Bug 1323538 - use conservative TLS settings for XHR in chrome code f?ehsan
With the recent introduction of TLS 1.3, there's evidence of updates not working
due to middleboxes that haven't caught up. Since there are many places in
the tree that use XHR from chrome code for updates, using the "conservative"
setting in TLS for chrome XHR seems appropriate.
Note that content still gets bleeding-edge TLS changes; this is mostly a
hedge against updates and other internal Firefox features being broken.
MozReview-Commit-ID: Gy1MxhfsfdW
--- a/dom/xhr/XMLHttpRequestMainThread.cpp
+++ b/dom/xhr/XMLHttpRequestMainThread.cpp
@@ -2531,16 +2531,24 @@ XMLHttpRequestMainThread::CreateChannel(
rv = httpChannel->SetRequestMethod(mRequestMethod);
NS_ENSURE_SUCCESS(rv, rv);
// Set the initiator type
nsCOMPtr<nsITimedChannel> timedChannel(do_QueryInterface(httpChannel));
if (timedChannel) {
timedChannel->SetInitiatorType(NS_LITERAL_STRING("xmlhttprequest"));
}
+
+ // Disable cutting edge features in chrome requests, like TLS 1.3,
+ // where middleboxes might brick us.
+ // Allow these features in content requests.
+ nsCOMPtr<nsIHttpChannelInternal> httpInternal = do_QueryInterface(httpChannel);
+ if (httpInternal) {
+ httpInternal->SetBeConservative(nsContentUtils::IsSystemPrincipal(mPrincipal));
+ }
}
// Using the provided principal as the triggeringPrincipal is fine, since we
// want to be able to access any of the origins that the principal has access
// to during the security checks, but we don't want a document to inherit an
// expanded principal, so in that case we need to select the principal in the
// expanded principal's whitelist that can load our URL as principalToInherit.
nsCOMPtr<nsIPrincipal> resultingDocumentPrincipal(mPrincipal);
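Review bot: The result of `httpInternal->SetBeConservative(...)` is discarded, unlike the `SetRequestMethod` call at the top of the hunk, which is checked with `NS_ENSURE_SUCCESS`. If the QueryInterface or the setter fails, a system-principal request silently stays on the non-conservative path. `rv` is already in scope, so `rv = httpInternal->SetBeConservative(nsContentUtils::IsSystemPrincipal(mPrincipal));` followed by `NS_WARNING_ASSERTION(NS_SUCCEEDED(rv), "SetBeConservative failed");` would surface that without failing the request. The comment should also record that this deliberately lowers the TLS ceiling for the browser's own traffic and is keyed on the system principal only, for example `// Compatibility trade-off (bug 1323538): system-principal XHR skips the newest TLS version; revisit once middleboxes cope.` CreateChannel starts and ends outside this hunk.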
--- a/dom/xhr/tests/mochitest.ini
+++ b/dom/xhr/tests/mochitest.ini
@@ -108,8 +108,9 @@ skip-if = (buildapp == 'b2g' && (toolkit
[test_XHR_timeout.html]
skip-if = buildapp == 'b2g' || (android_version == '18' && debug) # b2g(flaky on B2G, bug 960743) b2g-debug(flaky on B2G, bug 960743) b2g-desktop(flaky on B2G, bug 960743)
support-files = test_XHR_timeout.js
[test_xhr_withCredentials.html]
[test_XHRDocURI.html]
[test_XHRResponseURL.html]
[test_XHRSendData.html]
[test_sync_xhr_document_write_with_iframe.html]
+[test_xhr_conservative_tls.html]
new file mode 100644
--- /dev/null
+++ b/dom/xhr/tests/test_xhr_conservative_tls.html
@@ -0,0 +1,49 @@
+<!--
+ Any copyright is dedicated to the Public Domain.
+ http://creativecommons.org/publicdomain/zero/1.0/
+-->
+<!DOCTYPE HTML>
+<html>
+<!--
+Tests that chrome XHR uses conservative TLS (Bug 1323538 )
+-->
+<head>
+ <title>Tests that chrome XHR uses conservative TLS (Bug 1323538 )</title>
+ <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+ <script type="text/javascript" src="/tests/SimpleTest/SpawnTask.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1323538">chrome XHR uses conservative TLS (Bug 1323538)</a>
+<p id="display"></p>
+<div id="content" style="display: none">
+
+</div>
+<pre id="test">
+<script class="testbody" type="text/javascript">
+"use strict";
+
+const NORMAL_URL = "http://example.com/tests/dom/xhr/tests/test_xhr_conservative_tls.html";
+
+add_task(function* test_xhr_content() {
+ let xhr = new XMLHttpRequest();
+ xhr.open("GET", NORMAL_URL, true);
+
+ let channel = SpecialPowers.wrap(xhr).channel.QueryInterface(SpecialPowers.Ci.nsIHttpChannelInternal);
+ ok("beConservative" in channel, "conservative TLS settings are set in internal channel");
+ ok(!channel.beConservative, "conservative TLS settings are not used from content");
+});
+
+add_task(function* test_xhr_chrome() {
+ let xhr = SpecialPowers.Cc["@mozilla.org/xmlextras/xmlhttprequest;1"].createInstance()
+ xhr.open("GET", NORMAL_URL, true);
+
+ let channel = xhr.channel.QueryInterface(SpecialPowers.Ci.nsIHttpChannelInternal);
+ ok("beConservative" in channel, "conservative TLS settings are set in internal channel");
+ ok(channel.beConservative, "conservative TLS settings are used from chrome");
+});
+
+</script>
+</pre>
+</body>
+</html>
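Review bot: Both tasks only read `channel.beConservative` after `xhr.open()`, and `NORMAL_URL` is an `http://` address, so nothing here exercises a TLS handshake or shows that the negotiated version is actually capped for chrome requests. That may be all a mochitest can check, but the file should say so, for example with `// Only the channel flag is checked; no request is sent, so TLS negotiation itself is not exercised.` above `NORMAL_URL`. The `"beConservative" in channel` assertions would pass regardless of who created the XHR, so their message would read better as "beConservative is exposed on the internal channel". The `createInstance()` line in `test_xhr_chrome` is also missing its terminating semicolon.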