Bug 1700103 - Disallow to use https rr for internal requests r=necko-reviewers,dragana

Differential Revision: https://phabricator.services.mozilla.com/D109348
2025-02-17 14:25:49 +00:00 · 2021-03-24 08:11:22 +00:00 · 2021-03-24 08:11:22 +00:00 · 9e4f5f9c4a
commit 9e4f5f9c4a
parent 66f9604c86
8 changed files with 29 additions and 26 deletions
--- a/netwerk/protocol/http/TRRServiceChannel.cpp
+++ b/netwerk/protocol/http/TRRServiceChannel.cpp
@ -501,6 +501,7 @@ nsresult TRRServiceChannel::ContinueOnBeforeConnect() {

  if (LoadIsTRRServiceChannel()) {
    mCaps |= NS_HTTP_LARGE_KEEPALIVE;
+    mCaps |= NS_HTTP_DISALLOW_HTTPS_RR;
  }

  mCaps |= NS_HTTP_TRR_FLAGS_FROM_MODE(nsIRequest::GetTRRMode());
--- a/netwerk/protocol/http/nsHttp.h
+++ b/netwerk/protocol/http/nsHttp.h
@ -131,6 +131,8 @@ extern const nsCString kHttp3Versions[];
 // on a connection for an anonymous request.
 #define NS_HTTP_LOAD_ANONYMOUS_CONNECT_ALLOW_CLIENT_CERT (1 << 24)

+#define NS_HTTP_DISALLOW_HTTPS_RR (1 << 25)
+
 #define NS_HTTP_TRR_FLAGS_FROM_MODE(x) ((static_cast<uint32_t>(x) & 3) << 19)

 #define NS_HTTP_TRR_MODE_FROM_FLAGS(x) \
--- a/netwerk/protocol/http/nsHttpChannel.cpp
+++ b/netwerk/protocol/http/nsHttpChannel.cpp
@ -623,18 +623,6 @@ nsresult nsHttpChannel::MaybeUseHTTPSRRForUpgrade(bool aShouldUpgrade,
  }

  auto shouldSkipUpgradeWithHTTPSRR = [&]() -> bool {
-    if (LoadBeConservative()) {
-      return true;
-    }
-
-    // Skip upgrading channel triggered by system unless it is a top-level
-    // load.
-    if (mLoadInfo->TriggeringPrincipal()->IsSystemPrincipal() &&
-        mLoadInfo->GetExternalContentPolicyType() !=
-            ExtContentPolicy::TYPE_DOCUMENT) {
-      return true;
-    }
-
    nsAutoCString uriHost;
    mURI->GetAsciiHost(uriHost);

@ -728,6 +716,7 @@ nsresult nsHttpChannel::ContinueOnBeforeConnect(bool aShouldUpgrade,

  if (LoadIsTRRServiceChannel()) {
    mCaps |= NS_HTTP_LARGE_KEEPALIVE;
+    mCaps |= NS_HTTP_DISALLOW_HTTPS_RR;
  }

  mCaps |= NS_HTTP_TRR_FLAGS_FROM_MODE(nsIRequest::GetTRRMode());
@ -6612,11 +6601,6 @@ nsresult nsHttpChannel::BeginConnect() {
                      !(mCaps & NS_HTTP_BE_CONSERVATIVE) &&
                      !LoadBeConservative() && LoadAllowHttp3();

-  // No need to lookup HTTPSSVC record if mHTTPSSVCRecord already contains a
-  // value.
-  StoreUseHTTPSSVC(StaticPrefs::network_dns_upgrade_with_https_rr() &&
-                   mHTTPSSVCRecord.isNothing());
-
  RefPtr<AltSvcMapping> mapping;
  if (!mConnectionInfo && LoadAllowAltSvc() &&  // per channel
      (http2Allowed || http3Allowed) && !(mLoadFlags & LOAD_FRESH_CONNECTION) &&
@ -6665,9 +6649,6 @@ nsresult nsHttpChannel::BeginConnect() {
                               originAttributes);
    Telemetry::Accumulate(Telemetry::HTTP_TRANSACTION_USE_ALTSVC, true);
    Telemetry::Accumulate(Telemetry::HTTP_TRANSACTION_USE_ALTSVC_OE, !isHttps);
-
-    // Don't use HTTPSSVC record if we found altsvc mapping.
-    StoreUseHTTPSSVC(false);
  } else if (mConnectionInfo) {
    LOG(("nsHttpChannel %p Using channel supplied connection info", this));
    Telemetry::Accumulate(Telemetry::HTTP_TRANSACTION_USE_ALTSVC, false);
@ -6678,9 +6659,19 @@ nsresult nsHttpChannel::BeginConnect() {
    Telemetry::Accumulate(Telemetry::HTTP_TRANSACTION_USE_ALTSVC, false);
  }

-  if (mConnectionInfo->UsingConnect()) {
-    StoreUseHTTPSSVC(false);
+  bool httpsRRAllowed =
+      !LoadBeConservative() && !(mCaps & NS_HTTP_BE_CONSERVATIVE) &&
+      !(mLoadInfo->TriggeringPrincipal()->IsSystemPrincipal() &&
+        mLoadInfo->GetExternalContentPolicyType() !=
+            ExtContentPolicy::TYPE_DOCUMENT) &&
+      !mConnectionInfo->UsingConnect();
+  if (!httpsRRAllowed) {
+    mCaps |= NS_HTTP_DISALLOW_HTTPS_RR;
  }
+  // No need to lookup HTTPSSVC record if mHTTPSSVCRecord already contains a
+  // value.
+  StoreUseHTTPSSVC(StaticPrefs::network_dns_upgrade_with_https_rr() &&
+                   httpsRRAllowed && mHTTPSSVCRecord.isNothing());

  // Need to re-ask the handler, since mConnectionInfo may not be the connInfo
  // we used earlier
@ -6800,8 +6791,8 @@ nsresult nsHttpChannel::MaybeStartDNSPrefetch() {
  bool httpssvcQueried = false;
  // If https rr is not queried sucessfully, we have to reset mUseHTTPSSVC to
  // false. Otherwise, this channel may wait https rr forever.
-  auto resetUsHTTPSSVC =
-      MakeScopeExit([&] { StoreUseHTTPSSVC(httpssvcQueried); });
+  auto resetUsHTTPSSVC = MakeScopeExit(
+      [&] { StoreUseHTTPSSVC(LoadUseHTTPSSVC() && httpssvcQueried); });

  // Start a DNS lookup very early in case the real open is queued the DNS can
  // happen in parallel. Do not do so in the presence of an HTTP proxy as
@ -6855,7 +6846,7 @@ nsresult nsHttpChannel::MaybeStartDNSPrefetch() {
    // not "prefetch", since DNS prefetch can be disabled by the pref.
    if (LoadUseHTTPSSVC() ||
        (gHttpHandler->UseHTTPSRRForSpeculativeConnection() &&
-         !mHTTPSSVCRecord && !mConnectionInfo->UsingConnect())) {
+         !mHTTPSSVCRecord && !(mCaps & NS_HTTP_DISALLOW_HTTPS_RR))) {
      MOZ_ASSERT(!mHTTPSSVCRecord);

      OriginAttributes originAttributes;
--- a/netwerk/protocol/http/nsHttpTransaction.cpp
+++ b/netwerk/protocol/http/nsHttpTransaction.cpp
@ -442,7 +442,8 @@ nsresult nsHttpTransaction::Init(
    mPushedStream = trans->TakePushedStreamById(aPushedStreamId);
  }

-  if (gHttpHandler->UseHTTPSRRAsAltSvcEnabled() && !mConnInfo->UsingConnect()) {
+  if (gHttpHandler->UseHTTPSRRAsAltSvcEnabled() &&
+      !(mCaps & NS_HTTP_DISALLOW_HTTPS_RR)) {
    mHTTPSSVCReceivedStage = HTTPSSVC_NOT_PRESENT;

    nsCOMPtr<nsIEventTarget> target;
--- a/netwerk/test/unit/test_http3_fast_fallback.js
+++ b/netwerk/test/unit/test_http3_fast_fallback.js
@ -128,6 +128,7 @@ function makeChan(url) {
  let chan = NetUtil.newChannel({
    uri: url,
    loadUsingSystemPrincipal: true,
+    contentPolicyType: Ci.nsIContentPolicy.TYPE_DOCUMENT,
  }).QueryInterface(Ci.nsIHttpChannel);
  chan.loadFlags = Ci.nsIChannel.LOAD_INITIAL_DOCUMENT_URI;
  return chan;
--- a/netwerk/test/unit/test_httpssvc_retry_with_ech.js
+++ b/netwerk/test/unit/test_httpssvc_retry_with_ech.js
@ -121,6 +121,7 @@ function makeChan(url) {
  let chan = NetUtil.newChannel({
    uri: url,
    loadUsingSystemPrincipal: true,
+    contentPolicyType: Ci.nsIContentPolicy.TYPE_DOCUMENT,
  }).QueryInterface(Ci.nsIHttpChannel);
  return chan;
 }
--- a/netwerk/test/unit/test_httpssvc_retry_without_ech.js
+++ b/netwerk/test/unit/test_httpssvc_retry_without_ech.js
@ -125,6 +125,7 @@ function makeChan(url) {
  let chan = NetUtil.newChannel({
    uri: url,
    loadUsingSystemPrincipal: true,
+    contentPolicyType: Ci.nsIContentPolicy.TYPE_DOCUMENT,
  }).QueryInterface(Ci.nsIHttpChannel);
  return chan;
 }
--- a/netwerk/test/unit/test_trr_https_fallback.js
+++ b/netwerk/test/unit/test_trr_https_fallback.js
@ -96,6 +96,7 @@ registerCleanupFunction(async () => {
  prefs.clearUserPref("network.dns.httpssvc.reset_exclustion_list");
  prefs.clearUserPref("network.http.http3.enabled");
  prefs.clearUserPref("network.dns.httpssvc.http3_fast_fallback_timeout");
+  prefs.clearUserPref("network.http.speculative-parallel-limit");
  if (trrServer) {
    await trrServer.stop();
  }
@ -124,6 +125,7 @@ function makeChan(url) {
  let chan = NetUtil.newChannel({
    uri: url,
    loadUsingSystemPrincipal: true,
+    contentPolicyType: Ci.nsIContentPolicy.TYPE_DOCUMENT,
  }).QueryInterface(Ci.nsIHttpChannel);
  return chan;
 }
@ -1104,6 +1106,9 @@ add_task(async function testAllRecordsInHttp3ExcludedList() {
  Assert.equal(inRequest, request, "correct request was used");
  Assert.equal(inStatus, Cr.NS_OK, "status OK");

+  Services.prefs.setIntPref("network.http.speculative-parallel-limit", 0);
+  Services.obs.notifyObservers(null, "net:prune-all-connections");
+
  // All HTTPS RRs are in http3 excluded list and all records are failed to
  // connect, so don't fallback to the origin one.
  chan = makeChan(`https://www.h3_all_excluded.org:${h2Port}/server-timing`);