import from UXP: Issue #2914 - Explicitly allow mixed content websockets on localhost. (151ef218)

dom/base/WebSocket.cpp

@@ -18,6 +18,7 @@
 #include "mozilla/dom/MessageEventBinding.h"
 #include "mozilla/dom/nsCSPContext.h"
 #include "mozilla/dom/nsCSPUtils.h"
+#include "mozilla/dom/nsMixedContentBlocker.h"
 #include "mozilla/dom/ScriptSettings.h"
 #include "mozilla/dom/WorkerPrivate.h"
 #include "mozilla/dom/WorkerRunnable.h"
@@ -1615,10 +1616,10 @@ WebSocketImpl::Init(JSContext* aCx,
                         mInnerWindowID);
   }
 
-  // Don't allow https:// to open ws://
+  // Don't allow https:// to open ws://, except when explicitly preffed or a loopback address.
   if (!mIsServerSide && !mSecure &&
-      !Preferences::GetBool("network.websocket.allowInsecureFromHTTPS",
-                            false)) {
+      !Preferences::GetBool("network.websocket.allowInsecureFromHTTPS", false) &&
+      !nsMixedContentBlocker::IsPotentiallyTrustworthyLoopbackHost(mAsciiHost)) {
     // Confirmed we are opening plain ws:// and want to prevent this from a
     // secure context (e.g. https).
     nsCOMPtr<nsIPrincipal> principal;

dom/security/nsMixedContentBlocker.cpp

@@ -398,78 +398,85 @@ nsMixedContentBlocker::AsyncOnChannelRedirect(nsIChannel* aOldChannel,
 
   return NS_OK;
 }
-
-bool nsMixedContentBlocker::IsPotentiallyTrustworthyLoopbackURL(nsIURI* aURL) {
-  nsAutoCString host;
-  nsresult rv = aURL->GetHost(host);
-  NS_ENSURE_SUCCESS(rv, false);
-
-  return host.EqualsLiteral("127.0.0.1") || host.EqualsLiteral("::1") ||
-         host.EqualsLiteral("localhost");
-}
 
-bool nsMixedContentBlocker::IsPotentiallyTrustworthyOrigin(nsIURI* aURI) {
-  // The following implements:
-  // https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy
-
-  nsAutoCString scheme;
-  nsresult rv = aURI->GetScheme(scheme);
-  if (NS_FAILED(rv)) {
-    return false;
-  }
-
-  // Blobs are expected to inherit their principal so we don't expect to have
-  // a codebase principal with scheme 'blob' here.  We can't assert that though
-  // since someone could mess with a non-blob URI to give it that scheme.
-  NS_WARNING_ASSERTION(!scheme.EqualsLiteral("blob"),
-                       "IsPotentiallyTrustworthyOrigin ignoring blob scheme");
-
-  // According to the specification, the user agent may choose to extend the
-  // trust to other, vendor-specific URL schemes. We use this for "resource:",
-  // which is technically a substituting protocol handler that is not limited to
-  // local resource mapping, but in practice is never mapped remotely as this
-  // would violate assumptions a lot of code makes.
-  if (scheme.EqualsLiteral("https") ||
-      scheme.EqualsLiteral("file") ||
-      scheme.EqualsLiteral("resource") ||
-      scheme.EqualsLiteral("app") ||
-      scheme.EqualsLiteral("moz-extension") ||
-      scheme.EqualsLiteral("wss")) {
-    return true;
-  }
-
-  nsAutoCString host;
-  rv = aURI->GetHost(host);
-  if (NS_FAILED(rv)) {
-    return false;
-  }
-
-  if (IsPotentiallyTrustworthyLoopbackURL(aURI)) {
-    return true;
-  }
-
-  // If a host is not considered secure according to the default algorithm, then
-  // check to see if it has been whitelisted by the user.  We only apply this
-  // whitelist for network resources, i.e., those with scheme "http" or "ws".
-  // The pref should contain a comma-separated list of hostnames.
-
-  if (!scheme.EqualsLiteral("http") && !scheme.EqualsLiteral("ws")) {
-    return false;
-  }
-
-  nsAdoptingCString whitelist = Preferences::GetCString("dom.securecontext.whitelist");
-  if (whitelist) {
-    nsCCharSeparatedTokenizer tokenizer(whitelist, ',');
-    while (tokenizer.hasMoreTokens()) {
-      const nsCSubstring& allowedHost = tokenizer.nextToken();
-      if (host.Equals(allowedHost)) {
-        return true;
-      }
-    }
-  }
+bool
+nsMixedContentBlocker::IsPotentiallyTrustworthyLoopbackHost(const nsACString& aAsciiHost) {
+  return aAsciiHost.EqualsLiteral("127.0.0.1") ||
+         aAsciiHost.EqualsLiteral("::1") ||
+         aAsciiHost.EqualsLiteral("localhost");
+}
 
-  return false;
-}
+bool
+nsMixedContentBlocker::IsPotentiallyTrustworthyLoopbackURL(nsIURI* aURL) {
+  nsAutoCString asciiHost;
+  nsresult rv = aURL->GetAsciiHost(asciiHost);
+  NS_ENSURE_SUCCESS(rv, false);
+  return IsPotentiallyTrustworthyLoopbackHost(asciiHost);
+}
+
+bool
+nsMixedContentBlocker::IsPotentiallyTrustworthyOrigin(nsIURI* aURI) {
+  // The following implements:
+  // https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy
+
+  nsAutoCString scheme;
+  nsresult rv = aURI->GetScheme(scheme);
+  if (NS_FAILED(rv)) {
+    return false;
+  }
+
+  // Blobs are expected to inherit their principal so we don't expect to have
+  // a codebase principal with scheme 'blob' here.  We can't assert that though
+  // since someone could mess with a non-blob URI to give it that scheme.
+  NS_WARNING_ASSERTION(!scheme.EqualsLiteral("blob"),
+                       "IsPotentiallyTrustworthyOrigin ignoring blob scheme");
+
+  // According to the specification, the user agent may choose to extend the
+  // trust to other, vendor-specific URL schemes. We use this for "resource:",
+  // which is technically a substituting protocol handler that is not limited to
+  // local resource mapping, but in practice is never mapped remotely as this
+  // would violate assumptions a lot of code makes.
+  if (scheme.EqualsLiteral("https") ||
+      scheme.EqualsLiteral("file") ||
+      scheme.EqualsLiteral("resource") ||
+      scheme.EqualsLiteral("app") ||
+      scheme.EqualsLiteral("moz-extension") ||
+      scheme.EqualsLiteral("wss")) {
+    return true;
+  }
+
+  nsAutoCString host;
+  rv = aURI->GetHost(host);
+  if (NS_FAILED(rv)) {
+    return false;
+  }
+
+  if (IsPotentiallyTrustworthyLoopbackURL(aURI)) {
+    return true;
+  }
+
+  // If a host is not considered secure according to the default algorithm, then
+  // check to see if it has been whitelisted by the user.  We only apply this
+  // whitelist for network resources, i.e., those with scheme "http" or "ws".
+  // The pref should contain a comma-separated list of hostnames.
+
+  if (!scheme.EqualsLiteral("http") && !scheme.EqualsLiteral("ws")) {
+    return false;
+  }
+
+  nsAdoptingCString whitelist = Preferences::GetCString("dom.securecontext.whitelist");
+  if (whitelist) {
+    nsCCharSeparatedTokenizer tokenizer(whitelist, ',');
+    while (tokenizer.hasMoreTokens()) {
+      const nsCSubstring& allowedHost = tokenizer.nextToken();
+      if (host.Equals(allowedHost)) {
+        return true;
+      }
+    }
+  }
+
+  return false;
+}
 
 /* This version of ShouldLoad() is non-static and called by the Content Policy
  * API and AsyncOnChannelRedirect().  See nsIContentPolicy::ShouldLoad()
@@ -809,16 +816,16 @@ nsMixedContentBlocker::ShouldLoad(bool aHadInsecureImageRedirect,
     *aDecision = REJECT_REQUEST;
     return NS_OK;
   }
-
-  bool isHttpScheme = false;
-  rv = innerContentLocation->SchemeIs("http", &isHttpScheme);
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  // Allow http requests for trusted origins (e.g. localhost or explicitly trusted contexts)
-  if (isHttpScheme && IsPotentiallyTrustworthyOrigin(innerContentLocation)) {
-    *aDecision = ACCEPT;
-    return NS_OK;
-  }
+
+  bool isHttpScheme = false;
+  rv = innerContentLocation->SchemeIs("http", &isHttpScheme);
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  // Allow http requests for trusted origins (e.g. localhost or explicitly trusted contexts)
+  if (isHttpScheme && IsPotentiallyTrustworthyOrigin(innerContentLocation)) {
+    *aDecision = ACCEPT;
+    return NS_OK;
+  }
 
   // The page might have set the CSP directive 'upgrade-insecure-requests'. In such
   // a case allow the http: load to succeed with the promise that the channel will

dom/security/nsMixedContentBlocker.h

@@ -45,6 +45,7 @@ public:
 
   // See:
   // https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy
+  static bool IsPotentiallyTrustworthyLoopbackHost(const nsACString& aAsciiHost);
   static bool IsPotentiallyTrustworthyLoopbackURL(nsIURI* aURL);
   static bool IsPotentiallyTrustworthyOrigin(nsIURI* aURI);