Bug 1551886: Check the parent scheme for NullPrincipals via the precusor principal. r=ckerschb

Differential Revision: https://phabricator.services.mozilla.com/D119977
2024-12-02 18:08:58 +00:00 · 2021-07-22 10:18:57 +00:00 · 2021-07-22 10:18:57 +00:00 · 22a59e14de
commit 22a59e14de
parent edb16ba59a
6 changed files with 79 additions and 52 deletions
--- a/dom/security/nsMixedContentBlocker.cpp
+++ b/dom/security/nsMixedContentBlocker.cpp
@ -367,6 +367,21 @@ bool nsMixedContentBlocker::IsPotentiallyTrustworthyOrigin(nsIURI* aURI) {
  return false;
 }

+/*
+ * Return the URI of the precusor principal or the URI of aPrincipal if there is
+ * no precursor URI.
+ */
+static already_AddRefed<nsIURI> GetPrincipalURIOrPrecursorPrincialURI(
+    nsIPrincipal* aPrincipal) {
+  nsCOMPtr<nsIURI> precursorURI = nullptr;
+  if (aPrincipal->GetIsNullPrincipal()) {
+    nsCOMPtr<nsIPrincipal> precursorPrin = aPrincipal->GetPrecursorPrincipal();
+    precursorURI = precursorPrin ? precursorPrin->GetURI() : nullptr;
+  }
+
+  return precursorURI ? precursorURI.forget() : aPrincipal->GetURI();
+}
+
 /* Static version of ShouldLoad() that contains all the Mixed Content Blocker
 * logic.  Called from non-static ShouldLoad().
 */
@ -614,12 +629,14 @@ nsresult nsMixedContentBlocker::ShouldLoad(bool aHadInsecureImageRedirect,
  nsCOMPtr<nsIURI> requestingLocation;
  auto* baseLoadingPrincipal = BasePrincipal::Cast(loadingPrincipal);
  if (baseLoadingPrincipal) {
-    baseLoadingPrincipal->GetURI(getter_AddRefs(requestingLocation));
+    requestingLocation =
+        GetPrincipalURIOrPrecursorPrincialURI(baseLoadingPrincipal);
  }
  if (!requestingLocation) {
    auto* baseTriggeringPrincipal = BasePrincipal::Cast(triggeringPrincipal);
    if (baseTriggeringPrincipal) {
-      baseTriggeringPrincipal->GetURI(getter_AddRefs(requestingLocation));
+      requestingLocation =
+          GetPrincipalURIOrPrecursorPrincialURI(baseTriggeringPrincipal);
    }
  }

--- a/dom/security/test/mixedcontentblocker/file_bug1551886.html
+++ b/dom/security/test/mixedcontentblocker/file_bug1551886.html
@ -0,0 +1,25 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+</head>
+
+<body>
+<script>
+    let f = document.createElement("iframe");
+    f.src = "data:text/html,<iframe src='http://example.com' onload=\"parent.postMessage({status:'loaded', type: 'http'}, 'https://example.com')\" onerror=\"parent.postMessage({status:'blocked', type: 'http'}, 'https://example.com')\"></iframe>";
+    window.addEventListener("message", (event) => {
+        parent.postMessage(event.data, "http://mochi.test:8888");
+
+        // Only create second iframe once
+        if(event.data.type === "https") {
+            return;
+        }
+
+        let f2 = document.createElement("iframe");
+        f2.src = "data:text/html,<iframe src='https://example.com' onload=\"parent.postMessage({status:'loaded', type: 'https'}, 'https://example.com')\" onerror=\"parent.postMessage({status:'blocked', type: 'https'}, 'https://example.com')\"></iframe>";
+        document.body.appendChild(f2);
+    });
+    document.body.appendChild(f);
+</script>
+</body>
+</html>
--- a/dom/security/test/mixedcontentblocker/mochitest.ini
+++ b/dom/security/test/mixedcontentblocker/mochitest.ini
@ -19,6 +19,7 @@ support-files =
  !/image/test/mochitest/blue.png
  file_redirect.html
  file_redirect_handler.sjs
+  file_bug1551886.html

 [test_main.html]
 skip-if =
@ -30,3 +31,4 @@ skip-if = (os=='linux' && bits==32) || headless || tsan # Linux32:bug 1324870; H
 skip-if =
    webrender  # Bug 1424752
 [test_redirect.html]
+[test_bug1551886.html]
--- a/dom/security/test/mixedcontentblocker/test_bug1551886.html
+++ b/dom/security/test/mixedcontentblocker/test_bug1551886.html
@ -0,0 +1,33 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+<title>Bug 1551886: Opaque documents aren't considered in the mixed content blocker</title>
+<script src="/tests/SimpleTest/SimpleTest.js"></script>
+<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+
+<body>
+<script class="testbody" type="text/javascript">
+
+SimpleTest.waitForExplicitFinish();
+
+let f = document.createElement("iframe");
+f.src = "https://example.com/tests/dom/security/test/mixedcontentblocker/file_bug1551886.html";
+
+window.addEventListener("message", (event) => {
+    switch(event.data.type) {
+        case 'http':
+            is(event.data.status, "blocked", "nested load of http://example should get blocked by the MCB");
+            break
+        case 'https':
+            is(event.data.status, "loaded", "nested load of https://example should not get blocked by the MCB");
+            SimpleTest.finish();
+            break;
+    }
+});
+
+document.body.appendChild(f); 
+
+</script>
+</body>
+</html>
--- a/testing/web-platform/meta/mixed-content/gen/worker-classic-data.http-rp/opt-in/fetch.https.html.ini
+++ b/testing/web-platform/meta/mixed-content/gen/worker-classic-data.http-rp/opt-in/fetch.https.html.ini
@ -1,25 +0,0 @@
-[fetch.https.html]
-  [Mixed-Content: Expects blocked for fetch to same-https origin and swap-scheme redirection from https context.]
-    expected: FAIL
-
-  [Mixed-Content: Expects blocked for fetch to cross-http origin and keep-scheme redirection from https context.]
-    expected: FAIL
-
-  [Mixed-Content: Expects blocked for fetch to cross-http origin and no-redirect redirection from https context.]
-    expected: FAIL
-
-  [Mixed-Content: Expects blocked for fetch to cross-http origin and swap-scheme redirection from https context.]
-    expected: FAIL
-
-  [Mixed-Content: Expects blocked for fetch to cross-https origin and swap-scheme redirection from https context.]
-    expected: FAIL
-
-  [Mixed-Content: Expects blocked for fetch to same-http origin and keep-scheme redirection from https context.]
-    expected: FAIL
-
-  [Mixed-Content: Expects blocked for fetch to same-http origin and swap-scheme redirection from https context.]
-    expected: FAIL
-
-  [Mixed-Content: Expects blocked for fetch to same-http origin and no-redirect redirection from https context.]
-    expected: FAIL
-
--- a/testing/web-platform/meta/mixed-content/gen/worker-classic-data.http-rp/opt-in/xhr.https.html.ini
+++ b/testing/web-platform/meta/mixed-content/gen/worker-classic-data.http-rp/opt-in/xhr.https.html.ini
@ -1,25 +0,0 @@
-[xhr.https.html]
-  [Mixed-Content: Expects blocked for xhr to same-http origin and swap-scheme redirection from https context.]
-    expected: FAIL
-
-  [Mixed-Content: Expects blocked for xhr to same-https origin and swap-scheme redirection from https context.]
-    expected: FAIL
-
-  [Mixed-Content: Expects blocked for xhr to cross-https origin and swap-scheme redirection from https context.]
-    expected: FAIL
-
-  [Mixed-Content: Expects blocked for xhr to cross-http origin and no-redirect redirection from https context.]
-    expected: FAIL
-
-  [Mixed-Content: Expects blocked for xhr to same-http origin and keep-scheme redirection from https context.]
-    expected: FAIL
-
-  [Mixed-Content: Expects blocked for xhr to same-http origin and no-redirect redirection from https context.]
-    expected: FAIL
-
-  [Mixed-Content: Expects blocked for xhr to cross-http origin and keep-scheme redirection from https context.]
-    expected: FAIL
-
-  [Mixed-Content: Expects blocked for xhr to cross-http origin and swap-scheme redirection from https context.]
-    expected: FAIL
-