From 7f6848365ce80503b1b12a6d476cc7debcb97714 Mon Sep 17 00:00:00 2001
From: Justin Dolske
Date: Tue, 16 Jun 2015 12:28:42 -0700
Subject: [PATCH] Bug 1109475 - Firefox should use HTTPS instead of HTTP for Safe Browsing URLs. r=gcp
---
 .../source/python-lib/cuddlefish/prefs.py | 1 -
 .../test/preferences/no-connections.json | 1 -
 b2g/app/b2g.js | 9 ++--
 browser/app/profile/firefox.js | 10 ++--
 browser/base/content/browser-safebrowsing.js | 12 +----
 browser/base/content/browser.js | 4 +-
 .../base/content/report-phishing-overlay.xul | 2 +-
 mobile/android/app/mobile.js | 10 ++--
 .../url-classifier/SafeBrowsing.jsm | 48 ++++++++++++-------
 9 files changed, 43 insertions(+), 54 deletions(-)
diff --git a/addon-sdk/source/python-lib/cuddlefish/prefs.py b/addon-sdk/source/python-lib/cuddlefish/prefs.py
index 78ecfc36b5b8..2636bba6a7c7 100644
--- a/addon-sdk/source/python-lib/cuddlefish/prefs.py
+++ b/addon-sdk/source/python-lib/cuddlefish/prefs.py
@@ -60,7 +60,6 @@ DEFAULT_NO_CONNECTIONS_PREFS = {
 'browser.safebrowsing.enabled' : False,
 'browser.safebrowsing.updateURL': 'http://localhost/safebrowsing-dummy/update',
 'browser.safebrowsing.gethashURL': 'http://localhost/safebrowsing-dummy/gethash',
- 'browser.safebrowsing.reportURL': 'http://localhost/safebrowsing-dummy/report',
 'browser.safebrowsing.malware.reportURL': 'http://localhost/safebrowsing-dummy/malwarereport',
 'browser.selfsupport.url': 'https://localhost/selfsupport-dummy',
 'browser.trackingprotection.gethashURL': 'http://localhost/safebrowsing-dummy/gethash',
diff --git a/addon-sdk/source/test/preferences/no-connections.json b/addon-sdk/source/test/preferences/no-connections.json
index 396e7e33729a..5f00738fb7d1 100644
--- a/addon-sdk/source/test/preferences/no-connections.json
+++ b/addon-sdk/source/test/preferences/no-connections.json
@@ -17,7 +17,6 @@
 "browser.safebrowsing.enabled": false,
 "browser.safebrowsing.updateURL": "http://localhost/safebrowsing-dummy/update",
 "browser.safebrowsing.gethashURL": "http://localhost/safebrowsing-dummy/gethash",
- "browser.safebrowsing.reportURL": "http://localhost/safebrowsing-dummy/report",
 "browser.safebrowsing.malware.reportURL": "http://localhost/safebrowsing-dummy/malwarereport",
 "browser.selfsupport.url": "https://localhost/selfsupport-dummy",
 "browser.trackingprotection.gethashURL": "http://localhost/safebrowsing-dummy/gethash",
diff --git a/b2g/app/b2g.js b/b2g/app/b2g.js
index e2b49526a2aa..1a2d58efaef0 100644
--- a/b2g/app/b2g.js
+++ b/b2g/app/b2g.js
@@ -360,12 +360,9 @@ pref("browser.safebrowsing.malware.enabled", false); pref("browser.safebrowsing.debug", false); pref("browser.safebrowsing.updateURL", "https://safebrowsing.google.com/safebrowsing/downloads?client=SAFEBROWSING_ID&appver=%VERSION%&pver=2.2&key=%GOOGLE_API_KEY%"); pref("browser.safebrowsing.gethashURL", "https://safebrowsing.google.com/safebrowsing/gethash?client=SAFEBROWSING_ID&appver=%VERSION%&pver=2.2"); -pref("browser.safebrowsing.reportURL", "https://safebrowsing.google.com/safebrowsing/report?"); -pref("browser.safebrowsing.reportGenericURL", "http://%LOCALE%.phish-generic.mozilla.com/?hl=%LOCALE%"); -pref("browser.safebrowsing.reportErrorURL", "http://%LOCALE%.phish-error.mozilla.com/?hl=%LOCALE%"); -pref("browser.safebrowsing.reportPhishURL", "http://%LOCALE%.phish-report.mozilla.com/?hl=%LOCALE%"); -pref("browser.safebrowsing.reportMalwareURL", "http://%LOCALE%.malware-report.mozilla.com/?hl=%LOCALE%"); -pref("browser.safebrowsing.reportMalwareErrorURL", "http://%LOCALE%.malware-error.mozilla.com/?hl=%LOCALE%"); +pref("browser.safebrowsing.reportPhishMistakeURL", "https://%LOCALE%.phish-error.mozilla.com/?hl=%LOCALE%&url="); +pref("browser.safebrowsing.reportPhishURL", "https://%LOCALE%.phish-report.mozilla.com/?hl=%LOCALE%&url="); +pref("browser.safebrowsing.reportMalwareMistakeURL", "https://%LOCALE%.malware-error.mozilla.com/?hl=%LOCALE%&url="); pref("browser.safebrowsing.appRepURL", "https://sb-ssl.google.com/safebrowsing/clientreport/download?key=%GOOGLE_API_KEY%"); pref("browser.safebrowsing.id", "Firefox"); diff --git a/browser/app/profile/firefox.js b/browser/app/profile/firefox.js index e2677e06682a..bc876e9f57ae 100644 --- a/browser/app/profile/firefox.js +++ b/browser/app/profile/firefox.js 
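Review bot: The three new report prefs carry an undocumented contract: each value has to end in `&url=`, because `SafeBrowsing.getReportURL()` (added later in this patch) appends the encoded page URL with no separator of its own. `browser.safebrowsing.reportPhishURL` keeps its old name while its expected format changes, so a profile or distribution that still overrides it with the old value would presumably yield a malformed report URL. A comment above these lines such as `// Report URLs must end in "url=": SafeBrowsing.getReportURL() appends the encoded page URL directly.` would make that explicit; the same applies to the matching hunks in browser/app/profile/firefox.js and mobile/android/app/mobile.js. The move to https also assumes every `%LOCALE%.*.mozilla.com` report host presents a valid certificate, which cannot be confirmed from the patch.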
@@ -981,13 +981,9 @@ pref("browser.safebrowsing.debug", false); pref("browser.safebrowsing.updateURL", "https://safebrowsing.google.com/safebrowsing/downloads?client=SAFEBROWSING_ID&appver=%VERSION%&pver=2.2&key=%GOOGLE_API_KEY%"); pref("browser.safebrowsing.gethashURL", "https://safebrowsing.google.com/safebrowsing/gethash?client=SAFEBROWSING_ID&appver=%VERSION%&pver=2.2"); -pref("browser.safebrowsing.reportURL", "https://safebrowsing.google.com/safebrowsing/report?"); -pref("browser.safebrowsing.reportGenericURL", "http://%LOCALE%.phish-generic.mozilla.com/?hl=%LOCALE%"); -pref("browser.safebrowsing.reportErrorURL", "http://%LOCALE%.phish-error.mozilla.com/?hl=%LOCALE%"); -pref("browser.safebrowsing.reportPhishURL", "http://%LOCALE%.phish-report.mozilla.com/?hl=%LOCALE%"); -pref("browser.safebrowsing.reportMalwareURL", "http://%LOCALE%.malware-report.mozilla.com/?hl=%LOCALE%"); -pref("browser.safebrowsing.reportMalwareErrorURL", "http://%LOCALE%.malware-error.mozilla.com/?hl=%LOCALE%"); - +pref("browser.safebrowsing.reportPhishMistakeURL", "https://%LOCALE%.phish-error.mozilla.com/?hl=%LOCALE%&url="); +pref("browser.safebrowsing.reportPhishURL", "https://%LOCALE%.phish-report.mozilla.com/?hl=%LOCALE%&url="); +pref("browser.safebrowsing.reportMalwareMistakeURL", "https://%LOCALE%.malware-error.mozilla.com/?hl=%LOCALE%&url="); pref("browser.safebrowsing.malware.reportURL", "https://safebrowsing.google.com/safebrowsing/diagnostic?client=%NAME%&hl=%LOCALE%&site="); pref("browser.safebrowsing.appRepURL", "https://sb-ssl.google.com/safebrowsing/clientreport/download?key=%GOOGLE_API_KEY%"); diff --git a/browser/base/content/browser-safebrowsing.js b/browser/base/content/browser-safebrowsing.js index aa0c65f57a5e..9f84b0ce0ab6 100644 --- a/browser/base/content/browser-safebrowsing.js +++ b/browser/base/content/browser-safebrowsing.js 
@@ -36,17 +36,7 @@ var gSafeBrowsing = {
 * @return String the report phishing URL.
 */
 getReportURL: function(name) {
- var reportUrl = SafeBrowsing.getReportURL(name);
-
- var pageUri = gBrowser.currentURI.clone();
-
- // Remove the query to avoid including potentially sensitive data
- if (pageUri instanceof Ci.nsIURL)
- pageUri.query = '';
-
- reportUrl += "&url=" + encodeURIComponent(pageUri.asciiSpec);
-
- return reportUrl;
+ return SafeBrowsing.getReportURL(name, gBrowser.currentURI);
 }
 }
 #endif
diff --git a/browser/base/content/browser.js b/browser/base/content/browser.js
index 0f4b5f7b6c88..f7806a71bb54 100644
--- a/browser/base/content/browser.js
+++ b/browser/base/content/browser.js
@@ -3019,7 +3019,7 @@ let BrowserOnClick = {
 label: gNavigatorBundle.getString("safebrowsing.notAnAttackButton.label"),
 accessKey: gNavigatorBundle.getString("safebrowsing.notAnAttackButton.accessKey"),
 callback: function() {
- openUILinkIn(gSafeBrowsing.getReportURL('MalwareError'), 'tab');
+ openUILinkIn(gSafeBrowsing.getReportURL('MalwareMistake'), 'tab');
 }
 };
 } else if (reason === 'phishing') {
@@ -3028,7 +3028,7 @@ let BrowserOnClick = {
 label: gNavigatorBundle.getString("safebrowsing.notAForgeryButton.label"),
 accessKey: gNavigatorBundle.getString("safebrowsing.notAForgeryButton.accessKey"),
 callback: function() {
- openUILinkIn(gSafeBrowsing.getReportURL('Error'), 'tab');
+ openUILinkIn(gSafeBrowsing.getReportURL('PhishMistake'), 'tab');
 }
 };
 } else if (reason === 'unwanted') {
diff --git a/browser/base/content/report-phishing-overlay.xul b/browser/base/content/report-phishing-overlay.xul
index 76baf01da3b0..d4c050e9765c 100644
--- a/browser/base/content/report-phishing-overlay.xul
+++ b/browser/base/content/report-phishing-overlay.xul
@@ -29,7 +29,7 @@ accesskey="&reportPhishSiteMenu.accesskey;" insertbefore="aboutSeparator" observes="reportPhishingErrorBroadcaster" - oncommand="openUILinkIn(gSafeBrowsing.getReportURL('Error'), 'tab');" + oncommand="openUILinkIn(gSafeBrowsing.getReportURL('PhishMistake'), 'tab');" onclick="checkForMiddleClick(this, event);"/> diff --git a/mobile/android/app/mobile.js b/mobile/android/app/mobile.js index 858f7674f581..3590e690b504 100644 --- a/mobile/android/app/mobile.js +++ b/mobile/android/app/mobile.js 
@@ -599,13 +599,9 @@ pref("browser.safebrowsing.debug", false); pref("browser.safebrowsing.updateURL", "https://safebrowsing.google.com/safebrowsing/downloads?client=SAFEBROWSING_ID&appver=%VERSION%&pver=2.2&key=%GOOGLE_API_KEY%"); pref("browser.safebrowsing.gethashURL", "https://safebrowsing.google.com/safebrowsing/gethash?client=SAFEBROWSING_ID&appver=%VERSION%&pver=2.2"); -pref("browser.safebrowsing.reportURL", "https://safebrowsing.google.com/safebrowsing/report?"); -pref("browser.safebrowsing.reportGenericURL", "http://%LOCALE%.phish-generic.mozilla.com/?hl=%LOCALE%"); -pref("browser.safebrowsing.reportErrorURL", "http://%LOCALE%.phish-error.mozilla.com/?hl=%LOCALE%"); -pref("browser.safebrowsing.reportPhishURL", "http://%LOCALE%.phish-report.mozilla.com/?hl=%LOCALE%"); -pref("browser.safebrowsing.reportMalwareURL", "http://%LOCALE%.malware-report.mozilla.com/?hl=%LOCALE%"); -pref("browser.safebrowsing.reportMalwareErrorURL", "http://%LOCALE%.malware-error.mozilla.com/?hl=%LOCALE%"); - +pref("browser.safebrowsing.reportPhishMistakeURL", "https://%LOCALE%.phish-error.mozilla.com/?hl=%LOCALE%&url="); +pref("browser.safebrowsing.reportPhishURL", "https://%LOCALE%.phish-report.mozilla.com/?hl=%LOCALE%&url="); +pref("browser.safebrowsing.reportMalwareMistakeURL", "https://%LOCALE%.malware-error.mozilla.com/?hl=%LOCALE%&url="); pref("browser.safebrowsing.malware.reportURL", "https://safebrowsing.google.com/safebrowsing/diagnostic?client=%NAME%&hl=%LOCALE%&site="); pref("browser.safebrowsing.id", @MOZ_APP_UA_NAME@); diff --git a/toolkit/components/url-classifier/SafeBrowsing.jsm b/toolkit/components/url-classifier/SafeBrowsing.jsm index 5593c214d04b..8d6bbfe9fdd3 100644 --- a/toolkit/components/url-classifier/SafeBrowsing.jsm +++ b/toolkit/components/url-classifier/SafeBrowsing.jsm 
@@ -90,15 +90,36 @@ this.SafeBrowsing = { gethashURL: null, reportURL: null, - reportGenericURL: null, - reportErrorURL: null, - reportPhishURL: null, - reportMalwareURL: null, - reportMalwareErrorURL: null, + getReportURL: function(kind, URI) { + let pref; + switch (kind) { + case "Phish": + pref = "browser.safebrowsing.reportPhishURL"; + break; + case "PhishMistake": + pref = "browser.safebrowsing.reportPhishMistakeURL"; + break; + case "MalwareMistake": + pref = "browser.safebrowsing.reportMalwareMistakeURL"; + break; - getReportURL: function(kind) { - return this["report" + kind + "URL"]; + default: + let err = "SafeBrowsing getReportURL() called with unknown kind: " + kind; + Components.utils.reportError(err); + throw err; + } + let reportUrl = Services.urlFormatter.formatURLPref(pref); + + let pageUri = URI.clone(); + + // Remove the query to avoid including potentially sensitive data + if (pageUri instanceof Ci.nsIURL) + pageUri.query = ''; + + reportUrl += encodeURIComponent(pageUri.asciiSpec); + + return reportUrl; }, 
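Review bot: In the added `getReportURL`, only `pageUri.query` is cleared before `asciiSpec` is encoded and appended, so a fragment or a `user:password@` part of the page URL would still be sent to the report host, although the comment's stated goal is to avoid including sensitive data. Consider starting from `let pageUri = URI.cloneIgnoringRef();` and also clearing the userinfo, for example `pageUri.userPass = '';`, guarded for URI types that reject the assignment (to be confirmed against nsIURI behaviour). Separately, the `default:` branch throws a bare string, which loses the stack for the caller; `throw new Error(err);` would keep it.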
@@ -128,19 +149,10 @@ this.SafeBrowsing = { } log("initializing safe browsing URLs, client id ", clientID); - let basePref = "browser.safebrowsing."; - - // Urls to HTML report pages - this.reportURL = Services.urlFormatter.formatURLPref(basePref + "reportURL"); - this.reportGenericURL = Services.urlFormatter.formatURLPref(basePref + "reportGenericURL"); - this.reportErrorURL = Services.urlFormatter.formatURLPref(basePref + "reportErrorURL"); - this.reportPhishURL = Services.urlFormatter.formatURLPref(basePref + "reportPhishURL"); - this.reportMalwareURL = Services.urlFormatter.formatURLPref(basePref + "reportMalwareURL"); - this.reportMalwareErrorURL = Services.urlFormatter.formatURLPref(basePref + "reportMalwareErrorURL"); // Urls used to update DB - this.updateURL = Services.urlFormatter.formatURLPref(basePref + "updateURL"); - this.gethashURL = Services.urlFormatter.formatURLPref(basePref + "gethashURL"); + this.updateURL = Services.urlFormatter.formatURLPref("browser.safebrowsing.updateURL"); + this.gethashURL = Services.urlFormatter.formatURLPref("browser.safebrowsing.gethashURL"); this.updateURL = this.updateURL.replace("SAFEBROWSING_ID", clientID); this.gethashURL = this.gethashURL.replace("SAFEBROWSING_ID", clientID);
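Review bot: Once this hunk removes `this.reportURL = ...` from the initialisation code, the `reportURL: null` property kept as context in the previous hunk has no visible writer, and its pref is deleted from the pref files in this same patch. It looks like a leftover that could be dropped together with the other `report*URL` fields, unless something outside the diff still reads `SafeBrowsing.reportURL`. The enclosing function starts and ends outside the hunk.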