Bug 1886184 - Add HTTPS-Only Permission Types exclusively for HTTPS-First r=freddyb,simonf

Introduce the two new value types "FIRST_LOAD_INSECURE_ALLOW" and "FIRST_LOAD_INSECURE_ALLOW_SESSION" for permission "https-only-load-insecure". While the existing values apply to both HTTPS-Only and HTTPS-First, these will only apply to HTTPS-First. Additionally, they will not be displayed in the UI (HTTPS-Only settings and identity pane). Differential Revision: https://phabricator.services.mozilla.com/D205713
2024-11-27 06:43:32 +00:00 · 2024-05-27 18:57:24 +00:00 · 2024-05-27 18:57:24 +00:00 · 08b5db9eb3
commit 08b5db9eb3
parent 3c2759e1f6
3 changed files with 21 additions and 5 deletions
--- a/dom/security/nsHTTPSOnlyUtils.cpp
+++ b/dom/security/nsHTTPSOnlyUtils.cpp
@ -691,7 +691,8 @@ bool nsHTTPSOnlyUtils::CouldBeHttpsOnlyError(nsIChannel* aChannel,
 }

 /* static */
-bool nsHTTPSOnlyUtils::TestIfPrincipalIsExempt(nsIPrincipal* aPrincipal) {
+bool nsHTTPSOnlyUtils::TestIfPrincipalIsExempt(nsIPrincipal* aPrincipal,
+                                               bool aCheckForHTTPSFirst) {
  static nsCOMPtr<nsIPermissionManager> sPermMgr;
  if (!sPermMgr) {
    sPermMgr = mozilla::components::PermissionManager::Service();
@ -705,7 +706,11 @@ bool nsHTTPSOnlyUtils::TestIfPrincipalIsExempt(nsIPrincipal* aPrincipal) {
  NS_ENSURE_SUCCESS(rv, false);

  return perm == nsIHttpsOnlyModePermission::LOAD_INSECURE_ALLOW ||
-         perm == nsIHttpsOnlyModePermission::LOAD_INSECURE_ALLOW_SESSION;
+         perm == nsIHttpsOnlyModePermission::LOAD_INSECURE_ALLOW_SESSION ||
+         (aCheckForHTTPSFirst &&
+          (perm == nsIHttpsOnlyModePermission::HTTPSFIRST_LOAD_INSECURE_ALLOW ||
+           perm == nsIHttpsOnlyModePermission::
+                       HTTPSFIRST_LOAD_INSECURE_ALLOW_SESSION));
 }

 /* static */
@ -744,7 +749,8 @@ void nsHTTPSOnlyUtils::TestSitePermissionAndPotentiallyAddExemption(
  NS_ENSURE_SUCCESS_VOID(rv);

  uint32_t httpsOnlyStatus = loadInfo->GetHttpsOnlyStatus();
-  bool isPrincipalExempt = TestIfPrincipalIsExempt(principal);
+  bool isPrincipalExempt = TestIfPrincipalIsExempt(
+      principal, isHttpsFirst || isSchemelessHttpsFirst);
  if (isPrincipalExempt) {
    httpsOnlyStatus |= nsILoadInfo::HTTPS_ONLY_EXEMPT;
  } else {
--- a/dom/security/nsHTTPSOnlyUtils.h
+++ b/dom/security/nsHTTPSOnlyUtils.h
@ -132,7 +132,8 @@ class nsHTTPSOnlyUtils {
   * @param  aPrincipal The principal for whom the exception should be checked
   * @return            True if exempt
   */
-  static bool TestIfPrincipalIsExempt(nsIPrincipal* aPrincipal);
+  static bool TestIfPrincipalIsExempt(nsIPrincipal* aPrincipal,
+                                      bool aCheckForHTTPSFirst = false);

  /**
   * Tests if the HTTPS-Only Mode upgrade exception is set for channel result
--- a/dom/security/nsIHttpsOnlyModePermission.idl
+++ b/dom/security/nsIHttpsOnlyModePermission.idl
@ -3,8 +3,9 @@
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

 #include "nsISupports.idl"
+
 /**
- * An interface to test for cookie permissions
+ * HTTPS-Only/First permission types
 */
 [scriptable, uuid(73f4f039-d6ff-41a7-9eb3-00db57b0b7f4)]
 interface nsIHttpsOnlyModePermission : nsISupports
@ -23,4 +24,12 @@ interface nsIHttpsOnlyModePermission : nsISupports
   * any methods on this interface.
   */
  const uint32_t LOAD_INSECURE_ALLOW_SESSION = 9;
+  /**
+    * While LOAD_INSECURE_ALLOW and LOAD_INSECURE_ALLOW_SESSION apply to both
+    * HTTPS-Only and HTTPS-First, the following two values work analogous, but
+    * only apply to HTTPS-First. Permissions with these values set will not be
+    * displayed in the UI.
+   */
+  const uint32_t HTTPSFIRST_LOAD_INSECURE_ALLOW = 10;
+  const uint32_t HTTPSFIRST_LOAD_INSECURE_ALLOW_SESSION = 11;
 };