Bug 1885949 - Do not copy over HTTPS-First upgrade flag into new loadinfo r=necko-reviewers,freddyb,simonf,jesup

maltejur · maltejur · commit 0b87e0cf2a2d · 2024-04-17T12:35:56.000Z
Differential Revision: https://phabricator.services.mozilla.com/D205048
diff --git a/dom/base/Document.cpp b/dom/base/Document.cpp
@@ -200,6 +200,7 @@
 #include "mozilla/dom/NetErrorInfoBinding.h"
 #include "mozilla/dom/NodeInfo.h"
 #include "mozilla/dom/NodeIterator.h"
+#include "mozilla/dom/nsHTTPSOnlyUtils.h"
 #include "mozilla/dom/PContentChild.h"
 #include "mozilla/dom/PWindowGlobalChild.h"
 #include "mozilla/dom/PageTransitionEvent.h"
diff --git a/dom/security/nsHTTPSOnlyUtils.cpp b/dom/security/nsHTTPSOnlyUtils.cpp
@@ -902,6 +902,13 @@ bool nsHTTPSOnlyUtils::IsEqualURIExceptSchemeAndRef(nsIURI* aHTTPSSchemeURI,
 
   return uriEquals;
 }
+
+/* static */
+uint32_t nsHTTPSOnlyUtils::GetStatusForSubresourceLoad(
+    uint32_t aHttpsOnlyStatus) {
+  return aHttpsOnlyStatus & ~nsILoadInfo::HTTPS_ONLY_UPGRADED_HTTPS_FIRST;
+}
+
 /////////////////////////////////////////////////////////////////////
 // Implementation of TestHTTPAnswerRunnable
 
diff --git a/dom/security/nsHTTPSOnlyUtils.h b/dom/security/nsHTTPSOnlyUtils.h
@@ -164,6 +164,18 @@ class nsHTTPSOnlyUtils {
                                            nsIURI* aOtherURI,
                                            nsILoadInfo* aLoadInfo);
 
+  /**
+   * Determines which HTTPS-Only status flags should get propagated to
+   * sub-resources or sub-documents. As sub-resources and sub-documents are
+   * exempt when the top-level document is exempt, we need to copy the "exempt"
+   * flag. The HTTPS-First "upgraded" flag should not be copied to prevent a
+   * unwanted downgrade (Bug 1885949).
+   * @param aHttpsOnlyStatus The HTTPS-Only status of the top-level document.
+   * @return The HTTPS-Only status that the sub-resource/document should
+   * receive.
+   */
+  static uint32_t GetStatusForSubresourceLoad(uint32_t aHttpsOnlyStatus);
+
  private:
   /**
    * Checks if it can be ruled out that the error has something
diff --git a/dom/security/test/https-first/browser.toml b/dom/security/test/https-first/browser.toml
@@ -40,6 +40,12 @@ support-files = [
 ["browser_navigation.js"]
 support-files = ["file_navigation.html"]
 
+["browser_subdocument_downgrade.js"]
+support-files = [
+  "file_empty.html",
+  "file_subdocument_downgrade.sjs",
+]
+
 ["browser_schemeless.js"]
 
 ["browser_slow_download.js"]
diff --git a/dom/security/test/https-first/browser_subdocument_downgrade.js b/dom/security/test/https-first/browser_subdocument_downgrade.js
@@ -0,0 +1,60 @@
+/* Any copyright is dedicated to the Public Domain.
+   https://creativecommons.org/publicdomain/zero/1.0/ */
+
+"use strict";
+
+const EMPTY_URL =
+  "http://example.com/browser/dom/security/test/https-first/file_empty.html";
+const SUBDOCUMENT_URL =
+  "https://example.com/browser/dom/security/test/https-first/file_subdocument_downgrade.sjs";
+
+add_task(async function test_subdocument_downgrade() {
+  await SpecialPowers.pushPrefEnv({
+    set: [
+      // We want to test HTTPS-First
+      ["dom.security.https_first", true],
+      // Makes it easier to detect the error
+      ["security.mixed_content.block_active_content", false],
+    ],
+  });
+
+  // Open a empty document with origin http://example.com, which gets upgraded
+  // to https://example.com by HTTPS-First and thus is marked as
+  // HTTPS_ONLY_UPGRADED_HTTPS_FIRST.
+  await BrowserTestUtils.withNewTab(EMPTY_URL, async browser => {
+    await SpecialPowers.spawn(
+      browser,
+      [SUBDOCUMENT_URL],
+      async SUBDOCUMENT_URL => {
+        function isCrossOriginIframe(iframe) {
+          try {
+            return !iframe.contentDocument;
+          } catch (e) {
+            return true;
+          }
+        }
+        const subdocument = content.document.createElement("iframe");
+        // We open https://example.com/.../file_subdocument_downgrade.sjs in a
+        // iframe, which sends a invalid response if the scheme is https. Thus
+        // we should get an error. But if we accidentally copy the
+        // HTTPS_ONLY_UPGRADED_HTTPS_FIRST flag from the parent into the iframe
+        // loadinfo, HTTPS-First will try to downgrade the iframe. We test that
+        // this doesn't happen.
+        subdocument.src = SUBDOCUMENT_URL;
+        const loadPromise = new Promise(resolve => {
+          subdocument.addEventListener("load", () => {
+            ok(
+              // If the iframe got downgraded, it should now have the origin
+              // http://example.com, which we can detect as being cross-origin.
+              !isCrossOriginIframe(subdocument),
+              "Subdocument should not be downgraded"
+            );
+            resolve();
+          });
+        });
+        content.document.body.appendChild(subdocument);
+        await loadPromise;
+      }
+    );
+  });
+});
diff --git a/dom/security/test/https-first/file_empty.html b/dom/security/test/https-first/file_empty.html
@@ -0,0 +1 @@
+<!doctype html><html><body></body></html>
diff --git a/dom/security/test/https-first/file_subdocument_downgrade.sjs b/dom/security/test/https-first/file_subdocument_downgrade.sjs
@@ -0,0 +1,8 @@
+function handleRequest(request, response) {
+  if (request.scheme === "https") {
+    response.setStatusLine("1.1", 429, "Too Many Requests");
+  } else {
+    response.setHeader("Content-Type", "text/html", false);
+    response.write("<!doctype html><html><body></body></html>");
+  }
+}
diff --git a/netwerk/base/LoadInfo.cpp b/netwerk/base/LoadInfo.cpp
@@ -20,6 +20,7 @@
 #include "mozilla/dom/ToJSValue.h"
 #include "mozilla/dom/BrowsingContext.h"
 #include "mozilla/dom/WindowGlobalParent.h"
+#include "mozilla/dom/nsHTTPSOnlyUtils.h"
 #include "mozilla/net/CookieJarSettings.h"
 #include "mozilla/NullPrincipal.h"
 #include "mozilla/StaticPrefs_network.h"
@@ -216,8 +217,9 @@ LoadInfo::LoadInfo(
     mDocumentHasUserInteracted =
         aLoadingContext->OwnerDoc()->UserHasInteracted();
 
-    // Inherit HTTPS-Only Mode flags from parent document
-    mHttpsOnlyStatus |= aLoadingContext->OwnerDoc()->HttpsOnlyStatus();
+    // Inherit HTTPS-Only Mode flags from parent document.
+    mHttpsOnlyStatus |= nsHTTPSOnlyUtils::GetStatusForSubresourceLoad(
+        aLoadingContext->OwnerDoc()->HttpsOnlyStatus());
 
     // When the element being loaded is a frame, we choose the frame's window
     // for the window ID and the frame element's window as the parent
@@ -528,7 +530,9 @@ LoadInfo::LoadInfo(dom::WindowGlobalParent* aParentWGP,
         parentBC->UsePrivateBrowsing());
   }
 
-  mHttpsOnlyStatus |= aParentWGP->HttpsOnlyStatus();
+  // Inherit HTTPS-Only Mode flags from embedder document.
+  mHttpsOnlyStatus |= nsHTTPSOnlyUtils::GetStatusForSubresourceLoad(
+      aParentWGP->HttpsOnlyStatus());
 
   // For chrome BC, the mPrivateBrowsingId remains 0 even its
   // UsePrivateBrowsing() is true, so we only update the mPrivateBrowsingId in

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+<!doctype html><html><body></body></html>`