Bug 1720458: Do not isolate https-only-load-insecure by origin attributes r=fluent-reviewers,settings-reviewers,flod,ckerschb,Gijs

Do not isolate `https-only-load-insecure` by origin attributes. This way the HTTPS-Only exceptions will behave similar to the `cookie` permission. This means that exceptions set in the system settings will also apply to private windows, but exceptions set in private windows via the identity pane will be reset after closing the browser.

Depends on D182761

Differential Revision: https://phabricator.services.mozilla.com/D183745

Author: maltejur

browser/base/content/browser-siteIdentity.js

@@ -234,10 +234,10 @@ var gIdentityHandler = {
       "identity-popup-security-httpsonlymode-menulist"
     ));
   },
-  get _identityPopupHttpsOnlyModeMenuListTempItem() {
-    delete this._identityPopupHttpsOnlyModeMenuListTempItem;
-    return (this._identityPopupHttpsOnlyModeMenuListTempItem =
-      document.getElementById("identity-popup-security-menulist-tempitem"));
+  get _identityPopupHttpsOnlyModeMenuListOffItem() {
+    delete this._identityPopupHttpsOnlyModeMenuListOffItem;
+    return (this._identityPopupHttpsOnlyModeMenuListOffItem =
+      document.getElementById("identity-popup-security-menulist-off-item"));
   },
   get _identityPopupSecurityEVContentOwner() {
     delete this._identityPopupSecurityEVContentOwner;
@@ -551,12 +551,6 @@ var gIdentityHandler = {
       return;
     }
 
-    // Permissions set in PMB get deleted anyway, but to make sure, let's make
-    // the permission session-only.
-    if (newValue === 1 && PrivateBrowsingUtils.isWindowPrivate(window)) {
-      newValue = 2;
-    }
-
     // We always want to set the exception for the HTTP version of the current URI,
     // since when we check wether we should upgrade a request, we are checking permissons
     // for the HTTP principal (Bug 1757297).
@@ -1054,16 +1048,8 @@ var gIdentityHandler = {
       //       in _getHttpsOnlyPermission
       let value = this._getHttpsOnlyPermission();
 
-      // Because everything in PBM is temporary anyway, we don't need to make the distinction
-      if (privateBrowsingWindow) {
-        if (value === 2) {
-          value = 1;
-        }
-        // Hide "off temporarily" option
-        this._identityPopupHttpsOnlyModeMenuListTempItem.style.display = "none";
-      } else {
-        this._identityPopupHttpsOnlyModeMenuListTempItem.style.display = "";
-      }
+      this._identityPopupHttpsOnlyModeMenuListOffItem.hidden =
+        privateBrowsingWindow && value != 1;
 
       this._identityPopupHttpsOnlyModeMenuList.value = value;
 

browser/components/controlcenter/content/identityPanel.inc.xhtml

@@ -68,9 +68,9 @@
                         oncommand="gIdentityHandler.changeHttpsOnlyPermission();" sizetopopup="none">
                 <menupopup>
                   <menuitem value="0" data-l10n-id="identity-https-only-dropdown-on" />
-                  <menuitem value="1" data-l10n-id="identity-https-only-dropdown-off" />
-                  <menuitem value="2" id="identity-popup-security-menulist-tempitem"
-                            data-l10n-id="identity-https-only-dropdown-off-temporarily" />
+                  <menuitem value="1" data-l10n-id="identity-https-only-dropdown-off"
+                            id="identity-popup-security-menulist-off-item" />
+                  <menuitem value="2" data-l10n-id="identity-https-only-dropdown-off-temporarily" />
                 </menupopup>
               </menulist>
               <vbox id="identity-popup-security-httpsonlymode-info">

browser/components/preferences/dialogs/permissions.js

@@ -38,7 +38,7 @@ const permissionExceptionsL10n = {
   },
   "https-only-load-insecure": {
     window: "permissions-exceptions-https-only-window2",
-    description: "permissions-exceptions-https-only-desc",
+    description: "permissions-exceptions-https-only-desc2",
   },
   install: {
     window: "permissions-exceptions-addons-window2",

browser/components/preferences/privacy.inc.xhtml

@@ -1177,7 +1177,7 @@
                       permissions-allow.label,
                       permissions-remove.label,
                       permissions-remove-all.label,
-                      permissions-exceptions-https-only-desc,
+                      permissions-exceptions-https-only-desc2,
                     " />
     </vbox>
   </hbox>

browser/components/preferences/privacy.js

@@ -204,6 +204,7 @@ Preferences.addAll([
   { id: "dom.security.https_only_mode", type: "bool" },
   { id: "dom.security.https_only_mode_pbm", type: "bool" },
   { id: "dom.security.https_first", type: "bool" },
+  { id: "dom.security.https_first_pbm", type: "bool" },
 
   // Windows SSO
   { id: "network.http.windows-sso.enabled", type: "bool" },
@@ -449,6 +450,9 @@ var gPrivacyPane = {
     let httpsFirstOnPref = Services.prefs.getBoolPref(
       "dom.security.https_first"
     );
+    let httpsFirstOnPBMPref = Services.prefs.getBoolPref(
+      "dom.security.https_first_pbm"
+    );
     let httpsOnlyRadioGroup = document.getElementById("httpsOnlyRadioGroup");
     let httpsOnlyExceptionButton = document.getElementById(
       "httpsOnlyExceptionButton"
@@ -462,7 +466,11 @@ var gPrivacyPane = {
       httpsOnlyRadioGroup.value = "disabled";
     }
 
-    httpsOnlyExceptionButton.disabled = !httpsOnlyOnPref && !httpsFirstOnPref;
+    httpsOnlyExceptionButton.disabled =
+      !httpsOnlyOnPref &&
+      !httpsFirstOnPref &&
+      !httpsOnlyOnPBMPref &&
+      !httpsFirstOnPBMPref;
 
     if (
       Services.prefs.prefIsLocked("dom.security.https_only_mode") ||
@@ -508,6 +516,9 @@ var gPrivacyPane = {
     Preferences.get("dom.security.https_first").on("change", () =>
       this.syncFromHttpsOnlyPref()
     );
+    Preferences.get("dom.security.https_first_pbm").on("change", () =>
+      this.syncFromHttpsOnlyPref()
+    );
   },
 
   get dnsOverHttpsResolvers() {

browser/components/preferences/tests/browser_https_only_exceptions.js

@@ -6,8 +6,9 @@
  * Checks if buttons are disabled/enabled and visible/hidden correctly.
  */
 add_task(async function testButtons() {
-  // Let's make sure HTTPS-Only Mode is off.
+  // Let's make sure HTTPS-Only and HTTPS-First Mode is off.
   await setHttpsOnlyPref("off");
+  await setHttpsFirstPref("off");
 
   // Open the privacy-pane in about:preferences
   await openPreferencesViaOpenPreferencesAPI("panePrivacy", {
@@ -28,8 +29,8 @@ add_task(async function testButtons() {
   await setHttpsOnlyPref("private");
   is(
     exceptionButton.disabled,
-    true,
-    "HTTPS-Only exception button should be disabled when HTTPS-Only Mode is only enabled in private browsing."
+    false,
+    "HTTPS-Only exception button should be enabled when HTTPS-Only Mode is only enabled in private browsing."
   );
 
   await setHttpsOnlyPref("everywhere");
@@ -40,11 +41,17 @@ add_task(async function testButtons() {
   );
 
   await setHttpsOnlyPref("off");
-  await setHttpsFirstPref("private");
   is(
     exceptionButton.disabled,
     true,
-    "HTTPS-Only exception button should be disabled when HTTPS-Only Mode is disabled and HTTPS-First Mode is only enabled in private browsing."
+    "Turning off HTTPS-Only should disable the exception button again."
+  );
+
+  await setHttpsFirstPref("private");
+  is(
+    exceptionButton.disabled,
+    false,
+    "HTTPS-Only exception button should be enabled when HTTPS-Only Mode is disabled and HTTPS-First Mode is only enabled in private browsing."
   );
 
   await setHttpsFirstPref("everywhere");

browser/locales/en-US/browser/preferences/permissions.ftl

@@ -109,7 +109,7 @@ permissions-exceptions-cookie-desc = You can specify which websites are always o
 permissions-exceptions-https-only-window2 =
     .title = Exceptions - HTTPS-Only Mode
     .style = { permissions-window2.style }
-permissions-exceptions-https-only-desc = You can turn off HTTPS-Only Mode for specific websites. { -brand-short-name } won’t attempt to upgrade the connection to secure HTTPS for those sites. Exceptions do not apply to private windows.
+permissions-exceptions-https-only-desc2 = You can turn off HTTPS-Only Mode for specific websites. { -brand-short-name } won’t attempt to upgrade the connection to secure HTTPS for those sites.
 
 ## Exceptions - Pop-ups
 

extensions/permissions/PermissionManager.cpp

@@ -132,7 +132,7 @@ static const nsLiteralCString kPreloadPermissions[] = {
     // interception when a user has disabled storage for a specific site.  Once
     // service worker interception moves to the parent process this should be
     // removed.  See bug 1428130.
-    "cookie"_ns};
+    "cookie"_ns, "https-only-load-insecure"_ns};
 
 // NOTE: nullptr can be passed as aType - if it is this function will return
 // "false" unconditionally.
@@ -156,8 +156,8 @@ bool IsPreloadPermission(const nsACString& aType) {
 // This is because perms are sent to the content process in bulk by perm key.
 // Non-preloaded, but OA stripped permissions would not be accessible by sites
 // in private browsing / non-default user context.
-static constexpr std::array<nsLiteralCString, 1> kStripOAPermissions = {
-    {"cookie"_ns}};
+static constexpr std::array<nsLiteralCString, 2> kStripOAPermissions = {
+    {"cookie"_ns, "https-only-load-insecure"_ns}};
 
 bool IsOAForceStripPermission(const nsACString& aType) {
   if (aType.IsEmpty()) {

extensions/permissions/test/unit/test_permmanager_oa_strip.js

@@ -8,7 +8,7 @@ const TEST_PERMISSION3 = "test/oastrip3";
 
 // List of permissions which are not isolated by private browsing or user context
 // as per array kStripOAPermissions in PermissionManager.cpp
-const STRIPPED_PERMS = ["cookie"];
+const STRIPPED_PERMS = ["cookie", "https-only-load-insecure"];
 
 let principal = Services.scriptSecurityManager.createContentPrincipal(
   TEST_URI,
@@ -204,10 +204,10 @@ function testOAIsolation(permIsolateUserContext, permIsolatePrivateBrowsing) {
         )
       );
     }
-  });
 
-  // Cleanup
-  pm.removeAll();
+    // Cleanup
+    pm.removeAll();
+  });
 }
 
 add_task(async function do_test() {