Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2024-11-25 13:51:41 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Backed out 10 changesets (bug 1214305) for leaks on linux debug m-e10s(bc7)

Browse Source 
Backed out changeset 1f482566235a (bug 1214305)
Backed out changeset 001b31489756 (bug 1214305)
Backed out changeset 4e94d2088219 (bug 1214305)
Backed out changeset fba4a5bcea41 (bug 1214305)
Backed out changeset 100f8e249007 (bug 1214305)
Backed out changeset a59c453192dc (bug 1214305)
Backed out changeset 2daa86fc1fb9 (bug 1214305)
Backed out changeset c04efb57b0ed (bug 1214305)
Backed out changeset 52046e843c60 (bug 1214305)
Backed out changeset ac4fd6615828 (bug 1214305)

--HG--
extra : commitid : ILmaVumvmvH
This commit is contained in:
Wes Kocher 2016-01-04 10:34:24 -08:00
parent 009f18f61a
commit dbbade6e75
15 changed files with 121 additions and 264 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
devtools/client/webconsole/test/browser_bug1045902_console_csp_ignore_reflected_xss_message.js
View File

@ -35,9 +35,16 @@ add_task(function* () {
});
function loadDocument(browser) {
let deferred = promise.defer();
hud.jsterm.clearOutput();
browser.loadURI(TEST_FILE);
return BrowserTestUtils.browserLoaded(browser);
browser.addEventListener("load", function onLoad() {
browser.removeEventListener("load", onLoad, true);
deferred.resolve();
}, true);
content.location = TEST_FILE;
return deferred.promise;
}
function testViolationMessage() {

3
dom/ipc/ContentParent.cpp
View File

@ -2761,9 +2761,6 @@ bool
ContentParent::RecvReadDataStorageArray(const nsString& aFilename,
InfallibleTArray<DataStorageItem>* aValues)
{
// Ensure the SSS is initialized before we try to use its storage.
nsCOMPtr<nsISiteSecurityService> sss = do_GetService("@mozilla.org/ssservice;1");
RefPtr<DataStorage> storage = DataStorage::Get(aFilename);
storage->GetAll(aValues);
return true;

2
dom/workers/ServiceWorkerManager.cpp
View File

@ -3591,7 +3591,7 @@ ServiceWorkerManager::PrepareFetchEvent(const PrincipalOriginAttributes& aOrigin
documentId = aDocumentIdForTopLevelNavigation;
nsCOMPtr<nsIURI> uri;
aRv = aChannel->GetSecureUpgradedChannelURI(getter_AddRefs(uri));
aRv = internalChannel->GetURI(getter_AddRefs(uri));
if (NS_WARN_IF(aRv.Failed())) {
return nullptr;
}

2
dom/workers/ServiceWorkerPrivate.cpp
View File

@ -1052,7 +1052,7 @@ public:
NS_ENSURE_SUCCESS(rv, rv);
nsCOMPtr<nsIURI> uri;
rv = mInterceptedChannel->GetSecureUpgradedChannelURI(getter_AddRefs(uri));
rv = channel->GetURI(getter_AddRefs(uri));
NS_ENSURE_SUCCESS(rv, rv);
rv = uri->GetSpec(mSpec);

2
dom/workers/test/serviceworkers/mochitest.ini
View File

@ -286,7 +286,9 @@ skip-if = toolkit == "android" || toolkit == "gonk"
[test_file_blob_upload.html]
[test_unresolved_fetch_interception.html]
[test_hsts_upgrade_intercept.html]
skip-if = e10s # Bug 1214305
[test_csp_upgrade-insecure_intercept.html]
skip-if = e10s # Bug 1214305
[test_serviceworker_header.html]
[test_openWindow.html]
skip-if = toolkit == "android" || toolkit == "gonk"

6
modules/libjar/InterceptedJARChannel.cpp
View File

@ -45,12 +45,6 @@ InterceptedJARChannel::GetChannel(nsIChannel** aChannel)
return NS_OK;
}
NS_IMETHODIMP
InterceptedJARChannel::GetSecureUpgradedChannelURI(nsIURI** aURI)
{
return mChannel->GetURI(aURI);
}
NS_IMETHODIMP
InterceptedJARChannel::ResetInterception()
{

8
netwerk/base/nsINetworkInterceptController.idl
View File

@ -29,7 +29,7 @@ class ChannelInfo;
* which do not implement nsIChannel.
*/
[scriptable, uuid(f4b82975-6a86-4cc4-87fe-9a1fd430c86d)]
[scriptable, uuid(64439e24-eda5-4f39-9a7e-162c4b5e0150)]
interface nsIInterceptedChannel : nsISupports
{
/**
@ -76,12 +76,6 @@ interface nsIInterceptedChannel : nsISupports
*/
readonly attribute nsIChannel channel;
/**
* The URL of the underlying channel object, corrected for a potential
* secure upgrade.
*/
readonly attribute nsIURI secureUpgradedChannelURI;
/**
* This method allows to override the channel info for the channel.
*/

101
netwerk/base/nsNetUtil.cpp
View File

@ -4,9 +4,6 @@
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
// HttpLog.h should generally be included first
#include "HttpLog.h"
#include "mozilla/LoadContext.h"
#include "mozilla/LoadInfo.h"
#include "mozilla/BasePrincipal.h"
@ -61,10 +58,6 @@
#include "nsInterfaceRequestorAgg.h"
#include "plstr.h"
#include "nsINestedURI.h"
#include "mozilla/dom/nsCSPUtils.h"
#include "nsIScriptError.h"
#include "nsISiteSecurityService.h"
#include "nsHttpHandler.h"
#ifdef MOZ_WIDGET_GONK
#include "nsINetworkManager.h"
@ -2232,100 +2225,6 @@ NS_IsSrcdocChannel(nsIChannel *aChannel)
return false;
}
nsresult
NS_ShouldSecureUpgrade(nsIURI* aURI,
nsILoadInfo* aLoadInfo,
nsIPrincipal* aChannelResultPrincipal,
bool aPrivateBrowsing,
bool aAllowSTS,
bool& aShouldUpgrade)
{
// Even if we're in private browsing mode, we still enforce existing STS
// data (it is read-only).
// if the connection is not using SSL and either the exact host matches or
// a superdomain wants to force HTTPS, do it.
bool isHttps = false;
nsresult rv = aURI->SchemeIs("https", &isHttps);
NS_ENSURE_SUCCESS(rv, rv);
if (!isHttps) {
// If any of the documents up the chain to the root doucment makes use of
// the CSP directive 'upgrade-insecure-requests', then it's time to fulfill
// the promise to CSP and mixed content blocking to upgrade the channel
// from http to https.
if (aLoadInfo) {
bool isPreload = nsContentUtils::IsPreloadType(aLoadInfo->InternalContentPolicyType());
bool upgradeRequests =
((isPreload && aLoadInfo->GetUpgradeInsecurePreloads()) ||
(aLoadInfo->GetUpgradeInsecureRequests()));
// Please note that cross origin top level navigations are not subject
// to upgrade-insecure-requests, see:
// http://www.w3.org/TR/upgrade-insecure-requests/#examples
bool crossOriginNavigation =
(aLoadInfo->GetExternalContentPolicyType() == nsIContentPolicy::TYPE_DOCUMENT) &&
(!aChannelResultPrincipal->Equals(aLoadInfo->LoadingPrincipal()));
if (upgradeRequests && !crossOriginNavigation) {
// let's log a message to the console that we are upgrading a request
nsAutoCString spec, scheme;
aURI->GetSpec(spec);
aURI->GetScheme(scheme);
// append the additional 's' for security to the scheme :-)
scheme.AppendASCII("s");
NS_ConvertUTF8toUTF16 reportSpec(spec);
NS_ConvertUTF8toUTF16 reportScheme(scheme);
const char16_t* params[] = { reportSpec.get(), reportScheme.get() };
uint32_t innerWindowId = aLoadInfo->GetInnerWindowID();
CSP_LogLocalizedStr(MOZ_UTF16("upgradeInsecureRequest"),
params, ArrayLength(params),
EmptyString(), // aSourceFile
EmptyString(), // aScriptSample
0, // aLineNumber
0, // aColumnNumber
nsIScriptError::warningFlag, "CSP",
innerWindowId);
Telemetry::Accumulate(Telemetry::HTTP_SCHEME_UPGRADE, 4);
aShouldUpgrade = true;
return NS_OK;
}
}
// enforce Strict-Transport-Security
nsISiteSecurityService* sss = gHttpHandler->GetSSService();
NS_ENSURE_TRUE(sss, NS_ERROR_OUT_OF_MEMORY);
bool isStsHost = false;
uint32_t flags = aPrivateBrowsing ? nsISocketProvider::NO_PERMANENT_STORAGE : 0;
rv = sss->IsSecureURI(nsISiteSecurityService::HEADER_HSTS, aURI, flags,
&isStsHost);
// if the SSS check fails, it's likely because this load is on a
// malformed URI or something else in the setup is wrong, so any error
// should be reported.
NS_ENSURE_SUCCESS(rv, rv);
if (isStsHost) {
LOG(("nsHttpChannel::Connect() STS permissions found\n"));
if (aAllowSTS) {
Telemetry::Accumulate(Telemetry::HTTP_SCHEME_UPGRADE, 3);
aShouldUpgrade = true;
return NS_OK;
} else {
Telemetry::Accumulate(Telemetry::HTTP_SCHEME_UPGRADE, 2);
}
} else {
Telemetry::Accumulate(Telemetry::HTTP_SCHEME_UPGRADE, 1);
}
} else {
Telemetry::Accumulate(Telemetry::HTTP_SCHEME_UPGRADE, 0);
}
aShouldUpgrade = false;
return NS_OK;
}
namespace mozilla {
namespace net {

10
netwerk/base/nsNetUtil.h
View File

@ -979,16 +979,6 @@ bool NS_IsReasonableHTTPHeaderValue(const nsACString &aValue);
*/
bool NS_IsValidHTTPToken(const nsACString &aToken);
/**
* Return true if the given request must be upgraded to HTTPS.
*/
nsresult NS_ShouldSecureUpgrade(nsIURI* aURI,
nsILoadInfo* aLoadInfo,
nsIPrincipal* aChannelResultPrincipal,
bool aPrivateBrowsing,
bool aAllowSTS,
bool& aShouldUpgrade);
namespace mozilla {
namespace net {

33
netwerk/protocol/http/HttpBaseChannel.cpp
View File

@ -2445,13 +2445,13 @@ HttpBaseChannel::BypassServiceWorker() const
}
bool
HttpBaseChannel::ShouldIntercept(nsIURI* aURI)
HttpBaseChannel::ShouldIntercept()
{
nsCOMPtr<nsINetworkInterceptController> controller;
GetCallback(controller);
bool shouldIntercept = false;
if (controller && !BypassServiceWorker() && mLoadInfo) {
nsresult rv = controller->ShouldPrepareForIntercept(aURI ? aURI : mURI.get(),
nsresult rv = controller->ShouldPrepareForIntercept(mURI,
nsContentUtils::IsNonSubresourceRequest(this),
&shouldIntercept);
if (NS_FAILED(rv)) {
@ -3153,34 +3153,5 @@ HttpBaseChannel::SetCorsPreflightParameters(const nsTArray<nsCString>& aUnsafeHe
mUnsafeHeaders = aUnsafeHeaders;
}
// static
nsresult
HttpBaseChannel::GetSecureUpgradedURI(nsIURI* aURI, nsIURI** aUpgradedURI)
{
nsCOMPtr<nsIURI> upgradedURI;
nsresult rv = aURI->Clone(getter_AddRefs(upgradedURI));
NS_ENSURE_SUCCESS(rv,rv);
upgradedURI->SetScheme(NS_LITERAL_CSTRING("https"));
int32_t oldPort = -1;
rv = aURI->GetPort(&oldPort);
if (NS_FAILED(rv)) return rv;
// Keep any nonstandard ports so only the scheme is changed.
// For example:
// http://foo.com:80 -> https://foo.com:443
// http://foo.com:81 -> https://foo.com:81
if (oldPort == 80 || oldPort == -1)
upgradedURI->SetPort(-1);
else
upgradedURI->SetPort(oldPort);
upgradedURI.forget(aUpgradedURI);
return NS_OK;
}
} // namespace net
} // namespace mozilla

6
netwerk/protocol/http/HttpBaseChannel.h
View File

@ -299,10 +299,6 @@ public: /* Necko internal use only... */
// the new mUploadStream.
void EnsureUploadStreamIsCloneableComplete(nsresult aStatus);
// Returns an https URI for channels that need to go through secure
// upgrades.
static nsresult GetSecureUpgradedURI(nsIURI* aURI, nsIURI** aUpgradedURI);
protected:
nsCOMArray<nsISecurityConsoleMessage> mSecurityConsoleMessages;
@ -347,7 +343,7 @@ protected:
// Returns true if this channel should intercept the network request and prepare
// for a possible synthesized response instead.
bool ShouldIntercept(nsIURI* aURI = nullptr);
bool ShouldIntercept();
friend class PrivateBrowsingChannel<HttpBaseChannel>;
friend class InterceptFailedOnStop;

28
netwerk/protocol/http/HttpChannelChild.cpp
View File

@ -1813,30 +1813,7 @@ HttpChannelChild::AsyncOpen(nsIStreamListener *listener, nsISupports *aContext)
// Set user agent override
HttpBaseChannel::SetDocshellUserAgentOverride();
bool isHttps = false;
rv = mURI->SchemeIs("https", &isHttps);
NS_ENSURE_SUCCESS(rv, rv);
nsCOMPtr<nsIPrincipal> resultPrincipal;
if (!isHttps && mLoadInfo) {
nsContentUtils::GetSecurityManager()->
GetChannelResultPrincipal(this, getter_AddRefs(resultPrincipal));
}
bool shouldUpgrade = false;
rv = NS_ShouldSecureUpgrade(mURI,
mLoadInfo,
resultPrincipal,
mPrivateBrowsing,
mAllowSTS,
shouldUpgrade);
NS_ENSURE_SUCCESS(rv, rv);
nsCOMPtr<nsIURI> upgradedURI;
if (shouldUpgrade) {
rv = GetSecureUpgradedURI(mURI, getter_AddRefs(upgradedURI));
NS_ENSURE_SUCCESS(rv, rv);
}
if (ShouldIntercept(upgradedURI)) {
if (ShouldIntercept()) {
mResponseCouldBeSynthesized = true;
nsCOMPtr<nsINetworkInterceptController> controller;
@ -1845,8 +1822,7 @@ HttpChannelChild::AsyncOpen(nsIStreamListener *listener, nsISupports *aContext)
mInterceptListener = new InterceptStreamListener(this, mListenerContext);
RefPtr<InterceptedChannelContent> intercepted =
new InterceptedChannelContent(this, controller,
mInterceptListener, shouldUpgrade);
new InterceptedChannelContent(this, controller, mInterceptListener);
intercepted->NotifyController();
return NS_OK;
}

46
netwerk/protocol/http/InterceptedChannel.cpp
View File

@ -135,21 +135,6 @@ InterceptedChannelBase::SetReleaseHandle(nsISupports* aHandle)
return NS_OK;
}
/* static */
already_AddRefed<nsIURI>
InterceptedChannelBase::SecureUpgradeChannelURI(nsIChannel* aChannel)
{
nsCOMPtr<nsIURI> uri;
nsresult rv = aChannel->GetURI(getter_AddRefs(uri));
NS_ENSURE_SUCCESS(rv, nullptr);
nsCOMPtr<nsIURI> upgradedURI;
rv = HttpBaseChannel::GetSecureUpgradedURI(uri, getter_AddRefs(upgradedURI));
NS_ENSURE_SUCCESS(rv, nullptr);
return upgradedURI.forget();
}
InterceptedChannelChrome::InterceptedChannelChrome(nsHttpChannel* aChannel,
nsINetworkInterceptController* aController,
nsICacheEntry* aEntry)
@ -344,20 +329,12 @@ InterceptedChannelChrome::GetInternalContentPolicyType(nsContentPolicyType* aPol
return NS_OK;
}
NS_IMETHODIMP
InterceptedChannelChrome::GetSecureUpgradedChannelURI(nsIURI** aURI)
{
return mChannel->GetURI(aURI);
}
InterceptedChannelContent::InterceptedChannelContent(HttpChannelChild* aChannel,
nsINetworkInterceptController* aController,
InterceptStreamListener* aListener,
bool aSecureUpgrade)
InterceptStreamListener* aListener)
: InterceptedChannelBase(aController)
, mChannel(aChannel)
, mStreamListener(aListener)
, mSecureUpgrade(aSecureUpgrade)
{
}
@ -435,10 +412,6 @@ InterceptedChannelContent::FinishSynthesizedResponse(const nsACString& aFinalURL
if (!aFinalURLSpec.IsEmpty()) {
nsresult rv = NS_NewURI(getter_AddRefs(responseURI), aFinalURLSpec);
NS_ENSURE_SUCCESS(rv, rv);
} else if (mSecureUpgrade) {
nsresult rv = HttpBaseChannel::GetSecureUpgradedURI(originalURI,
getter_AddRefs(responseURI));
NS_ENSURE_SUCCESS(rv, rv);
} else {
responseURI = originalURI;
}
@ -505,22 +478,5 @@ InterceptedChannelContent::GetInternalContentPolicyType(nsContentPolicyType* aPo
return NS_OK;
}
NS_IMETHODIMP
InterceptedChannelContent::GetSecureUpgradedChannelURI(nsIURI** aURI)
{
nsCOMPtr<nsIURI> uri;
if (mSecureUpgrade) {
uri = SecureUpgradeChannelURI(mChannel);
} else {
nsresult rv = mChannel->GetURI(getter_AddRefs(uri));
NS_ENSURE_SUCCESS(rv, rv);
}
if (uri) {
uri.forget(aURI);
return NS_OK;
}
return NS_ERROR_FAILURE;
}
} // namespace net
} // namespace mozilla

11
netwerk/protocol/http/InterceptedChannel.h
View File

@ -57,9 +57,6 @@ public:
NS_IMETHOD GetResponseBody(nsIOutputStream** aOutput) override;
NS_IMETHOD GetConsoleReportCollector(nsIConsoleReportCollector** aCollectorOut) override;
NS_IMETHOD SetReleaseHandle(nsISupports* aHandle) override;
static already_AddRefed<nsIURI>
SecureUpgradeChannelURI(nsIChannel* aChannel);
};
class InterceptedChannelChrome : public InterceptedChannelBase
@ -83,7 +80,6 @@ public:
NS_IMETHOD ResetInterception() override;
NS_IMETHOD FinishSynthesizedResponse(const nsACString& aFinalURLSpec) override;
NS_IMETHOD GetChannel(nsIChannel** aChannel) override;
NS_IMETHOD GetSecureUpgradedChannelURI(nsIURI** aURI) override;
NS_IMETHOD SynthesizeStatus(uint16_t aStatus, const nsACString& aReason) override;
NS_IMETHOD SynthesizeHeader(const nsACString& aName, const nsACString& aValue) override;
NS_IMETHOD Cancel(nsresult aStatus) override;
@ -104,19 +100,14 @@ class InterceptedChannelContent : public InterceptedChannelBase
// Listener for the synthesized response to fix up the notifications before they reach
// the actual channel.
RefPtr<InterceptStreamListener> mStreamListener;
// Set for intercepted channels that have gone through a secure upgrade.
bool mSecureUpgrade;
public:
InterceptedChannelContent(HttpChannelChild* aChannel,
nsINetworkInterceptController* aController,
InterceptStreamListener* aListener,
bool aSecureUpgrade);
InterceptStreamListener* aListener);
NS_IMETHOD ResetInterception() override;
NS_IMETHOD FinishSynthesizedResponse(const nsACString& aFinalURLSpec) override;
NS_IMETHOD GetChannel(nsIChannel** aChannel) override;
NS_IMETHOD GetSecureUpgradedChannelURI(nsIURI** aURI) override;
NS_IMETHOD SynthesizeStatus(uint16_t aStatus, const nsACString& aReason) override;
NS_IMETHOD SynthesizeHeader(const nsACString& aName, const nsACString& aValue) override;
NS_IMETHOD Cancel(nsresult aStatus) override;

116
netwerk/protocol/http/nsHttpChannel.cpp
View File

@ -7,6 +7,7 @@
// HttpLog.h should generally be included first
#include "HttpLog.h"
#include "mozilla/dom/nsCSPUtils.h"
#include "mozilla/dom/nsCSPContext.h"
#include "nsHttp.h"
#include "nsHttpChannel.h"
@ -55,6 +56,7 @@
#include "nsIClassOfService.h"
#include "nsIPermissionManager.h"
#include "nsIPrincipal.h"
#include "nsIScriptError.h"
#include "nsIScriptSecurityManager.h"
#include "nsISSLStatus.h"
#include "nsISSLStatusProvider.h"
@ -310,24 +312,88 @@ nsHttpChannel::Connect()
LOG(("nsHttpChannel::Connect [this=%p]\n", this));
// Even if we're in private browsing mode, we still enforce existing STS
// data (it is read-only).
// if the connection is not using SSL and either the exact host matches or
// a superdomain wants to force HTTPS, do it.
bool isHttps = false;
rv = mURI->SchemeIs("https", &isHttps);
NS_ENSURE_SUCCESS(rv,rv);
nsCOMPtr<nsIPrincipal> resultPrincipal;
if (!isHttps && mLoadInfo) {
nsContentUtils::GetSecurityManager()->
GetChannelResultPrincipal(this, getter_AddRefs(resultPrincipal));
}
bool shouldUpgrade = false;
rv = NS_ShouldSecureUpgrade(mURI,
mLoadInfo,
resultPrincipal,
mPrivateBrowsing,
mAllowSTS,
shouldUpgrade);
NS_ENSURE_SUCCESS(rv, rv);
if (shouldUpgrade) {
return AsyncCall(&nsHttpChannel::HandleAsyncRedirectChannelToHttps);
if (!isHttps) {
// If any of the documents up the chain to the root doucment makes use of
// the CSP directive 'upgrade-insecure-requests', then it's time to fulfill
// the promise to CSP and mixed content blocking to upgrade the channel
// from http to https.
if (mLoadInfo) {
bool isPreload = nsContentUtils::IsPreloadType(mLoadInfo->InternalContentPolicyType());
bool upgradeRequests =
((isPreload && mLoadInfo->GetUpgradeInsecurePreloads()) ||
(mLoadInfo->GetUpgradeInsecureRequests()));
// Please note that cross origin top level navigations are not subject
// to upgrade-insecure-requests, see:
// http://www.w3.org/TR/upgrade-insecure-requests/#examples
nsCOMPtr<nsIPrincipal> resultPrincipal;
nsContentUtils::GetSecurityManager()->
GetChannelResultPrincipal(this, getter_AddRefs(resultPrincipal));
bool crossOriginNavigation =
(mLoadInfo->GetExternalContentPolicyType() == nsIContentPolicy::TYPE_DOCUMENT) &&
(!resultPrincipal->Equals(mLoadInfo->LoadingPrincipal()));
if (upgradeRequests && !crossOriginNavigation) {
// let's log a message to the console that we are upgrading a request
nsAutoCString spec, scheme;
mURI->GetSpec(spec);
mURI->GetScheme(scheme);
// append the additional 's' for security to the scheme :-)
scheme.AppendASCII("s");
NS_ConvertUTF8toUTF16 reportSpec(spec);
NS_ConvertUTF8toUTF16 reportScheme(scheme);
const char16_t* params[] = { reportSpec.get(), reportScheme.get() };
uint32_t innerWindowId = mLoadInfo ? mLoadInfo->GetInnerWindowID() : 0;
CSP_LogLocalizedStr(MOZ_UTF16("upgradeInsecureRequest"),
params, ArrayLength(params),
EmptyString(), // aSourceFile
EmptyString(), // aScriptSample
0, // aLineNumber
0, // aColumnNumber
nsIScriptError::warningFlag, "CSP",
innerWindowId);
Telemetry::Accumulate(Telemetry::HTTP_SCHEME_UPGRADE, 4);
return AsyncCall(&nsHttpChannel::HandleAsyncRedirectChannelToHttps);
}
}
// enforce Strict-Transport-Security
nsISiteSecurityService* sss = gHttpHandler->GetSSService();
NS_ENSURE_TRUE(sss, NS_ERROR_OUT_OF_MEMORY);
bool isStsHost = false;
uint32_t flags = mPrivateBrowsing ? nsISocketProvider::NO_PERMANENT_STORAGE : 0;
rv = sss->IsSecureURI(nsISiteSecurityService::HEADER_HSTS, mURI, flags,
&isStsHost);
// if the SSS check fails, it's likely because this load is on a
// malformed URI or something else in the setup is wrong, so any error
// should be reported.
NS_ENSURE_SUCCESS(rv, rv);
if (isStsHost) {
LOG(("nsHttpChannel::Connect() STS permissions found\n"));
if (mAllowSTS) {
Telemetry::Accumulate(Telemetry::HTTP_SCHEME_UPGRADE, 3);
return AsyncCall(&nsHttpChannel::HandleAsyncRedirectChannelToHttps);
} else {
Telemetry::Accumulate(Telemetry::HTTP_SCHEME_UPGRADE, 2);
}
} else {
Telemetry::Accumulate(Telemetry::HTTP_SCHEME_UPGRADE, 1);
}
} else {
Telemetry::Accumulate(Telemetry::HTTP_SCHEME_UPGRADE, 0);
}
// ensure that we are using a valid hostname
@ -1870,12 +1936,30 @@ nsHttpChannel::HandleAsyncRedirectChannelToHttps()
nsresult
nsHttpChannel::StartRedirectChannelToHttps()
{
nsresult rv = NS_OK;
LOG(("nsHttpChannel::HandleAsyncRedirectChannelToHttps() [STS]\n"));
nsCOMPtr<nsIURI> upgradedURI;
nsresult rv = GetSecureUpgradedURI(mURI, getter_AddRefs(upgradedURI));
rv = mURI->Clone(getter_AddRefs(upgradedURI));
NS_ENSURE_SUCCESS(rv,rv);
upgradedURI->SetScheme(NS_LITERAL_CSTRING("https"));
int32_t oldPort = -1;
rv = mURI->GetPort(&oldPort);
if (NS_FAILED(rv)) return rv;
// Keep any nonstandard ports so only the scheme is changed.
// For example:
// http://foo.com:80 -> https://foo.com:443
// http://foo.com:81 -> https://foo.com:81
if (oldPort == 80 || oldPort == -1)
upgradedURI->SetPort(-1);
else
upgradedURI->SetPort(oldPort);
return StartRedirectChannelToURI(upgradedURI,
nsIChannelEventSink::REDIRECT_PERMANENT |
nsIChannelEventSink::REDIRECT_STS_UPGRADE);