision: https://phabricator.services.mozilla.com/D23795
--HG--
extra : moz-landing-system : lando
cert_storage migrates revocations.txt via one transaction per entry, which can be expensive. This change uses a single transaction to migrate all entries.
Differential Revision: https://phabricator.services.mozilla.com/D24579
--HG--
extra : moz-landing-system : lando
The definitions can't be entirely removed yet because NSS still needs them.
Differential Revision: https://phabricator.services.mozilla.com/D23454
--HG--
extra : moz-landing-system : lando
This allows us to drop preprocessing and makes it simpler to add edit menu functionality to any type of document.
Differential Revision: https://phabricator.services.mozilla.com/D21446
--HG--
extra : moz-landing-system : lando
If nsSecureBrowserUIImpl::GetState is never called, it never checks for mixed
content (this can happen when loading a page from the BF cache). To ensure that
we properly set the security state (via OnLocationChange -> OnSecurityChange),
nsSecureBrowserUIImpl must check for mixed content more proactively.
Differential Revision: https://phabricator.services.mozilla.com/D23945
--HG--
extra : moz-landing-system : lando
This patch also base64-decodes the API inputs before storing in the DB in
anticipation of being able to pass binary data directly (bug 1535752).
Differential Revision: https://phabricator.services.mozilla.com/D23430
--HG--
extra : moz-landing-system : lando
This patch also base64-decodes the API inputs before storing in the DB in
anticipation of being able to pass binary data directly (bug 1535752).
This patch additionally whitelists the DB backing file in talos.
Differential Revision: https://phabricator.services.mozilla.com/D23430
--HG--
extra : moz-landing-system : lando
The certificate when exported had filename with no separator. Now added "_" separator to filename.
Differential Revision: https://phabricator.services.mozilla.com/D23492
--HG--
extra : moz-landing-system : lando
clang-cl only acts on five MSVC warning flags: 7219c7e9af/clang/include/clang/Driver/CLCompatOptions.td (L188-L197)
With MSVC now unsupported, most -wdNNNN have no effect and can be removed.
This patch converts the five supported warnings to their clang spellings, as preparation for a subsequent patch that will remove all remaining `[/-]w[edo][0-9]{4}`.
Differential Revision: https://phabricator.services.mozilla.com/D22582
--HG--
extra : moz-landing-system : lando
The main behavior changes are:
1) We no longer create a new Window when doing document.open(). We use the
same Window but remove all the event listeners on it and on the existing DOM
tree before removing the document's existing kids.
2) We no longer create a new session history entry. The existing one always
gets replaced instead.
3) We now support document.open on documents that are not in a Window.
The reasons for the various test changes are as follows:
The change to browser_modifiedclick_inherit_principal.js is because we no
longer set the docshell to a wyciwyg URL when document.open() happens and the
test was depending on that to terminate.
browser_wyciwyg_urlbarCopying.js is being removed because it's trying to test
wyciwyg URIs, which no longer exist.
The changes in docshell/test/navigation are because document.open() no longer
affects session history. One of the tests was testing the interactions there
and is being removed; another is being repurposed to just test that
document.open() does not affect history.length.
The change to test_x-frame-options.html is because document.open() now removes
event listeners on the window, which it didn't use to do (and in the specific
case in this test reused the existing inner too, so the listener was still
around in practice). The new behavior matches other browsers.
The removal of test_bug172261.html is because document.open() no longer affects
session history, so you can't go back across it or forward to the "opened"
state, so the situation that test is trying to test no longer exists.
The changes to test_bug255820.html are because reloading a document after
document.open() will now just load the URL of the document that was the entry
document for the open() call, not reload the written content. So there's not
much point testing reload behavior, and in this test it was just reloading the
toplevel test file inside the frames.
The change to test_bug346659.html is because now we no longer create a new
Window on document.open().
The change to test_bug1232829.html is because document.open() (implicit in this
test) no longer adds history entries, so the back() was just leaving the test
page instead of going back across the document.open(). The test is a
crashtest in practice, so might still be testing something useful about how
document.open() interacts with animations.
The change to test_bug715739.html is because the URL of the document after
document.open() is now the URL of the entry document, not a wyciwyg URL, so
reload() has different behavior than it used to.
The change to test_bug329869.html is because now when we go back we're
reloading the original document we had, not doing a wyciwyg load, and the
security info now doesn't include the untrusted script.
The changes to the wpt expectations are removing a bunch of expected failures
now that we pass those tests and disabling some tests that are fundamentally
racy and hence fail randomly. The latter all have github issues filed for the
test problem.
The change to testing/web-platform/tests/common/object-association.js is fixing
tests that were not matching the spec (and were failing in other browsers).
The change to parser-uses-registry-of-owner-document.html is fixing tests that
were not matching the spec (and were failing in other browsers).
The change to document-write.tentative.html is because the test was buggy: it
was using the same iframe element for all its tests and racing loads from some
tests against API calls from other tests, etc. It's a wonder it ever managed
to pass, independent of these patches (and in fact it doesn't pass according to
wpt.fyi data, even in Firefox).
The changes in html/browsers/history/the-history-interface are because
document.open() no longer adds history entries. The test was failing in all
other browsers for the same reason.
The changes in html/browsers/history/the-location-interface are because
reloading a document.open()-created thing now loads the URL of the page that
was the entry document for the open() call. The test was failing in all other
browsers.
The change to reload_document_open_write.html is because we now reload the url
of the document that entered the script that called open() when we reload, not
the written content. Other browsers were failing this test too; Gecko with
the old document.open implementation was the only one that passed.
The change to http-refresh.py is to fix a test bug: it was not returning a
Content-Type header, so we were putting up helper app dialogs, etc.
The change to test_ext_contentscript.js is because we no create a new global
for document.open() calls. Kris Maglione OKed this part.
Differential Revision: https://phabricator.services.mozilla.com/D17323
--HG--
extra : moz-landing-system : lando
The seccomp-bpf policy is currently just the "common" policy with no
additions (but with the fixes in bug 1511560 to enable shared memory
creation). The file broker policy allows shared memory creation and
nothing else. The namespace setup is the same as for GMP (i.e., as
restrictive as we currently can be).
The sandbox can be turned off for troubleshooting by setting the
environment variable MOZ_DISABLE_RDD_SANDBOX, similarly to the other
process types.
Tested against https://demo.bitmovin.com/public/firefox/av1/ with the
necessary prefs set.
Depends on D20895
Differential Revision: https://phabricator.services.mozilla.com/D14525
--HG--
extra : moz-landing-system : lando
File descriptors are sometimes dup()ed in the process of communicating
them over IPC; some of this may be unnecessary (due to insufficient
use of move-only types), but dup() is relatively harmless. It was
previously allowed for both content and GMP, so this doesn't change
anything.
The handling of ftruncate is a little complicated -- it's used for IPC
shared memory, but only when creating segments; so GMP doesn't allow
it and should continue not allowing it, but content needs it and RDD
will as well. As a result, the subclass indicates if it will be needed.
Note that even when we have memfd_create support (bug 1440203),
ftruncate is still necessary even though brokering may not.
Depends on D14523
Differential Revision: https://phabricator.services.mozilla.com/D14524
--HG--
extra : moz-landing-system : lando
The sandbox broker uses socketpair to construct the per-request channels
over which responses are sent; thus, if and only if the policy will be
using brokering, it will allow socketpair as safely as possible (i.e.,
denying datagram sockets if possible).
Depends on D14522
Differential Revision: https://phabricator.services.mozilla.com/D14523
--HG--
extra : moz-landing-system : lando
madvise is used by our malloc (and probably others), and mprotect is
used with shared memory, including when created by another process, so
the common policy should include those rules.
Depends on D14521
Differential Revision: https://phabricator.services.mozilla.com/D14522
--HG--
extra : moz-landing-system : lando
This will allow other policies to use brokering if needed (e.g., RDD and
similar utility processes may need to access /dev/shm to create shared
memory). The concrete policy class can deny filesystem access completely
(matching the current behavior of the GMP policy) by passing nullptr to
the superclass constructor instead.
Depends on D14520
Differential Revision: https://phabricator.services.mozilla.com/D14521
--HG--
extra : moz-landing-system : lando
ContentSandboxPolicy currently allows direct filesystem access if it
isn't given a broker client; this is a legacy design from the B2G era,
before the current idea of "sandbox level". With this patch, it allows
filesystem access at level 1, and above that it requires brokering.
This is both to reduce the opportunities for accidentally having a
too-permissive sandbox and to prepare for refactoring the broker glue in
bug 1511560.
Depends on D14519
Differential Revision: https://phabricator.services.mozilla.com/D14520
--HG--
extra : moz-landing-system : lando
Level 1 is meant to enable some seccomp-bpf filtering, but still allow
direct access to the filesystem, and level 2 is where brokering starts.
This was accidentally broken in 1365257 (making "level 1" act like level
2); this patch fixes that.
This feature obviously isn't used much given how long nobody noticed it was
broken, but it's useful to have around for troubleshooting, and it's
actually easier to fix it than edit it out of the documentation.
Differential Revision: https://phabricator.services.mozilla.com/D14519
--HG--
extra : moz-landing-system : lando
This test should remind us to regenerate the test certificates next year before they actually expire.
Differential Revision: https://phabricator.services.mozilla.com/D21065
--HG--
extra : moz-landing-system : lando
This actor won't be being used anymore, and acts only as a maintenance burden
for people working on this code (which we're doing pretty often these days!).
Differential Revision: https://phabricator.services.mozilla.com/D20549
--HG--
extra : moz-landing-system : lando
This actor won't be being used anymore, and acts only as a maintenance burden
for people working on this code (which we're doing pretty often these days!).
Differential Revision: https://phabricator.services.mozilla.com/D20549
--HG--
extra : moz-landing-system : lando
Remove all occurences of the above mentioned attributes and replace them by event handlers.
Minor changes to consuming functions to preserve functionality.
Differential Revision: https://phabricator.services.mozilla.com/D20368
--HG--
extra : moz-landing-system : lando
In bug 1470918, a shared thread was introduced that did the reading/writing work
for all DataStorage instances. To ensure all state was written out at shutdown,
the original patch implemented a two stage strategy that in the first stage
queued an event for each DataStorage that would write out its contents and then
in the second stage ran these events to completion. This conflicted with how
Firefox's sanitization implementation would make sure that data was cleared at
shutdown, if requested by the user. If the DataStorage objects observed the
first shutdown notification before the sanitization implementation, the existing
data would be queued for writing and any further updates would be prevented.
Thus, when the sanitizer tried to clear data held by DataStorage instances,
nothing would happen and the data would be written to disk.
This patch fixes this issue by implementing DataStorage shutdown in a single
stage that can run after sanitization. Since sDataStorages knows of the
existence of every DataStorage, we can simply iterate through its entries, queue
write events for each one, and then run those events to completion in one pass.
This patch also fixes bug 1528019 (gDataStorageSharedThread could leak if
NS_NewNamedThread failed) because the fix is trivial and not worth handling in
an entirely separate bug.
Differential Revision: https://phabricator.services.mozilla.com/D20034
--HG--
extra : moz-landing-system : lando
Consequently, this removes:
- MOZ_LIBPRIO, which is now always enabled.
- non_msvc_compiler, which is now always true.
- The cl.py wrapper, since it's not used anymore.
- CL_INCLUDES_PREFIX, which was only used for the cl.py wrapper.
- NONASCII, which was only there to ensure CL_INCLUDES_PREFIX still
worked in non-ASCII cases.
This however keeps a large part of detecting and configuring for MSVC,
because we still do need it for at least headers, libraries, and midl.
Depends on D19614
Differential Revision: https://phabricator.services.mozilla.com/D19615
--HG--
extra : moz-landing-system : lando
Adds telemetry for the state of intermediate preloading, as well as what errors
occur during the process.
Dana- will solicit data review today, too.
Differential Revision: https://phabricator.services.mozilla.com/D19507
--HG--
extra : moz-landing-system : lando
Move functionality out of XULDocument::AddElementToDocumentPost:
1) Convert all XUL link elements into HTML link elements which have
code to handle when they are added to the DOM.
2) Move handling of the end of a linkset element into nsXULElement's DoneAddingChildren callback.
3) Move document direction reset to where the root element is created.
Differential Revision: https://phabricator.services.mozilla.com/D19739
--HG--
extra : moz-landing-system : lando
This is a follow-up to the previous part, which actually changes one of
these callers to use Array<nsIIDRef> instead of [array] nsIIDPtr.
From doing this patch, it seems like we should consider changing
the type `nsIIDRef` to instead simply be `nsIID`, and treat it more like
the `AString` types from the POV of XPIDL. `nsIIDPtr` would then
continue to exist for backwards compatibility, but we can probably
remove almost all current consumers over time.
Depends on D19175
Differential Revision: https://phabricator.services.mozilla.com/D19176
--HG--
extra : moz-landing-system : lando
Replacing js and text occurences of asyncOpen2
Replacing open2 with open
Differential Revision: https://phabricator.services.mozilla.com/D16885
--HG--
rename : layout/style/test/test_asyncopen2.html => layout/style/test/test_asyncopen.html
extra : moz-landing-system : lando
Allow file-write-unlink in ~/Library/Preferences/Macromedia/Flash Player to allow changes made in the Flash Global Settings panel to persist.
Differential Revision: https://phabricator.services.mozilla.com/D19217
--HG--
extra : moz-landing-system : lando
As of bug 1514118, NSS is not the only place NSSCertDBTrustDomain looks for
issuer certificates. However, the initial implementation did not take into
account that NSSCertDBTrustDomain::FindIssuer would return early if NSS did not
find candidate issuers, resulting in unknown issuer errors for third party
roots. This patch fixes that bug by not returning early.
Differential Revision: https://phabricator.services.mozilla.com/D19058
--HG--
extra : moz-landing-system : lando
This patch:
* Classifies RemoteSecuritySettings as production.
* Add detailed logging controlled by the browser.policies.loglevel pref.
* Generally make RemoteSecuritySettings match other services better.
* Move to hex-encoded hashes to match Kinto.
* Adds RemoteSecuritySettings to blocklist-clients. This may not be the
permanent home.
* Adds a preference for how many certs to download at once.
* Adds an Observer interface.
(This makes the tests more predictable, but it also avoids having a
duplicate call when the full "sync" is called.)
Differential Revision: https://phabricator.services.mozilla.com/D19043
--HG--
extra : moz-landing-system : lando
Previously, the GPU sandbox was enabled and caused the VR service to break.
The VR service has now been moved into its own process, and now the GPU
sandbox should be able to work fine. We will initially apply sandbox level '1'
for a time, and then increase to sandbox level '2' if everything works just
fine.
Differential Revision: https://phabricator.services.mozilla.com/D18876
--HG--
extra : moz-landing-system : lando
Gian-Carlo Pascutto
ffxbld
Sylvestre Ledru
Myk Melez
J.C. Jones
Mark Banner
Haik Aftandilian
Dana Keeler
Nan Jiang
Cosmin Sabou
J.C. Jones
Jonas Allmann
Eden Chuang
Jeff Walden
Narcis Beleuzu
srujana
monikamaheshwari
brendaadel
Nicholas Nethercote
Brian Grinstead
shindli
Ian Moody
Andreea Pavel
Mark Goodwin
Alex Gaynor
Razvan Maries
Trushita
Dorel Luca
Csoregi Natalia
Kai Engert
Chris Pearce
David Major
arthur.iakab
Neil Deakin
Valentin Gosu
Tim Nguyen
m.boselli
Jorg K
Gurzau Raul
Oana Pop Rus
Boris Zbarsky
Jonathan Kingston
Jed Davis
Mathieu Leplatre
Nika Layzell
Noemi Erli
Christoph Kerschbaumer
Masatoshi Kimura
Bob Owen
Daniel Varga
Kris Maglione
Mike Hommey
Brendan Dahl
Chris Martin