(Do not merge) Partially implement blocking as mixed content #16320

Closed
wants to merge 9 commits into from

@nox
Member

nox commented Apr 9, 2017

This change is Reviewable

@highfive

highfive commented Apr 9, 2017

Heads up! This PR modifies the following files:

  • @fitzgen: components/script/dom/request.rs, components/script/dom/xmlhttprequest.rs, components/script/dom/htmlscriptelement.rs, components/script/dom/window.rs, components/script_traits/lib.rs, components/script_traits/lib.rs, components/script/dom/document.rs, components/script/dom/workerglobalscope.rs, components/script/dom/htmlmediaelement.rs, components/script/stylesheet_loader.rs, components/script/dom/dedicatedworkerglobalscope.rs, components/script/dom/htmlimageelement.rs, components/script/script_thread.rs, components/script/dom/htmliframeelement.rs, components/script/dom/globalscope.rs, components/script/dom/bindings/trace.rs, components/script/dom/eventsource.rs, components/script/dom/serviceworkerglobalscope.rs
  • @KiChjang: components/script/dom/request.rs, components/script/dom/xmlhttprequest.rs, components/script/dom/htmlscriptelement.rs, components/net_traits/response.rs, components/net_traits/response.rs, components/script/dom/window.rs, components/script_traits/lib.rs, components/script_traits/lib.rs, components/script/dom/document.rs, components/net/http_loader.rs, components/script/dom/workerglobalscope.rs, components/net_traits/lib.rs, components/net_traits/lib.rs, components/script/dom/htmlmediaelement.rs, components/script/stylesheet_loader.rs, components/net/blob_loader.rs, components/script/dom/dedicatedworkerglobalscope.rs, components/script/dom/htmlimageelement.rs, components/script/script_thread.rs, components/script/dom/htmliframeelement.rs, components/net/fetch/methods.rs, components/script/dom/globalscope.rs, components/script/dom/bindings/trace.rs, components/script/dom/eventsource.rs, components/net_traits/request.rs, components/net_traits/request.rs, components/script/dom/serviceworkerglobalscope.rs
@highfive

highfive commented Apr 9, 2017

Warning

  • These commits modify gfx, net, and script code, but no tests are modified. Please consider adding a test!
@nox
Member Author

nox commented Apr 9, 2017

@bors-servo
Contributor

bors-servo commented Apr 9, 2017

Trying commit 93a5f07 with merge 887456f...

bors-servo added a commit that referenced this pull request Apr 9, 2017
(Do not merge) Partially implement blocking as mixed content
@bors-servo
Contributor

bors-servo commented Apr 9, 2017

@nox nox force-pushed the nox:mixed branch from 93a5f07 to b1a49a0 Apr 9, 2017
@nox
Member Author

nox commented Apr 9, 2017

This covers the script and style cases from #8582, AFAICT.

@mbrubeck mbrubeck removed their assignment Apr 9, 2017
@nox nox force-pushed the nox:mixed branch from b1a49a0 to 6d86380 Apr 9, 2017
@jdm
Member

jdm commented Apr 9, 2017

This should modify script/layout_image.rs as well.

@jdm
Member

jdm commented Apr 9, 2017

I'm interested in having @avadacatavra review this.

@nox nox force-pushed the nox:mixed branch from 6d86380 to addd811 Apr 10, 2017
@avadacatavra
Contributor

avadacatavra commented Apr 10, 2017

Reviewed 7 of 7 files at r1, 1 of 1 files at r2, 1 of 1 files at r3, 19 of 19 files at r4.
Review status: 23 of 204 files reviewed at latest revision, 1 unresolved discussion.


components/net/http_loader.rs, line 1178 at r2 (raw file):

        "https" => HttpsState::Modern,
        "http" => HttpsState::None,
        _ => panic!("The current URL's scheme should be an HTTP(S) scheme here."),

do we want to panic here or return an error?


Comments from Reviewable

@@ -1102,6 +1105,18 @@ fn http_network_fetch(request: &Request,
response.headers = res.response.headers.clone();
response.referrer = request.referrer.to_url().cloned();

{
let http_message = res.response.get_ref().downcast_ref::<Http11Message>().unwrap();
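
Review bot: The `.unwrap()` on `downcast_ref::<Http11Message>()` at the `let http_message` line panics if the response message is ever a different type. Handle the `None` case explicitly, for example by treating the response as not served over HTTPS or by returning a network error, so that an unexpected message type does not bring down the fetch.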

@avadacatavra

avadacatavra Apr 11, 2017

Contributor

all of this is to figure out if the response is served over https, right?

@nox

nox Apr 11, 2017

Author Member

Yes. I could more simply just check that the request's URL scheme was "https", but this checks that the very stream that handles the bits over the wire actually uses an HttpsStream, so I think that is better. And we will need that code when we will finally look at the actual cypher anyway.

@avadacatavra

avadacatavra Apr 11, 2017

Contributor

i agree :)
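
The scheme-versus-transport distinction discussed in the thread above, as an added example that is not code from this pull request or from Servo. `PlainStream`, `TlsStream`, the local `HttpsState` enum and every function name are hypothetical stand-ins, and the fail-closed rule in `response_https_state` is an assumption of the example.

```rust
use std::any::Any;

// Local stand-in for the enum named in the review; not Servo's definition.
#[derive(Debug, Clone, Copy, PartialEq)]
enum HttpsState { None, Modern }

// Hypothetical transport types: a plaintext socket and a TLS-wrapped one.
struct PlainStream;
struct TlsStream;

/// What the URL claims. Returns an error for non-HTTP(S) schemes
/// instead of panicking.
fn state_from_scheme(url: &str) -> Result<HttpsState, String> {
    match url.split(':').next() {
        Some("https") => Ok(HttpsState::Modern),
        Some("http") => Ok(HttpsState::None),
        other => Err(format!("not an HTTP(S) scheme: {:?}", other)),
    }
}

/// What actually carried the bytes. A failed downcast means "not TLS",
/// so an unknown stream type is never reported as secure.
fn state_from_stream(stream: &dyn Any) -> HttpsState {
    match stream.downcast_ref::<TlsStream>() {
        Some(_) => HttpsState::Modern,
        None => HttpsState::None,
    }
}

/// Assumed policy for this example: report Modern only when the URL
/// and the transport agree, otherwise fail closed to None.
fn response_https_state(url: &str, stream: &dyn Any) -> Result<HttpsState, String> {
    let claimed = state_from_scheme(url)?;
    let actual = state_from_stream(stream);
    if claimed == HttpsState::Modern && actual == HttpsState::Modern {
        Ok(HttpsState::Modern)
    } else {
        Ok(HttpsState::None)
    }
}

fn main() {
    // Constructed inputs: the same https URL over two different transports.
    let url = "https://example.test/app.js";
    println!("{:?}", response_https_state(url, &TlsStream));
    println!("{:?}", response_https_state(url, &PlainStream));
    println!("{:?}", response_https_state("ftp://example.test/", &TlsStream));
}
```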

@@ -15,9 +15,9 @@ brotli = "1.0.6"
cookie = "0.6"
devtools_traits = {path = "../devtools_traits"}
flate2 = "0.2.0"
hyper = "0.10"
hyper = "0.10.8"

@avadacatavra

avadacatavra Apr 11, 2017

Contributor

why do we need to specify 0.10.8 instead of just 0.10?

@nox

nox Apr 11, 2017

Author Member

Good practice, the get_ref functions are in hyper 0.10.8.

hyper_serde = "0.6"
hyper-openssl = "0.2.2"
hyper-openssl = "0.2.6"
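
Review bot: The two requirement changes in this hunk (`hyper = "0.10.8"` and `hyper-openssl = "0.2.6"`) raise the minimum version without recording why. Cargo reads both as caret requirements, so the previous `"0.10"` and `"0.2.2"` already accepted these releases and the only effect is the new floor. Add a short comment in the manifest naming the API that needs each floor, so a later reader can tell whether it can be relaxed.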

@avadacatavra

avadacatavra Apr 11, 2017

Contributor

same question--why do we need to specify past 0.2?

@nox

nox Apr 11, 2017

Author Member

Same reason, though I ended up not using the lock function I introduced in 0.2.6, given we don't need to look at the cipher yet.

@@ -255,7 +271,12 @@ pub fn main_fetch(request: &mut Request,
// TODO: handle blocking by content security policy.
let blocked_error_response;
let internal_response =
if should_replace_with_nosniff_error {
if should_replace_with_mixed_content_error {

@jdm

jdm Apr 11, 2017

Member

Please remove the TODO comment about mixed content above this line.

is_potentially_trustworthy_url(url.as_url()) || url.scheme() == "data"
}

/// https://www.w3.org/TR/secure-contexts/#is-url-trustworthy
is_potentially_trustworthy_origin(url.origin())
}

/// https://www.w3.org/TR/secure-contexts/#is-origin-trustworthy
@nox nox force-pushed the nox:mixed branch from 31cb651 to 3c7f3f8 Apr 13, 2017
@nox nox force-pushed the nox:mixed branch from 3c7f3f8 to fe2aee2 Apr 13, 2017
@nox
Member Author

nox commented May 1, 2017

r? @jdm

@highfive highfive assigned jdm and unassigned avadacatavra May 1, 2017
unsafe_request: true,
// XXXManishearth figure out how to avoid this clone
body: extracted_or_serialized.as_ref().map(|e| e.0.clone()),
// TODO: handle request's client.

@jdm

jdm May 1, 2017

Member

This is handled now.


// Steps 3-4.
// TODO: handle whether response is an opaque filtered response.
// https://github.com/servo/servo/issues/16355

@jdm

jdm May 1, 2017

Member

This hasn't been addressed yet.


/// https://w3c.github.io/webappsec-mixed-content/#categorize-settings-object
pub fn target_browsing_context_has_parent_browsing_context(&self) -> bool {
self.is_top_level()

@jdm

jdm May 1, 2017

Member

This check is backwards.

if responsible_document.https_state() != HttpsState::None {
return true;
}
match responsible_document.window().parent_info() {

@jdm

jdm May 1, 2017

Member

This is broken for cross-origin iframes. We will need to talk to the constellation to make this work correctly.

@bors-servo
Contributor

bors-servo commented May 1, 2017

The latest upstream changes (presumably #16677) made this pull request unmergeable. Please resolve the merge conflicts.

@avadacatavra
Contributor

avadacatavra commented Nov 14, 2017

@nox what's the status on this?

@jdm
Member

jdm commented Nov 15, 2017

Closing due to inactivity; tracking in #19243.
