import changes from tenfourfox:

- #602: CSP semantics update, fix wss: access (5785a7c36)
- #601: empty img behaviour M1196668 M1616537 M1506592 (see also M1549742) (a7f14df01)
- #603: M1347489 (17da05f15)
- #605: update HSTS, TLDs (a7d2c071d)
- #605: M1632908 (subparts M1631576 M1608895 only) (0d0dc62a8)
- #605: update HSTS, TLDs (8304421b7)

dom/base/nsIImageLoadingContent.idl

@@ -60,7 +60,7 @@ interface nsIImageLoadingContent : imgINotificationObserver
    * the image was blocked.  This status always refers to the
    * CURRENT_REQUEST load.
    */
-  readonly attribute short imageBlockingStatus;
+  [infallible] readonly attribute short imageBlockingStatus;
 
   /**
    * Used to register an image decoder observer.  Typically, this will

dom/security/nsCSPParser.cpp

@@ -574,7 +574,8 @@ nsCSPParser::keywordSource()
   // Special case handling for 'self' which is not stored internally as a keyword,
   // but rather creates a nsCSPHostSrc using the selfURI
   if (CSP_IsKeyword(mCurToken, CSP_SELF)) {
-    return CSP_CreateHostSrcFromURI(mSelfURI);
+    // TenFourFox issue 602
+    return CSP_CreateHostSrcFromURI(mSelfURI, /* aIsSelf */ true);
   }
 
   if (CSP_IsKeyword(mCurToken, CSP_UNSAFE_INLINE)) {

dom/security/nsCSPUtils.cpp

@@ -191,7 +191,7 @@ CSP_ContentTypeToDirective(nsContentPolicyType aType)
 }
 
 nsCSPHostSrc*
-CSP_CreateHostSrcFromURI(nsIURI* aURI)
+CSP_CreateHostSrcFromURI(nsIURI* aURI, bool aIsSelf)
 {
   // Create the host first
   nsCString host;
@@ -211,6 +211,10 @@ CSP_CreateHostSrcFromURI(nsIURI* aURI)
     portStr.AppendInt(port);
     hostsrc->setPort(portStr);
   }
+
+  // Mark if this came from 'self' originally (TenFourFox issue 602).
+  hostsrc->setCameFromSelf(aIsSelf);
+
   return hostsrc;
 }
 
@@ -303,6 +307,14 @@ permitsScheme(const nsAString& aEnforcementScheme,
     return true;
   }
 
+  // TenFourFox issue 602: allow loading wss if the enforcement scheme is TLS,
+  // or if we are promised an upgrade of ws.
+  if (aEnforcementScheme.EqualsASCII("https") &&
+      (scheme.EqualsASCII("wss") ||
+       (aUpgradeInsecure && !aReportOnly && scheme.EqualsASCII("ws")))) {
+    return true;
+  }
+
   // Allow the load when enforcing upgrade-insecure-requests with the
   // promise the request gets upgraded from http to https and ws to wss.
   // See nsHttpChannel::Connect() and also WebSocket.cpp. Please note,
@@ -316,6 +328,7 @@ permitsScheme(const nsAString& aEnforcementScheme,
 /* ===== nsCSPSrc ============================ */
 
 nsCSPBaseSrc::nsCSPBaseSrc()
+  : mCameFromSelf(false) // TenFourFox issue 602
 {
 }
 
@@ -323,6 +336,18 @@ nsCSPBaseSrc::~nsCSPBaseSrc()
 {
 }
 
+/* TenFourFox issue 602 */
+bool
+nsCSPBaseSrc::getCameFromSelf() const
+{
+   return mCameFromSelf;
+}
+void
+nsCSPBaseSrc::setCameFromSelf(bool aIsSelf)
+{
+   mCameFromSelf = aIsSelf;
+}
+
 // ::permits is only called for external load requests, therefore:
 // nsCSPKeywordSrc and nsCSPHashSource fall back to this base class
 // implementation which will never allow the load.
@@ -338,8 +363,7 @@ nsCSPBaseSrc::permits(nsIURI* aUri, const nsAString& aNonce, bool aWasRedirected
   return false;
 }
 
-// ::allows is only called for inlined loads, therefore:
-// nsCSPSchemeSrc, nsCSPHostSrc fall back
+// ::allows is only called for inlined loads, therefore externals fall back
 // to this base class implementation which will never allow the load.
 bool
 nsCSPBaseSrc::allows(enum CSPKeyword aKeyword, const nsAString& aHashOrNonce) const
@@ -534,6 +558,13 @@ nsCSPHostSrc::permits(nsIURI* aUri, const nsAString& aNonce, bool aWasRedirected
   return true;
 }
 
+// TenFourFox issue 602. Called for inlined loads only.
+bool
+nsCSPHostSrc::allows(enum CSPKeyword aKeyword, const nsAString& aHashOrNonce) const
+{
+  return getCameFromSelf();
+}
+
 void
 nsCSPHostSrc::toString(nsAString& outStr) const
 {

dom/security/nsCSPUtils.h

@@ -169,7 +169,8 @@ inline CSPKeyword CSP_KeywordToEnum(const nsAString& aKey)
 
 class nsCSPHostSrc;
 
-nsCSPHostSrc* CSP_CreateHostSrcFromURI(nsIURI* aURI);
+// TenFourFox issue 602
+nsCSPHostSrc* CSP_CreateHostSrcFromURI(nsIURI* aURI, bool aIsSelf = false);
 bool CSP_IsValidDirective(const nsAString& aDir);
 bool CSP_IsDirective(const nsAString& aValue, CSPDirective aDir);
 bool CSP_IsKeyword(const nsAString& aValue, enum CSPKeyword aKey);
@@ -188,6 +189,12 @@ class nsCSPBaseSrc {
                          bool aReportOnly, bool aUpgradeInsecure) const;
     virtual bool allows(enum CSPKeyword aKeyword, const nsAString& aHashOrNonce) const;
     virtual void toString(nsAString& outStr) const = 0;
+
+/* TenFourFox issue 602 */
+    bool getCameFromSelf() const;
+    void setCameFromSelf(bool isSelf);
+ private:
+    bool mCameFromSelf;
 };
 
 /* =============== nsCSPSchemeSrc ============ */
@@ -214,6 +221,9 @@ class nsCSPHostSrc : public nsCSPBaseSrc {
 
     bool permits(nsIURI* aUri, const nsAString& aNonce, bool aWasRedirected,
                  bool aReportOnly, bool aUpgradeInsecure) const;
+/* TenFourFox issue 602 */
+    bool allows(enum CSPKeyword aKeyword, const nsAString& aHashOrNonce) const;
+
     void toString(nsAString& outStr) const;
 
     void setScheme(const nsAString& aScheme);

js/src/jsstr.cpp

@@ -1366,7 +1366,8 @@ class StringSegmentRange
 {
     // If malloc() shows up in any profiles from this vector, we can add a new
     // StackAllocPolicy which stashes a reusable freed-at-gc buffer in the cx.
-    Rooted<StringVector> stack;
+    using StackVector = js::TraceableVector<JSString*, 16>;
+    Rooted<StackVector> stack;
     RootedLinearString cur;
 
     bool settle(JSString* str) {
@@ -1382,7 +1383,7 @@ class StringSegmentRange
 
   public:
     explicit StringSegmentRange(JSContext* cx)
-      : stack(cx, StringVector(cx)), cur(cx)
+      : stack(cx, StackVector(cx)), cur(cx)
     {}
 
     MOZ_WARN_UNUSED_RESULT bool init(JSString* str) {

layout/generic/nsImageFrame.cpp

@@ -115,7 +115,7 @@ static bool HaveSpecifiedSize(const nsStylePosition* aStylePosition)
 
 // Decide whether we can optimize away reflows that result from the
 // image's intrinsic size changing.
-inline bool HaveFixedSize(const nsHTMLReflowState& aReflowState)
+static bool HaveFixedSize(const nsHTMLReflowState& aReflowState)
 {
   NS_ASSERTION(aReflowState.mStylePosition, "crappy reflowState - null stylePosition");
   // Don't try to make this optimization when an image has percentages
@@ -437,8 +437,23 @@ nsImageFrame::SourceRectToDest(const nsIntRect& aRect)
     (!(_state).HasAtLeastOneOfStates(NS_EVENT_STATE_BROKEN | NS_EVENT_STATE_USERDISABLED) && \
      (_state).HasState(NS_EVENT_STATE_LOADING) && (_loadingOK)))
 
-/* static */
-bool
+static bool HasAltText(Element* aElement)
+{
+  // We always return some alternate text for <input>, see
+  // nsCSSFrameConstructor::GetAlternateTextFor.
+  if (aElement->IsHTMLElement(nsGkAtoms::input)) {
+    return true;
+  }
+
+  MOZ_ASSERT(aElement->IsHTMLElement(nsGkAtoms::img));
+  nsAutoString altText;
+  return aElement->GetAttr(kNameSpaceID_None, nsGkAtoms::alt, altText) && !altText.IsEmpty();
+}
+
+// Check if we want to use an image frame or just let the frame constructor make
+// us into an inline.
+
+/* static */ bool
 nsImageFrame::ShouldCreateImageFrameFor(Element* aElement,
                                         nsStyleContext* aStyleContext)
 {
@@ -449,44 +464,26 @@ nsImageFrame::ShouldCreateImageFrameFor(Element* aElement,
     return true;
   }
 
-  // Check if we want to use a placeholder box with an icon or just
-  // let the presShell make us into inline text.  Decide as follows:
-  //
-  //  - if our special "force icons" style is set, show an icon
-  //  - else if our "do not show placeholders" pref is set, skip the icon
-  //  - else:
-  //  - if there is a src attribute, there is no alt attribute,
-  //    and this is not an <object> (which could not possibly have
-  //    such an attribute), show an icon.
-  //  - if QuirksMode, and the IMG has a size show an icon.
-  //  - otherwise, skip the icon
-  bool useSizedBox;
-  
+  // If our special "force icons" style is set, show an icon
   if (aStyleContext->StyleUIReset()->mForceBrokenImageIcon) {
-    useSizedBox = true;
-  }
-  else if (gIconLoad && gIconLoad->mPrefForceInlineAltText) {
-    useSizedBox = false;
-  }
-  else if (aElement->HasAttr(kNameSpaceID_None, nsGkAtoms::src) &&
-           !aElement->HasAttr(kNameSpaceID_None, nsGkAtoms::alt) &&
-           !aElement->IsHTMLElement(nsGkAtoms::object) &&
-           !aElement->IsHTMLElement(nsGkAtoms::input)) {
-    // Use a sized box if we have no alt text.  This means no alt attribute
-    // and the node is not an object or an input (since those always have alt
-    // text).
-    useSizedBox = true;
-  }
-  else if (aStyleContext->PresContext()->CompatibilityMode() !=
-           eCompatibility_NavQuirks) {
-    useSizedBox = false;
-  }
-  else {
-    // check whether we have specified size
-    useSizedBox = HaveSpecifiedSize(aStyleContext->StylePosition());
+    return true;
   }
 
-  return useSizedBox;
+  // If our "do not show placeholders" pref is set, skip the icon
+  if (gIconLoad && gIconLoad->mPrefForceInlineAltText) {
+    return false;
+  }
+
+  // If there is no Alt text, always create an image frame (regardless of src)
+  if (!HasAltText(aElement)) {
+    return true;
+  }
+
+  if (aStyleContext->PresContext()->CompatibilityMode() == eCompatibility_NavQuirks) {
+    return HaveSpecifiedSize(aStyleContext->StylePosition());
+  }
+
+  return false;
 }
 
 nsresult
@@ -767,6 +764,34 @@ nsImageFrame::PredictedDestRect(const nsRect& aFrameContentBox)
                                               StylePosition());
 }
 
+bool nsImageFrame::ShouldShowBrokenImageIcon() const
+{
+  bool imageBroken = false;
+  // Check for broken images. valid null images (eg. img src="") are
+  // not considered broken because they have no image requests
+  nsCOMPtr<nsIImageLoadingContent> imageLoader = do_QueryInterface(mContent);
+  if (imageLoader) {
+    // <img alt=""> is special, and it shouldn't draw the broken image icon,
+    // unlike the no-alt attribute or non-empty-alt-attribute case.
+    if (mContent->HasAttr(kNameSpaceID_None, nsGkAtoms::alt)) {
+      nsAutoString altText;
+      mContent->GetAttr(kNameSpaceID_None, nsGkAtoms::alt, altText);
+      if (altText.IsEmpty())
+        return false;
+    }
+
+    nsCOMPtr<imgIRequest> currentRequest;
+    imageLoader->GetRequest(nsIImageLoadingContent::CURRENT_REQUEST,
+                            getter_AddRefs(currentRequest));
+    uint32_t imageStatus;
+    imageBroken =
+      currentRequest &&
+      NS_SUCCEEDED(currentRequest->GetImageStatus(&imageStatus)) &&
+      (imageStatus & imgIRequest::STATUS_ERROR);
+  }
+  return imageBroken;
+}
+
 void
 nsImageFrame::EnsureIntrinsicSizeAndRatio()
 {
@@ -776,22 +801,21 @@ nsImageFrame::EnsureIntrinsicSizeAndRatio()
       mIntrinsicSize.width.GetCoordValue() == 0 &&
       mIntrinsicSize.height.GetUnit() == eStyleUnit_Coord &&
       mIntrinsicSize.height.GetCoordValue() == 0) {
-
     if (mImage) {
       UpdateIntrinsicSize(mImage);
       UpdateIntrinsicRatio(mImage);
     } else {
-      // image request is null or image size not known, probably an
-      // invalid image specified
-      // - make the image big enough for the icon (it may not be
-      // used if inline alt expansion is used instead)
+      // Image request is null or image size not known.
       if (!(GetStateBits() & NS_FRAME_GENERATED_CONTENT)) {
-        nscoord edgeLengthToUse =
-          nsPresContext::CSSPixelsToAppUnits(
-            ICON_SIZE + (2 * (ICON_PADDING + ALT_BORDER_WIDTH)));
-        mIntrinsicSize.width.SetCoordValue(edgeLengthToUse);
-        mIntrinsicSize.height.SetCoordValue(edgeLengthToUse);
-        mIntrinsicRatio.SizeTo(1, 1);
+        // Likely an invalid image. Check if we should display it as broken.
+        if (ShouldShowBrokenImageIcon()) {
+          nscoord edgeLengthToUse =
+            nsPresContext::CSSPixelsToAppUnits(
+              ICON_SIZE + (2 * (ICON_PADDING + ALT_BORDER_WIDTH)));
+          mIntrinsicSize.width.SetCoordValue(edgeLengthToUse);
+          mIntrinsicSize.height.SetCoordValue(edgeLengthToUse);
+          mIntrinsicRatio.SizeTo(1, 1);
+        }
       }
     }
   }
@@ -1362,7 +1386,8 @@ nsImageFrame::DisplayAltFeedback(nsRenderingContext& aRenderingContext,
   DrawResult result = DrawResult::NOT_READY;
 
   // Check if we should display image placeholders
-  if (!gIconLoad->mPrefShowPlaceholders ||
+  if (!ShouldShowBrokenImageIcon() ||
+      !gIconLoad->mPrefShowPlaceholders ||
       (isLoading && !gIconLoad->mPrefShowLoadingPlaceholder)) {
     result = DrawResult::SUCCESS;
   } else {

layout/generic/nsImageFrame.h

@@ -104,6 +104,8 @@ public:
                                     nsIAtom* aAttribute,
                                     int32_t aModType) override;
 
+  bool ShouldShowBrokenImageIcon() const;
+
 #ifdef ACCESSIBILITY
   virtual mozilla::a11y::AccType AccessibleType() override;
 #endif

netwerk/dns/effective_tld_names.dat

@@ -7092,7 +7092,7 @@ org.zw
 
 // newGTLDs
 
-// List of new gTLDs imported from https://www.icann.org/resources/registries/gtlds/v2/gtlds.json on 2020-04-02T18:20:31Z
+// List of new gTLDs imported from https://www.icann.org/resources/registries/gtlds/v2/gtlds.json on 2020-05-06T16:23:34Z
 // This list is auto-generated, don't edit it manually.
 // aaa : 2015-02-26 American Automobile Association, Inc.
 aaa
@@ -7241,7 +7241,7 @@ analytics
 // android : 2014-08-07 Charleston Road Registry Inc.
 android
 
-// anquan : 2015-01-08 QIHOO 360 TECHNOLOGY CO. LTD.
+// anquan : 2015-01-08 Beijing Qihu Keji Co., Ltd.
 anquan
 
 // anz : 2015-07-31 Australia and New Zealand Banking Group Limited
@@ -9749,7 +9749,7 @@ shop
 // shopping : 2016-03-31 Binky Moon, LLC
 shopping
 
-// shouji : 2015-01-08 QIHOO 360 TECHNOLOGY CO. LTD.
+// shouji : 2015-01-08 Beijing Qihu Keji Co., Ltd.
 shouji
 
 // show : 2015-03-05 Binky Moon, LLC
@@ -10313,7 +10313,7 @@ xerox
 // xfinity : 2015-07-09 Comcast IP Holdings I, LLC
 xfinity
 
-// xihuan : 2015-01-08 QIHOO 360 TECHNOLOGY CO. LTD.
+// xihuan : 2015-01-08 Beijing Qihu Keji Co., Ltd.
 xihuan
 
 // xin : 2014-12-11 Elegant Leader Limited
@@ -10634,7 +10634,7 @@ you
 // youtube : 2014-05-01 Charleston Road Registry Inc.
 youtube
 
-// yun : 2015-01-08 QIHOO 360 TECHNOLOGY CO. LTD.
+// yun : 2015-01-08 Beijing Qihu Keji Co., Ltd.
 yun
 
 // zappos : 2015-06-25 Amazon Registry Services, Inc.

security/manager/ssl/StaticHPKPins.h

@@ -1149,4 +1149,4 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
 
 static const int32_t kUnknownId = -1;
 
-static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1596467303493000);
+static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1598536948620000);

security/nss/automation/taskcluster/windows/build_gyp.sh

@@ -19,7 +19,7 @@ pushd gyp
 python -m virtualenv test-env
 test-env/Scripts/python setup.py install
 test-env/Scripts/python -m pip install --upgrade pip
-test-env/Scripts/pip install --upgrade setuptools
+test-env/Scripts/pip install --upgrade 'setuptools<45.0.0'
 # Fool GYP.
 touch "${VSPATH}/VC/vcvarsall.bat"
 export GYP_MSVS_OVERRIDE_PATH="${VSPATH}"

security/nss/lib/freebl/dsa.c

@@ -313,13 +313,14 @@ DSA_NewKeyFromSeed(const PQGParams *params,
 
 static SECStatus
 dsa_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest,
-               const unsigned char *kb)
+               const unsigned char *kbytes)
 {
     mp_int p, q, g; /* PQG parameters */
     mp_int x, k;    /* private key & pseudo-random integer */
     mp_int r, s;    /* tuple (r, s) is signature) */
     mp_int t;       /* holding tmp values */
     mp_int ar;      /* holding blinding values */
+    mp_digit fuzz;  /* blinding multiplier for q */
     mp_err err = MP_OKAY;
     SECStatus rv = SECSuccess;
     unsigned int dsa_subprime_len, dsa_signature_len, offset;
@@ -373,6 +374,7 @@ dsa_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest,
     CHECK_MPI_OK(mp_init(&s));
     CHECK_MPI_OK(mp_init(&t));
     CHECK_MPI_OK(mp_init(&ar));
+
     /*
     ** Convert stored PQG and private key into MPI integers.
     */
@@ -380,14 +382,28 @@ dsa_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest,
     SECITEM_TO_MPINT(key->params.subPrime, &q);
     SECITEM_TO_MPINT(key->params.base, &g);
     SECITEM_TO_MPINT(key->privateValue, &x);
-    OCTETS_TO_MPINT(kb, &k, dsa_subprime_len);
+    OCTETS_TO_MPINT(kbytes, &k, dsa_subprime_len);
+
+    /* k blinding  create a single value that has the high bit set in
+     * the mp_digit*/
+    if (RNG_GenerateGlobalRandomBytes(&fuzz, sizeof(mp_digit)) != SECSuccess) {
+        PORT_SetError(SEC_ERROR_NEED_RANDOM);
+        rv = SECFailure;
+        goto cleanup;
+    }
+    fuzz |= 1ULL << ((sizeof(mp_digit) * PR_BITS_PER_BYTE - 1));
     /*
     ** FIPS 186-1, Section 5, Step 1
     **
     ** r = (g**k mod p) mod q
     */
-    CHECK_MPI_OK(mp_exptmod(&g, &k, &p, &r)); /* r = g**k mod p */
-    CHECK_MPI_OK(mp_mod(&r, &q, &r));         /* r = r mod q    */
+    CHECK_MPI_OK(mp_mul_d(&q, fuzz, &t)); /* t = q*fuzz */
+    CHECK_MPI_OK(mp_add(&k, &t, &t));     /* t = k+q*fuzz */
+    /* length of t is now fixed, bits in k have been blinded */
+    CHECK_MPI_OK(mp_exptmod(&g, &t, &p, &r)); /* r = g**t mod p */
+    /* r is now g**(k+q*fuzz) == g**k mod p */
+    CHECK_MPI_OK(mp_mod(&r, &q, &r)); /* r = r mod q    */
+
     /*
     ** FIPS 186-1, Section 5, Step 2
     **
@@ -411,15 +427,24 @@ dsa_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest,
     /* Using mp_invmod on k directly would leak bits from k. */
     CHECK_MPI_OK(mp_mul(&k, &ar, &k));       /* k = k * ar */
     CHECK_MPI_OK(mp_mulmod(&k, &t, &q, &k)); /* k = k * t mod q */
-    CHECK_MPI_OK(mp_invmod(&k, &q, &k));     /* k = k**-1 mod q */
+    /* k is now k*t*ar */
+    CHECK_MPI_OK(mp_invmod(&k, &q, &k)); /* k = k**-1 mod q */
+    /* k is now (k*t*ar)**-1 */
     CHECK_MPI_OK(mp_mulmod(&k, &t, &q, &k)); /* k = k * t mod q */
-    SECITEM_TO_MPINT(localDigest, &s);       /* s = HASH(M)     */
+    /* k is now (k*ar)**-1 */
+    SECITEM_TO_MPINT(localDigest, &s); /* s = HASH(M)     */
     /* To avoid leaking secret bits here the addition is blinded. */
-    CHECK_MPI_OK(mp_mul(&x, &ar, &x));        /* x = x * ar */
-    CHECK_MPI_OK(mp_mulmod(&x, &r, &q, &x));  /* x = x * r mod q */
+    CHECK_MPI_OK(mp_mul(&x, &ar, &x)); /* x = x * ar */
+    /* x is now x*ar */
+    CHECK_MPI_OK(mp_mulmod(&x, &r, &q, &x)); /* x = x * r mod q */
+    /* x is now x*r*ar */
     CHECK_MPI_OK(mp_mulmod(&s, &ar, &q, &t)); /* t = s * ar mod q */
-    CHECK_MPI_OK(mp_add(&t, &x, &s));         /* s = t + x */
-    CHECK_MPI_OK(mp_mulmod(&s, &k, &q, &s));  /* s = s * k mod q */
+    /* t is now hash(M)*ar */
+    CHECK_MPI_OK(mp_add(&t, &x, &s)); /* s = t + x */
+    /* s is now (HASH(M)+x*r)*ar */
+    CHECK_MPI_OK(mp_mulmod(&s, &k, &q, &s)); /* s = s * k mod q */
+    /* s is now (HASH(M)+x*r)*ar*(k*ar)**-1 = (k**-1)*(HASH(M)+x*r) */
+
     /*
     ** verify r != 0 and s != 0
     ** mentioned as optional in FIPS 186-1.