December 2024 - tbb-commits - lists.torproject.org

[Git][tpo/applications/tor-browser][tor-browser-128.5.0esr-14.5-1] 2 commits: fixup! Add CI for Base Browser
by morgan (＠morgan) 19 Dec '24

19 Dec '24

morgan pushed to branch tor-browser-128.5.0esr-14.5-1 at The Tor Project / Applications / Tor Browser Commits: 3fb9e5af by Henry Wilkes at 2024-12-19T10:42:05+00:00 fixup! Add CI for Base Browser Bug 43373: Only run lint CI for push events and merge requests. - - - - - 3ed32ed8 by Henry Wilkes at 2024-12-19T10:42:05+00:00 fixup! Add CI for Tor Browser Bug 43373: Only run translation and container CI for push events. - - - - - 3 changed files: - .gitlab/ci/jobs/lint/lint.yml - .gitlab/ci/jobs/update-containers.yml - .gitlab/ci/jobs/update-translations.yml Changes: ===================================== .gitlab/ci/jobs/lint/lint.yml ===================================== @@ -44,7 +44,7 @@ eslint: - 'tools/lint/eslint/eslint-plugin-mozilla/**' - 'tools/lint/eslint/eslint-plugin-spidermonkey-js/**' # Run job whenever a commit is merged to a protected branch - - if: ($CI_COMMIT_BRANCH && $CI_COMMIT_REF_PROTECTED == 'true') + - if: ($CI_COMMIT_BRANCH && $CI_COMMIT_REF_PROTECTED == 'true' && $CI_PIPELINE_SOURCE == 'push') stylelint: extends: .base @@ -62,7 +62,7 @@ stylelint: - '**/.stylelintignore' - '**/*stylelintrc*' # Run job whenever a commit is merged to a protected branch - - if: ($CI_COMMIT_BRANCH && $CI_COMMIT_REF_PROTECTED == 'true') + - if: ($CI_COMMIT_BRANCH && $CI_COMMIT_REF_PROTECTED == 'true' && $CI_PIPELINE_SOURCE == 'push') py-black: extends: .base @@ -81,7 +81,7 @@ py-black: - 'pyproject.toml' - 'tools/lint/black.yml' # Run job whenever a commit is merged to a protected branch - - if: ($CI_COMMIT_BRANCH && $CI_COMMIT_REF_PROTECTED == 'true') + - if: ($CI_COMMIT_BRANCH && $CI_COMMIT_REF_PROTECTED == 'true' && $CI_PIPELINE_SOURCE == 'push') py-ruff: extends: .base @@ -100,7 +100,7 @@ py-ruff: - 'tools/lint/python/ruff.py' - 'tools/lint/python/ruff_requirements.txt' # Run job whenever a commit is merged to a protected branch - - if: ($CI_COMMIT_BRANCH && $CI_COMMIT_REF_PROTECTED == 'true') + - if: ($CI_COMMIT_BRANCH && $CI_COMMIT_REF_PROTECTED == 'true' && $CI_PIPELINE_SOURCE == 'push') yaml: extends: .base @@ -115,7 +115,7 @@ yaml: - '**/*.yaml' - '**/.ymllint' # Run job whenever a commit is merged to a protected branch - - if: ($CI_COMMIT_BRANCH && $CI_COMMIT_REF_PROTECTED == 'true') + - if: ($CI_COMMIT_BRANCH && $CI_COMMIT_REF_PROTECTED == 'true' && $CI_PIPELINE_SOURCE == 'push') shellcheck: extends: .base @@ -129,7 +129,7 @@ shellcheck: - '**/*.sh' - 'tools/lint/shellcheck.yml' # Run job whenever a commit is merged to a protected branch - - if: ($CI_COMMIT_BRANCH && $CI_COMMIT_REF_PROTECTED == 'true') + - if: ($CI_COMMIT_BRANCH && $CI_COMMIT_REF_PROTECTED == 'true' && $CI_PIPELINE_SOURCE == 'push') clang-format: extends: .base @@ -149,7 +149,7 @@ clang-format: - '**/*.mm' - 'tools/lint/clang-format.yml' # Run job whenever a commit is merged to a protected branch - - if: ($CI_COMMIT_BRANCH && $CI_COMMIT_REF_PROTECTED == 'true') + - if: ($CI_COMMIT_BRANCH && $CI_COMMIT_REF_PROTECTED == 'true' && $CI_PIPELINE_SOURCE == 'push') rustfmt: extends: .base @@ -163,7 +163,7 @@ rustfmt: - '**/*.rs' - 'tools/lint/rustfmt.yml' # Run job whenever a commit is merged to a protected branch - - if: ($CI_COMMIT_BRANCH && $CI_COMMIT_REF_PROTECTED == 'true') + - if: ($CI_COMMIT_BRANCH && $CI_COMMIT_REF_PROTECTED == 'true' && $CI_PIPELINE_SOURCE == 'push') fluent-lint: extends: .base @@ -178,7 +178,7 @@ fluent-lint: - 'tools/lint/fluent-lint.yml' - 'tools/lint/fluent-lint/exclusions.yml' # Run job whenever a commit is merged to a protected branch - - if: ($CI_COMMIT_BRANCH && $CI_COMMIT_REF_PROTECTED == 'true') + - if: ($CI_COMMIT_BRANCH && $CI_COMMIT_REF_PROTECTED == 'true' && $CI_PIPELINE_SOURCE == 'push') localization: extends: .base @@ -195,7 +195,7 @@ localization: - 'third_party/python/fluent/**' - 'tools/lint/l10n.yml' # Run job whenever a commit is merged to a protected branch - - if: ($CI_COMMIT_BRANCH && $CI_COMMIT_REF_PROTECTED == 'true') + - if: ($CI_COMMIT_BRANCH && $CI_COMMIT_REF_PROTECTED == 'true' && $CI_PIPELINE_SOURCE == 'push') mingw-capitalization: extends: .base @@ -212,7 +212,7 @@ mingw-capitalization: - '**/*.h' - 'tools/lint/mingw-capitalization.yml' # Run job whenever a commit is merged to a protected branch - - if: ($CI_COMMIT_BRANCH && $CI_COMMIT_REF_PROTECTED == 'true') + - if: ($CI_COMMIT_BRANCH && $CI_COMMIT_REF_PROTECTED == 'true' && $CI_PIPELINE_SOURCE == 'push') mscom-init: extends: .base @@ -229,7 +229,7 @@ mscom-init: - '**/*.h' - 'tools/lint/mscom-init.yml' # Run job whenever a commit is merged to a protected branch - - if: ($CI_COMMIT_BRANCH && $CI_COMMIT_REF_PROTECTED == 'true') + - if: ($CI_COMMIT_BRANCH && $CI_COMMIT_REF_PROTECTED == 'true' && $CI_PIPELINE_SOURCE == 'push') file-whitespace: extends: .base @@ -259,7 +259,7 @@ file-whitespace: - '**/*.java' - 'tools/lint/file-whitespace.yml' # Run job whenever a commit is merged to a protected branch - - if: ($CI_COMMIT_BRANCH && $CI_COMMIT_REF_PROTECTED == 'true') + - if: ($CI_COMMIT_BRANCH && $CI_COMMIT_REF_PROTECTED == 'true' && $CI_PIPELINE_SOURCE == 'push') test-manifest: extends: .base @@ -274,7 +274,7 @@ test-manifest: - 'python/mozlint/**' - 'tools/lint/**' # Run job whenever a commit is merged to a protected branch - - if: ($CI_COMMIT_BRANCH && $CI_COMMIT_REF_PROTECTED == 'true') + - if: ($CI_COMMIT_BRANCH && $CI_COMMIT_REF_PROTECTED == 'true' && $CI_PIPELINE_SOURCE == 'push') trojan-source: extends: .base @@ -293,4 +293,4 @@ trojan-source: - '**/*.rs' - 'tools/lint/trojan-source.yml' # Run job whenever a commit is merged to a protected branch - - if: ($CI_COMMIT_BRANCH && $CI_COMMIT_REF_PROTECTED == 'true') + - if: ($CI_COMMIT_BRANCH && $CI_COMMIT_REF_PROTECTED == 'true' && $CI_PIPELINE_SOURCE == 'push') ===================================== .gitlab/ci/jobs/update-containers.yml ===================================== @@ -10,7 +10,7 @@ build-base-image: echo -e "\e[33mPushing new image to registry as ${TAG}\e[0m" podman push ${TAG} rules: - - if: ($CI_COMMIT_BRANCH && $CI_COMMIT_REF_PROTECTED == 'true' && $CI_PROJECT_NAMESPACE == 'tpo/applications') + - if: ($CI_COMMIT_BRANCH && $CI_COMMIT_REF_PROTECTED == 'true' && $CI_PROJECT_NAMESPACE == 'tpo/applications' && $CI_PIPELINE_SOURCE == 'push') changes: - '.gitlab/ci/containers/base/Containerfile' - '.gitlab-ci.yml' ===================================== .gitlab/ci/jobs/update-translations.yml ===================================== @@ -1,7 +1,7 @@ .update-translation-base: stage: update-translations rules: - - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH + - if: ($CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "push") changes: - "**/*.ftl" - "**/*.properties" View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/e71046… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/e71046… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser][tor-browser-128.5.0esr-14.5-1] fixup! Bug 40597: Implement TorSettings module
by morgan (＠morgan) 19 Dec '24

19 Dec '24

morgan pushed to branch tor-browser-128.5.0esr-14.5-1 at The Tor Project / Applications / Tor Browser Commits: e7104629 by Morgan at 2024-12-19T10:36:26+00:00 fixup! Bug 40597: Implement TorSettings module Bug 41338: Add CDN77 meek bridge - - - - - 1 changed file: - toolkit/content/pt_config.json Changes: ===================================== toolkit/content/pt_config.json ===================================== @@ -1,5 +1,5 @@ { - "_comment": "Used for dev build, replaced for release builds in tor-browser-build. This file is copied from tor-browser-build 0554d981:projects/tor-expert-bundle/pt_config.json", + "_comment": "Used for dev build, replaced for release builds in tor-browser-build. This file is copied from tor-browser-build 55dad612:projects/tor-expert-bundle/pt_config.json", "recommendedDefault" : "obfs4", "pluggableTransports" : { "lyrebird" : "ClientTransportPlugin meek_lite,obfs2,obfs3,obfs4,scramblesuit,webtunnel exec ${pt_path}lyrebird${pt_extension}", @@ -8,7 +8,8 @@ }, "bridges" : { "meek-azure" : [ - "meek_lite 192.0.2.18:80 BE776A53492E1E044A26F17306E1BC46A55A1625 url=https://meek.azureedge.net/ front=ajax.aspnetcdn.com" + "meek_lite 192.0.2.18:80 BE776A53492E1E044A26F17306E1BC46A55A1625 url=https://meek.azureedge.net/ front=ajax.aspnetcdn.com", + "meek_lite 192.0.2.20:80 url=https://1603026938.rsc.cdn77.org front=www.phpmyadmin.net utls=HelloRandomizedALPN" ], "obfs4" : [ "obfs4 192.95.36.142:443 CDF2E852BF539B82BD10E27E9115A31734E378C2 cert=qUVQ0srL1JI/vO6V6m/24anYXiJD3QP2HgzUKQtQ7GRqqUvs7P+tG43RtAqdhLOALP7DJQ iat-mode=1", @@ -29,3 +30,4 @@ ] } } + View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/e710462… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/e710462… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser-build][maint-13.5] Bug 41338: Add CDN77 meek bridge
by morgan (＠morgan) 19 Dec '24

19 Dec '24

morgan pushed to branch maint-13.5 at The Tor Project / Applications / tor-browser-build Commits: 55dad612 by meskio at 2024-12-19T10:25:55+00:00 Bug 41338: Add CDN77 meek bridge Azure might stop supporting Domain Fronting from Januar 15, let's add a second meek bridge so there is an alternative to it when it gets blocked. * Related: https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/155 - - - - - 1 changed file: - projects/tor-expert-bundle/pt_config.json Changes: ===================================== projects/tor-expert-bundle/pt_config.json ===================================== @@ -7,7 +7,8 @@ }, "bridges" : { "meek-azure" : [ - "meek_lite 192.0.2.18:80 BE776A53492E1E044A26F17306E1BC46A55A1625 url=https://meek.azureedge.net/ front=ajax.aspnetcdn.com" + "meek_lite 192.0.2.18:80 BE776A53492E1E044A26F17306E1BC46A55A1625 url=https://meek.azureedge.net/ front=ajax.aspnetcdn.com", + "meek_lite 192.0.2.20:80 url=https://1603026938.rsc.cdn77.org front=www.phpmyadmin.net utls=HelloRandomizedALPN" ], "obfs4" : [ "obfs4 192.95.36.142:443 CDF2E852BF539B82BD10E27E9115A31734E378C2 cert=qUVQ0srL1JI/vO6V6m/24anYXiJD3QP2HgzUKQtQ7GRqqUvs7P+tG43RtAqdhLOALP7DJQ iat-mode=1", View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/5… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/5… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser-build][main] Bug 41338: Add CDN77 meek bridge
by morgan (＠morgan) 19 Dec '24

19 Dec '24

morgan pushed to branch main at The Tor Project / Applications / tor-browser-build Commits: fc283625 by meskio at 2024-12-19T10:25:15+00:00 Bug 41338: Add CDN77 meek bridge Azure might stop supporting Domain Fronting from Januar 15, let's add a second meek bridge so there is an alternative to it when it gets blocked. * Related: https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/155 - - - - - 1 changed file: - projects/tor-expert-bundle/pt_config.json Changes: ===================================== projects/tor-expert-bundle/pt_config.json ===================================== @@ -7,7 +7,8 @@ }, "bridges" : { "meek-azure" : [ - "meek_lite 192.0.2.18:80 BE776A53492E1E044A26F17306E1BC46A55A1625 url=https://meek.azureedge.net/ front=ajax.aspnetcdn.com" + "meek_lite 192.0.2.18:80 BE776A53492E1E044A26F17306E1BC46A55A1625 url=https://meek.azureedge.net/ front=ajax.aspnetcdn.com", + "meek_lite 192.0.2.20:80 url=https://1603026938.rsc.cdn77.org front=www.phpmyadmin.net utls=HelloRandomizedALPN" ], "obfs4" : [ "obfs4 192.95.36.142:443 CDF2E852BF539B82BD10E27E9115A31734E378C2 cert=qUVQ0srL1JI/vO6V6m/24anYXiJD3QP2HgzUKQtQ7GRqqUvs7P+tG43RtAqdhLOALP7DJQ iat-mode=1", View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/f… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/f… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser-build][maint-14.0] Bug 41338: Add CDN77 meek bridge
by morgan (＠morgan) 19 Dec '24

19 Dec '24

morgan pushed to branch maint-14.0 at The Tor Project / Applications / tor-browser-build Commits: d1862ebc by meskio at 2024-12-19T10:24:14+00:00 Bug 41338: Add CDN77 meek bridge Azure might stop supporting Domain Fronting from Januar 15, let's add a second meek bridge so there is an alternative to it when it gets blocked. * Related: https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/155 - - - - - 1 changed file: - projects/tor-expert-bundle/pt_config.json Changes: ===================================== projects/tor-expert-bundle/pt_config.json ===================================== @@ -7,7 +7,8 @@ }, "bridges" : { "meek-azure" : [ - "meek_lite 192.0.2.18:80 BE776A53492E1E044A26F17306E1BC46A55A1625 url=https://meek.azureedge.net/ front=ajax.aspnetcdn.com" + "meek_lite 192.0.2.18:80 BE776A53492E1E044A26F17306E1BC46A55A1625 url=https://meek.azureedge.net/ front=ajax.aspnetcdn.com", + "meek_lite 192.0.2.20:80 url=https://1603026938.rsc.cdn77.org front=www.phpmyadmin.net utls=HelloRandomizedALPN" ], "obfs4" : [ "obfs4 192.95.36.142:443 CDF2E852BF539B82BD10E27E9115A31734E378C2 cert=qUVQ0srL1JI/vO6V6m/24anYXiJD3QP2HgzUKQtQ7GRqqUvs7P+tG43RtAqdhLOALP7DJQ iat-mode=1", View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/d… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/d… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser-build][main] Add CDN77 meek bridge
by morgan (＠morgan) 19 Dec '24

19 Dec '24

morgan pushed to branch main at The Tor Project / Applications / tor-browser-build Commits: 8c56c218 by meskio at 2024-12-18T19:42:13+01:00 Add CDN77 meek bridge Azure might stop supporting Domain Fronting from Januar 15, let's add a second meek bridge so there is an alternative to it when it gets blocked. * Related: https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/155 - - - - - 1 changed file: - projects/tor-expert-bundle/pt_config.json Changes: ===================================== projects/tor-expert-bundle/pt_config.json ===================================== @@ -7,7 +7,8 @@ }, "bridges" : { "meek-azure" : [ - "meek_lite 192.0.2.18:80 BE776A53492E1E044A26F17306E1BC46A55A1625 url=https://meek.azureedge.net/ front=ajax.aspnetcdn.com" + "meek_lite 192.0.2.18:80 BE776A53492E1E044A26F17306E1BC46A55A1625 url=https://meek.azureedge.net/ front=ajax.aspnetcdn.com", + "meek_lite 192.0.2.20:80 url=https://1603026938.rsc.cdn77.org front=www.phpmyadmin.net utls=HelloRandomizedALPN" ], "obfs4" : [ "obfs4 192.95.36.142:443 CDF2E852BF539B82BD10E27E9115A31734E378C2 cert=qUVQ0srL1JI/vO6V6m/24anYXiJD3QP2HgzUKQtQ7GRqqUvs7P+tG43RtAqdhLOALP7DJQ iat-mode=1", View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/8… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/8… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/mullvad-browser][mullvad-browser-128.5.0esr-14.5-1] Bug 1910593 - Don't prefetch HTTPS RR if proxyDNS is enabled, r=necko-reviewers,valentin
by Pier Angelo Vendrame (＠pierov) 18 Dec '24

18 Dec '24

Pier Angelo Vendrame pushed to branch mullvad-browser-128.5.0esr-14.5-1 at The Tor Project / Applications / Mullvad Browser Commits: c1966f06 by Kershaw Chang at 2024-12-17T12:40:47+01:00 Bug 1910593 - Don't prefetch HTTPS RR if proxyDNS is enabled, r=necko-reviewers,valentin Differential Revision: https://phabricator.services.mozilla.com/D219528 - - - - - 15 changed files: - dom/chrome-webidl/NetDashboard.webidl - netwerk/base/Dashboard.cpp - netwerk/base/DashboardTypes.h - netwerk/dns/nsHostResolver.cpp - netwerk/protocol/http/nsHttp.cpp - netwerk/protocol/http/nsHttp.h - netwerk/protocol/http/nsHttpChannel.cpp - netwerk/protocol/http/nsHttpChannel.h - netwerk/protocol/http/nsHttpConnectionInfo.h - netwerk/protocol/http/nsHttpConnectionMgr.cpp - netwerk/protocol/http/nsHttpHandler.cpp - netwerk/protocol/http/nsHttpHandler.h - + netwerk/test/unit/test_proxyDNS_leak.js - netwerk/test/unit/xpcshell.toml - toolkit/content/aboutNetworking.js Changes: ===================================== dom/chrome-webidl/NetDashboard.webidl ===================================== @@ -68,6 +68,7 @@ dictionary DnsCacheEntry { boolean trr = false; DOMString originAttributesSuffix = ""; DOMString flags = ""; + unsigned short type = 0; }; [GenerateConversionToJS] ===================================== netwerk/base/Dashboard.cpp ===================================== @@ -906,10 +906,13 @@ nsresult Dashboard::GetDNSCacheEntries(DnsData* dnsData) { CopyASCIItoUTF16(dnsData->mData[i].hostaddr[j], *addr); } - if (dnsData->mData[i].family == PR_AF_INET6) { - entry.mFamily.AssignLiteral(u"ipv6"); - } else { - entry.mFamily.AssignLiteral(u"ipv4"); + entry.mType = dnsData->mData[i].resolveType; + if (entry.mType == nsIDNSService::RESOLVE_TYPE_DEFAULT) { + if (dnsData->mData[i].family == PR_AF_INET6) { + entry.mFamily.AssignLiteral(u"ipv6"); + } else { + entry.mFamily.AssignLiteral(u"ipv4"); + } } entry.mOriginAttributesSuffix = ===================================== netwerk/base/DashboardTypes.h ===================================== @@ -35,12 +35,12 @@ struct DnsAndConnectSockets { struct DNSCacheEntries { nsCString hostname; nsTArray<nsCString> hostaddr; - uint16_t family; - int64_t expiration; - nsCString netInterface; - bool TRR; + uint16_t family{0}; + int64_t expiration{0}; + bool TRR{false}; nsCString originAttributesSuffix; nsCString flags; + uint16_t resolveType{0}; }; struct HttpConnInfo { @@ -99,8 +99,10 @@ struct ParamTraits<mozilla::net::DNSCacheEntries> { WriteParam(aWriter, aParam.hostaddr); WriteParam(aWriter, aParam.family); WriteParam(aWriter, aParam.expiration); - WriteParam(aWriter, aParam.netInterface); WriteParam(aWriter, aParam.TRR); + WriteParam(aWriter, aParam.originAttributesSuffix); + WriteParam(aWriter, aParam.flags); + WriteParam(aWriter, aParam.resolveType); } static bool Read(MessageReader* aReader, paramType* aResult) { @@ -108,8 +110,10 @@ struct ParamTraits<mozilla::net::DNSCacheEntries> { ReadParam(aReader, &aResult->hostaddr) && ReadParam(aReader, &aResult->family) && ReadParam(aReader, &aResult->expiration) && - ReadParam(aReader, &aResult->netInterface) && - ReadParam(aReader, &aResult->TRR); + ReadParam(aReader, &aResult->TRR) && + ReadParam(aReader, &aResult->originAttributesSuffix) && + ReadParam(aReader, &aResult->flags) && + ReadParam(aReader, &aResult->resolveType); } }; ===================================== netwerk/dns/nsHostResolver.cpp ===================================== @@ -1999,20 +1999,13 @@ void nsHostResolver::GetDNSCacheEntries(nsTArray<DNSCacheEntries>* args) { continue; } - // For now we only show A/AAAA records. - if (!rec->IsAddrRecord()) { - continue; - } - - RefPtr<AddrHostRecord> addrRec = do_QueryObject(rec); - MOZ_ASSERT(addrRec); - if (!addrRec || !addrRec->addr_info) { - continue; - } - DNSCacheEntries info; + info.resolveType = rec->type; info.hostname = rec->host; info.family = rec->af; + if (rec->mValidEnd.IsNull()) { + continue; + } info.expiration = (int64_t)(rec->mValidEnd - TimeStamp::NowLoRes()).ToSeconds(); if (info.expiration <= 0) { @@ -2020,7 +2013,12 @@ void nsHostResolver::GetDNSCacheEntries(nsTArray<DNSCacheEntries>* args) { continue; } - { + info.originAttributesSuffix = recordEntry.GetKey().originSuffix; + info.flags = nsPrintfCString("%u|0x%x|%u|%d|%s", rec->type, rec->flags, + rec->af, rec->pb, rec->mTrrServer.get()); + + RefPtr<AddrHostRecord> addrRec = do_QueryObject(rec); + if (addrRec && addrRec->addr_info) { MutexAutoLock lock(addrRec->addr_info_lock); for (const auto& addr : addrRec->addr_info->Addresses()) { char buf[kIPv6CStrBufSize]; @@ -2031,10 +2029,6 @@ void nsHostResolver::GetDNSCacheEntries(nsTArray<DNSCacheEntries>* args) { info.TRR = addrRec->addr_info->IsTRR(); } - info.originAttributesSuffix = recordEntry.GetKey().originSuffix; - info.flags = nsPrintfCString("%u|0x%x|%u|%d|%s", rec->type, rec->flags, - rec->af, rec->pb, rec->mTrrServer.get()); - args->AppendElement(std::move(info)); } } ===================================== netwerk/protocol/http/nsHttp.cpp ===================================== @@ -35,6 +35,8 @@ namespace mozilla { namespace net { +extern const char kProxyType_SOCKS[]; + const uint32_t kHttp3VersionCount = 5; const nsCString kHttp3Versions[] = {"h3-29"_ns, "h3-30"_ns, "h3-31"_ns, "h3-32"_ns, "h3"_ns}; @@ -1165,5 +1167,19 @@ void DisallowHTTPSRR(uint32_t& aCaps) { aCaps = (aCaps | NS_HTTP_DISALLOW_HTTPS_RR) & ~NS_HTTP_FORCE_WAIT_HTTP_RR; } +ProxyDNSStrategy GetProxyDNSStrategyHelper(const char* aType, uint32_t aFlag) { + if (!aType) { + return ProxyDNSStrategy::ORIGIN; + } + + if (!(aFlag & nsIProxyInfo::TRANSPARENT_PROXY_RESOLVES_HOST)) { + if (aType == kProxyType_SOCKS) { + return ProxyDNSStrategy::ORIGIN; + } + } + + return ProxyDNSStrategy::PROXY; +} + } // namespace net } // namespace mozilla ===================================== netwerk/protocol/http/nsHttp.h ===================================== @@ -527,6 +527,16 @@ bool PossibleZeroRTTRetryError(nsresult aReason); void DisallowHTTPSRR(uint32_t& aCaps); +enum class ProxyDNSStrategy : uint8_t { + // To resolve the origin of the end server we are connecting + // to. + ORIGIN = 1 << 0, + // To resolve the host name of the proxy. + PROXY = 1 << 1 +}; + +ProxyDNSStrategy GetProxyDNSStrategyHelper(const char* aType, uint32_t aFlag); + } // namespace net } // namespace mozilla ===================================== netwerk/protocol/http/nsHttpChannel.cpp ===================================== @@ -762,6 +762,10 @@ nsresult nsHttpChannel::MaybeUseHTTPSRRForUpgrade(bool aShouldUpgrade, } auto shouldSkipUpgradeWithHTTPSRR = [&]() -> bool { + if (mCaps & NS_HTTP_DISALLOW_HTTPS_RR) { + return true; + } + // Skip using HTTPS RR to upgrade when this is not a top-level load and the // loading principal is http. if ((mLoadInfo->GetExternalContentPolicyType() != @@ -784,6 +788,11 @@ nsresult nsHttpChannel::MaybeUseHTTPSRRForUpgrade(bool aShouldUpgrade, return true; } + auto dnsStrategy = GetProxyDNSStrategy(); + if (dnsStrategy != ProxyDNSStrategy::ORIGIN) { + return true; + } + nsAutoCString uriHost; mURI->GetAsciiHost(uriHost); @@ -808,11 +817,6 @@ nsresult nsHttpChannel::MaybeUseHTTPSRRForUpgrade(bool aShouldUpgrade, return ContinueOnBeforeConnect(hasHTTPSRR, aStatus, hasHTTPSRR); } - auto dnsStrategy = GetProxyDNSStrategy(); - if (!(dnsStrategy & DNS_PREFETCH_ORIGIN)) { - return ContinueOnBeforeConnect(aShouldUpgrade, aStatus); - } - LOG(("nsHttpChannel::MaybeUseHTTPSRRForUpgrade [%p] wait for HTTPS RR", this)); @@ -1218,13 +1222,13 @@ void nsHttpChannel::SpeculativeConnect() { NS_NewNotificationCallbacksAggregation(mCallbacks, mLoadGroup, getter_AddRefs(callbacks)); if (!callbacks) return; - - Unused << gHttpHandler->SpeculativeConnect( + bool httpsRRAllowed = !(mCaps & NS_HTTP_DISALLOW_HTTPS_RR); + Unused << gHttpHandler->MaybeSpeculativeConnectWithHTTPSRR( mConnectionInfo, callbacks, mCaps & (NS_HTTP_DISALLOW_SPDY | NS_HTTP_TRR_MODE_MASK | NS_HTTP_DISABLE_IPV4 | NS_HTTP_DISABLE_IPV6 | NS_HTTP_DISALLOW_HTTP3 | NS_HTTP_REFRESH_DNS), - gHttpHandler->EchConfigEnabled()); + gHttpHandler->EchConfigEnabled() && httpsRRAllowed); } void nsHttpChannel::DoNotifyListenerCleanup() { @@ -6538,27 +6542,16 @@ nsHttpChannel::GetOrCreateChannelClassifier() { return classifier.forget(); } -uint16_t nsHttpChannel::GetProxyDNSStrategy() { - // This function currently only supports returning DNS_PREFETCH_ORIGIN. - // Support for the rest of the DNS_* flags will be added later. - - if (!mProxyInfo) { - return DNS_PREFETCH_ORIGIN; +ProxyDNSStrategy nsHttpChannel::GetProxyDNSStrategy() { + // When network_dns_force_use_https_rr is true, return DNS_PREFETCH_ORIGIN. + // This ensures that we always perform HTTPS RR query. + nsCOMPtr<nsProxyInfo> proxyInfo(static_cast<nsProxyInfo*>(mProxyInfo.get())); + if (!proxyInfo || StaticPrefs::network_dns_force_use_https_rr()) { + return ProxyDNSStrategy::ORIGIN; } - uint32_t flags = 0; - nsAutoCString type; - mProxyInfo->GetFlags(&flags); - mProxyInfo->GetType(type); - // If the proxy is not to perform name resolution itself. - if (!(flags & nsIProxyInfo::TRANSPARENT_PROXY_RESOLVES_HOST)) { - if (type.EqualsLiteral("socks")) { - return DNS_PREFETCH_ORIGIN; - } - } - - return 0; + return GetProxyDNSStrategyHelper(proxyInfo->Type(), proxyInfo->Flags()); } // BeginConnect() SHOULD NOT call AsyncAbort(). AsyncAbort will be called by @@ -6744,11 +6737,13 @@ nsresult nsHttpChannel::BeginConnect() { } bool trrEnabled = false; + auto dnsStrategy = GetProxyDNSStrategy(); bool httpsRRAllowed = !LoadBeConservative() && !(mCaps & NS_HTTP_BE_CONSERVATIVE) && !(mLoadInfo->TriggeringPrincipal()->IsSystemPrincipal() && mLoadInfo->GetExternalContentPolicyType() != ExtContentPolicy::TYPE_DOCUMENT) && + dnsStrategy == ProxyDNSStrategy::ORIGIN && !mConnectionInfo->UsingConnect() && canUseHTTPSRRonNetwork(trrEnabled) && StaticPrefs::network_dns_use_https_rr_as_altsvc(); if (!httpsRRAllowed) { @@ -6859,16 +6854,7 @@ nsresult nsHttpChannel::BeginConnect() { ReEvaluateReferrerAfterTrackingStatusIsKnown(); } - rv = MaybeStartDNSPrefetch(); - if (NS_FAILED(rv)) { - auto dnsStrategy = GetProxyDNSStrategy(); - if (dnsStrategy & DNS_BLOCK_ON_ORIGIN_RESOLVE) { - // TODO: Should this be fatal? - return rv; - } - // Otherwise this shouldn't be fatal. - return NS_OK; - } + MaybeStartDNSPrefetch(); rv = CallOrWaitForResume( [](nsHttpChannel* self) { return self->PrepareToConnect(); }); @@ -6888,7 +6874,7 @@ nsresult nsHttpChannel::BeginConnect() { return NS_OK; } -nsresult nsHttpChannel::MaybeStartDNSPrefetch() { +void nsHttpChannel::MaybeStartDNSPrefetch() { // Start a DNS lookup very early in case the real open is queued the DNS can // happen in parallel. Do not do so in the presence of an HTTP proxy as // all lookups other than for the proxy itself are done by the proxy. @@ -6904,7 +6890,7 @@ nsresult nsHttpChannel::MaybeStartDNSPrefetch() { // timing we used. if ((mLoadFlags & (LOAD_NO_NETWORK_IO | LOAD_ONLY_FROM_CACHE)) || LoadAuthRedirectedChannel()) { - return NS_OK; + return; } auto dnsStrategy = GetProxyDNSStrategy(); @@ -6912,10 +6898,10 @@ nsresult nsHttpChannel::MaybeStartDNSPrefetch() { LOG( ("nsHttpChannel::MaybeStartDNSPrefetch [this=%p, strategy=%u] " "prefetching%s\n", - this, dnsStrategy, + this, static_cast<uint32_t>(dnsStrategy), mCaps & NS_HTTP_REFRESH_DNS ? ", refresh requested" : "")); - if (dnsStrategy & DNS_PREFETCH_ORIGIN) { + if (dnsStrategy == ProxyDNSStrategy::ORIGIN) { OriginAttributes originAttributes; StoragePrincipalHelper::GetOriginAttributesForNetworkState( this, originAttributes); @@ -6927,20 +6913,8 @@ nsresult nsHttpChannel::MaybeStartDNSPrefetch() { if (mCaps & NS_HTTP_REFRESH_DNS) { dnsFlags |= nsIDNSService::RESOLVE_BYPASS_CACHE; } - nsresult rv = mDNSPrefetch->PrefetchHigh(dnsFlags); - if (dnsStrategy & DNS_BLOCK_ON_ORIGIN_RESOLVE) { - LOG((" blocking on prefetching origin")); - - if (NS_WARN_IF(NS_FAILED(rv))) { - LOG((" lookup failed with 0x%08" PRIx32 ", aborting request", - static_cast<uint32_t>(rv))); - return rv; - } - - // Resolved in OnLookupComplete. - mDNSBlockingThenable = mDNSBlockingPromise.Ensure(__func__); - } + Unused << mDNSPrefetch->PrefetchHigh(dnsFlags); bool unused; if (StaticPrefs::network_dns_use_https_rr_as_altsvc() && !mHTTPSSVCRecord && @@ -6960,8 +6934,6 @@ nsresult nsHttpChannel::MaybeStartDNSPrefetch() { }); } } - - return NS_OK; } NS_IMETHODIMP ===================================== netwerk/protocol/http/nsHttpChannel.h ===================================== @@ -303,23 +303,11 @@ class nsHttpChannel final : public HttpBaseChannel, // Connections will only be established in this function. // (including DNS prefetch and speculative connection.) void MaybeResolveProxyAndBeginConnect(); - nsresult MaybeStartDNSPrefetch(); - - // Tells the channel to resolve the origin of the end server we are connecting - // to. - static uint16_t const DNS_PREFETCH_ORIGIN = 1 << 0; - // Tells the channel to resolve the host name of the proxy. - static uint16_t const DNS_PREFETCH_PROXY = 1 << 1; - // Will be set if the current channel uses an HTTP/HTTPS proxy. - static uint16_t const DNS_PROXY_IS_HTTP = 1 << 2; - // Tells the channel to wait for the result of the origin server resolution - // before any connection attempts are made. - static uint16_t const DNS_BLOCK_ON_ORIGIN_RESOLVE = 1 << 3; + void MaybeStartDNSPrefetch(); // Based on the proxy configuration determine the strategy for resolving the // end server host name. - // Returns a combination of the above flags. - uint16_t GetProxyDNSStrategy(); + ProxyDNSStrategy GetProxyDNSStrategy(); // We might synchronously or asynchronously call BeginConnect, // which includes DNS prefetch and speculative connection, according to ===================================== netwerk/protocol/http/nsHttpConnectionInfo.h ===================================== @@ -127,6 +127,13 @@ class nsHttpConnectionInfo final : public ARefBase { const char* ProxyPassword() const { return mProxyInfo ? mProxyInfo->Password().get() : nullptr; } + uint32_t ProxyFlag() const { + uint32_t flags = 0; + if (mProxyInfo) { + mProxyInfo->GetFlags(&flags); + } + return flags; + } const nsCString& ProxyAuthorizationHeader() const { return mProxyInfo ? mProxyInfo->ProxyAuthorizationHeader() : EmptyCString(); ===================================== netwerk/protocol/http/nsHttpConnectionMgr.cpp ===================================== @@ -3573,9 +3573,15 @@ void nsHttpConnectionMgr::DoSpeculativeConnectionInternal( return; } - if (aFetchHTTPSRR && NS_SUCCEEDED(aTrans->FetchHTTPSRR())) { - // nsHttpConnectionMgr::DoSpeculativeConnection will be called again when - // HTTPS RR is available. + ProxyDNSStrategy strategy = GetProxyDNSStrategyHelper( + aEnt->mConnInfo->ProxyType(), aEnt->mConnInfo->ProxyFlag()); + // Speculative connections can be triggered by non-Necko consumers, + // so add an extra check to ensure HTTPS RR isn't fetched when a proxy is + // used. + if (aFetchHTTPSRR && strategy == ProxyDNSStrategy::ORIGIN && + NS_SUCCEEDED(aTrans->FetchHTTPSRR())) { + // nsHttpConnectionMgr::DoSpeculativeConnection will be called again + // when HTTPS RR is available. return; } ===================================== netwerk/protocol/http/nsHttpHandler.cpp ===================================== @@ -2388,7 +2388,9 @@ nsresult nsHttpHandler::SpeculativeConnectInternal( } } - return SpeculativeConnect(ci, aCallbacks); + // When ech is enabled, always do speculative connect with HTTPS RR. + return MaybeSpeculativeConnectWithHTTPSRR(ci, aCallbacks, 0, + EchConfigEnabled()); } NS_IMETHODIMP ===================================== netwerk/protocol/http/nsHttpHandler.h ===================================== @@ -296,14 +296,13 @@ class nsHttpHandler final : public nsIHttpProtocolHandler, return mConnMgr->GetSocketThreadTarget(target); } - [[nodiscard]] nsresult SpeculativeConnect(nsHttpConnectionInfo* ci, - nsIInterfaceRequestor* callbacks, - uint32_t caps = 0, - bool aFetchHTTPSRR = false) { + [[nodiscard]] nsresult MaybeSpeculativeConnectWithHTTPSRR( + nsHttpConnectionInfo* ci, nsIInterfaceRequestor* callbacks, uint32_t caps, + bool aFetchHTTPSRR) { TickleWifi(callbacks); RefPtr<nsHttpConnectionInfo> clone = ci->Clone(); return mConnMgr->SpeculativeConnect(clone, callbacks, caps, nullptr, - aFetchHTTPSRR | EchConfigEnabled()); + aFetchHTTPSRR); } [[nodiscard]] nsresult SpeculativeConnect(nsHttpConnectionInfo* ci, ===================================== netwerk/test/unit/test_proxyDNS_leak.js ===================================== @@ -0,0 +1,111 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +// Test when socks proxy is registered, we don't try to resolve HTTPS record. +// Steps: +// 1. Use addHTTPSRecordOverride to add an override for service.com. +// 2. Add a proxy filter to use socks proxy. +// 3. Create a request to load service.com. +// 4. See if the HTTPS record is in DNS cache entries. + +"use strict"; + +const gDashboard = Cc["@mozilla.org/network/dashboard;1"].getService( + Ci.nsIDashboard +); +const pps = Cc["@mozilla.org/network/protocol-proxy-service;1"].getService(); + +add_task(async function setup() { + Services.prefs.setBoolPref("network.dns.native_https_query", true); + Services.prefs.setBoolPref("network.dns.native_https_query_win10", true); + const override = Cc["@mozilla.org/network/native-dns-override;1"].getService( + Ci.nsINativeDNSResolverOverride + ); + + let rawBuffer = [ + 0, 0, 128, 0, 0, 0, 0, 1, 0, 0, 0, 0, 7, 115, 101, 114, 118, 105, 99, 101, + 3, 99, 111, 109, 0, 0, 65, 0, 1, 0, 0, 0, 55, 0, 13, 0, 1, 0, 0, 1, 0, 6, 2, + 104, 50, 2, 104, 51, + ]; + override.addHTTPSRecordOverride("service.com", rawBuffer, rawBuffer.length); + override.addIPOverride("service.com", "127.0.0.1"); + registerCleanupFunction(() => { + Services.prefs.clearUserPref("network.dns.native_https_query"); + Services.prefs.clearUserPref("network.dns.native_https_query_win10"); + Services.prefs.clearUserPref("network.dns.localDomains"); + override.clearOverrides(); + }); +}); + +function makeChan(uri) { + let chan = NetUtil.newChannel({ + uri, + loadUsingSystemPrincipal: true, + contentPolicyType: Ci.nsIContentPolicy.TYPE_DOCUMENT, + }).QueryInterface(Ci.nsIHttpChannel); + chan.loadFlags = Ci.nsIChannel.LOAD_INITIAL_DOCUMENT_URI; + return chan; +} + +function channelOpenPromise(chan, flags) { + return new Promise(resolve => { + function finish(req, buffer) { + resolve([req, buffer]); + } + chan.asyncOpen(new ChannelListener(finish, null, flags)); + }); +} + +async function isRecordFound(hostname) { + return new Promise(resolve => { + gDashboard.requestDNSInfo(function (data) { + let found = false; + for (let i = 0; i < data.entries.length; i++) { + if ( + data.entries[i].hostname == hostname && + data.entries[i].type == Ci.nsIDNSService.RESOLVE_TYPE_HTTPSSVC + ) { + found = true; + break; + } + } + resolve(found); + }); + }); +} + +async function do_test_with_proxy_filter(filter) { + pps.registerFilter(filter, 10); + + let chan = makeChan(`https://service.com/`); + await channelOpenPromise(chan, CL_EXPECT_LATE_FAILURE | CL_ALLOW_UNKNOWN_CL); + + let found = await isRecordFound("service.com"); + pps.unregisterFilter(filter); + + return found; +} + +add_task(async function test_proxyDNS_do_leak() { + let filter = new NodeProxyFilter("socks", "localhost", 443, 0); + + let res = await do_test_with_proxy_filter(filter); + + Assert.ok(res, "Should find a DNS entry"); +}); + +add_task(async function test_proxyDNS_dont_leak() { + Services.dns.clearCache(false); + + let filter = new NodeProxyFilter( + "socks", + "localhost", + 443, + Ci.nsIProxyInfo.TRANSPARENT_PROXY_RESOLVES_HOST + ); + + let res = await do_test_with_proxy_filter(filter); + + Assert.ok(!res, "Should not find a DNS entry"); +}); ===================================== netwerk/test/unit/xpcshell.toml ===================================== @@ -983,6 +983,12 @@ run-sequentially = "node server exceptions dont replay well" ["test_proxy_pac.js"] +["test_proxyDNS_leak.js"] +skip-if = [ + "os == 'android'", + "socketprocess_networking", +] + ["test_proxyconnect.js"] skip-if = [ "tsan", ===================================== toolkit/content/aboutNetworking.js ===================================== @@ -116,6 +116,11 @@ function displayDns(data) { new_cont.setAttribute("id", "dns_content"); for (let i = 0; i < data.entries.length; i++) { + // TODO: Will be supported in bug 1889387. + if (data.entries[i].type != Ci.nsIDNSService.RESOLVE_TYPE_DEFAULT) { + continue; + } + let row = document.createElement("tr"); row.appendChild(col(data.entries[i].hostname)); row.appendChild(col(data.entries[i].family)); View it on GitLab: https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/commit/c19… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/commit/c19… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/mullvad-browser] Pushed new tag FIREFOX_NIGHTLY_134_END
by Pier Angelo Vendrame (＠pierov) 17 Dec '24

17 Dec '24

Pier Angelo Vendrame pushed new tag FIREFOX_NIGHTLY_134_END at The Tor Project / Applications / Mullvad Browser -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/tree/FIREF… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/tor-browser] Pushed new tag FIREFOX_NIGHTLY_134_END
by Pier Angelo Vendrame (＠pierov) 17 Dec '24

17 Dec '24

Pier Angelo Vendrame pushed new tag FIREFOX_NIGHTLY_134_END at The Tor Project / Applications / Tor Browser -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/tree/FIREFOX_N… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[Git][tpo/applications/mullvad-browser] Pushed new tag FIREFOX_NIGHTLY_133_END
by Pier Angelo Vendrame (＠pierov) 17 Dec '24

17 Dec '24

Pier Angelo Vendrame pushed new tag FIREFOX_NIGHTLY_133_END at The Tor Project / Applications / Mullvad Browser -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/tree/FIREF… You're receiving this email because of your account on gitlab.torproject.org.

1 0