Most of these tests have been disabled for a long time; they run well
in the current test environment.
I intend to enable still more mochitests in a future patch.
Differential Revision: https://phabricator.services.mozilla.com/D49524
--HG--
extra : moz-landing-system : lando
Bug 1586683 replaced the JS_FlattenString in the caller with JS_EnsureLinearString but
I wasn't aware of the nsDependentString vs nsDependentSubstring distinction.
This fixes assertion failures when starting the browser with non-null-terminated
JS strings.
Differential Revision: https://phabricator.services.mozilla.com/D49297
--HG--
extra : moz-landing-system : lando
Previously, Service Workers could spawn in a process that isn't subscribed
to permission updates, which could happen if that process hadn't loaded any
same-origin documents. To address this, parent-process logic for spawning
Service Workers would snapshot the permissions state to be sent to a content
process.
Unfortunately, this approach could lead to outdated, unsynchronized permissions.
Note that nsIPermissionManager::SetPermissionsWithKey is only used to initialize
permissions for a given key and is a no-op if already called with the same key
in a given process. As a result, the following sequence of events could happen:
Assume a content process CP that isn't subscribed to permission changes for an
origin A:
1) Parent process decides to spawn an origin A Service Worker in CP,
snapshotting a value V for permission P.
2) The Service Worker is spawned in CP, setting CP's permission manager's
permission P to value V (for origin A).
3) Parent process updates its permission P to a value A', which is not
broadcasted to CP (because it's not subscribed).
4) By now, the initial Service Worker has been terminated, and the parent
process decides once again to spawn an origin A Service Worker in CP.
5) The Service Worker is spawned in CP, but the call to SetPermissionsWithKey
is a no-op, leaving CP1 with a mismatched value for permission P.
An additional scenario is if the parent process updates a permission during a
remote Service Worker's lifetime.
This patch, which would subscribe CP1 to permission updates when the parent
process knows a Service Worker would be spawned in CP1, prevents these problems.
Differential Revision: https://phabricator.services.mozilla.com/D48620
--HG--
extra : moz-landing-system : lando
This patch does several things. Because Workers aren't on the main thread,
many of the things done are in the name of off main thread access.
1) Changes a parameter in IsEvalAllowed from a nsIPrincipal to a bool.
We only used the principal to determined if it was the System Principal.
Principals aren't thread safe and can only be accessed on Main Thread, so
if we passed a Principal in, we would be in error. Instead only pass in
the bool which - for workers - comes from a thread-safe location.
2) Separates out the Telemetry Event Recording and sending a message to the
console into a new function nsContentSecurityUtils::NotifyEvalUsage. (And
creates a runnable that calls it.)
We do this because we will need to only call this method on the main thread.
Telemetry Event Recording has only ever been called on the Main Thread.
While I possibly-successfully cut it over to happen Off Main Thread (OMT)
by porting preferences to StaticPrefs, I don't know if there were other
threading assumptions in the Telemetry Code. So it would be much safer to
just continue recording Event Telemetry on the main thread.
Sending a message to the console requires calling GetStringBundleService()
which requires main thread. I didn't investigate if this could be made
thread-safe, I just threw it onto the main thread too.
If, in IsEvalAllowed, we are on the main thread - we call NotifyEvalUsage
directly. If we are not, we create a runnable which will then call
NotifyEvalUsage for us on the main thread.
3) Ports allow_eval_with_system_principal and allow_eval_in_parent_process
from bools to RelaxedAtomicBool - because we now check these prefs OMT.
4) In RuntimeService.cpp, adds the call to IsEvalAllowed.
5) Add resource://gre/modules/workers/require.js to the allowlist of eval
usage. This was the script that identified this gap in the first place.
It uses eval (twice) for structural reasons (scope and line number
massaging.) The contents of the eval are the result of a request to a
uri (which may be internal, like resource://). The whole point of this
is to implement a CommonJS require() api.
This usage of eval is safe because the only way an attacker can inject
into it is by either controlling the response of the uri request or
controlling (or appending to) the argument. If they can do that, they
are able to inject script into Firefox even if we cut this usage of eval
over to some other type of safe(r) script loader.
Bug 1584564 tracks making sure calls to require.js are safe.
6) Adds cld-worker.js to the allowlist. Bug 1584605 is for refactoring that
eval usage, which is decidedly non-trivial.
7) Does _not_ enforce the eval restrictions for workers. While I've gotten
try to be green and not throw up any instances of eval-usage by workers,
it is much safer to deploy this is Telemetry-only mode for Workers for
a little bit to see if anything pops up from the Nightly population.
Bug 1584602 is for enforcing the checks.
Differential Revision: https://phabricator.services.mozilla.com/D47480
--HG--
extra : moz-landing-system : lando
Unlike WorkletPrincipal, a WorkerPrincipal had been a simple static object shared by
all Workers. We never needed to consult it about an individual Worker before. Now we
do. So we cut it over from a static object to individual objects for each Worker.
We have an off main thread access problem for the Principal however, WorkerPrivate
has a method UsesSystemPrincipal that returns a bool that was initialized from the
Principal on the main thread. We copy that pattern and add a
UsesAddonOrExpandedAddonPrincipal method that will be called by the
isSystemOrAddonPrincipal method we must implement so we can inheirt from JSPrincipal.
Differential Revision: https://phabricator.services.mozilla.com/D47476
--HG--
extra : moz-landing-system : lando
In a future commit we will tie this boolean to its own preference value, but here we
initialize it with the same value as the wasm boolean.
We also update wasm::HasSupport to check the to-be-added isSystemOrAddonPrincipal()
method on JSPrincipals to determine which member (wasm or wasmForTrustedPrinciples)
to consult.
Differential Revision: https://phabricator.services.mozilla.com/D47472
--HG--
extra : moz-landing-system : lando
CreationOptions are intended to be immutable and not change during realm operation.
Behaviors change, and clamping/jittering should reside on behaviors.
Differential Revision: https://phabricator.services.mozilla.com/D43296
--HG--
extra : moz-landing-system : lando
This mostly updates the bindings to the current state.
No actual logic backing them yet.
*Note*: the IDL does *not* need to be checked for matching the upstream spec precisely at this stage. The upstream is evolving, we just need to update in order to start integrating the implementation. What needs to be checked is - how C++ represents the IDL, esp with regards to derived classes, events, and hierarchies.
The trickiest points, arguably, are:
- WebGPU -> GPU prefix change
- the goop for interfaces that are not final
Differential Revision: https://phabricator.services.mozilla.com/D46166
--HG--
rename : dom/webgpu/InputState.cpp => dom/webgpu/DeviceLostInfo.cpp
rename : dom/webgpu/Fence.h => dom/webgpu/DeviceLostInfo.h
rename : dom/webgpu/BlendState.cpp => dom/webgpu/OutOfMemoryError.cpp
rename : dom/webgpu/LogEntry.h => dom/webgpu/OutOfMemoryError.h
rename : dom/webgpu/BindGroup.h => dom/webgpu/ProgrammablePassEncoder.cpp
rename : dom/webgpu/BlendState.cpp => dom/webgpu/RenderBundle.cpp
rename : dom/webgpu/BlendState.h => dom/webgpu/RenderBundle.h
rename : dom/webgpu/AttachmentState.cpp => dom/webgpu/ValidationError.cpp
rename : dom/webgpu/AttachmentState.h => dom/webgpu/ValidationError.h
extra : moz-landing-system : lando
This mostly updates the bindings to the current state.
No actual logic backing them yet.
*Note*: the IDL does *not* need to be checked for matching the upstream spec precisely at this stage. The upstream is evolving, we just need to update in order to start integrating the implementation. What needs to be checked is - how C++ represents the IDL, esp with regards to derived classes, events, and hierarchies.
The trickiest points, arguably, are:
- WebGPU -> GPU prefix change
- the goop for interfaces that are not final
Differential Revision: https://phabricator.services.mozilla.com/D46166
--HG--
rename : dom/webgpu/InputState.cpp => dom/webgpu/DeviceLostInfo.cpp
rename : dom/webgpu/Fence.h => dom/webgpu/DeviceLostInfo.h
rename : dom/webgpu/BlendState.cpp => dom/webgpu/OutOfMemoryError.cpp
rename : dom/webgpu/LogEntry.h => dom/webgpu/OutOfMemoryError.h
rename : dom/webgpu/BindGroup.h => dom/webgpu/ProgrammablePassEncoder.cpp
rename : dom/webgpu/BlendState.cpp => dom/webgpu/RenderBundle.cpp
rename : dom/webgpu/BlendState.h => dom/webgpu/RenderBundle.h
rename : dom/webgpu/AttachmentState.cpp => dom/webgpu/ValidationError.cpp
rename : dom/webgpu/AttachmentState.h => dom/webgpu/ValidationError.h
extra : moz-landing-system : lando
With Fission, the remote type can have the form webIsolated= in
addition to web. IsWebRemoteType() handles both of these cases.
Differential Revision: https://phabricator.services.mozilla.com/D45378
--HG--
extra : moz-landing-system : lando
Dedicated workers should be in the same agent cluster with its parent/creator.
The other workers (ShareWorker/ServiceWorker/ChromeWorker) create another agent
cluster when they are created from the creator.
Differential Revision: https://phabricator.services.mozilla.com/D43241
--HG--
extra : moz-landing-system : lando
It doesn't really make sense to enforce this behavior for calls on stack
variables (which presumably we then want to do something with) and doesn't
necessarily make sense to enforce it for member variables either.
Differential Revision: https://phabricator.services.mozilla.com/D46105
--HG--
extra : moz-landing-system : lando
We're getting crashes because either there's no CycleCollectedJSContext or it
has a null JSContext. Hard to tell which, and whether this is happening
because our runnable comes really early in thread setup or really late in
thread teardown. In either case, this is restoring the null-check that used to
be there in this code.
Differential Revision: https://phabricator.services.mozilla.com/D43804
--HG--
extra : moz-landing-system : lando
ReferrerPolicy gets tossed back and forth as a uint32_t and
ReferrerPolicy enum in header file. Expose ReferrerPolicyValues from
webidl file and use consistently in native code.
Differential Revision: https://phabricator.services.mozilla.com/D41954
--HG--
extra : moz-landing-system : lando
The args are sent from the parent process main thread to the parent process
background thread and then from the background thread to a content process
worker launcher thread.
Differential Revision: https://phabricator.services.mozilla.com/D26173
--HG--
extra : moz-landing-system : lando