Backed out changeset 5027638ce987 (bug 1898659) for causing Linux mochitests-plain failures in test_group_scroll_snap.html. CLOSED TREE

2024-12-01 00:32:11 +00:00 · 2024-05-31 15:29:10 +03:00 · 2024-05-31 15:29:10 +03:00 · f573121987
commit f573121987
parent 03337fb3ac
2 changed files with 10 additions and 1 deletions
--- a/modules/libpref/init/StaticPrefList.yaml
+++ b/modules/libpref/init/StaticPrefList.yaml
@ -13442,6 +13442,15 @@
  value: false
  mirror: always

+# If true nsCORSListenerProxy will reject any URL that contains user & password
+# regardless if it's a redirect or not. When false nsCORSListenerProxy will
+# only reject URLs with a username and password when they happen on a redirected
+# channel.
+- name: network.cors_preflight.block_userpass_uri
+  type: RelaxedAtomicBool
+  value: false
+  mirror: always
+
 # Whether to record the telemetry event when a JAR channel is failed to load.
 - name: network.jar.record_failure_reason
  type: RelaxedAtomicBool
--- a/netwerk/protocol/http/nsCORSListenerProxy.cpp
+++ b/netwerk/protocol/http/nsCORSListenerProxy.cpp
@ -1038,7 +1038,7 @@ nsresult nsCORSListenerProxy::UpdateChannel(nsIChannel* aChannel,
  // It's a cross site load
  mHasBeenCrossSite = true;

-  if (mIsRedirect) {
+  if (mIsRedirect || StaticPrefs::network_cors_preflight_block_userpass_uri()) {
    // https://fetch.spec.whatwg.org/#http-redirect-fetch
    // Step 9. If request’s mode is "cors", locationURL includes credentials,
    // and request’s origin is not same origin with locationURL’s origin,