Loading dom/locales/en-US/chrome/security/security.properties +6 −0 Original line number Diff line number Diff line Loading @@ -140,6 +140,12 @@ HTTPSOnlyNoUpgradeException = Not upgrading insecure request “%1$S” because HTTPSOnlyFailedRequest = Upgrading insecure request “%1$S” failed. (%2$S) # LOCALIZATION NOTE: %S is the URL of the failed request; HTTPSOnlyFailedDowngradeAgain = Upgrading insecure request “%S” failed. Downgrading to “http” again. # LOCALIZATION NOTE: Hints or indicates a new transaction for a URL is likely coming soon. We use # a speculative connection to start a TCP connection so that the resource is immediately ready # when the transaction is actually submitted. HTTPS-Only and HTTPS-First will upgrade such # speculative TCP connections from http to https. # %1$S is the URL of the upgraded speculative TCP connection; %2$S is the upgraded scheme. HTTPSOnlyUpgradeSpeculativeConnection = Upgrading insecure speculative TCP connection “%1$S” to use “%2$S”. # LOCALIZATION NOTE: %S is the URL of the blocked request; IframeSandboxBlockedDownload = Download of “%S” was blocked because the triggering iframe has the sandbox flag set. Loading dom/security/nsHTTPSOnlyUtils.cpp +15 −9 Original line number Diff line number Diff line Loading @@ -179,10 +179,13 @@ bool nsHTTPSOnlyUtils::ShouldUpgradeRequest(nsIURI* aURI, NS_ConvertUTF8toUTF16 reportSpec(aURI->GetSpecOrDefault()); NS_ConvertUTF8toUTF16 reportScheme(scheme); bool isSpeculative = aLoadInfo->GetExternalContentPolicyType() == ExtContentPolicy::TYPE_SPECULATIVE; AutoTArray<nsString, 2> params = {reportSpec, reportScheme}; nsHTTPSOnlyUtils::LogLocalizedString("HTTPSOnlyUpgradeRequest", params, nsIScriptError::warningFlag, aLoadInfo, aURI); nsHTTPSOnlyUtils::LogLocalizedString( isSpeculative ? "HTTPSOnlyUpgradeSpeculativeConnection" : "HTTPSOnlyUpgradeRequest", params, nsIScriptError::warningFlag, aLoadInfo, aURI); // If the status was not determined before, we now indicate that the request // will get upgraded, but no event-listener has been registered yet. Loading Loading @@ -339,9 +342,10 @@ bool nsHTTPSOnlyUtils::ShouldUpgradeHttpsFirstRequest(nsIURI* aURI, return false; } // 2. HTTPS-First only upgrades top-level loads if (aLoadInfo->GetExternalContentPolicyType() != ExtContentPolicy::TYPE_DOCUMENT) { // 2. HTTPS-First only upgrades top-level loads (and speculative connections) ExtContentPolicyType contentType = aLoadInfo->GetExternalContentPolicyType(); if (contentType != ExtContentPolicy::TYPE_DOCUMENT && contentType != ExtContentPolicy::TYPE_SPECULATIVE) { return false; } Loading Loading @@ -399,10 +403,12 @@ bool nsHTTPSOnlyUtils::ShouldUpgradeHttpsFirstRequest(nsIURI* aURI, NS_ConvertUTF8toUTF16 reportSpec(aURI->GetSpecOrDefault()); NS_ConvertUTF8toUTF16 reportScheme(scheme); bool isSpeculative = contentType == ExtContentPolicy::TYPE_SPECULATIVE; AutoTArray<nsString, 2> params = {reportSpec, reportScheme}; nsHTTPSOnlyUtils::LogLocalizedString("HTTPSOnlyUpgradeRequest", params, nsIScriptError::warningFlag, aLoadInfo, aURI, true); nsHTTPSOnlyUtils::LogLocalizedString( isSpeculative ? "HTTPSOnlyUpgradeSpeculativeConnection" : "HTTPSOnlyUpgradeRequest", params, nsIScriptError::warningFlag, aLoadInfo, aURI, true); // Set flag so we know that we upgraded the request httpsOnlyStatus |= nsILoadInfo::HTTPS_ONLY_UPGRADED_HTTPS_FIRST; Loading dom/security/test/https-first/browser.ini +2 −0 Original line number Diff line number Diff line Loading @@ -8,3 +8,5 @@ support-files = file_mixed_content_console.html [browser_downgrade_view_source.js] support-files = file_downgrade_view_source.sjs [browser_httpsfirst_speculative_connect.js] support-files = file_httpsfirst_speculative_connect.html dom/security/test/https-first/browser_httpsfirst_speculative_connect.js 0 → 100644 +69 −0 Original line number Diff line number Diff line "use strict"; const TEST_PATH_HTTP = getRootDirectory(gTestPath).replace( "chrome://mochitests/content", "http://example.com" ); let console_messages = [ { description: "Speculative Connection should get logged", expectLogLevel: Ci.nsIConsoleMessage.warn, expectIncludes: [ "Upgrading insecure speculative TCP connection", "to use", "example.com", "file_httpsfirst_speculative_connect.html", ], }, { description: "Upgrade should get logged", expectLogLevel: Ci.nsIConsoleMessage.warn, expectIncludes: [ "Upgrading insecure request", "to use", "example.com", "file_httpsfirst_speculative_connect.html", ], }, ]; function on_new_console_messages(msgObj) { const message = msgObj.message; const logLevel = msgObj.logLevel; if (message.includes("HTTPS-First Mode:")) { for (let i = 0; i < console_messages.length; i++) { const testCase = console_messages[i]; // Check if log-level matches if (logLevel !== testCase.expectLogLevel) { continue; } // Check if all substrings are included if (testCase.expectIncludes.some(str => !message.includes(str))) { continue; } ok(true, testCase.description); console_messages.splice(i, 1); break; } } } add_task(async function() { requestLongerTimeout(4); await SpecialPowers.pushPrefEnv({ set: [["dom.security.https_first", true]], }); Services.console.registerListener(on_new_console_messages); await BrowserTestUtils.loadURI( gBrowser.selectedBrowser, `${TEST_PATH_HTTP}file_httpsfirst_speculative_connect.html` ); await BrowserTestUtils.waitForCondition(() => console_messages.length === 0); Services.console.unregisterListener(on_new_console_messages); }); dom/security/test/https-first/browser_mixed_content_console.js +1 −1 Original line number Diff line number Diff line Loading @@ -34,7 +34,7 @@ function on_console_message(msgObj) { // The first console message is: // "HTTPS-First Mode: Upgrading insecure request // ‘http://example.com/browser/dom/security/test/https-first/file_mixed_content_console.html’ to use ‘https’" if (message.includes("HTTPS-First Mode:")) { if (message.includes("HTTPS-First Mode: Upgrading insecure request")) { ok(message.includes("Upgrading insecure request"), "request got upgraded"); ok( message.includes( Loading Loading
dom/locales/en-US/chrome/security/security.properties +6 −0 Original line number Diff line number Diff line Loading @@ -140,6 +140,12 @@ HTTPSOnlyNoUpgradeException = Not upgrading insecure request “%1$S” because HTTPSOnlyFailedRequest = Upgrading insecure request “%1$S” failed. (%2$S) # LOCALIZATION NOTE: %S is the URL of the failed request; HTTPSOnlyFailedDowngradeAgain = Upgrading insecure request “%S” failed. Downgrading to “http” again. # LOCALIZATION NOTE: Hints or indicates a new transaction for a URL is likely coming soon. We use # a speculative connection to start a TCP connection so that the resource is immediately ready # when the transaction is actually submitted. HTTPS-Only and HTTPS-First will upgrade such # speculative TCP connections from http to https. # %1$S is the URL of the upgraded speculative TCP connection; %2$S is the upgraded scheme. HTTPSOnlyUpgradeSpeculativeConnection = Upgrading insecure speculative TCP connection “%1$S” to use “%2$S”. # LOCALIZATION NOTE: %S is the URL of the blocked request; IframeSandboxBlockedDownload = Download of “%S” was blocked because the triggering iframe has the sandbox flag set. Loading
dom/security/nsHTTPSOnlyUtils.cpp +15 −9 Original line number Diff line number Diff line Loading @@ -179,10 +179,13 @@ bool nsHTTPSOnlyUtils::ShouldUpgradeRequest(nsIURI* aURI, NS_ConvertUTF8toUTF16 reportSpec(aURI->GetSpecOrDefault()); NS_ConvertUTF8toUTF16 reportScheme(scheme); bool isSpeculative = aLoadInfo->GetExternalContentPolicyType() == ExtContentPolicy::TYPE_SPECULATIVE; AutoTArray<nsString, 2> params = {reportSpec, reportScheme}; nsHTTPSOnlyUtils::LogLocalizedString("HTTPSOnlyUpgradeRequest", params, nsIScriptError::warningFlag, aLoadInfo, aURI); nsHTTPSOnlyUtils::LogLocalizedString( isSpeculative ? "HTTPSOnlyUpgradeSpeculativeConnection" : "HTTPSOnlyUpgradeRequest", params, nsIScriptError::warningFlag, aLoadInfo, aURI); // If the status was not determined before, we now indicate that the request // will get upgraded, but no event-listener has been registered yet. Loading Loading @@ -339,9 +342,10 @@ bool nsHTTPSOnlyUtils::ShouldUpgradeHttpsFirstRequest(nsIURI* aURI, return false; } // 2. HTTPS-First only upgrades top-level loads if (aLoadInfo->GetExternalContentPolicyType() != ExtContentPolicy::TYPE_DOCUMENT) { // 2. HTTPS-First only upgrades top-level loads (and speculative connections) ExtContentPolicyType contentType = aLoadInfo->GetExternalContentPolicyType(); if (contentType != ExtContentPolicy::TYPE_DOCUMENT && contentType != ExtContentPolicy::TYPE_SPECULATIVE) { return false; } Loading Loading @@ -399,10 +403,12 @@ bool nsHTTPSOnlyUtils::ShouldUpgradeHttpsFirstRequest(nsIURI* aURI, NS_ConvertUTF8toUTF16 reportSpec(aURI->GetSpecOrDefault()); NS_ConvertUTF8toUTF16 reportScheme(scheme); bool isSpeculative = contentType == ExtContentPolicy::TYPE_SPECULATIVE; AutoTArray<nsString, 2> params = {reportSpec, reportScheme}; nsHTTPSOnlyUtils::LogLocalizedString("HTTPSOnlyUpgradeRequest", params, nsIScriptError::warningFlag, aLoadInfo, aURI, true); nsHTTPSOnlyUtils::LogLocalizedString( isSpeculative ? "HTTPSOnlyUpgradeSpeculativeConnection" : "HTTPSOnlyUpgradeRequest", params, nsIScriptError::warningFlag, aLoadInfo, aURI, true); // Set flag so we know that we upgraded the request httpsOnlyStatus |= nsILoadInfo::HTTPS_ONLY_UPGRADED_HTTPS_FIRST; Loading
dom/security/test/https-first/browser.ini +2 −0 Original line number Diff line number Diff line Loading @@ -8,3 +8,5 @@ support-files = file_mixed_content_console.html [browser_downgrade_view_source.js] support-files = file_downgrade_view_source.sjs [browser_httpsfirst_speculative_connect.js] support-files = file_httpsfirst_speculative_connect.html
dom/security/test/https-first/browser_httpsfirst_speculative_connect.js 0 → 100644 +69 −0 Original line number Diff line number Diff line "use strict"; const TEST_PATH_HTTP = getRootDirectory(gTestPath).replace( "chrome://mochitests/content", "http://example.com" ); let console_messages = [ { description: "Speculative Connection should get logged", expectLogLevel: Ci.nsIConsoleMessage.warn, expectIncludes: [ "Upgrading insecure speculative TCP connection", "to use", "example.com", "file_httpsfirst_speculative_connect.html", ], }, { description: "Upgrade should get logged", expectLogLevel: Ci.nsIConsoleMessage.warn, expectIncludes: [ "Upgrading insecure request", "to use", "example.com", "file_httpsfirst_speculative_connect.html", ], }, ]; function on_new_console_messages(msgObj) { const message = msgObj.message; const logLevel = msgObj.logLevel; if (message.includes("HTTPS-First Mode:")) { for (let i = 0; i < console_messages.length; i++) { const testCase = console_messages[i]; // Check if log-level matches if (logLevel !== testCase.expectLogLevel) { continue; } // Check if all substrings are included if (testCase.expectIncludes.some(str => !message.includes(str))) { continue; } ok(true, testCase.description); console_messages.splice(i, 1); break; } } } add_task(async function() { requestLongerTimeout(4); await SpecialPowers.pushPrefEnv({ set: [["dom.security.https_first", true]], }); Services.console.registerListener(on_new_console_messages); await BrowserTestUtils.loadURI( gBrowser.selectedBrowser, `${TEST_PATH_HTTP}file_httpsfirst_speculative_connect.html` ); await BrowserTestUtils.waitForCondition(() => console_messages.length === 0); Services.console.unregisterListener(on_new_console_messages); });
dom/security/test/https-first/browser_mixed_content_console.js +1 −1 Original line number Diff line number Diff line Loading @@ -34,7 +34,7 @@ function on_console_message(msgObj) { // The first console message is: // "HTTPS-First Mode: Upgrading insecure request // ‘http://example.com/browser/dom/security/test/https-first/file_mixed_content_console.html’ to use ‘https’" if (message.includes("HTTPS-First Mode:")) { if (message.includes("HTTPS-First Mode: Upgrading insecure request")) { ok(message.includes("Upgrading insecure request"), "request got upgraded"); ok( message.includes( Loading
