commit 680dece41e71d30afd4616aa19001c60e55dc852 Author: Kathy Brade brade@pearlcrescent.com Date: Tue Mar 20 15:02:32 2018 -0400
Bug 23439: Exempt .onion domains from mixed content warnings --- dom/html/HTMLFormElement.cpp | 5 +++++ dom/security/nsContentSecurityManager.cpp | 7 +++--- dom/security/nsMixedContentBlocker.cpp | 37 ++++++++++++++++++++++++++++--- dom/security/nsMixedContentBlocker.h | 2 ++ 4 files changed, 44 insertions(+), 7 deletions(-)
diff --git a/dom/html/HTMLFormElement.cpp b/dom/html/HTMLFormElement.cpp
index 5164391f8d2b..71b6248d5b06 100644
--- a/dom/html/HTMLFormElement.cpp
+++ b/dom/html/HTMLFormElement.cpp
@@ -14,6 +14,7 @@
 #include "mozilla/dom/AutocompleteErrorEvent.h"
 #include "mozilla/dom/nsCSPUtils.h"
 #include "mozilla/dom/nsCSPContext.h"
+#include "mozilla/dom/nsMixedContentBlocker.h"
 #include "mozilla/dom/HTMLFormControlsCollection.h"
 #include "mozilla/dom/HTMLFormElementBinding.h"
 #include "mozilla/Move.h"
@@ -907,6 +908,10 @@ HTMLFormElement::DoSecureToInsecureSubmitCheck(nsIURI* aActionURL,
 return NS_OK;
 }
+ if (nsMixedContentBlocker::IsPotentiallyTrustworthyOnion(aActionURL)) {
+ return NS_OK;
+ }
+
 nsCOMPtr<nsPIDOMWindowOuter> window = OwnerDoc()->GetWindow();
 if (!window) {
 return NS_ERROR_FAILURE;
diff --git a/dom/security/nsContentSecurityManager.cpp b/dom/security/nsContentSecurityManager.cpp
index c95226b56e91..aa4f735a5c4f 100644
--- a/dom/security/nsContentSecurityManager.cpp
+++ b/dom/security/nsContentSecurityManager.cpp
@@ -10,6 +10,7 @@
 #include "nsMixedContentBlocker.h"
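Review bot: The new early return in DoSecureToInsecureSubmitCheck skips the insecure-submit warning for any action URL whose host ends in .onion, whatever its scheme, because IsPotentiallyTrustworthyOnion only looks at the pref and the host. The ShouldLoad call site in nsMixedContentBlocker.cpp guards the same helper with an http scheme test, and this one should match it unless other schemes are meant to be exempt: `bool isHttp = false;` followed by `if (NS_SUCCEEDED(aActionURL->SchemeIs("http", &isHttp)) && isHttp && nsMixedContentBlocker::IsPotentiallyTrustworthyOnion(aActionURL)) {`. The function starts above the hunk, so an earlier scheme filter may already make this redundant; if so, a one-line comment saying that would help.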
#include "mozilla/dom/Element.h"
+#include "mozilla/dom/nsMixedContentBlocker.h"
NS_IMPL_ISUPPORTS(nsContentSecurityManager,
 nsIContentSecurityManager,
@@ -689,11 +690,9 @@ nsContentSecurityManager::IsOriginPotentiallyTrustworthy(nsIPrincipal* aPrincipa
 }
 }
 }
- // Maybe we have a .onion URL. Treat it as whitelisted as well when
+ // Maybe we have a .onion URL. Treat it as whitelisted as well if
 // `dom.securecontext.whitelist_onions` is `true`.
- bool whitelistOnions =
- Preferences::GetBool("dom.securecontext.whitelist_onions", false);
- if (whitelistOnions && StringEndsWith(host, NS_LITERAL_CSTRING(".onion"))) {
+ if (nsMixedContentBlocker::IsPotentiallyTrustworthyOnion(uri)) {
 *aIsTrustWorthy = true;
 return NS_OK;
 }
diff --git a/dom/security/nsMixedContentBlocker.cpp b/dom/security/nsMixedContentBlocker.cpp
index a9aca5333491..98e262f0bcf4 100644
--- a/dom/security/nsMixedContentBlocker.cpp
+++ b/dom/security/nsMixedContentBlocker.cpp
@@ -394,6 +394,29 @@ nsMixedContentBlocker::ShouldLoad(uint32_t aContentType,
 return rv;
 }
+/* Maybe we have a .onion URL. Treat it as whitelisted as well if
+ * `dom.securecontext.whitelist_onions` is `true`.
+ */
+bool
+nsMixedContentBlocker::IsPotentiallyTrustworthyOnion(nsIURI* aURL) {
+ static bool sInited = false;
+ static bool sWhiteListOnions = false;
+ if (!sInited) {
+ Preferences::AddBoolVarCache(&sWhiteListOnions,
+ "dom.securecontext.whitelist_onions");
+ sInited = true;
+ }
+ if (!sWhiteListOnions) {
+ return false;
+ }
+
+ nsAutoCString host;
+ nsresult rv = aURL->GetHost(host);
+ NS_ENSURE_SUCCESS(rv, false);
+ return StringEndsWith(host, NS_LITERAL_CSTRING(".onion"));
+}
+
+
 /* Static version of ShouldLoad() that contains all the Mixed Content Blocker
 * logic. Called from non-static ShouldLoad().
 */
@@ -696,6 +719,17 @@ nsMixedContentBlocker::ShouldLoad(bool aHadInsecureImageRedirect,
 return NS_OK;
 }
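Review bot: The comment on IsPotentiallyTrustworthyOnion was copied from its old call site and does not say what the function promises. It should state that the result is true only when `dom.securecontext.whitelist_onions` is set and the host of aURL ends in `.onion`, that the scheme is not examined so callers must check it themselves, and that aURL must be non-null because it is dereferenced without a check. The lazy `sInited` / `AddBoolVarCache` setup is unsynchronised, so the function presumably expects main-thread callers only; `MOZ_ASSERT(NS_IsMainThread());` at the top would make that explicit.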
+ bool isHttpScheme = false;
+ rv = innerContentLocation->SchemeIs("http", &isHttpScheme);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ // .onion URLs are encrypted and authenticated. Don't treat them as mixed
+ // content if potentially trustworthy (i.e. whitelisted).
+ if (isHttpScheme && IsPotentiallyTrustworthyOnion(innerContentLocation)) {
+ *aDecision = ACCEPT;
+ return NS_OK;
+ }
+
 // The page might have set the CSP directive 'upgrade-insecure-requests'. In such
 // a case allow the http: load to succeed with the promise that the channel will
 // get upgraded to https before fetching any data from the netwerk.
@@ -707,9 +741,6 @@ nsMixedContentBlocker::ShouldLoad(bool aHadInsecureImageRedirect,
 // we only have to check against http: here. Skip mixed content blocking if the
 // subresource load uses http: and the CSP directive 'upgrade-insecure-requests'
 // is present on the page.
- bool isHttpScheme = false;
- rv = innerContentLocation->SchemeIs("http", &isHttpScheme);
- NS_ENSURE_SUCCESS(rv, rv);
 nsIDocument* document = docShell->GetDocument();
 MOZ_ASSERT(document, "Expected a document");
 if (isHttpScheme && document->GetUpgradeInsecureRequests(isPreload)) {
diff --git a/dom/security/nsMixedContentBlocker.h b/dom/security/nsMixedContentBlocker.h
index 539c3ebbb7f0..24fbac171dac 100644
--- a/dom/security/nsMixedContentBlocker.h
+++ b/dom/security/nsMixedContentBlocker.h
@@ -43,6 +43,8 @@ public:
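Review bot: The early `ACCEPT` for http .onion loads is justified by a comment saying these URLs are encrypted and authenticated, but the code tests only the scheme, the host suffix and the pref. That property comes from the onion-service transport rather than from the name, so the comment should record the assumption, for example `// Assumes the pref is only enabled where .onion hosts are reachable solely through Tor.` The return also sits ahead of the upgrade-insecure-requests branch and everything after it in ShouldLoad, which continues outside the hunk. It is worth confirming that none of that later handling, such as anything keyed on aHadInsecureImageRedirect, is still needed for these loads.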
nsMixedContentBlocker();
+ static bool IsPotentiallyTrustworthyOnion(nsIURI* aURL);
+
 /* Static version of ShouldLoad() that contains all the Mixed Content Blocker
 * logic. Called from non-static ShouldLoad().
 * Called directly from imageLib when an insecure redirect exists in a cached