Bug 1476570 - allow proxy to work on restricted domains, r=aswan

Proxies must work with all requests, however the new onRequest proxy api
has maching logic using ChannelWrapper which uses WebExtensionPolicy which
checks against restricted domains.  We need to bypass that check when
matching for proxy requests.

MozReview-Commit-ID: 5zCdmV1b9M7

--HG--
extra : rebase_source : 4bc0f2735a8c2cc4f42934877783dbc68f6067ab

toolkit/components/extensions/WebExtensionPolicy.h

@@ -67,10 +67,10 @@ public:
   void UnregisterContentScript(const WebExtensionContentScript& script,
                                ErrorResult& aRv);
 
-  bool CanAccessURI(const URLInfo& aURI, bool aExplicit = false) const
+  bool CanAccessURI(const URLInfo& aURI, bool aExplicit = false, bool aCheckRestricted = true) const
   {
-    return (!IsRestrictedURI(aURI) &&
+    return (!aCheckRestricted || !IsRestrictedURI(aURI)) &&
-            mHostPermissions && mHostPermissions->Matches(aURI, aExplicit));
+            mHostPermissions && mHostPermissions->Matches(aURI, aExplicit);
   }
 
   bool IsPathWebAccessible(const nsAString& aPath) const

toolkit/components/extensions/test/xpcshell/test_proxy_listener.js

@@ -8,10 +8,10 @@ XPCOMUtils.defineLazyServiceGetter(this, "gProxyService",
 
 const TRANSPARENT_PROXY_RESOLVES_HOST = Ci.nsIProxyInfo.TRANSPARENT_PROXY_RESOLVES_HOST;
 
-function getProxyInfo() {
+function getProxyInfo(url = "http://www.mozilla.org/") {
   return new Promise((resolve, reject) => {
     let channel = NetUtil.newChannel({
-      uri: "http://www.mozilla.org/",
+      uri: url,
       loadUsingSystemPrincipal: true,
     });
 
@@ -176,13 +176,14 @@ async function getExtension(expectedProxyInfo) {
 
 add_task(async function test_passthrough() {
   let ext1 = await getExtension(null);
-  let ext2 = await getExtension({host: "1.2.3.4", port: 8888, type: "http"});
+  let ext2 = await getExtension({host: "1.2.3.4", port: 8888, type: "https"});
 
-  let proxyInfo = await getProxyInfo();
+  // Also use a restricted url to test the ability to proxy those.
+  let proxyInfo = await getProxyInfo("https://addons.mozilla.org/");
 
   equal(proxyInfo.host, "1.2.3.4", `second extension won`);
   equal(proxyInfo.port, "8888", `second extension won`);
-  equal(proxyInfo.type, "http", `second extension won`);
+  equal(proxyInfo.type, "https", `second extension won`);
 
   await ext2.unload();
 

toolkit/components/extensions/webrequest/ChannelWrapper.cpp

@@ -521,13 +521,14 @@ ChannelWrapper::Matches(const dom::MozRequestFilter& aFilter,
   }
 
   if (aExtension) {
-    if (!aExtension->CanAccessURI(urlInfo)) {
+    bool isProxy = aOptions.mIsProxy && aExtension->HasPermission(nsGkAtoms::proxy);
+    // Proxies are allowed access to all urls, including restricted urls.
+    if (!aExtension->CanAccessURI(urlInfo, false, !isProxy)) {
       return false;
     }
 
     // If this isn't the proxy phase of the request, check that the extension
     // has origin permissions for origin that originated the request.
-    bool isProxy = aOptions.mIsProxy && aExtension->HasPermission(nsGkAtoms::proxy);
     if (!isProxy) {
       if (IsSystemLoad()) {
         return false;