import changes from tenfourfox:

- moar adblock (9f41a2b39) - #614: M1642792 M1650811 M1634872 (9e33379e7) - #614: update TLDs, HSTS (fee8edf77)
2026-05-26 06:25:03 +00:00 · 2020-08-01 08:06:19 +08:00
parent 3df190c042
commit d93177ee98
8 changed files with 3600 additions and 3443 deletions
@@ -875,6 +875,7 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
                
                BLOK("ads.rubiconproject.com") ||
                BLOK("fastlane.rubiconproject.com") ||
+                BLOK("optimized-by.rubiconproject.com") ||
                
                BLOK("cdn.engine.4dsply.com") ||
                
@@ -1234,6 +1235,13 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,

                BLOK("lockerdome.com") ||

+                BLOK("get.s-onetag.com") ||
+                BLOK("beacon.s-onetag.com") ||
+
+                BLOK("cdn.boomtrain.com") ||
+
+                BLOK("w.usabilla.com") ||
+
 #include "shavar-blocklist.h"

                    0) {
@@ -1040,14 +1040,16 @@ private:
    rv = NS_GetFinalChannelURI(channel, getter_AddRefs(finalURI));
    NS_ENSURE_SUCCESS(rv, rv);

-    nsCString filename;
-    rv = finalURI->GetSpec(filename);
-    NS_ENSURE_SUCCESS(rv, rv);
+    if (principal->Subsumes(channelPrincipal)) {
+      nsCString filename;
+      rv = finalURI->GetSpec(filename);
+      NS_ENSURE_SUCCESS(rv, rv);

-    if (!filename.IsEmpty()) {
-      // This will help callers figure out what their script url resolved to in
-      // case of errors.
-      aLoadInfo.mURL.Assign(NS_ConvertUTF8toUTF16(filename));
+      if (!filename.IsEmpty()) {
+        // This will help callers figure out what their script url resolved to in
+        // case of errors.
+        aLoadInfo.mURL.Assign(NS_ConvertUTF8toUTF16(filename));
+      }
    }

    // Update the principal of the worker and its base URI if we just loaded the
@@ -258,7 +258,7 @@ tas.gov.au
 vic.gov.au
 wa.gov.au
 // 4LDs
-education.tas.edu.au
+// education.tas.edu.au - Removed at the request of the Department of Education Tasmania
 schools.nsw.edu.au

 // aw : https://en.wikipedia.org/wiki/.aw
@@ -456,6 +456,7 @@ aju.br
 am.br
 anani.br
 aparecida.br
+app.br
 arq.br
 art.br
 ato.br
@@ -463,6 +464,7 @@ b.br
 barueri.br
 belem.br
 bhz.br
+bib.br
 bio.br
 blog.br
 bmd.br
@@ -477,14 +479,19 @@ cnt.br
 com.br
 contagem.br
 coop.br
+coz.br
 cri.br
 cuiaba.br
 curitiba.br
 def.br
+des.br
+det.br
+dev.br
 ecn.br
 eco.br
 edu.br
 emp.br
+enf.br
 eng.br
 esp.br
 etc.br
@@ -500,6 +507,7 @@ fot.br
 foz.br
 fst.br
 g12.br
+geo.br
 ggf.br
 goiania.br
 gov.br
@@ -543,6 +551,7 @@ jor.br
 jus.br
 leg.br
 lel.br
+log.br
 londrina.br
 macapa.br
 maceio.br
@@ -575,6 +584,7 @@ qsl.br
 radio.br
 rec.br
 recife.br
+rep.br
 ribeirao.br
 rio.br
 riobranco.br
@@ -585,6 +595,7 @@ santamaria.br
 santoandre.br
 saobernardo.br
 saogonca.br
+seg.br
 sjc.br
 slg.br
 slz.br
@@ -592,6 +603,7 @@ sorocaba.br
 srv.br
 taxi.br
 tc.br
+tec.br
 teo.br
 the.br
 tmp.br
@@ -7091,7 +7103,7 @@ org.zw

 // newGTLDs

-// List of new gTLDs imported from https://www.icann.org/resources/registries/gtlds/v2/gtlds.json on 2020-06-11T16:44:38Z
+// List of new gTLDs imported from https://www.icann.org/resources/registries/gtlds/v2/gtlds.json on 2020-07-18T17:05:44Z
 // This list is auto-generated, don't edit it manually.
 // aaa : 2015-02-26 American Automobile Association, Inc.
 aaa
@@ -7174,9 +7186,6 @@ agency
 // aig : 2014-12-18 American International Group, Inc.
 aig

-// aigo : 2015-08-06 aigo Digital Technology Co,Ltd.
-aigo
-
 // airbus : 2015-07-30 Airbus S.A.S.
 airbus

@@ -7300,7 +7309,7 @@ audi
 // audible : 2015-06-25 Amazon Registry Services, Inc.
 audible

-// audio : 2014-03-20 Uniregistry, Corp.
+// audio : 2014-03-20 UNR Corp.
 audio

 // auspost : 2015-08-13 Australian Postal Corporation
@@ -7438,7 +7447,7 @@ bio
 // black : 2014-01-16 Afilias Limited
 black

-// blackfriday : 2014-01-16 Uniregistry, Corp.
+// blackfriday : 2014-01-16 UNR Corp.
 blackfriday

 // blockbuster : 2015-07-30 Dish DBS Corporation
@@ -7678,7 +7687,7 @@ cheap
 // chintai : 2015-06-11 CHINTAI Corporation
 chintai

-// christmas : 2013-11-21 Uniregistry, Corp.
+// christmas : 2013-11-21 UNR Corp.
 christmas

 // chrome : 2014-07-24 Charleston Road Registry Inc.
@@ -7717,7 +7726,7 @@ claims
 // cleaning : 2013-12-05 Binky Moon, LLC
 cleaning

-// click : 2014-06-05 Uniregistry, Corp.
+// click : 2014-06-05 UNR Corp.
 click

 // clinic : 2014-03-20 Binky Moon, LLC
@@ -7930,7 +7939,7 @@ dhl
 // diamonds : 2013-09-22 Binky Moon, LLC
 diamonds

-// diet : 2014-06-26 Uniregistry, Corp.
+// diet : 2014-06-26 UNR Corp.
 diet

 // digital : 2014-03-06 Binky Moon, LLC
@@ -8179,7 +8188,7 @@ flir
 // florist : 2013-11-07 Binky Moon, LLC
 florist

-// flowers : 2014-10-09 Uniregistry, Corp.
+// flowers : 2014-10-09 UNR Corp.
 flowers

 // fly : 2014-05-08 Charleston Road Registry Inc.
@@ -8269,7 +8278,7 @@ gallo
 // gallup : 2015-02-19 Gallup, Inc.
 gallup

-// game : 2015-05-28 Uniregistry, Corp.
+// game : 2015-05-28 UNR Corp.
 game

 // games : 2015-05-28 Dog Beach, LLC
@@ -8407,7 +8416,7 @@ guge
 // guide : 2013-09-13 Binky Moon, LLC
 guide

-// guitars : 2013-11-14 Uniregistry, Corp.
+// guitars : 2013-11-14 UNR Corp.
 guitars

 // guru : 2013-08-27 Binky Moon, LLC
@@ -8440,7 +8449,7 @@ health
 // healthcare : 2014-06-12 Binky Moon, LLC
 healthcare

-// help : 2014-06-26 Uniregistry, Corp.
+// help : 2014-06-26 UNR Corp.
 help

 // helsinki : 2015-02-05 City of Helsinki
@@ -8455,7 +8464,7 @@ hermes
 // hgtv : 2015-07-02 Lifestyle Domain Holdings, Inc.
 hgtv

-// hiphop : 2014-03-06 Uniregistry, Corp.
+// hiphop : 2014-03-06 UNR Corp.
 hiphop

 // hisamitsu : 2015-07-16 Hisamitsu Pharmaceutical Co.,Inc.
@@ -8464,7 +8473,7 @@ hisamitsu
 // hitachi : 2014-10-31 Hitachi, Ltd.
 hitachi

-// hiv : 2014-03-13 Uniregistry, Corp.
+// hiv : 2014-03-13 UNR Corp.
 hiv

 // hkt : 2015-05-14 PCCW-HKT DataCom Services Limited
@@ -8503,7 +8512,7 @@ hospital
 // host : 2014-04-17 DotHost Inc.
 host

-// hosting : 2014-05-29 Uniregistry, Corp.
+// hosting : 2014-05-29 UNR Corp.
 hosting

 // hot : 2015-08-27 Amazon Registry Services, Inc.
@@ -8677,7 +8686,7 @@ jpmorgan
 // jprs : 2014-09-18 Japan Registry Services Co., Ltd.
 jprs

-// juegos : 2014-03-20 Uniregistry, Corp.
+// juegos : 2014-03-20 UNR Corp.
 juegos

 // juniper : 2015-07-30 JUNIPER NETWORKS, INC.
@@ -8845,7 +8854,7 @@ lincoln
 // linde : 2014-12-04 Linde Aktiengesellschaft
 linde

-// link : 2013-11-14 Uniregistry, Corp.
+// link : 2013-11-14 UNR Corp.
 link

 // lipsy : 2015-06-25 Lipsy Ltd
@@ -8863,7 +8872,7 @@ lixil
 // llc : 2017-12-14 Afilias Limited
 llc

-// llp : 2019-08-26 Uniregistry, Corp.
+// llp : 2019-08-26 UNR Corp.
 llp

 // loan : 2014-11-20 dot Loan Limited
@@ -8881,7 +8890,7 @@ locus
 // loft : 2015-07-30 Annco, Inc.
 loft

-// lol : 2015-01-30 Uniregistry, Corp.
+// lol : 2015-01-30 UNR Corp.
 lol

 // london : 2013-11-14 Dot London Domains Limited
@@ -9043,7 +9052,7 @@ moe
 // moi : 2014-12-18 Amazon Registry Services, Inc.
 moi

-// mom : 2015-04-16 Uniregistry, Corp.
+// mom : 2015-04-16 UNR Corp.
 mom

 // monash : 2013-09-30 Monash University
@@ -9118,7 +9127,7 @@ netflix
 // network : 2013-11-14 Binky Moon, LLC
 network

-// neustar : 2013-12-05 Registry Services, LLC
+// neustar : 2013-12-05 NeuStar, Inc.
 neustar

 // new : 2014-01-30 Charleston Road Registry Inc.
@@ -9319,7 +9328,7 @@ philips
 // phone : 2016-06-02 Dish DBS Corporation
 phone

-// photo : 2013-11-14 Uniregistry, Corp.
+// photo : 2013-11-14 UNR Corp.
 photo

 // photography : 2013-09-20 Binky Moon, LLC
@@ -9331,7 +9340,7 @@ photos
 // physio : 2014-05-01 PhysBiz Pty Ltd
 physio

-// pics : 2013-11-14 Uniregistry, Corp.
+// pics : 2013-11-14 UNR Corp.
 pics

 // pictet : 2014-06-26 Pictet Europe S.A.
@@ -9418,7 +9427,7 @@ promo
 // properties : 2013-12-05 Binky Moon, LLC
 properties

-// property : 2014-05-22 Uniregistry, Corp.
+// property : 2014-05-22 UNR Corp.
 property

 // protection : 2015-04-23 XYZ.COM LLC
@@ -9709,7 +9718,7 @@ sew
 // sex : 2014-11-13 ICM Registry SX LLC
 sex

-// sexy : 2013-09-11 Uniregistry, Corp.
+// sexy : 2013-09-11 UNR Corp.
 sexy

 // sfr : 2015-08-13 Societe Francaise du Radiotelephone - SFR
@@ -9913,9 +9922,6 @@ swiss
 // sydney : 2014-09-18 State of New South Wales, Department of Premier and Cabinet
 sydney

-// symantec : 2014-12-04 Symantec Corporation
-symantec
-
 // systems : 2013-11-07 Binky Moon, LLC
 systems

@@ -9940,7 +9946,7 @@ tatamotors
 // tatar : 2014-04-24 Limited Liability Company "Coordination Center of Regional Domain of Tatarstan Republic"
 tatar

-// tattoo : 2013-08-30 Uniregistry, Corp.
+// tattoo : 2013-08-30 UNR Corp.
 tattoo

 // tax : 2014-03-20 Binky Moon, LLC
@@ -10483,9 +10489,6 @@ xin
 // xn--kcrx77d1x4a : 2014-11-07 Koninklijke Philips N.V.
 飞利浦

-// xn--kpu716f : 2014-12-22 Richemont DNS Inc.
-手表
-
 // xn--kput3i : 2014-02-13 Beijing RITT-Net Technology Development Co., Ltd
 手机

@@ -10540,9 +10543,6 @@ xin
 // xn--p1acf : 2013-12-12 Rusnames Limited
 рус

-// xn--pbt977c : 2014-12-22 Richemont DNS Inc.
-珠宝
-
 // xn--pssy2u : 2015-01-15 VeriSign Sarl
 大拿

@@ -12113,12 +12113,23 @@ iserv.dev
 iobb.net

 //Jelastic, Inc. : https://jelastic.com/
-// Submitetd by Ihor Kolodyuk <ik@jelastic.com>
+// Submited by Ihor Kolodyuk <ik@jelastic.com>
+jele.cloud
+jele.club
+dopaas.com
 hidora.com
+jcloud.ik-server.com
 demo.jelastic.com
 j.scaleforce.com.cy
+jele.host
 mircloud.host
+jele.io
+cloudjiffy.net
 jls-sto1.elastx.net
+jelastic.saveincloud.net
+jelastic.regruhosting.ru
+jele.site
+jelastic.team
 j.layershift.co.uk

 // Jino : https://www.jino.ru
@@ -12306,6 +12317,10 @@ azurewebsites.net
 azure-mobile.net
 cloudapp.net

+// minion.systems : http://minion.systems
+// Submitted by Robert Böttinger <r@minion.systems>
+csx.cc
+
 // Mozilla Corporation : https://mozilla.com
 // Submitted by Ben Francis <bfrancis@mozilla.com>
 mozilla-iot.org
@@ -12572,6 +12587,10 @@ cloudycluster.net
 // Submitted by Eddie Jones <eddie@onefoldmedia.com>
 nid.io

+// Open Social : https://www.getopensocial.com/
+// Submitted by Alexander Varwijk <security@getopensocial.com>
+opensocial.site
+
 // OpenCraft GmbH : http://opencraft.com/
 // Submitted by Sven Marnach <sven@opencraft.com>
 opencraft.hosting
@@ -12644,7 +12663,10 @@ on-web.fr

 // Platform.sh : https://platform.sh
 // Submitted by Nikola Kotur <nikola@platform.sh>
-*.platform.sh
+bc.platform.sh
+ent.platform.sh
+eu.platform.sh
+us.platform.sh
 *.platformsh.site

 // Platter: https://platter.dev
@@ -13158,6 +13180,10 @@ wedeploy.sh
 // Submitted by Jung Jin <jungseok.jin@wdc.com>
 remotewd.com

+// WIARD Enterprises : https://wiardweb.com
+// Submitted by Kidd Hustle <kiddhustle@wiardweb.com>
+pages.wiardweb.com
+
 // Wikimedia Labs : https://wikitech.wikimedia.org
 // Submitted by Arturo Borrero Gonzalez <aborrero@wikimedia.org>
 wmflabs.org
@@ -13177,6 +13203,10 @@ diskussionsbereich.de
 community-pro.net
 meinforum.net

+// www.com.vc : http://www.com.vc
+// Submitted by Li Hui <lihui@sinopub.com>
+cn.vu
+
 // XenonCloud GbR: https://xenoncloud.net
 // Submitted by Julian Uphoff <publicsuffixlist@xenoncloud.net>
 half.host
@@ -13241,4 +13271,8 @@ enterprisecloud.nu
 // Submitted by Ben Aubin <security@mintere.com>
 mintere.site

+// WP Engine : https://wpengine.com/
+// Submitted by Michael Smith <michael.smith@wpengine.com>
+wpenginepowered.com
+
 // ===END PRIVATE DOMAINS===
@@ -2517,6 +2517,27 @@ sctp_handle_cookie_echo(struct mbuf *m, int iphlen, int offset,
 		/* cookie too small */
 		return (NULL);
 	}
+#if defined(__Userspace__)
+	/*
+	 * Recover the AF_CONN addresses within the cookie.
+	 * This needs to be done in the buffer provided for later processing
+	 * of the cookie and in the mbuf chain for HMAC validation.
+	 */
+	if ((cookie->addr_type == SCTP_CONN_ADDRESS) && (src->sa_family == AF_CONN)) {
+		struct sockaddr_conn *sconnp = (struct sockaddr_conn *)src;
+
+		memcpy(cookie->address, &sconnp->sconn_addr , sizeof(void *));
+		m_copyback(m, cookie_offset + offsetof(struct sctp_state_cookie, address),
+		           (int)sizeof(void *), (caddr_t)&sconnp->sconn_addr);
+	}
+	if ((cookie->laddr_type == SCTP_CONN_ADDRESS) && (dst->sa_family == AF_CONN)) {
+		struct sockaddr_conn *sconnp = (struct sockaddr_conn *)dst;
+
+		memcpy(cookie->laddress, &sconnp->sconn_addr , sizeof(void *));
+		m_copyback(m, cookie_offset + offsetof(struct sctp_state_cookie, laddress),
+		           (int)sizeof(void *), (caddr_t)&sconnp->sconn_addr);
+	}
+#endif
 	/*
 	 * split off the signature into its own mbuf (since it should not be
 	 * calculated in the sctp_hmac_m() call).
@@ -6492,6 +6492,27 @@ sctp_send_initiate_ack(struct sctp_inpcb *inp, struct sctp_tcb *stcb,
 			  (uint8_t *)inp->sctp_ep.secret_key[(int)(inp->sctp_ep.current_secret_number)],
 			  SCTP_SECRET_SIZE, m_cookie, sizeof(struct sctp_paramhdr),
 			  (uint8_t *)signature, SCTP_SIGNATURE_SIZE);
+#if defined(__Userspace__)
+	/*
+	 * Don't put AF_CONN addresses on the wire, in case this is critical
+	 * for the application. However, they are protected by the HMAC and
+	 * need to be reconstructed before checking the HMAC.
+	 * Clearing is only done in the mbuf chain, since the local stc is
+	 * not used anymore.
+	 */
+	if (stc.addr_type == SCTP_CONN_ADDRESS) {
+		const void *p = NULL;
+
+		m_copyback(m_cookie, sizeof(struct sctp_paramhdr) + offsetof(struct sctp_state_cookie, address),
+		           (int)sizeof(void *), (caddr_t)&p);
+	}
+	if (stc.laddr_type == SCTP_CONN_ADDRESS) {
+		const void *p = NULL;
+
+		m_copyback(m_cookie, sizeof(struct sctp_paramhdr) + offsetof(struct sctp_state_cookie, laddress),
+		           (int)sizeof(void *), (caddr_t)&p);
+	}
+#endif
 	/*
 	 * We sifa 0 here to NOT set IP_DF if its IPv4, we ignore the return
 	 * here since the timer will drive a retranmission.
@@ -1149,4 +1149,4 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {

 static const int32_t kUnknownId = -1;

-static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1600956497108000);
+static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1603721907070000);
@@ -101,35 +101,55 @@ EncodeInputStream_Encoder(nsIInputStream* aStream,
                          uint32_t aCount,
                          uint32_t* aWriteCount)
 {
-  NS_ASSERTION(aCount > 0, "Er, what?");
+  MOZ_ASSERT(aCount > 0, "Er, what?");

  EncodeInputStream_State<T>* state =
    static_cast<EncodeInputStream_State<T>*>(aClosure);

+  // We consume the whole data always.
+  *aWriteCount = aCount;
+
  // If we have any data left from last time, encode it now.
  uint32_t countRemaining = aCount;
  const unsigned char* src = (const unsigned char*)aFromSegment;
  if (state->charsOnStack) {
+    MOZ_ASSERT(state->charsOnStack == 1 || state->charsOnStack == 2);
+
+    // Not enough data to compose a triple.
+    if (state->charsOnStack == 1 && countRemaining == 1) {
+      state->charsOnStack = 2;
+      state->c[1] = src[0];
+      return NS_OK;
+    }
+
+    uint32_t consumed = 0;
    unsigned char firstSet[4];
    if (state->charsOnStack == 1) {
      firstSet[0] = state->c[0];
      firstSet[1] = src[0];
-      firstSet[2] = (countRemaining > 1) ? src[1] : '\0';
+      firstSet[2] = src[1];
      firstSet[3] = '\0';
+      consumed = 2;
    } else /* state->charsOnStack == 2 */ {
      firstSet[0] = state->c[0];
      firstSet[1] = state->c[1];
      firstSet[2] = src[0];
      firstSet[3] = '\0';
+      consumed = 1;
    }
    Encode(firstSet, 3, state->buffer);
    state->buffer += 4;
-    countRemaining -= (3 - state->charsOnStack);
-    src += (3 - state->charsOnStack);
+    countRemaining -= consumed;
+    src += consumed;
    state->charsOnStack = 0;
+
+    // Nothing is left.
+    if (!countRemaining) {
+      return NS_OK;
+    }
  }

-  // Encode the bulk of the
+  // Encode as many full triplets as possible.
  uint32_t encodeLength = countRemaining - countRemaining % 3;
  MOZ_ASSERT(encodeLength % 3 == 0,
             "Should have an exact number of triplets!");
@@ -138,9 +158,6 @@ EncodeInputStream_Encoder(nsIInputStream* aStream,
  src += encodeLength;
  countRemaining -= encodeLength;

-  // We must consume all data, so if there's some data left stash it
-  *aWriteCount = aCount;
-
  if (countRemaining) {
    // We should never have a full triplet left at this point.
    MOZ_ASSERT(countRemaining < 3, "We should have encoded more!");