commit 4f22857f926d1e35d22709a247cca0aa3f8e560f Author: Arthur Edelstein arthuredelstein@gmail.com Date: Wed Aug 29 21:43:38 2018 -0700

fixup! Bug 23247: Communicating security expectations for .onion

The mixed content blocker should not block a directly-loaded image from a .onion domain. We need to detect this situation earlier in nsMixedContentBlocker::ShouldLoad. --- dom/security/nsMixedContentBlocker.cpp | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/dom/security/nsMixedContentBlocker.cpp b/dom/security/nsMixedContentBlocker.cpp index 7b0e5088a4de..c8f850e1300c 100644 --- a/dom/security/nsMixedContentBlocker.cpp +++ b/dom/security/nsMixedContentBlocker.cpp @@ -726,6 +726,17 @@ nsMixedContentBlocker::ShouldLoad(bool aHadInsecureImageRedirect, } }

+ bool isHttpScheme = false; + rv = innerContentLocation->SchemeIs("http", &isHttpScheme); + NS_ENSURE_SUCCESS(rv, rv); + + // .onion URLs are encrypted and authenticated. Don't treat them as mixed + // content if potentially trustworthy (i.e. whitelisted). + if (isHttpScheme && IsPotentiallyTrustworthyOnion(innerContentLocation)) { + *aDecision = ACCEPT; + return NS_OK; + } + nsCOMPtr<nsIDocShell> docShell = NS_CP_GetDocShellFromContext(aRequestingContext); NS_ENSURE_TRUE(docShell, NS_OK);

@@ -746,10 +757,6 @@ nsMixedContentBlocker::ShouldLoad(bool aHadInsecureImageRedirect, return NS_OK; }

- bool isHttpScheme = false; - rv = innerContentLocation->SchemeIs("http", &isHttpScheme); - NS_ENSURE_SUCCESS(rv, rv); - // Loopback origins are not considered mixed content even over HTTP. See: // https://w3c.github.io/webappsec-mixed-content/#should-block-fetch if (isHttpScheme && @@ -758,13 +765,6 @@ nsMixedContentBlocker::ShouldLoad(bool aHadInsecureImageRedirect, return NS_OK; }

- // .onion URLs are encrypted and authenticated. Don't treat them as mixed - // content if potentially trustworthy (i.e. whitelisted). - if (isHttpScheme && IsPotentiallyTrustworthyOnion(innerContentLocation)) { - *aDecision = ACCEPT; - return NS_OK; - } - // The page might have set the CSP directive 'upgrade-insecure-requests'. In such // a case allow the http: load to succeed with the promise that the channel will // get upgraded to https before fetching any data from the netwerk.