diff --git a/dom/security/nsContentSecurityManager.cpp b/dom/security/nsContentSecurityManager.cpp index 84f97c041..9006910f1 100644 --- a/dom/security/nsContentSecurityManager.cpp +++ b/dom/security/nsContentSecurityManager.cpp @@ -102,6 +102,9 @@ nsContentSecurityManager::CheckFTPSubresourceLoad(nsIChannel* aChannel) // We dissallow using FTP resources as a subresource everywhere. // The only valid way to use FTP resources is loading it as // a top level document. + if (!mozilla::net::nsIOService::BlockFTPSubresources()) { + return NS_OK; + } nsCOMPtr loadInfo = aChannel->GetLoadInfo(); if (!loadInfo) { diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js index 837a9eb02..e8bd211cb 100644 --- a/modules/libpref/init/all.js +++ b/modules/libpref/init/all.js @@ -5575,6 +5575,9 @@ pref ("security.mixed_content.hsts_priming_request_timeout", 3000); // URL-Bar will not be blocked when flipping this pref. pref("security.data_uri.block_toplevel_data_uri_navigations", true); +// If true, all FTP subresource loads will be blocked. +pref("security.block_ftp_subresources", true); + // Disable Storage api in release builds. #ifdef NIGHTLY_BUILD pref("dom.storageManager.enabled", true); diff --git a/netwerk/base/nsIOService.cpp b/netwerk/base/nsIOService.cpp index 0244807f3..3b7d28264 100644 --- a/netwerk/base/nsIOService.cpp +++ b/netwerk/base/nsIOService.cpp @@ -188,6 +188,7 @@ uint32_t nsIOService::gDefaultSegmentCount = 24; bool nsIOService::sTelemetryEnabled = false; bool nsIOService::sBlockToplevelDataUriNavigations = false; +bool nsIOService::sBlockFTPSubresources = false; //////////////////////////////////////////////////////////////////////////////// @@ -269,6 +270,8 @@ nsIOService::Init() Preferences::AddBoolVarCache(&sTelemetryEnabled, "toolkit.telemetry.enabled", false); Preferences::AddBoolVarCache(&sBlockToplevelDataUriNavigations, "security.data_uri.block_toplevel_data_uri_navigations", false); + Preferences::AddBoolVarCache(&sBlockFTPSubresources, + "security.block_ftp_subresources", true); Preferences::AddBoolVarCache(&mOfflineMirrorsConnectivity, OFFLINE_MIRRORS_CONNECTIVITY, true); gIOService = this; @@ -1902,5 +1905,11 @@ nsIOService::BlockToplevelDataUriNavigations() return sBlockToplevelDataUriNavigations; } +/*static*/ bool +nsIOService::BlockFTPSubresources() +{ + return sBlockFTPSubresources; +} + } // namespace net } // namespace mozilla diff --git a/netwerk/base/nsIOService.h b/netwerk/base/nsIOService.h index e592c4d1c..a7063d416 100644 --- a/netwerk/base/nsIOService.h +++ b/netwerk/base/nsIOService.h @@ -97,6 +97,8 @@ public: static bool BlockToplevelDataUriNavigations(); + static bool BlockFTPSubresources(); + // Used to trigger a recheck of the captive portal status nsresult RecheckCaptivePortal(); private: @@ -180,6 +182,8 @@ private: static bool sBlockToplevelDataUriNavigations; + static bool sBlockFTPSubresources; + // These timestamps are needed for collecting telemetry on PR_Connect, // PR_ConnectContinue and PR_Close blocking time. If we spend very long // time in any of these functions we want to know if and what network