Bug 1732069: Consider loopback origin for Sec-Fetch-Site: same-site r=ckerschb

Differential Revision: https://phabricator.services.mozilla.com/D129152

build/pgo/server-locations.txt

@@ -340,6 +340,9 @@ https://localhost:443
 # Bug 1402530
 http://localhost:80                 privileged
 
+http://localhost:9898
+http://localhost:9899
+
 # Host for testing APIs whitelisted for mozilla.org
 https://www.mozilla.org:443
 

dom/security/SecFetch.cpp

@@ -209,7 +209,9 @@ bool IsSameSite(nsIChannel* aHTTPChannel) {
   // if the initial request is not same-site, or not https, we can
   // return here because we already know it's not a same-site request
   if (!hostDomain.Equals(channelDomain) ||
-      !loadInfo->TriggeringPrincipal()->SchemeIs("https")) {
+      (!loadInfo->TriggeringPrincipal()->SchemeIs("https") &&
+       !nsMixedContentBlocker::IsPotentiallyTrustworthyLoopbackHost(
+           hostDomain))) {
     return false;
   }
 

dom/security/test/sec-fetch/file_trustworthy_loopback.html

@@ -0,0 +1,11 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug 1732069: Sec-Fetch-Site inconsistent on localhost/IPs</title>
+</head>
+<body>
+  <iframe src="http://localhost:9898/foo"></iframe>
+  <iframe src="http://localhost:9899/foo"></iframe>
+  <iframe src="http://sub.localhost/foo"></iframe>
+</body>
+</html>

dom/security/test/sec-fetch/mochitest.ini

@@ -10,3 +10,5 @@ support-files = file_websocket_wsh.py
 [test_iframe_srcdoc_metaRedirect.html]
 [test_iframe_window_open_metaRedirect.html]
 [test_iframe_history_manipulation.html]
+[test_trustworthy_loopback.html]
+support-files = file_trustworthy_loopback.html

dom/security/test/sec-fetch/test_trustworthy_loopback.html

@@ -0,0 +1,79 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug 1732069: Sec-Fetch-Site inconsistent on localhost/IPs</title>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<script type="application/javascript">
+
+SimpleTest.waitForExplicitFinish();
+
+let testsSucceeded = 0;
+
+let win;
+function checkTestsDone() {
+  testsSucceeded++;
+  if (testsSucceeded == 3) {
+    win.close();
+    SimpleTest.finish();
+  }
+}
+
+/* eslint-env mozilla/frame-script */
+var script = SpecialPowers.loadChromeScript(() => {
+  const {Services} = ChromeUtils.import("resource://gre/modules/Services.jsm");
+
+  Services.obs.addObserver(function onExamResp(subject, topic, data) {
+    let channel = subject.QueryInterface(Ci.nsIHttpChannel);
+    if (!channel.URI.spec.includes("localhost") ||
+        channel.URI.spec.startsWith("http://localhost:9898/tests/dom/security/test/sec-fetch/file_trustworthy_loopback.html")) {
+      return;
+    }
+
+    const expectedHeaders = {
+      "localhost:9898": {
+        "sec-fetch-site": "same-origin",
+        "sec-fetch-mode": "navigate",
+        "sec-fetch-dest": "iframe",
+      },
+      "sub.localhost:-1": {
+        "sec-fetch-site": "cross-site",
+        "sec-fetch-mode": "navigate",
+        "sec-fetch-dest": "iframe",
+      },
+      "localhost:9899": {
+        "sec-fetch-site": "same-site",
+        "sec-fetch-mode": "navigate",
+        "sec-fetch-dest": "iframe",
+      },
+    };
+
+    info(`checking headers for request to ${channel.URI.spec}`);
+    const expected = expectedHeaders[channel.URI.host + ":" + channel.URI.port];
+    for (let key in expected) {
+      try {
+        is(channel.getRequestHeader(key), expected[key], `${key} header matches`);
+      } catch (e) {
+        ok(false, "failed to check headers");
+      }
+    }
+    sendAsyncMessage("test-end");
+  }, "http-on-stop-request");
+});
+
+script.addMessageListener("test-end", () => {
+  checkTestsDone();
+});
+
+SpecialPowers.pushPrefEnv({set: [
+  ["network.proxy.allow_hijacking_localhost", true],
+  ["network.proxy.testing_localhost_is_secure_when_hijacked", true],
+]}).then(function() {
+  win = window.open("http://localhost:9898/tests/dom/security/test/sec-fetch/file_trustworthy_loopback.html");
+});
+
+</script>
+</body>
+</html>