Verified Commit 2cae2c63 authored by Malte Juergens's avatar Malte Juergens Committed by Pier Angelo Vendrame

Bug 1909396 - Remove HTTPS-Only exception button in iframes r=freddyb,fluent-reviewers

Rationale for this can be read in Bug 1909396, but the main reason is that the iframe will get blocked regardless by mixed content blocking.

Differential Revision: https://phabricator.services.mozilla.com/D220257
parent 0f14a08e
+4 −11
@@ -1378,18 +1378,11 @@ mozilla::ipc::IPCResult WindowGlobalParent::RecvReloadWithHttpsOnlyException() {
    return IPC_FAIL(this, "HTTPS-only mode: Illegal state");
  }

  // If the error page is within an iFrame, we create an exception for whatever
  // scheme the top-level site is currently on, because the user wants to
  // unbreak the iFrame and not the top-level page. When the error page shows up
  // on a top-level request, then we replace the scheme with http, because the
  // user wants to unbreak the whole page.
  // We replace the scheme with http, because the user wants to unbreak the
  // whole page.
  nsCOMPtr<nsIURI> newURI;
  if (!BrowsingContext()->IsTop()) {
    newURI = innerURI;
  } else {
  Unused << NS_MutateURI(innerURI).SetScheme("http"_ns).Finalize(
      getter_AddRefs(newURI));
  }

  OriginAttributes originAttributes =
      TopWindowContext()->DocumentPrincipal()->OriginAttributesRef();
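Review bot: With the `IsTop()` branch removed, nothing in the visible part of RecvReloadWithHttpsOnlyException() rejects a message that arrives from a subframe; the handler now treats every sender as the top-level page. Removing the button only changes what a well-behaved error page sends, and the message comes from a content process, so the parent should not rely on the UI to guarantee a top-level sender. If the checks above the hunk do not already cover this, add a guard before the scheme rewrite, e.g. `if (!BrowsingContext()->IsTop()) { return IPC_FAIL(this, "HTTPS-only mode: Illegal state"); }`. Without it, a framed document could presumably still get an http exception created using the top window's origin attributes. The function starts and ends outside the hunk, so this needs checking against the full body.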
+3 −0
@@ -29,6 +29,9 @@ support-files = [
["browser_httpsonly_speculative_connect.js"]
support-files = ["file_httpsonly_speculative_connect.html"]

["browser_iframe_buttons.js"]
support-files = ["file_iframe_buttons.html"]

["browser_iframe_test.js"]
skip-if = [
  "os == 'linux' && bits == 64", # Bug 1735565
+50 −0
/* Any copyright is dedicated to the Public Domain.
   https://creativecommons.org/publicdomain/zero/1.0/ */

"use strict";

// Ensure the buttons at the buttom of the HTTPS-Only error page do not get
// displayed in an iframe (Bug 1909396).

add_task(async function test_iframe_buttons() {
  await BrowserTestUtils.withNewTab(
    "https://example.com/browser/dom/security/test/https-only/file_iframe_buttons.html",
    async function (browser) {
      await SpecialPowers.pushPrefEnv({
        set: [["dom.security.https_only_mode", true]],
      });

      await SpecialPowers.spawn(browser, [], async function () {
        const iframe = content.document.getElementById("iframe");
        // eslint-disable-next-line @microsoft/sdl/no-insecure-url
        iframe.src = "http://nocert.example.com";

        await ContentTaskUtils.waitForCondition(
          () => iframe.contentWindow.document.readyState === "interactive",
          "Iframe error page should have loaded"
        );

        ok(
          !!iframe.contentWindow.document.getElementById("explanation-iframe"),
          "#explanation-iframe should exist"
        );

        is(
          iframe.contentWindow.document
            .getElementById("explanation-iframe")
            .getAttribute("hidden"),
          null,
          "#explanation-iframe should not be hidden"
        );

        for (const id of ["explanation-continue", "goBack", "openInsecure"]) {
          is(
            iframe.contentWindow.document.getElementById(id),
            null,
            `#${id} should have been removed`
          );
        }
      });
    }
  );
});
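Review bot: The wait on `readyState === "interactive"` in test_iframe_buttons is fragile, because the condition is polled and a document that has already moved on to "complete" between two polls never matches, leaving the test to time out. "interactive" can also be reached before the error page's own script has run, so if the buttons are removed and `#explanation-iframe` is un-hidden by script (not visible here), the assertions can race with it. Waiting on the outcome itself is more robust, e.g. `() => iframe.contentWindow.document.getElementById("explanation-iframe")?.hidden === false`. Separately, the header comment has a typo: "buttom" should be "bottom".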
+9 −0
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
</head>
<body>
  <iframe id="iframe" frameborder="0"></iframe>
</body>
</html>
+10 −0
@@ -70,6 +70,16 @@
          inert
        ></button>
      </div>

      <p id="explanation-iframe" hidden>
        <span data-l10n-id="about-httpsonly-explanation-iframe"></span>
        <a
          id="mixedContentLearnMoreLink"
          target="_blank"
          data-l10n-id="about-httpsonly-link-learn-more"
        ></a>
      </p>

      <div class="suggestion-box" hidden>
        <h2 data-l10n-id="about-httpsonly-suggestion-box-header"></h2>
      </div>
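Review bot: The new `#mixedContentLearnMoreLink` anchor has no `href` in the markup, so it only works if a script fills it in, and that script is not part of the sections shown on this page. It is worth confirming the accompanying script change sets the URL for this id, and covering that in the test, which currently checks only the paragraph and the removed buttons. Since the link uses `target="_blank"` and is shown inside a frame embedded by an arbitrary site, stating `rel="noopener noreferrer"` explicitly would also make the intent clear rather than relying on browser defaults. The surrounding markup continues outside the hunk.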