diff --git a/netwerk/protocol/http/TRRServiceChannel.cpp b/netwerk/protocol/http/TRRServiceChannel.cpp
index a25d8c201483..fe7c15041a3b 100644
--- a/netwerk/protocol/http/TRRServiceChannel.cpp
+++ b/netwerk/protocol/http/TRRServiceChannel.cpp
@@ -501,6 +501,7 @@ nsresult TRRServiceChannel::ContinueOnBeforeConnect() {
 if (LoadIsTRRServiceChannel()) {
 mCaps |= NS_HTTP_LARGE_KEEPALIVE;
+ mCaps |= NS_HTTP_DISALLOW_HTTPS_RR;
 }
 mCaps |= NS_HTTP_TRR_FLAGS_FROM_MODE(nsIRequest::GetTRRMode());
diff --git a/netwerk/protocol/http/nsHttp.h b/netwerk/protocol/http/nsHttp.h
index 3c7513d9ab3d..1c162ed1297a 100644
--- a/netwerk/protocol/http/nsHttp.h
+++ b/netwerk/protocol/http/nsHttp.h
@@ -131,6 +131,8 @@ extern const nsCString kHttp3Versions[];
 // on a connection for an anonymous request.
 #define NS_HTTP_LOAD_ANONYMOUS_CONNECT_ALLOW_CLIENT_CERT (1 << 24)
+#define NS_HTTP_DISALLOW_HTTPS_RR (1 << 25)
+
 #define NS_HTTP_TRR_FLAGS_FROM_MODE(x) ((static_cast(x) & 3) << 19)
 #define NS_HTTP_TRR_MODE_FROM_FLAGS(x) \
diff --git a/netwerk/protocol/http/nsHttpChannel.cpp b/netwerk/protocol/http/nsHttpChannel.cpp
index 922a35f2c9de..054200c8f779 100644
--- a/netwerk/protocol/http/nsHttpChannel.cpp
+++ b/netwerk/protocol/http/nsHttpChannel.cpp
@@ -623,18 +623,6 @@ nsresult nsHttpChannel::MaybeUseHTTPSRRForUpgrade(bool aShouldUpgrade,
 }
 auto shouldSkipUpgradeWithHTTPSRR = [&]() -> bool {
- if (LoadBeConservative()) {
- return true;
- }
-
- // Skip upgrading channel triggered by system unless it is a top-level
- // load.
- if (mLoadInfo->TriggeringPrincipal()->IsSystemPrincipal() &&
- mLoadInfo->GetExternalContentPolicyType() !=
- ExtContentPolicy::TYPE_DOCUMENT) {
- return true;
- }
-
 nsAutoCString uriHost;
 mURI->GetAsciiHost(uriHost);
@@ -728,6 +716,7 @@ nsresult nsHttpChannel::ContinueOnBeforeConnect(bool aShouldUpgrade,
 if (LoadIsTRRServiceChannel()) {
 mCaps |= NS_HTTP_LARGE_KEEPALIVE;
+ mCaps |= NS_HTTP_DISALLOW_HTTPS_RR;
 }
 mCaps |= NS_HTTP_TRR_FLAGS_FROM_MODE(nsIRequest::GetTRRMode());
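Review bot: `NS_HTTP_DISALLOW_HTTPS_RR` in nsHttp.h (hunk at -131) is added without a comment, while the flag directly above it carries one. The bit now gates HTTPS RR lookups in both nsHttpChannel and nsHttpTransaction, so I would document who sets it and what it suppresses, for example `// Do not query or use HTTPS RR for this request (TRR service channel, conservative or system-triggered non-document load, or CONNECT proxy).` Whether bit 25 is still free cannot be confirmed from this hunk, because the rest of the caps list is outside it.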
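Review bot: In nsHttpChannel::ContinueOnBeforeConnect (hunk at -728) the TRR case sets `NS_HTTP_DISALLOW_HTTPS_RR` separately from the `httpsRRAllowed` decision in BeginConnect, which has no TRR term. If BeginConnect and MaybeStartDNSPrefetch run before this function (the call order is not visible in the diff), a TRR service channel could already have UseHTTPSSVC set and an HTTPS RR lookup started before the bit is applied. Adding `&& !LoadIsTRRServiceChannel()` to `httpsRRAllowed` would decide the policy in one place. ContinueOnBeforeConnect begins and ends outside the hunk.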
@@ -6612,11 +6601,6 @@ nsresult nsHttpChannel::BeginConnect() {
 !(mCaps & NS_HTTP_BE_CONSERVATIVE) && !LoadBeConservative() && LoadAllowHttp3();
- // No need to lookup HTTPSSVC record if mHTTPSSVCRecord already contains a
- // value.
- StoreUseHTTPSSVC(StaticPrefs::network_dns_upgrade_with_https_rr() &&
- mHTTPSSVCRecord.isNothing());
-
 RefPtr mapping;
 if (!mConnectionInfo && LoadAllowAltSvc() && // per channel
 (http2Allowed || http3Allowed) && !(mLoadFlags & LOAD_FRESH_CONNECTION) &&
@@ -6665,9 +6649,6 @@ nsresult nsHttpChannel::BeginConnect() {
 originAttributes);
 Telemetry::Accumulate(Telemetry::HTTP_TRANSACTION_USE_ALTSVC, true);
 Telemetry::Accumulate(Telemetry::HTTP_TRANSACTION_USE_ALTSVC_OE, !isHttps);
-
- // Don't use HTTPSSVC record if we found altsvc mapping.
- StoreUseHTTPSSVC(false);
 } else if (mConnectionInfo) {
 LOG(("nsHttpChannel %p Using channel supplied connection info", this));
 Telemetry::Accumulate(Telemetry::HTTP_TRANSACTION_USE_ALTSVC, false);
@@ -6678,9 +6659,19 @@ nsresult nsHttpChannel::BeginConnect() {
 Telemetry::Accumulate(Telemetry::HTTP_TRANSACTION_USE_ALTSVC, false);
 }
- if (mConnectionInfo->UsingConnect()) {
- StoreUseHTTPSSVC(false);
+ bool httpsRRAllowed =
+ !LoadBeConservative() && !(mCaps & NS_HTTP_BE_CONSERVATIVE) &&
+ !(mLoadInfo->TriggeringPrincipal()->IsSystemPrincipal() &&
+ mLoadInfo->GetExternalContentPolicyType() !=
+ ExtContentPolicy::TYPE_DOCUMENT) &&
+ !mConnectionInfo->UsingConnect();
+ if (!httpsRRAllowed) {
+ mCaps |= NS_HTTP_DISALLOW_HTTPS_RR;
 }
+ // No need to lookup HTTPSSVC record if mHTTPSSVCRecord already contains a
+ // value.
+ StoreUseHTTPSSVC(StaticPrefs::network_dns_upgrade_with_https_rr() &&
+ httpsRRAllowed && mHTTPSSVCRecord.isNothing());
 // Need to re-ask the handler, since mConnectionInfo may not be the connInfo
 // we used earlier
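Review bot: In nsHttpChannel::BeginConnect (hunk at -6678) the conservative and system-principal checks that this commit removes from `shouldSkipUpgradeWithHTTPSRR` are now enforced only through `StoreUseHTTPSSVC` and the caps bit set here. If MaybeUseHTTPSRRForUpgrade can still act on an `mHTTPSSVCRecord` that was populated earlier (the `isNothing()` clause suggests that case exists), such a channel would no longer be skipped; its entry guard is outside the visible hunks, so this needs confirming. A cheap defence is to keep one line in the lambda, `if (mCaps & NS_HTTP_DISALLOW_HTTPS_RR) { return true; }`. The comment explaining the system-triggered exclusion was also dropped in the move and would be worth restoring above `httpsRRAllowed`.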
@@ -6800,8 +6791,8 @@ nsresult nsHttpChannel::MaybeStartDNSPrefetch() {
 bool httpssvcQueried = false;
 // If https rr is not queried sucessfully, we have to reset mUseHTTPSSVC to
 // false. Otherwise, this channel may wait https rr forever.
- auto resetUsHTTPSSVC =
- MakeScopeExit([&] { StoreUseHTTPSSVC(httpssvcQueried); });
+ auto resetUsHTTPSSVC = MakeScopeExit(
+ [&] { StoreUseHTTPSSVC(LoadUseHTTPSSVC() && httpssvcQueried); });
 // Start a DNS lookup very early in case the real open is queued the DNS can
 // happen in parallel. Do not do so in the presence of an HTTP proxy as
@@ -6855,7 +6846,7 @@ nsresult nsHttpChannel::MaybeStartDNSPrefetch() {
 // not "prefetch", since DNS prefetch can be disabled by the pref.
 if (LoadUseHTTPSSVC() || (gHttpHandler->UseHTTPSRRForSpeculativeConnection() &&
- !mHTTPSSVCRecord && !mConnectionInfo->UsingConnect())) {
+ !mHTTPSSVCRecord && !(mCaps & NS_HTTP_DISALLOW_HTTPS_RR))) {
 MOZ_ASSERT(!mHTTPSSVCRecord);
 OriginAttributes originAttributes;
diff --git a/netwerk/protocol/http/nsHttpTransaction.cpp b/netwerk/protocol/http/nsHttpTransaction.cpp
index 0d23b46760e9..48be1d46cbd5 100644
--- a/netwerk/protocol/http/nsHttpTransaction.cpp
+++ b/netwerk/protocol/http/nsHttpTransaction.cpp
@@ -442,7 +442,8 @@ nsresult nsHttpTransaction::Init(
 mPushedStream = trans->TakePushedStreamById(aPushedStreamId);
 }
- if (gHttpHandler->UseHTTPSRRAsAltSvcEnabled() && !mConnInfo->UsingConnect()) {
+ if (gHttpHandler->UseHTTPSRRAsAltSvcEnabled() &&
+ !(mCaps & NS_HTTP_DISALLOW_HTTPS_RR)) {
 mHTTPSSVCReceivedStage = HTTPSSVC_NOT_PRESENT;
 nsCOMPtr target;
diff --git a/netwerk/test/unit/test_http3_fast_fallback.js b/netwerk/test/unit/test_http3_fast_fallback.js
index 24432a95fcce..0cf04905e84e 100644
--- a/netwerk/test/unit/test_http3_fast_fallback.js
+++ b/netwerk/test/unit/test_http3_fast_fallback.js
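Review bot: The comment above `resetUsHTTPSSVC` in MaybeStartDNSPrefetch (hunk at -6800) still describes only the reset-to-false case and does not say why the scope exit now ANDs in `LoadUseHTTPSSVC()`. Judging from the later hunk in this function, the lookup can also start on the speculative-connection path while UseHTTPSSVC is false, so presumably the extra term stops the scope exit from switching the flag on. A sentence such as `// Never turn mUseHTTPSSVC on here: the speculative lookup below can succeed while HTTPS RR use is disallowed for this channel.` would make that explicit. The function body continues outside the hunk.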
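Review bot: nsHttpTransaction::Init (hunk at -442) no longer checks `mConnInfo->UsingConnect()` itself and instead trusts whoever created the transaction to have set `NS_HTTP_DISALLOW_HTTPS_RR` in the caps. In this commit only nsHttpChannel::BeginConnect and the two TRR paths set that bit, so any other code that initialises a transaction through a CONNECT proxy would now start the HTTPS RR lookup locally, which presumably is what the original check was there to prevent (the target host name reaching the local resolver). Keeping both conditions is cheap: `!(mCaps & NS_HTTP_DISALLOW_HTTPS_RR) && !mConnInfo->UsingConnect()`. Init starts and ends outside the hunk, so where `mCaps` is assigned is not visible here.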
@@ -128,6 +128,7 @@ function makeChan(url) {
 let chan = NetUtil.newChannel({
 uri: url,
 loadUsingSystemPrincipal: true,
+ contentPolicyType: Ci.nsIContentPolicy.TYPE_DOCUMENT,
 }).QueryInterface(Ci.nsIHttpChannel);
 chan.loadFlags = Ci.nsIChannel.LOAD_INITIAL_DOCUMENT_URI;
 return chan;
diff --git a/netwerk/test/unit/test_httpssvc_retry_with_ech.js b/netwerk/test/unit/test_httpssvc_retry_with_ech.js
index 1ce5d95db8f1..223a1c3f4980 100644
--- a/netwerk/test/unit/test_httpssvc_retry_with_ech.js
+++ b/netwerk/test/unit/test_httpssvc_retry_with_ech.js
@@ -121,6 +121,7 @@ function makeChan(url) {
 let chan = NetUtil.newChannel({
 uri: url,
 loadUsingSystemPrincipal: true,
+ contentPolicyType: Ci.nsIContentPolicy.TYPE_DOCUMENT,
 }).QueryInterface(Ci.nsIHttpChannel);
 return chan;
 }
diff --git a/netwerk/test/unit/test_httpssvc_retry_without_ech.js b/netwerk/test/unit/test_httpssvc_retry_without_ech.js
index 6c256dd13803..6e22e0ffcf72 100644
--- a/netwerk/test/unit/test_httpssvc_retry_without_ech.js
+++ b/netwerk/test/unit/test_httpssvc_retry_without_ech.js
@@ -125,6 +125,7 @@ function makeChan(url) {
 let chan = NetUtil.newChannel({
 uri: url,
 loadUsingSystemPrincipal: true,
+ contentPolicyType: Ci.nsIContentPolicy.TYPE_DOCUMENT,
 }).QueryInterface(Ci.nsIHttpChannel);
 return chan;
 }
diff --git a/netwerk/test/unit/test_trr_https_fallback.js b/netwerk/test/unit/test_trr_https_fallback.js
index 9647f668a73b..4aab46cbb6a5 100644
--- a/netwerk/test/unit/test_trr_https_fallback.js
+++ b/netwerk/test/unit/test_trr_https_fallback.js
@@ -96,6 +96,7 @@ registerCleanupFunction(async () => {
 prefs.clearUserPref("network.dns.httpssvc.reset_exclustion_list");
 prefs.clearUserPref("network.http.http3.enabled");
 prefs.clearUserPref("network.dns.httpssvc.http3_fast_fallback_timeout");
+ prefs.clearUserPref("network.http.speculative-parallel-limit");
 if (trrServer) {
 await trrServer.stop();
 }
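Review bot: `makeChan` in test_http3_fast_fallback.js now always passes `contentPolicyType: Ci.nsIContentPolicy.TYPE_DOCUMENT`, and the same line is added to makeChan in test_httpssvc_retry_with_ech.js, test_httpssvc_retry_without_ech.js and test_trr_https_fallback.js, so every channel in these tests takes the allowed path. Nothing visible in the commit exercises the newly blocked path, a system-principal load that is not a document. A negative case would pin the policy: create a channel with `loadUsingSystemPrincipal: true` and no `contentPolicyType`, and assert that no HTTPS RR is used for it.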
@@ -124,6 +125,7 @@ function makeChan(url) {
 let chan = NetUtil.newChannel({
 uri: url,
 loadUsingSystemPrincipal: true,
+ contentPolicyType: Ci.nsIContentPolicy.TYPE_DOCUMENT,
 }).QueryInterface(Ci.nsIHttpChannel);
 return chan;
 }
@@ -1104,6 +1106,9 @@ add_task(async function testAllRecordsInHttp3ExcludedList() {
 Assert.equal(inRequest, request, "correct request was used");
 Assert.equal(inStatus, Cr.NS_OK, "status OK");
+ Services.prefs.setIntPref("network.http.speculative-parallel-limit", 0);
+ Services.obs.notifyObservers(null, "net:prune-all-connections");
+
 // All HTTPS RRs are in http3 excluded list and all records are failed to
 // connect, so don't fallback to the origin one.
 chan = makeChan(`https://www.h3_all_excluded.org:${h2Port}/server-timing`);
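Review bot: In testAllRecordsInHttp3ExcludedList (hunk at -1104) the two added lines disable speculative connections and prune existing ones with no comment saying why. The pref is only cleared in registerCleanupFunction, so any task that runs after this one presumably inherits the limit of 0. I would add `// Disable speculative connections and drop existing ones so the request below cannot reuse an earlier connection.` if that is the intent, and reset the pref at the end of the task if later tasks expect the default.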