import changes from `dev' branch of rmottola/Arctic-Fox:

- remove a fix of PM now part of original bug 1280454 (63a48bffc)
- Bug 1004703 - ignore 'unsafe-inline' if nonce- or hash-source specified (r=sstamm) (26c3f1d83)
- Bug 1139297 - Implement CSP upgrade-insecure-requests directive - document changes (r=smaug) Bug 1139297 - Implement CSP upgrade-insecure-requests directive - csp changes (r=sstamm) (6ae99cb91)
- Bug 1175480 - Expose the external content policy type from the load info objects; r=smaug (bad7acb0b)
- Bug 1139297 - Implement CSP upgrade-insecure-requests directive - loadinfo changes (r=sicking,sworkman) (f1e5caa97)
- Bug 1139297 - Implement CSP upgrade-insecure-requests directive - mcb changes (r=tanvi) (3c3086263)
- Bug 1139297 - Implement CSP upgrade-insecure-requests directive - cors changes (r=smaug) (7181cf6af)
- Bug 1159945 - Add telemetry to measure HSTS usage (9950700e5)
- Bug 1139297 - Implement CSP upgrade-insecure-requests directive - netwerk changes (r=sworkman) (e8a18ecec)
- Bug 1139297 - Implement CSP upgrade-insecure-requests directive - websocket changes (r=baku) (e2175bc25)
- Bug 1139297 - Implement CSP upgrade-insecure-requests directive - form changes (r=baku) (80e178c19)
- Bug 1139297 - Implement CSP upgrade-insecure-requests directive - devtool changes (r=sstamm,bholley) (ab9ed53dd)
- Bug 1168538 - Add compiled code test for referrer directive to TestCSPParser. r=ckerschb (964893684)
- Bug 1139297 - Implement CSP upgrade-insecure-requests directive - parser tests (r=sstamm) (b1e0342c9)
- Bug 1139297 - Implement CSP upgrade-insecure-requests directive - simple upgrade tests (r=tanvi,sstamm) (8e3dfedc8)
- Bug 1139297 - Implement CSP upgrade-insecure-requests directive - reports (r=sstamm) (949e85987)
- Bug 1139297 - Implement CSP upgrade-insecure-requests directive - tests referrer (r=sstamm) (835f4d143)
- Bug 1139297 - Implement CSP upgrade-insecure-requests directive - cors tests (r=smaug) (18054ab57)
- Bug 1179123 - Avoid crash when calling ExitFullscreenInDocTree with a detached fullscreen document with its root exited fullscreen state. r=smaug (cb84e0aa7)
- Bug 1173215, don't set mChromeXHRDocURI when dealing with non-XHR documents, r=bz (cbe06329e)
- Bug 1178860 - Add dom.meta-viewport.enabled to gfxPrefs. r=dvander (060738800)
- Bug 1175228: Skip profiler_tracing call for requestAnimationFrame callbacks, if we don't have any callbacks. r=BenWa (b52166626)
- Bug 1175245: Convert nsRefreshDriver.cpp to use range-based "for" loops. r=tn (b5366155b)
- Bug 1177764 - Use nsTObserverArray in APZCCallbackHelper, r=kats, r=dholbert (745e67b73)
2021-06-08 14:53:21 +08:00
parent ece7c7b7fe
commit 2da2bfc91b
43 changed files with 1644 additions and 212 deletions
+37
@@ -12,6 +12,8 @@
#include "mozilla/EventStateManager.h"
#include "mozilla/EventStates.h"
#include "mozilla/dom/AutocompleteErrorEvent.h"
#include "mozilla/dom/nsCSPUtils.h"
#include "mozilla/dom/nsCSPContext.h"
#include "mozilla/dom/HTMLFormControlsCollection.h"
#include "mozilla/dom/HTMLFormElementBinding.h"
#include "mozilla/Move.h"
@@ -41,6 +43,7 @@
#include "nsCategoryManagerUtils.h"
#include "nsISimpleEnumerator.h"
#include "nsRange.h"
#include "nsIScriptError.h"
#include "nsIScriptSecurityManager.h"
#include "nsNetUtil.h"
#include "nsIInterfaceRequestorUtils.h"
@@ -1745,6 +1748,40 @@ HTMLFormElement::GetActionURL(nsIURI** aActionURL,
}
}
// Potentially the page uses the CSP directive 'upgrade-insecure-requests'. In
// such a case we have to upgrade the action url from http:// to https://.
// If the actionURL is not http, then there is nothing to do.
bool isHttpScheme = false;
rv = actionURL->SchemeIs("http", &isHttpScheme);
NS_ENSURE_SUCCESS(rv, rv);
if (isHttpScheme && document->GetUpgradeInsecureRequests()) {
// let's use the old specification before the upgrade for logging
nsAutoCString spec;
rv = actionURL->GetSpec(spec);
NS_ENSURE_SUCCESS(rv, rv);
NS_ConvertUTF8toUTF16 reportSpec(spec);
// upgrade the actionURL from http:// to use https://
rv = actionURL->SetScheme(NS_LITERAL_CSTRING("https"));
NS_ENSURE_SUCCESS(rv, rv);
// let's log a message to the console that we are upgrading a request
nsAutoCString scheme;
rv = actionURL->GetScheme(scheme);
NS_ENSURE_SUCCESS(rv, rv);
NS_ConvertUTF8toUTF16 reportScheme(scheme);
const char16_t* params[] = { reportSpec.get(), reportScheme.get() };
CSP_LogLocalizedStr(NS_LITERAL_STRING("upgradeInsecureRequest").get(),
params, ArrayLength(params),
EmptyString(), // aSourceFile
EmptyString(), // aScriptSample
0, // aLineNumber
0, // aColumnNumber
nsIScriptError::warningFlag, "CSP",
document->InnerWindowID());
}
//
// Assign to the output
//
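Review bot: The upgrade at `rv = actionURL->SetScheme(NS_LITERAL_CSTRING("https"));` sits directly before the "Assign to the output" step, so any check made earlier in GetActionURL saw the http:// URL, and nothing in this hunk re-validates the https:// URL that is returned. The earlier part of the function is outside this hunk, so this is inferred from position only. If that part holds the load-URI or CSP form-action checks, a policy listing only https sources would presumably reject the form before the upgrade can apply. Either move the block ahead of those checks or document the ordering, e.g. `// NOTE: the checks above ran on the pre-upgrade URL; the upgraded URL is not re-checked.` Separately, `reportSpec` carries the complete pre-upgrade spec, including any query string or userinfo, into the console message; consider whether the origin alone would be enough there.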