diff --git a/dom/media/webrtc/transport/ipc/WebrtcTCPSocket.cpp b/dom/media/webrtc/transport/ipc/WebrtcTCPSocket.cpp
index 27d00c8525ee..16d0846fd58a 100644
--- a/dom/media/webrtc/transport/ipc/WebrtcTCPSocket.cpp
+++ b/dom/media/webrtc/transport/ipc/WebrtcTCPSocket.cpp
@@ -465,7 +465,7 @@ nsresult WebrtcTCPSocket::OpenWithHttpProxy() {
 if (NS_WARN_IF(NS_FAILED(rv))) {
 return rv;
 }
- rv = httpChannel->SetConnectOnly();
+ rv = httpChannel->SetConnectOnly(false);
 if (NS_WARN_IF(NS_FAILED(rv))) {
 return rv;
 }
diff --git a/netwerk/protocol/http/HttpBaseChannel.cpp b/netwerk/protocol/http/HttpBaseChannel.cpp
index e2063d0cebbc..79f6eb63656a 100644
--- a/netwerk/protocol/http/HttpBaseChannel.cpp
+++ b/netwerk/protocol/http/HttpBaseChannel.cpp
@@ -3768,7 +3768,7 @@ HttpBaseChannel::GetOnlyConnect(bool* aOnlyConnect) {
 }
 NS_IMETHODIMP
-HttpBaseChannel::SetConnectOnly() {
+HttpBaseChannel::SetConnectOnly(bool aTlsTunnel) {
 ENSURE_CALLED_BEFORE_CONNECT();
 if (!mUpgradeProtocolCallback) {
@@ -3776,6 +3776,9 @@ HttpBaseChannel::SetConnectOnly() {
 }
 mCaps |= NS_HTTP_CONNECT_ONLY;
+ if (aTlsTunnel) {
+ mCaps |= NS_HTTP_TLS_TUNNEL;
+ }
 mProxyResolveFlags = nsIProtocolProxyService::RESOLVE_PREFER_HTTPS_PROXY | nsIProtocolProxyService::RESOLVE_ALWAYS_TUNNEL;
 return SetLoadFlags(nsIRequest::INHIBIT_CACHING | nsIChannel::LOAD_ANONYMOUS |
diff --git a/netwerk/protocol/http/HttpBaseChannel.h b/netwerk/protocol/http/HttpBaseChannel.h
index 6c034329d23c..e66fa73a815b 100644
--- a/netwerk/protocol/http/HttpBaseChannel.h
+++ b/netwerk/protocol/http/HttpBaseChannel.h
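Review bot: In the second HttpBaseChannel.cpp hunk the new `NS_HTTP_TLS_TUNNEL` bit is only ever OR-ed into `mCaps`, so a call with `true` followed by a call with `false` before connect leaves the tunnel flag set. If the last call is meant to decide, set or clear it explicitly, e.g. `mCaps = aTlsTunnel ? (mCaps | NS_HTTP_TLS_TUNNEL) : (mCaps & ~NS_HTTP_TLS_TUNNEL);`. The bare literal at the WebrtcTCPSocket.cpp call site would also read better as `SetConnectOnly(/* aTlsTunnel */ false)`, since this argument decides whether traffic through a plain HTTP proxy gets wrapped in TLS. SetConnectOnly's body is split across two hunks and its tail lies outside the diff.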
@@ -273,7 +273,7 @@ class HttpBaseChannel : public nsHashPropertyBag,
 NS_IMETHOD GetRemoteAddress(nsACString& addr) override;
 NS_IMETHOD GetRemotePort(int32_t* port) override;
 NS_IMETHOD GetOnlyConnect(bool* aOnlyConnect) override;
- NS_IMETHOD SetConnectOnly() override;
+ NS_IMETHOD SetConnectOnly(bool aTlsTunnel) override;
 NS_IMETHOD GetAllowSpdy(bool* aAllowSpdy) override;
 NS_IMETHOD SetAllowSpdy(bool aAllowSpdy) override;
 NS_IMETHOD GetAllowHttp3(bool* aAllowHttp3) override;
diff --git a/netwerk/protocol/http/nsHttp.cpp b/netwerk/protocol/http/nsHttp.cpp
index 76fc0f053a15..dc7ee0a53abf 100644
--- a/netwerk/protocol/http/nsHttp.cpp
+++ b/netwerk/protocol/http/nsHttp.cpp
@@ -1,3 +1,4 @@
+
 /* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 /* vim:set ts=4 sw=2 sts=2 et cin: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
diff --git a/netwerk/protocol/http/nsHttp.h b/netwerk/protocol/http/nsHttp.h
index 5d40e902ff2f..38d1dd1e37ac 100644
--- a/netwerk/protocol/http/nsHttp.h
+++ b/netwerk/protocol/http/nsHttp.h
@@ -186,6 +186,10 @@ extern const nsCString kHttp3Versions[];
 // When set, disallow to connect to a HTTP/2 proxy.
 #define NS_HTTP_DISALLOW_HTTP2_PROXY (1 << 28)
+// When set, setup TLS tunnel even when HTTP proxy is used.
+// Need to be used together with NS_HTTP_CONNECT_ONLY
+#define NS_HTTP_TLS_TUNNEL (1 << 29)
+
 #define NS_HTTP_TRR_FLAGS_FROM_MODE(x) ((static_cast(x) & 3) << 19)
 #define NS_HTTP_TRR_MODE_FROM_FLAGS(x) \
diff --git a/netwerk/protocol/http/nsHttpConnection.cpp b/netwerk/protocol/http/nsHttpConnection.cpp
index 7acaa7f60455..1a484ea36a06 100644
--- a/netwerk/protocol/http/nsHttpConnection.cpp
+++ b/netwerk/protocol/http/nsHttpConnection.cpp
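Review bot: The comment added above `NS_HTTP_TLS_TUNNEL` in the nsHttp.h hunk does not say which leg of the connection the TLS covers, and "Need to be used together with" reads as advice rather than a requirement. Judging by the nsHttpConnection.cpp hunk, the flag makes the connection run TLS to the origin after CONNECT even when the proxy itself is plain HTTP. I would word it as `// When set, set up TLS to the origin inside the CONNECT tunnel even when a plain HTTP proxy is used.` followed by `// Must be set together with NS_HTTP_CONNECT_ONLY.`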
@@ -1069,7 +1069,8 @@ void nsHttpConnection::HandleTunnelResponse(uint16_t responseStatus,
 nsresult rv;
 if (isHttps) {
 bool skipSSL = false;
- if (mConnInfo->UsingHttpsProxy()) {
+ if (mConnInfo->UsingHttpsProxy() ||
+ mTransactionCaps & NS_HTTP_TLS_TUNNEL) {
 LOG(("%p SetupSecondaryTLS %s %d\n", this, mConnInfo->Origin(), mConnInfo->OriginPort()));
 SetupSecondaryTLS();
diff --git a/netwerk/protocol/http/nsIHttpChannelInternal.idl b/netwerk/protocol/http/nsIHttpChannelInternal.idl
index bd8848038239..68e91611f62e 100644
--- a/netwerk/protocol/http/nsIHttpChannelInternal.idl
+++ b/netwerk/protocol/http/nsIHttpChannelInternal.idl
@@ -211,8 +211,11 @@ interface nsIHttpChannelInternal : nsISupports
 *
 * Proxy resolve flags are set with RESOLVE_PREFER_HTTPS_PROXY and
 * RESOLVE_ALWAYS_TUNNEL.
+ *
+ * @param tlsTunnel
+ * When true, always setup TLS tunnel
 */
- [must_use] void setConnectOnly();
+ [must_use] void setConnectOnly(in boolean tlsTunnel);
 /**
 * True iff the channel is CONNECT only.
diff --git a/netwerk/test/unit/test_proxyconnect.js b/netwerk/test/unit/test_proxyconnect.js
index 7de1fb39d420..00cf0c471525 100644
--- a/netwerk/test/unit/test_proxyconnect.js
+++ b/netwerk/test/unit/test_proxyconnect.js
@@ -229,7 +229,7 @@ function makeChan(url) {
 var internal = chan.QueryInterface(Ci.nsIHttpChannelInternal);
 internal.HTTPUpgrade(ALPN, upgradeListener);
- internal.setConnectOnly();
+ internal.setConnectOnly(false);
 return chan;
 }
diff --git a/netwerk/test/unit/test_proxyconnect_https.js b/netwerk/test/unit/test_proxyconnect_https.js
index 40e3cc54d208..a8c0ef1fa633 100644
--- a/netwerk/test/unit/test_proxyconnect_https.js
+++ b/netwerk/test/unit/test_proxyconnect_https.js
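Review bot: The new condition in the nsHttpConnection.cpp hunk, `mConnInfo->UsingHttpsProxy() || mTransactionCaps & NS_HTTP_TLS_TUNNEL`, relies on `&` binding tighter than `||`. It evaluates as intended, but the mask test should be parenthesised so the grouping is explicit: `(mTransactionCaps & NS_HTTP_TLS_TUNNEL)`. The check also looks at the tunnel bit alone, although the nsHttp.h comment says it must accompany NS_HTTP_CONNECT_ONLY. An assertion before the branch would catch a caller that sets one without the other: `MOZ_ASSERT(!(mTransactionCaps & NS_HTTP_TLS_TUNNEL) || (mTransactionCaps & NS_HTTP_CONNECT_ONLY));`. HandleTunnelResponse starts and ends outside the hunk, so how `skipSSL` is used after this branch is not visible here.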
@@ -49,7 +49,7 @@ add_task(async function test_connect_only_https() {
 let chan = makeChan(`https://localhost:${server.port()}/test`);
 var internal = chan.QueryInterface(Ci.nsIHttpChannelInternal);
 internal.HTTPUpgrade("webrtc", upgradeListener);
- internal.setConnectOnly();
+ internal.setConnectOnly(false);
 await new Promise(resolve => {
 chan.asyncOpen(new ChannelListener(resolve, null, CL_ALLOW_UNKNOWN_CL));
 });
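Review bot: Neither this call nor the one in test_proxyconnect.js ever passes `true`, so the `NS_HTTP_TLS_TUNNEL` branch added in nsHttpConnection.cpp is not exercised by the tests touched in this change. Since that branch decides whether TLS is set up after CONNECT through a plain HTTP proxy, it deserves its own task. Such a task would call `internal.setConnectOnly(true)` against an https origin behind an HTTP proxy and check that the upgrade listener receives a working transport. The start of `test_connect_only_https` is outside the hunk.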