corysanin/tubestation
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Bug 1728981 - Don't upgrade HTTP WebSocket requests of exempt principals. r=ckerschb

Browse Source 
Differential Revision: https://phabricator.services.mozilla.com/D131094
This commit is contained in:
Tom Schuster
2021-11-24 14:50:35 +00:00
parent 484b692e24
commit a5221505d4
2 changed files with 17 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
dom/security/nsHTTPSOnlyUtils.cpp
View File

@@ -220,6 +220,12 @@ bool nsHTTPSOnlyUtils::ShouldUpgradeWebSocket(nsIURI* aURI,
return false; return false;
} }
// All subresources of an exempt triggering principal are also exempt.
if (!aLoadInfo->TriggeringPrincipal()->IsSystemPrincipal() &&
TestIfPrincipalIsExempt(aLoadInfo->TriggeringPrincipal())) {
return false;
}
// We can upgrade the request - let's log it to the console // We can upgrade the request - let's log it to the console
// Appending an 's' to the scheme for the logging. (ws -> wss) // Appending an 's' to the scheme for the logging. (ws -> wss)
nsAutoCString scheme; nsAutoCString scheme;

25
dom/websocket/WebSocket.cpp
View File

@@ -1640,22 +1640,19 @@ nsresult WebSocketImpl::Init(JSContext* aCx, nsIPrincipal* aLoadingPrincipal,
// Disallowed by content policy // Disallowed by content policy
return NS_ERROR_CONTENT_BLOCKED; return NS_ERROR_CONTENT_BLOCKED;
} }
}
// If the HTTPS-Only mode is enabled, we need to upgrade the websocket // If the HTTPS-Only mode is enabled, we need to upgrade the websocket
// connection from ws:// to wss:// and mark it as secure. // connection from ws:// to wss:// and mark it as secure.
if (!mIsServerSide && !mSecure && originDoc && if (!mSecure && originDoc &&
!nsMixedContentBlocker::IsPotentiallyTrustworthyLoopbackURL( !nsMixedContentBlocker::IsPotentiallyTrustworthyLoopbackURL(
originDoc->GetDocumentURI())) { originDoc->GetDocumentURI())) {
nsCOMPtr<nsIURI> uri; nsCOMPtr<nsIURI> uri;
nsresult rv = NS_NewURI(getter_AddRefs(uri), mURI); nsresult rv = NS_NewURI(getter_AddRefs(uri), mURI);
NS_ENSURE_SUCCESS(rv, rv); NS_ENSURE_SUCCESS(rv, rv);
nsCOMPtr<nsIChannel> channel = originDoc->GetChannel(); // secCheckLoadInfo is only used for the triggering principal, so this
if (channel) { // is okay.
nsCOMPtr<nsILoadInfo> loadInfo = channel->LoadInfo(); if (nsHTTPSOnlyUtils::ShouldUpgradeWebSocket(uri, secCheckLoadInfo)) {
if (nsHTTPSOnlyUtils::ShouldUpgradeWebSocket(uri, loadInfo)) {
mURI.ReplaceSubstring("ws://", "wss://"); mURI.ReplaceSubstring("ws://", "wss://");
if (NS_WARN_IF(mURI.Find("wss://") != 0)) { if (NS_WARN_IF(mURI.Find("wss://") != 0)) {
return NS_OK; return NS_OK;