Bug 1909396 - Remove HTTPS-Only exception button in iframes r=freddyb,fluent-reviewers

Rationale for this can be read in Bug 1909396, but the main reason is that the iframe will get blocked regardless by mixed content blocking. Differential Revision: https://phabricator.services.mozilla.com/D220257
2024-11-23 12:51:06 +00:00 · 2024-10-07 12:39:59 +00:00 · 2024-10-07 12:39:59 +00:00 · d5a73a8d6f
commit d5a73a8d6f
parent 6a7ad57a74
7 changed files with 94 additions and 21 deletions
--- a/dom/ipc/WindowGlobalParent.cpp
+++ b/dom/ipc/WindowGlobalParent.cpp
@ -1379,18 +1379,11 @@ mozilla::ipc::IPCResult WindowGlobalParent::RecvReloadWithHttpsOnlyException() {
    return IPC_FAIL(this, "HTTPS-only mode: Illegal state");
  }

-  // If the error page is within an iFrame, we create an exception for whatever
-  // scheme the top-level site is currently on, because the user wants to
-  // unbreak the iFrame and not the top-level page. When the error page shows up
-  // on a top-level request, then we replace the scheme with http, because the
-  // user wants to unbreak the whole page.
+  // We replace the scheme with http, because the user wants to unbreak the
+  // whole page.
  nsCOMPtr<nsIURI> newURI;
-  if (!BrowsingContext()->IsTop()) {
-    newURI = innerURI;
-  } else {
-    Unused << NS_MutateURI(innerURI).SetScheme("http"_ns).Finalize(
-        getter_AddRefs(newURI));
-  }
+  Unused << NS_MutateURI(innerURI).SetScheme("http"_ns).Finalize(
+      getter_AddRefs(newURI));

  OriginAttributes originAttributes =
      TopWindowContext()->DocumentPrincipal()->OriginAttributesRef();
--- a/dom/security/test/https-only/browser.toml
+++ b/dom/security/test/https-only/browser.toml
@ -29,6 +29,9 @@ support-files = [
 ["browser_httpsonly_speculative_connect.js"]
 support-files = ["file_httpsonly_speculative_connect.html"]

+["browser_iframe_buttons.js"]
+support-files = ["file_iframe_buttons.html"]
+
 ["browser_iframe_test.js"]
 skip-if = [
  "os == 'linux' && bits == 64", # Bug 1735565
--- a/dom/security/test/https-only/browser_iframe_buttons.js
+++ b/dom/security/test/https-only/browser_iframe_buttons.js
@ -0,0 +1,50 @@
+/* Any copyright is dedicated to the Public Domain.
+   https://creativecommons.org/publicdomain/zero/1.0/ */
+
+"use strict";
+
+// Ensure the buttons at the buttom of the HTTPS-Only error page do not get
+// displayed in an iframe (Bug 1909396).
+
+add_task(async function test_iframe_buttons() {
+  await BrowserTestUtils.withNewTab(
+    "https://example.com/browser/dom/security/test/https-only/file_iframe_buttons.html",
+    async function (browser) {
+      await SpecialPowers.pushPrefEnv({
+        set: [["dom.security.https_only_mode", true]],
+      });
+
+      await SpecialPowers.spawn(browser, [], async function () {
+        const iframe = content.document.getElementById("iframe");
+        // eslint-disable-next-line @microsoft/sdl/no-insecure-url
+        iframe.src = "http://nocert.example.com";
+
+        await ContentTaskUtils.waitForCondition(
+          () => iframe.contentWindow.document.readyState === "interactive",
+          "Iframe error page should have loaded"
+        );
+
+        ok(
+          !!iframe.contentWindow.document.getElementById("explanation-iframe"),
+          "#explanation-iframe should exist"
+        );
+
+        is(
+          iframe.contentWindow.document
+            .getElementById("explanation-iframe")
+            .getAttribute("hidden"),
+          null,
+          "#explanation-iframe should not be hidden"
+        );
+
+        for (const id of ["explanation-continue", "goBack", "openInsecure"]) {
+          is(
+            iframe.contentWindow.document.getElementById(id),
+            null,
+            `#${id} should have been removed`
+          );
+        }
+      });
+    }
+  );
+});
--- a/dom/security/test/https-only/file_iframe_buttons.html
+++ b/dom/security/test/https-only/file_iframe_buttons.html
@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+</head>
+<body>
+  <iframe id="iframe" frameborder="0"></iframe>
+</body>
+</html>
--- a/toolkit/components/httpsonlyerror/content/errorpage.html
+++ b/toolkit/components/httpsonlyerror/content/errorpage.html
@ -70,6 +70,16 @@
          inert
        ></button>
      </div>
+
+      <p id="explanation-iframe" hidden>
+        <span data-l10n-id="about-httpsonly-explanation-iframe"></span>
+        <a
+          id="mixedContentLearnMoreLink"
+          target="_blank"
+          data-l10n-id="about-httpsonly-link-learn-more"
+        ></a>
+      </p>
+
      <div class="suggestion-box" hidden>
        <h2 data-l10n-id="about-httpsonly-suggestion-box-header"></h2>
      </div>
--- a/toolkit/components/httpsonlyerror/content/errorpage.js
+++ b/toolkit/components/httpsonlyerror/content/errorpage.js
@ -29,28 +29,35 @@ function initPage() {
  document
    .getElementById("learnMoreLink")
    .setAttribute("href", baseSupportURL + "https-only-prefs");
+  document
+    .getElementById("mixedContentLearnMoreLink")
+    .setAttribute("href", baseSupportURL + "mixed-content");
+
+  const isTopLevel = window.top == window;
+  if (!isTopLevel) {
+    for (const id of ["explanation-continue", "goBack", "openInsecure"]) {
+      document.getElementById(id).remove();
+    }
+    document.getElementById("explanation-iframe").removeAttribute("hidden");
+    return;
+  }

  document
    .getElementById("openInsecure")
    .addEventListener("click", onOpenInsecureButtonClick);
+  document
+    .getElementById("goBack")
+    .addEventListener("click", onReturnButtonClick);

  const delay = RPMGetIntPref("security.dialog_enable_delay", 1000);
  setTimeout(() => {
    document.getElementById("openInsecure").removeAttribute("inert");
  }, delay);

-  if (window.top == window) {
-    document
-      .getElementById("goBack")
-      .addEventListener("click", onReturnButtonClick);
-    addAutofocus("#goBack", "beforeend");
-  } else {
-    document.getElementById("goBack").remove();
-  }
+  addAutofocus("#goBack", "beforeend");

-  const isTopLevel = window.top == window;
  const hasWWWPrefix = pageUrl.href.startsWith("https://www.");
-  if (isTopLevel && !hasWWWPrefix) {
+  if (!hasWWWPrefix) {
    // HTTPS-Only generally simply replaces http: with https:;
    // here we additionally try to add www and see if that allows to upgrade the connection if it is top level

--- a/toolkit/locales/en-US/toolkit/about/aboutHttpsOnlyError.ftl
+++ b/toolkit/locales/en-US/toolkit/about/aboutHttpsOnlyError.ftl
@ -12,6 +12,7 @@ about-httpsonly-explanation-question = What could be causing this?
 about-httpsonly-explanation-nosupport = Most likely, the website simply does not support HTTPS.
 about-httpsonly-explanation-risk = It’s also possible that an attacker is involved. If you decide to visit the website, you should not enter any sensitive information like passwords, emails, or credit card details.
 about-httpsonly-explanation-continue = If you continue, HTTPS-Only Mode will be turned off temporarily for this site.
+about-httpsonly-explanation-iframe = Due to mixed content blocking, it is not possible to manually allow this frame to load.

 about-httpsonly-button-continue-to-site = Continue to HTTP Site
 about-httpsonly-button-go-back = Go Back