
Commit 42efa58

author
Christoph Kerschbaumer
committed
Bug 1877195: Expand mixed-content download protection to all http downloads, r=freddyb,Gijs,anti-tracking-reviewers,pbz
Differential Revision: https://phabricator.services.mozilla.com/D200267
1 parent 9f4df07 commit 42efa58


28 files changed

+388
-59
lines changed


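--- a/browser/base/content/test/general/browser_save_link-perwindowpb.js
+++ b/browser/base/content/test/general/browser_save_link-perwindowpb.js
@@ -14,7 +14,7 @@ function triggerSave(aWindow, aCallback) {
 let testBrowser = aWindow.gBrowser.selectedBrowser;
 // This page sets a cookie if and only if a cookie does not exist yet
 let testURI =
-"http://mochi.test:8888/browser/browser/base/content/test/general/bug792517-2.html";
+"https://example.com/browser/browser/base/content/test/general/bug792517-2.html";
 BrowserTestUtils.startLoadingURIString(testBrowser, testURI);
 BrowserTestUtils.browserLoaded(testBrowser, false, testURI).then(() => {
 waitForFocus(function () {
@@ -132,7 +132,7 @@ function test() {
 info("onExamineResponse with " + channel.URI.spec);
 if (
 channel.URI.spec !=
-"http://mochi.test:8888/browser/browser/base/content/test/general/bug792517.sjs"
+"https://example.com/browser/browser/base/content/test/general/bug792517.sjs"
 ) {
 info("returning");
 return;
@@ -158,7 +158,7 @@ function test() {
 info("onModifyRequest with " + channel.URI.spec);
 if (
 channel.URI.spec !=
-"http://mochi.test:8888/browser/browser/base/content/test/general/bug792517.sjs"
+"https://example.com/browser/browser/base/content/test/general/bug792517.sjs"
 ) {
 return;
 }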

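--- a/browser/base/content/test/general/browser_save_link_when_window_navigates.js
+++ b/browser/base/content/test/general/browser_save_link_when_window_navigates.js
@@ -36,7 +36,7 @@ function triggerSave(aWindow, aCallback) {
 var fileName;
 let testBrowser = aWindow.gBrowser.selectedBrowser;
 let testURI =
-"http://mochi.test:8888/browser/browser/base/content/test/general/navigating_window_with_download.html";
+"https://example.com/browser/browser/base/content/test/general/navigating_window_with_download.html";
 
 // Only observe the UTC dialog if it's enabled by pref
 if (Services.prefs.getBoolPref(ALWAYS_ASK_PREF)) {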

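--- a/browser/base/content/test/general/browser_save_video.js
+++ b/browser/base/content/test/general/browser_save_video.js
@@ -14,7 +14,7 @@ add_task(async function () {
 let loadPromise = BrowserTestUtils.browserLoaded(gBrowser.selectedBrowser);
 BrowserTestUtils.startLoadingURIString(
 gBrowser,
-"http://mochi.test:8888/browser/browser/base/content/test/general/web_video.html"
+"https://example.com/browser/browser/base/content/test/general/web_video.html"
 );
 await loadPromise;
 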

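--- a/browser/base/content/test/general/navigating_window_with_download.html
+++ b/browser/base/content/test/general/navigating_window_with_download.html
@@ -2,6 +2,6 @@
 <html>
 <head><title>This window will navigate while you're downloading something</title></head>
 <body>
-<iframe src="http://mochi.test:8888/browser/browser/base/content/test/general/unknownContentType_file.pif"></iframe>
+<iframe src="https://example.com/browser/browser/base/content/test/general/unknownContentType_file.pif"></iframe>
 </body>
 </html>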

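--- a/browser/components/downloads/DownloadsCommon.sys.mjs
+++ b/browser/components/downloads/DownloadsCommon.sys.mjs
@@ -696,7 +696,7 @@ export var DownloadsCommon = {
 message = s.unblockTypePotentiallyUnwanted2;
 break;
 case lazy.Downloads.Error.BLOCK_VERDICT_INSECURE:
-message = s.unblockInsecure2;
+message = s.unblockInsecure3;
 break;
 default:
 // Assume Downloads.Error.BLOCK_VERDICT_MALWARE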

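--- a/browser/components/downloads/DownloadsViewUI.sys.mjs
+++ b/browser/components/downloads/DownloadsViewUI.sys.mjs
@@ -888,7 +888,7 @@ DownloadsViewUI.DownloadElementShell.prototype = {
 case lazy.Downloads.Error.BLOCK_VERDICT_INSECURE:
 return [
 s.blockedPotentiallyInsecure,
-[s.unblockInsecure2, s.unblockTip2],
+[s.unblockInsecure3, s.unblockTip2],
 ];
 case lazy.Downloads.Error.BLOCK_VERDICT_POTENTIALLY_UNWANTED:
 return [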

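--- a/browser/components/downloads/test/browser/browser_download_overwrite.js
+++ b/browser/components/downloads/test/browser/browser_download_overwrite.js
@@ -5,7 +5,7 @@
 
 const TEST_ROOT = getRootDirectory(gTestPath).replace(
 "chrome://mochitests/content",
-"http://example.com"
+"https://example.com"
 );
 
 var MockFilePicker = SpecialPowers.MockFilePicker;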

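--- a/browser/components/originattributes/test/browser/browser_firstPartyIsolation_saveAs.js
+++ b/browser/components/originattributes/test/browser/browser_firstPartyIsolation_saveAs.js
@@ -38,6 +38,7 @@ add_setup(async function () {
 set: [
 ["privacy.firstparty.isolate", true],
 ["dom.security.https_first", false],
+["dom.block_download_insecure", false],
 ],
 });
 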
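Review bot: The added `["dom.block_download_insecure", false]` entry turns the insecure-download blocking off for every task in this test file, and nothing in the hunk records why. The other test files visible in this commit were moved to `https://example.com` instead, so a reader cannot tell whether this test really needs an http download or was simply left unmigrated. I would add a line above the pref such as `// This test saves over plain http on purpose, so insecure-download blocking has to be off.`, or, if http is not required, switch the test URLs to https and drop the override. The `add_setup` call and the URLs the test loads lie outside the hunk, so which of the two applies cannot be judged from here.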

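--- a/browser/locales/en-US/chrome/browser/downloads/downloads.properties
+++ b/browser/locales/en-US/chrome/browser/downloads/downloads.properties
@@ -47,7 +47,7 @@ fileDeleted=File deleted
 # LOCALIZATION NOTE (unblockHeaderUnblock, unblockHeaderOpen,
 # unblockTypeMalware, unblockTypePotentiallyUnwanted2,
 # unblockTypeUncommon2, unblockTip2, unblockButtonOpen,
-# unblockButtonUnblock, unblockButtonConfirmBlock, unblockInsecure2):
+# unblockButtonUnblock, unblockButtonConfirmBlock, unblockInsecure3):
 # These strings are displayed in the dialog shown when the user asks a blocked
 # download to be unblocked. The severity of the threat is expressed in
 # descending order by the unblockType strings, it is higher for files detected
@@ -57,7 +57,7 @@ unblockHeaderOpen=Are you sure you want to open this file?
 unblockTypeMalware=This file contains a virus or other malware that will harm your computer.
 unblockTypePotentiallyUnwanted2=This file is disguised as a helpful download, but it can make unexpected changes to your programs and settings.
 unblockTypeUncommon2=This file is not commonly downloaded and may not be safe to open. It may contain a virus or make unexpected changes to your programs and settings.
-unblockInsecure2=The download is offered over HTTP even though the current document was delivered over a secure HTTPS connection. If you proceed, the download may be corrupted or tampered with during the download process.
+unblockInsecure3=You are trying to download this file on a connection that’s not secure. If you continue, the file might be changed, used to steal your info or harm your device.
 unblockTip2=You can search for an alternate download source or try again later.
 unblockButtonOpen=Open
 unblockButtonUnblock=Allow download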

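--- a/dom/locales/en-US/chrome/security/security.properties
+++ b/dom/locales/en-US/chrome/security/security.properties
@@ -44,7 +44,7 @@ LoadingMixedActiveContent2=Loading mixed (insecure) active content “%1$S” on
 LoadingMixedDisplayContent2=Loading mixed (insecure) display content “%1$S” on a secure page
 LoadingMixedDisplayObjectSubrequestDeprecation=Loading mixed (insecure) content “%1$S” within a plugin on a secure page is discouraged and will be blocked soon.
 # LOCALIZATION NOTE: "%S" is the URI of the insecure mixed content download
-MixedContentBlockedDownload = Blocked downloading insecure content “%S”.
+BlockedInsecureDownload = We blocked a download that’s not secure: “%S”.
 
 # LOCALIZATION NOTE: Do not translate "allow-scripts", "allow-same-origin", "sandbox" or "iframe"
 BothAllowScriptsAndSameOriginPresent=An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can remove its sandboxing.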
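Review bot: The LOCALIZATION NOTE directly above the renamed key is left unchanged and still describes "%S" as the URI of the insecure mixed content download, while `BlockedInsecureDownload` no longer mentions mixed content and, going by the commit title, is now meant for any blocked http download. Localizers take their context from that note, so it should be updated together with the key, for example `# LOCALIZATION NOTE: "%S" is the URI of the blocked insecure (http) download`. Where the message is emitted is not visible in this section, so the exact conditions are inferred from the title and the new wording.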
