Bug 1728981 - Don't upgrade HTTP WebSocket requests of exempt principals. r=ckerschb

Differential Revision: https://phabricator.services.mozilla.com/D131094
Tom Schuster 2021-11-24 14:50:35 +00:00
parent 219a9f9ad6
commit b39be51d3d
2 changed files with 17 additions and 14 deletions


@ -220,6 +220,12 @@ bool nsHTTPSOnlyUtils::ShouldUpgradeWebSocket(nsIURI* aURI,
return false;
}
// All subresources of an exempt triggering principal are also exempt.
if (!aLoadInfo->TriggeringPrincipal()->IsSystemPrincipal() &&
TestIfPrincipalIsExempt(aLoadInfo->TriggeringPrincipal())) {
return false;
}
// We can upgrade the request - let's log it to the console
// Appending an 's' to the scheme for the logging. (ws -> wss)
nsAutoCString scheme;
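Review bot: The added exemption branch in ShouldUpgradeWebSocket leaves a ws:// connection in cleartext, but its comment does not state the exact condition or why the system principal is excluded from the TestIfPrincipalIsExempt() lookup. I would make the comment spell out the condition, e.g. `// Skip the upgrade only when the triggering principal is not the system principal and TestIfPrincipalIsExempt() reports it as exempt; the ws:// URL is then left unchanged.`, and ask the author to add one sentence giving the reason for the system-principal guard, which is not visible here. As a style point, the principal is fetched twice; a local such as `nsIPrincipal* triggeringPrincipal = aLoadInfo->TriggeringPrincipal();` would shorten the condition. The function now depends on callers passing a load info whose triggering principal is the page opening the socket, which would be worth stating in the function's header comment. The function starts and ends outside this hunk.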


@ -1640,22 +1640,19 @@ nsresult WebSocketImpl::Init(JSContext* aCx, nsIPrincipal* aLoadingPrincipal,
// Disallowed by content policy
return NS_ERROR_CONTENT_BLOCKED;
}
}
// If the HTTPS-Only mode is enabled, we need to upgrade the websocket
// connection from ws:// to wss:// and mark it as secure.
if (!mIsServerSide && !mSecure && originDoc &&
!nsMixedContentBlocker::IsPotentiallyTrustworthyLoopbackURL(
originDoc->GetDocumentURI())) {
nsCOMPtr<nsIURI> uri;
nsresult rv = NS_NewURI(getter_AddRefs(uri), mURI);
NS_ENSURE_SUCCESS(rv, rv);
// If the HTTPS-Only mode is enabled, we need to upgrade the websocket
// connection from ws:// to wss:// and mark it as secure.
if (!mSecure && originDoc &&
!nsMixedContentBlocker::IsPotentiallyTrustworthyLoopbackURL(
originDoc->GetDocumentURI())) {
nsCOMPtr<nsIURI> uri;
nsresult rv = NS_NewURI(getter_AddRefs(uri), mURI);
NS_ENSURE_SUCCESS(rv, rv);
nsCOMPtr<nsIChannel> channel = originDoc->GetChannel();
if (channel) {
nsCOMPtr<nsILoadInfo> loadInfo = channel->LoadInfo();
if (nsHTTPSOnlyUtils::ShouldUpgradeWebSocket(uri, loadInfo)) {
// secCheckLoadInfo is only used for the triggering principal, so this
// is okay.
if (nsHTTPSOnlyUtils::ShouldUpgradeWebSocket(uri, secCheckLoadInfo)) {
mURI.ReplaceSubstring("ws://", "wss://");
if (NS_WARN_IF(mURI.Find("wss://") != 0)) {
return NS_OK;