Issue #2914 - Explicitly allow mixed content websockets on localhost.

This carves out an exception for hard-coded loopback addresses to allow
`ws:` connections from `https:` to allow mixed-mode from secure pages.

Resolves #2914

dom/base/WebSocket.cpp

@@ -17,6 +17,7 @@
 #include "mozilla/dom/MessageEventBinding.h"
 #include "mozilla/dom/nsCSPContext.h"
 #include "mozilla/dom/nsCSPUtils.h"
+#include "mozilla/dom/nsMixedContentBlocker.h"
 #include "mozilla/dom/ScriptSettings.h"
 #include "mozilla/dom/WorkerPrivate.h"
 #include "mozilla/dom/WorkerRunnable.h"
@@ -1604,10 +1605,10 @@ WebSocketImpl::Init(JSContext* aCx,
                         mInnerWindowID);
   }
 
-  // Don't allow https:// to open ws://
+  // Don't allow https:// to open ws://, except when explicitly preffed or a loopback address.
   if (!mIsServerSide && !mSecure &&
-      !Preferences::GetBool("network.websocket.allowInsecureFromHTTPS",
-                            false)) {
+      !Preferences::GetBool("network.websocket.allowInsecureFromHTTPS", false) &&
+      !nsMixedContentBlocker::IsPotentiallyTrustworthyLoopbackHost(mAsciiHost)) {
     // Confirmed we are opening plain ws:// and want to prevent this from a
     // secure context (e.g. https).
     nsCOMPtr<nsIPrincipal> principal;

dom/security/nsMixedContentBlocker.cpp

@@ -334,16 +334,23 @@ nsMixedContentBlocker::AsyncOnChannelRedirect(nsIChannel* aOldChannel,
   return NS_OK;
 }
 
-bool nsMixedContentBlocker::IsPotentiallyTrustworthyLoopbackURL(nsIURI* aURL) {
-  nsAutoCString host;
-  nsresult rv = aURL->GetHost(host);
-  NS_ENSURE_SUCCESS(rv, false);
-
-  return host.EqualsLiteral("127.0.0.1") || host.EqualsLiteral("::1") ||
-         host.EqualsLiteral("localhost");
+bool
+nsMixedContentBlocker::IsPotentiallyTrustworthyLoopbackHost(const nsACString& aAsciiHost) {
+  return aAsciiHost.EqualsLiteral("127.0.0.1") ||
+         aAsciiHost.EqualsLiteral("::1") ||
+         aAsciiHost.EqualsLiteral("localhost");
 }
 
-bool nsMixedContentBlocker::IsPotentiallyTrustworthyOrigin(nsIURI* aURI) {
+bool
+nsMixedContentBlocker::IsPotentiallyTrustworthyLoopbackURL(nsIURI* aURL) {
+  nsAutoCString asciiHost;
+  nsresult rv = aURL->GetAsciiHost(asciiHost);
+  NS_ENSURE_SUCCESS(rv, false);
+  return IsPotentiallyTrustworthyLoopbackHost(asciiHost);
+}
+
+bool
+nsMixedContentBlocker::IsPotentiallyTrustworthyOrigin(nsIURI* aURI) {
   // The following implements:
   // https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy
 

dom/security/nsMixedContentBlocker.h

@@ -44,6 +44,7 @@ public:
 
   // See:
   // https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy
+  static bool IsPotentiallyTrustworthyLoopbackHost(const nsACString& aAsciiHost);
   static bool IsPotentiallyTrustworthyLoopbackURL(nsIURI* aURL);
   static bool IsPotentiallyTrustworthyOrigin(nsIURI* aURI);