The main behavior changes are:
1) We no longer create a new Window when doing document.open(). We use the
same Window but remove all the event listeners on it and on the existing DOM
tree before removing the document's existing kids.
2) We no longer create a new session history entry. The existing one always
gets replaced instead.
3) We now support document.open on documents that are not in a Window.
The reasons for the various test changes are as follows:
The change to browser_modifiedclick_inherit_principal.js is because we no
longer set the docshell to a wyciwyg URL when document.open() happens and the
test was depending on that to terminate.
browser_wyciwyg_urlbarCopying.js is being removed because it's trying to test
wyciwyg URIs, which no longer exist.
The changes in docshell/test/navigation are because document.open() no longer
affects session history. One of the tests was testing the interactions there
and is being removed; another is being repurposed to just test that
document.open() does not affect history.length.
The change to test_x-frame-options.html is because document.open() now removes
event listeners on the window, which it didn't use to do (and in the specific
case in this test reused the existing inner too, so the listener was still
around in practice). The new behavior matches other browsers.
The removal of test_bug172261.html is because document.open() no longer affects
session history, so you can't go back across it or forward to the "opened"
state, so the situation that test is trying to test no longer exists.
The changes to test_bug255820.html are because reloading a document after
document.open() will now just load the URL of the document that was the entry
document for the open() call, not reload the written content. So there's not
much point testing reload behavior, and in this test it was just reloading the
toplevel test file inside the frames.
The change to test_bug346659.html is because now we no longer create a new
Window on document.open().
The change to test_bug1232829.html is because document.open() (implicit in this
test) no longer adds history entries, so the back() was just leaving the test
page instead of going back across the document.open(). The test is a
crashtest in practice, so might still be testing something useful about how
document.open() interacts with animations.
The change to test_bug715739.html is because the URL of the document after
document.open() is now the URL of the entry document, not a wyciwyg URL, so
reload() has different behavior than it used to.
The change to test_bug329869.html is because now when we go back we're
reloading the original document we had, not doing a wyciwyg load, and the
security info now doesn't include the untrusted script.
The changes to the wpt expectations are removing a bunch of expected failures
now that we pass those tests and disabling some tests that are fundamentally
racy and hence fail randomly. The latter all have github issues filed for the
test problem.
The change to testing/web-platform/tests/common/object-association.js is fixing
tests that were not matching the spec (and were failing in other browsers).
The change to parser-uses-registry-of-owner-document.html is fixing tests that
were not matching the spec (and were failing in other browsers).
The change to document-write.tentative.html is because the test was buggy: it
was using the same iframe element for all its tests and racing loads from some
tests against API calls from other tests, etc. It's a wonder it ever managed
to pass, independent of these patches (and in fact it doesn't pass according to
wpt.fyi data, even in Firefox).
The changes in html/browsers/history/the-history-interface are because
document.open() no longer adds history entries. The test was failing in all
other browsers for the same reason.
The changes in html/browsers/history/the-location-interface are because
reloading a document.open()-created thing now loads the URL of the page that
was the entry document for the open() call. The test was failing in all other
browsers.
The change to reload_document_open_write.html is because we now reload the url
of the document that entered the script that called open() when we reload, not
the written content. Other browsers were failing this test too; Gecko with
the old document.open implementation was the only one that passed.
The change to http-refresh.py is to fix a test bug: it was not returning a
Content-Type header, so we were putting up helper app dialogs, etc.
The change to test_ext_contentscript.js is because we no create a new global
for document.open() calls. Kris Maglione OKed this part.
Differential Revision: https://phabricator.services.mozilla.com/D17323
--HG--
extra : moz-landing-system : lando
The seccomp-bpf policy is currently just the "common" policy with no
additions (but with the fixes in bug 1511560 to enable shared memory
creation). The file broker policy allows shared memory creation and
nothing else. The namespace setup is the same as for GMP (i.e., as
restrictive as we currently can be).
The sandbox can be turned off for troubleshooting by setting the
environment variable MOZ_DISABLE_RDD_SANDBOX, similarly to the other
process types.
Tested against https://demo.bitmovin.com/public/firefox/av1/ with the
necessary prefs set.
Depends on D20895
Differential Revision: https://phabricator.services.mozilla.com/D14525
--HG--
extra : moz-landing-system : lando
File descriptors are sometimes dup()ed in the process of communicating
them over IPC; some of this may be unnecessary (due to insufficient
use of move-only types), but dup() is relatively harmless. It was
previously allowed for both content and GMP, so this doesn't change
anything.
The handling of ftruncate is a little complicated -- it's used for IPC
shared memory, but only when creating segments; so GMP doesn't allow
it and should continue not allowing it, but content needs it and RDD
will as well. As a result, the subclass indicates if it will be needed.
Note that even when we have memfd_create support (bug 1440203),
ftruncate is still necessary even though brokering may not.
Depends on D14523
Differential Revision: https://phabricator.services.mozilla.com/D14524
--HG--
extra : moz-landing-system : lando
The sandbox broker uses socketpair to construct the per-request channels
over which responses are sent; thus, if and only if the policy will be
using brokering, it will allow socketpair as safely as possible (i.e.,
denying datagram sockets if possible).
Depends on D14522
Differential Revision: https://phabricator.services.mozilla.com/D14523
--HG--
extra : moz-landing-system : lando
madvise is used by our malloc (and probably others), and mprotect is
used with shared memory, including when created by another process, so
the common policy should include those rules.
Depends on D14521
Differential Revision: https://phabricator.services.mozilla.com/D14522
--HG--
extra : moz-landing-system : lando
This will allow other policies to use brokering if needed (e.g., RDD and
similar utility processes may need to access /dev/shm to create shared
memory). The concrete policy class can deny filesystem access completely
(matching the current behavior of the GMP policy) by passing nullptr to
the superclass constructor instead.
Depends on D14520
Differential Revision: https://phabricator.services.mozilla.com/D14521
--HG--
extra : moz-landing-system : lando
ContentSandboxPolicy currently allows direct filesystem access if it
isn't given a broker client; this is a legacy design from the B2G era,
before the current idea of "sandbox level". With this patch, it allows
filesystem access at level 1, and above that it requires brokering.
This is both to reduce the opportunities for accidentally having a
too-permissive sandbox and to prepare for refactoring the broker glue in
bug 1511560.
Depends on D14519
Differential Revision: https://phabricator.services.mozilla.com/D14520
--HG--
extra : moz-landing-system : lando
Level 1 is meant to enable some seccomp-bpf filtering, but still allow
direct access to the filesystem, and level 2 is where brokering starts.
This was accidentally broken in 1365257 (making "level 1" act like level
2); this patch fixes that.
This feature obviously isn't used much given how long nobody noticed it was
broken, but it's useful to have around for troubleshooting, and it's
actually easier to fix it than edit it out of the documentation.
Differential Revision: https://phabricator.services.mozilla.com/D14519
--HG--
extra : moz-landing-system : lando
This test should remind us to regenerate the test certificates next year before they actually expire.
Differential Revision: https://phabricator.services.mozilla.com/D21065
--HG--
extra : moz-landing-system : lando
This actor won't be being used anymore, and acts only as a maintenance burden
for people working on this code (which we're doing pretty often these days!).
Differential Revision: https://phabricator.services.mozilla.com/D20549
--HG--
extra : moz-landing-system : lando
This actor won't be being used anymore, and acts only as a maintenance burden
for people working on this code (which we're doing pretty often these days!).
Differential Revision: https://phabricator.services.mozilla.com/D20549
--HG--
extra : moz-landing-system : lando
Remove all occurences of the above mentioned attributes and replace them by event handlers.
Minor changes to consuming functions to preserve functionality.
Differential Revision: https://phabricator.services.mozilla.com/D20368
--HG--
extra : moz-landing-system : lando
In bug 1470918, a shared thread was introduced that did the reading/writing work
for all DataStorage instances. To ensure all state was written out at shutdown,
the original patch implemented a two stage strategy that in the first stage
queued an event for each DataStorage that would write out its contents and then
in the second stage ran these events to completion. This conflicted with how
Firefox's sanitization implementation would make sure that data was cleared at
shutdown, if requested by the user. If the DataStorage objects observed the
first shutdown notification before the sanitization implementation, the existing
data would be queued for writing and any further updates would be prevented.
Thus, when the sanitizer tried to clear data held by DataStorage instances,
nothing would happen and the data would be written to disk.
This patch fixes this issue by implementing DataStorage shutdown in a single
stage that can run after sanitization. Since sDataStorages knows of the
existence of every DataStorage, we can simply iterate through its entries, queue
write events for each one, and then run those events to completion in one pass.
This patch also fixes bug 1528019 (gDataStorageSharedThread could leak if
NS_NewNamedThread failed) because the fix is trivial and not worth handling in
an entirely separate bug.
Differential Revision: https://phabricator.services.mozilla.com/D20034
--HG--
extra : moz-landing-system : lando
Consequently, this removes:
- MOZ_LIBPRIO, which is now always enabled.
- non_msvc_compiler, which is now always true.
- The cl.py wrapper, since it's not used anymore.
- CL_INCLUDES_PREFIX, which was only used for the cl.py wrapper.
- NONASCII, which was only there to ensure CL_INCLUDES_PREFIX still
worked in non-ASCII cases.
This however keeps a large part of detecting and configuring for MSVC,
because we still do need it for at least headers, libraries, and midl.
Depends on D19614
Differential Revision: https://phabricator.services.mozilla.com/D19615
--HG--
extra : moz-landing-system : lando
Adds telemetry for the state of intermediate preloading, as well as what errors
occur during the process.
Dana- will solicit data review today, too.
Differential Revision: https://phabricator.services.mozilla.com/D19507
--HG--
extra : moz-landing-system : lando
Move functionality out of XULDocument::AddElementToDocumentPost:
1) Convert all XUL link elements into HTML link elements which have
code to handle when they are added to the DOM.
2) Move handling of the end of a linkset element into nsXULElement's DoneAddingChildren callback.
3) Move document direction reset to where the root element is created.
Differential Revision: https://phabricator.services.mozilla.com/D19739
--HG--
extra : moz-landing-system : lando
This is a follow-up to the previous part, which actually changes one of
these callers to use Array<nsIIDRef> instead of [array] nsIIDPtr.
From doing this patch, it seems like we should consider changing
the type `nsIIDRef` to instead simply be `nsIID`, and treat it more like
the `AString` types from the POV of XPIDL. `nsIIDPtr` would then
continue to exist for backwards compatibility, but we can probably
remove almost all current consumers over time.
Depends on D19175
Differential Revision: https://phabricator.services.mozilla.com/D19176
--HG--
extra : moz-landing-system : lando
Replacing js and text occurences of asyncOpen2
Replacing open2 with open
Differential Revision: https://phabricator.services.mozilla.com/D16885
--HG--
rename : layout/style/test/test_asyncopen2.html => layout/style/test/test_asyncopen.html
extra : moz-landing-system : lando
Allow file-write-unlink in ~/Library/Preferences/Macromedia/Flash Player to allow changes made in the Flash Global Settings panel to persist.
Differential Revision: https://phabricator.services.mozilla.com/D19217
--HG--
extra : moz-landing-system : lando
As of bug 1514118, NSS is not the only place NSSCertDBTrustDomain looks for
issuer certificates. However, the initial implementation did not take into
account that NSSCertDBTrustDomain::FindIssuer would return early if NSS did not
find candidate issuers, resulting in unknown issuer errors for third party
roots. This patch fixes that bug by not returning early.
Differential Revision: https://phabricator.services.mozilla.com/D19058
--HG--
extra : moz-landing-system : lando
This patch:
* Classifies RemoteSecuritySettings as production.
* Add detailed logging controlled by the browser.policies.loglevel pref.
* Generally make RemoteSecuritySettings match other services better.
* Move to hex-encoded hashes to match Kinto.
* Adds RemoteSecuritySettings to blocklist-clients. This may not be the
permanent home.
* Adds a preference for how many certs to download at once.
* Adds an Observer interface.
(This makes the tests more predictable, but it also avoids having a
duplicate call when the full "sync" is called.)
Differential Revision: https://phabricator.services.mozilla.com/D19043
--HG--
extra : moz-landing-system : lando
Previously, the GPU sandbox was enabled and caused the VR service to break.
The VR service has now been moved into its own process, and now the GPU
sandbox should be able to work fine. We will initially apply sandbox level '1'
for a time, and then increase to sandbox level '2' if everything works just
fine.
Differential Revision: https://phabricator.services.mozilla.com/D18876
--HG--
extra : moz-landing-system : lando
This removes all .flake8 files except for the one at the root of the repo.
Instead we use the new 'per-file-ignores' config introduced in 3.7. To ignore
specific errors in a subdirectory, add a line like this to the root .flake8:
[per-file-ignores]
path/to/subdir/*: E100, F200, ...
The reasons for this change are:
1. Unblock flake8 blacklist (bug 1367092).
2. Simplify configuration and code.
3. Encourage more consistent styling.
4. Improve performance.
5. Greater editor consistency.
Differential Revision: https://phabricator.services.mozilla.com/D18354
--HG--
extra : moz-landing-system : lando
This bumps flake8 to version 3.7.5.
This also ignores the new lint rules that were added in the new versions.
These rules are de-marked via comment so we know that they should be enabled at
some point (as opposed to the other rules that are (presumably) ignored
intentionally.
Differential Revision: https://phabricator.services.mozilla.com/D18353
--HG--
extra : moz-landing-system : lando
In bug 1525191, the test certificates expired again. While regenerating them is
almost as simple as running a script, there were some manual test changes that
had to happen to get the tests passing again. This patch fixes up those tests so
that they shouldn't need changing the next time we regenerate the certificates.
Differential Revision: https://phabricator.services.mozilla.com/D18891
--HG--
extra : moz-landing-system : lando
For cases where the class has direct calls (that is, we cast `this` to the
subclass before making the call) no longer declare Recv/Answer methods on the
base class at all. This should ensure that slots for them are not generated in
vtables, and also allow the derived class to choose the method signature (e.g.
whether it wants to take something by reference or by value).
Differential Revision: https://phabricator.services.mozilla.com/D18132
--HG--
extra : moz-landing-system : lando
Summary:
Scripts:
https://gist.github.com/jcjones/b25e07de3a48c3ed084f0f9e26911693
# From the above gist
./jcj-regenerate-certspecs
# This is a DER form, not a PEM.
openssl x509 -in security/manager/ssl/tests/unit/test_signed_apps/xpcshellTestRoot.pem -outform der > security/manager/ssl/tests/unit/test_signed_apps/xpcshellTestRoot.der
rm security/manager/ssl/tests/unit/test_signed_apps/xpcshellTestRoot.pem
# These don't seem to be checked in
rm services/common/tests/unit/test_blocklist_signatures/*.pem
Reviewers: ccoroiu
Bug #: 1525191
Differential Revision: https://phabricator.services.mozilla.com/D18638
--HG--
extra : histedit_source : f6e29ef6f3d012e42cda980abbb13bc4276702d6
