[tor-commits] [tor-browser/tor-browser-38.1.0esr-5.x-1] fixup! Bug 13670.2: Isolate OCSP requests by first party domain

mikeperry at torproject.org mikeperry at torproject.org
Fri Jun 26 02:00:01 UTC 2015


commit c95f25a009d421a7cf38e56cc4c6fe83ff43c438
Author: Arthur Edelstein <arthuredelstein at gmail.com>
Date:   Tue Jun 23 13:21:11 2015 -0700

    fixup! Bug 13670.2: Isolate OCSP requests by first party domain
---
 dom/base/ThirdPartyUtil.cpp                            |    9 +++++++++
 netwerk/base/nsISocketTransport.idl                    |    2 +-
 netwerk/protocol/http/nsHttpConnectionMgr.cpp          |    2 +-
 netwerk/protocol/http/nsHttpConnectionMgr.h            |    2 +-
 netwerk/protocol/http/nsHttpHandler.cpp                |    2 +-
 security/manager/ssl/src/SSLServerCertVerification.cpp |    2 +-
 security/manager/ssl/src/TransportSecurityInfo.cpp     |    7 -------
 security/manager/ssl/src/TransportSecurityInfo.h       |    3 +--
 security/manager/ssl/src/nsNSSCallbacks.cpp            |   10 ++++++----
 9 files changed, 21 insertions(+), 18 deletions(-)

diff --git a/dom/base/ThirdPartyUtil.cpp b/dom/base/ThirdPartyUtil.cpp
index 9aa3414..a7d05f7 100644
--- a/dom/base/ThirdPartyUtil.cpp
+++ b/dom/base/ThirdPartyUtil.cpp
@@ -171,7 +171,16 @@ ThirdPartyUtil::GetOriginatingURI(nsIChannel *aChannel, nsIURI **aURI)
 
   // case 3)
   if (!topWin)
+  {
+    if (httpChannelInternal)
+    {
+      httpChannelInternal->GetDocumentURI(aURI);
+      if (*aURI) {
+        return NS_OK;
+      }
+    }
     return NS_ERROR_INVALID_ARG;
+  }
 
   // case 4)
   if (ourWin == topWin) {
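Review bot: In the new `!topWin` fallback the status of `httpChannelInternal->GetDocumentURI(aURI)` is discarded and `*aURI` is tested on its own, so if the getter fails without writing the out-parameter, the test reads whatever the caller left there. Checking the status first is safer: `nsresult rv = httpChannelInternal->GetDocumentURI(aURI);` followed by `if (NS_SUCCEEDED(rv) && *aURI) { return NS_OK; }`. A comment such as `// No window (presumably a windowless load like an OCSP fetch): fall back to the document URI set on the channel.` would also help, because the originating URI now depends on a value the channel's creator controls through SetDocumentURI. The added opening braces sit on their own lines, unlike the `if (...) {` form in the surrounding context. GetOriginatingURI starts and ends outside the hunk, so whether `*aURI` is nulled earlier cannot be confirmed from here.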
diff --git a/netwerk/base/nsISocketTransport.idl b/netwerk/base/nsISocketTransport.idl
index 2662145..161e9c3 100644
--- a/netwerk/base/nsISocketTransport.idl
+++ b/netwerk/base/nsISocketTransport.idl
@@ -28,7 +28,7 @@ native NetAddr(mozilla::net::NetAddr);
  * NOTE: This is a free-threaded interface, meaning that the methods on
  * this interface may be called from any thread.
  */
-[scriptable, uuid(a0b3b547-d6f0-4b65-a3de-a99ffa368840)]
+[scriptable, uuid(4e2dc9d0-125e-4f8e-8c93-845f3de5cd8a)]
 interface nsISocketTransport : nsITransport 
 {
     /**
diff --git a/netwerk/protocol/http/nsHttpConnectionMgr.cpp b/netwerk/protocol/http/nsHttpConnectionMgr.cpp
index f6fde3c..4713560 100644
--- a/netwerk/protocol/http/nsHttpConnectionMgr.cpp
+++ b/netwerk/protocol/http/nsHttpConnectionMgr.cpp
@@ -1327,7 +1327,7 @@ nsHttpConnectionMgr::PipelineFeedbackInfo(nsHttpConnectionInfo *ci,
 }
 
 void
-nsHttpConnectionMgr::ReportFailedToProcess(nsIURI *uri, const nsACString& isolationDomain)
+nsHttpConnectionMgr::ReportFailedToProcess(nsIURI *uri)
 {
     MOZ_ASSERT(uri);
 
diff --git a/netwerk/protocol/http/nsHttpConnectionMgr.h b/netwerk/protocol/http/nsHttpConnectionMgr.h
index 55b5d06..f64b756 100644
--- a/netwerk/protocol/http/nsHttpConnectionMgr.h
+++ b/netwerk/protocol/http/nsHttpConnectionMgr.h
@@ -220,7 +220,7 @@ public:
                                   nsHttpConnection *,
                                   uint32_t);
 
-    void ReportFailedToProcess(nsIURI *uri, const nsACString& isolationDomain);
+    void ReportFailedToProcess(nsIURI *uri);
 
     // Causes a large amount of connection diagnostic information to be
     // printed to the javascript console
diff --git a/netwerk/protocol/http/nsHttpHandler.cpp b/netwerk/protocol/http/nsHttpHandler.cpp
index 3f1ca3e..0fdd827 100644
--- a/netwerk/protocol/http/nsHttpHandler.cpp
+++ b/netwerk/protocol/http/nsHttpHandler.cpp
@@ -1952,7 +1952,7 @@ nsHttpHandler::Observe(nsISupports *subject,
         nsCOMPtr<nsIURI> uri = do_QueryInterface(subject);
         // Ignore possibility of an isolation key:
         if (uri && mConnMgr) {
-            mConnMgr->ReportFailedToProcess(uri, EmptyCString());
+            mConnMgr->ReportFailedToProcess(uri);
         }
     } else if (!strcmp(topic, "last-pb-context-exited")) {
         mPrivateAuthCache.ClearAll();
diff --git a/security/manager/ssl/src/SSLServerCertVerification.cpp b/security/manager/ssl/src/SSLServerCertVerification.cpp
index e436ed0..eeb430d 100644
--- a/security/manager/ssl/src/SSLServerCertVerification.cpp
+++ b/security/manager/ssl/src/SSLServerCertVerification.cpp
@@ -1146,7 +1146,7 @@ AuthCertificate(CertVerifier& certVerifier,
   rv = certVerifier.VerifySSLServerCert(cert, stapledOCSPResponse,
                                         time, infoObject,
                                         infoObject->GetHostNameRaw(),
-                                        infoObject->GetIsolationKey(),
+                                        infoObject->GetIsolationKeyRaw(),
                                         saveIntermediates, 0, &certList,
                                         &evOidPolicy, &ocspStaplingStatus,
                                         &keySizeStatus);
diff --git a/security/manager/ssl/src/TransportSecurityInfo.cpp b/security/manager/ssl/src/TransportSecurityInfo.cpp
index 8351916..c715688 100644
--- a/security/manager/ssl/src/TransportSecurityInfo.cpp
+++ b/security/manager/ssl/src/TransportSecurityInfo.cpp
@@ -107,13 +107,6 @@ TransportSecurityInfo::SetIsolationKey(const char* isolationKey)
   return NS_OK;
 }
 
-nsresult
-TransportSecurityInfo::GetIsolationKey(char** isolationKey)
-{
-  *isolationKey = (mIsolationKey) ? NS_strdup(mIsolationKey) : nullptr;
-  return NS_OK;
-}
-
 PRErrorCode
 TransportSecurityInfo::GetErrorCode() const
 {
diff --git a/security/manager/ssl/src/TransportSecurityInfo.h b/security/manager/ssl/src/TransportSecurityInfo.h
index d916adb..e0061e6d 100644
--- a/security/manager/ssl/src/TransportSecurityInfo.h
+++ b/security/manager/ssl/src/TransportSecurityInfo.h
@@ -62,8 +62,7 @@ public:
   nsresult GetPort(int32_t *aPort);
   nsresult SetPort(int32_t aPort);
 
-  nsresult GetIsolationKey(char **aIsolationKey);
-  const char* GetIsolationKey() const { return mIsolationKey.get(); }
+  const char* GetIsolationKeyRaw() const { return mIsolationKey.get(); }
   nsresult SetIsolationKey(const char *aIsolationKey);
 
   PRErrorCode GetErrorCode() const;
diff --git a/security/manager/ssl/src/nsNSSCallbacks.cpp b/security/manager/ssl/src/nsNSSCallbacks.cpp
index 40d2baf..2c6cca4 100644
--- a/security/manager/ssl/src/nsNSSCallbacks.cpp
+++ b/security/manager/ssl/src/nsNSSCallbacks.cpp
@@ -106,13 +106,15 @@ nsHTTPDownloadEvent::Run()
 
   chan->SetLoadFlags(nsIRequest::LOAD_ANONYMOUS);
 
-  // If we have an isolation key, use it as the isolation key for this channel.
+  // If we have an isolation key, use it as the  URI for this channel.
   if (!mRequestSession->mIsolationKey.IsEmpty()) {
     nsCOMPtr<nsIHttpChannelInternal> channelInternal(do_QueryInterface(chan));
     if (channelInternal) {
-      nsCOMPtr<nsIURI> pageURI;
-      nsresult rv = NS_NewURI(getter_AddRefs(pageURI), mRequestSession->mIsolationKey.get());
-      channelInternal->SetDocumentURI(pageURI);
+      nsCString documentURISpec("https://");
+      documentURISpec.Append(mRequestSession->mIsolationKey);
+      nsCOMPtr<nsIURI> documentURI;
+      /* nsresult rv = */ NS_NewURI(getter_AddRefs(documentURI), documentURISpec);
+      channelInternal->SetDocumentURI(documentURI);
     }
   }
 
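Review bot: The result of `NS_NewURI` is deliberately dropped (`/* nsresult rv = */`), so when the `"https://"` + isolation-key string does not parse, `documentURI` stays null and is still handed to `SetDocumentURI`. The request then appears to go out with no document URI, presumably without the first-party isolation this patch is meant to provide. Failing closed would be safer: `nsresult rv = NS_NewURI(getter_AddRefs(documentURI), documentURISpec);` followed by `NS_ENSURE_SUCCESS(rv, rv);` before the `SetDocumentURI` call, whose own return value is also unchecked. Whether an early return is safe for the waiting request depends on the rest of Run(), which lies outside the hunk. The rewritten comment has lost a word and gained a double space; `// If we have an isolation key, use it as the document URI for this channel.` reads as intended.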




