fixup! Bug 13670.2: Isolate OCSP requests by first party domain

arthuredelstein · Jun 25, 2015 · c95f25a · c95f25a
1 parent 5602274
commit c95f25a
Show file tree

Hide file tree

Showing 9 changed files with 21 additions and 18 deletions.
diff --git a/dom/base/ThirdPartyUtil.cpp b/dom/base/ThirdPartyUtil.cpp
@@ -171,7 +171,16 @@ ThirdPartyUtil::GetOriginatingURI(nsIChannel *aChannel, nsIURI **aURI)
 
   // case 3)
   if (!topWin)
+  {
+    if (httpChannelInternal)
+    {
+      httpChannelInternal->GetDocumentURI(aURI);
+      if (*aURI) {
+        return NS_OK;
+      }
+    }
     return NS_ERROR_INVALID_ARG;
+  }
 
   // case 4)
   if (ourWin == topWin) {

diff --git a/netwerk/base/nsISocketTransport.idl b/netwerk/base/nsISocketTransport.idl
@@ -28,7 +28,7 @@ native NetAddr(mozilla::net::NetAddr);
  * NOTE: This is a free-threaded interface, meaning that the methods on
  * this interface may be called from any thread.
  */
-[scriptable, uuid(a0b3b547-d6f0-4b65-a3de-a99ffa368840)]
+[scriptable, uuid(4e2dc9d0-125e-4f8e-8c93-845f3de5cd8a)]
 interface nsISocketTransport : nsITransport 
 {
     /**

diff --git a/netwerk/protocol/http/nsHttpConnectionMgr.cpp b/netwerk/protocol/http/nsHttpConnectionMgr.cpp
@@ -1327,7 +1327,7 @@ nsHttpConnectionMgr::PipelineFeedbackInfo(nsHttpConnectionInfo *ci,
 }
 
 void
-nsHttpConnectionMgr::ReportFailedToProcess(nsIURI *uri, const nsACString& isolationDomain)
+nsHttpConnectionMgr::ReportFailedToProcess(nsIURI *uri)
 {
     MOZ_ASSERT(uri);
 

diff --git a/netwerk/protocol/http/nsHttpConnectionMgr.h b/netwerk/protocol/http/nsHttpConnectionMgr.h
@@ -220,7 +220,7 @@ class nsHttpConnectionMgr : public nsIObserver
                                   nsHttpConnection *,
                                   uint32_t);
 
-    void ReportFailedToProcess(nsIURI *uri, const nsACString& isolationDomain);
+    void ReportFailedToProcess(nsIURI *uri);
 
     // Causes a large amount of connection diagnostic information to be
     // printed to the javascript console

diff --git a/netwerk/protocol/http/nsHttpHandler.cpp b/netwerk/protocol/http/nsHttpHandler.cpp
@@ -1952,7 +1952,7 @@ nsHttpHandler::Observe(nsISupports *subject,
         nsCOMPtr<nsIURI> uri = do_QueryInterface(subject);
         // Ignore possibility of an isolation key:
         if (uri && mConnMgr) {
-            mConnMgr->ReportFailedToProcess(uri, EmptyCString());
+            mConnMgr->ReportFailedToProcess(uri);
         }
     } else if (!strcmp(topic, "last-pb-context-exited")) {
         mPrivateAuthCache.ClearAll();

diff --git a/security/manager/ssl/src/SSLServerCertVerification.cpp b/security/manager/ssl/src/SSLServerCertVerification.cpp
@@ -1146,7 +1146,7 @@ AuthCertificate(CertVerifier& certVerifier,
   rv = certVerifier.VerifySSLServerCert(cert, stapledOCSPResponse,
                                         time, infoObject,
                                         infoObject->GetHostNameRaw(),
-                                        infoObject->GetIsolationKey(),
+                                        infoObject->GetIsolationKeyRaw(),
                                         saveIntermediates, 0, &certList,
                                         &evOidPolicy, &ocspStaplingStatus,
                                         &keySizeStatus);

diff --git a/security/manager/ssl/src/TransportSecurityInfo.cpp b/security/manager/ssl/src/TransportSecurityInfo.cpp
@@ -107,13 +107,6 @@ TransportSecurityInfo::SetIsolationKey(const char* isolationKey)
   return NS_OK;
 }
 
-nsresult
-TransportSecurityInfo::GetIsolationKey(char** isolationKey)
-{
-  *isolationKey = (mIsolationKey) ? NS_strdup(mIsolationKey) : nullptr;
-  return NS_OK;
-}
-
 PRErrorCode
 TransportSecurityInfo::GetErrorCode() const
 {

diff --git a/security/manager/ssl/src/TransportSecurityInfo.h b/security/manager/ssl/src/TransportSecurityInfo.h
@@ -62,8 +62,7 @@ class TransportSecurityInfo : public nsITransportSecurityInfo,
   nsresult GetPort(int32_t *aPort);
   nsresult SetPort(int32_t aPort);
 
-  nsresult GetIsolationKey(char **aIsolationKey);
-  const char* GetIsolationKey() const { return mIsolationKey.get(); }
+  const char* GetIsolationKeyRaw() const { return mIsolationKey.get(); }
   nsresult SetIsolationKey(const char *aIsolationKey);
 
   PRErrorCode GetErrorCode() const;

diff --git a/security/manager/ssl/src/nsNSSCallbacks.cpp b/security/manager/ssl/src/nsNSSCallbacks.cpp
@@ -106,13 +106,15 @@ nsHTTPDownloadEvent::Run()
 
   chan->SetLoadFlags(nsIRequest::LOAD_ANONYMOUS);
 
-  // If we have an isolation key, use it as the isolation key for this channel.
+  // If we have an isolation key, use it as the  URI for this channel.
   if (!mRequestSession->mIsolationKey.IsEmpty()) {
     nsCOMPtr<nsIHttpChannelInternal> channelInternal(do_QueryInterface(chan));
     if (channelInternal) {
-      nsCOMPtr<nsIURI> pageURI;
-      nsresult rv = NS_NewURI(getter_AddRefs(pageURI), mRequestSession->mIsolationKey.get());
-      channelInternal->SetDocumentURI(pageURI);
+      nsCString documentURISpec("https://");
+      documentURISpec.Append(mRequestSession->mIsolationKey);
+      nsCOMPtr<nsIURI> documentURI;
+      /* nsresult rv = */ NS_NewURI(getter_AddRefs(documentURI), documentURISpec);
+      channelInternal->SetDocumentURI(documentURI);
     }
   }