Bug 1190623 - Adding a pref to consider object sub requests as active
MozReview-Commit-ID: Br2F89IfWng
--- a/dom/security/nsMixedContentBlocker.cpp
+++ b/dom/security/nsMixedContentBlocker.cpp
@@ -48,16 +48,18 @@ enum nsMixedContentBlockerMessageType {
eBlocked = 0x00,
eUserOverride = 0x01
};
// Is mixed script blocking (fonts, plugin content, scripts, stylesheets,
// iframes, websockets, XHR) enabled?
bool nsMixedContentBlocker::sBlockMixedScript = false;
+bool nsMixedContentBlocker::sBlockMixedObjectSubrequest = false;
+
// Is mixed display content blocking (images, audio, video, <a ping>) enabled?
bool nsMixedContentBlocker::sBlockMixedDisplay = false;
// Do we move HSTS before mixed-content
bool nsMixedContentBlocker::sUseHSTS = false;
// Do we send an HSTS priming request
bool nsMixedContentBlocker::sSendHSTSPriming = false;
// Default HSTS Priming failure timeout to 7 days, in seconds
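Review bot: The new sBlockMixedObjectSubrequest definition is placed directly under the comment that describes only mixed script blocking, so nothing in this file says what the flag controls, and the matching declaration added in the nsMixedContentBlocker.h hunk has the same gap. A one-line comment above the definition would fix both, e.g. `// Are sub-requests made by <object> content classified as mixed active (script) content instead of mixed display content?`, with the same line above the header declaration. The blank line added after the definition keeps the existing display-content comment attached to sBlockMixedDisplay, which is fine.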
@@ -251,16 +253,19 @@ private:
nsMixedContentBlocker::nsMixedContentBlocker()
{
// Cache the pref for mixed script blocking
Preferences::AddBoolVarCache(&sBlockMixedScript,
"security.mixed_content.block_active_content");
+ Preferences::AddBoolVarCache(&sBlockMixedObjectSubrequest,
+ "security.mixed_content.block_object_subrequest");
+
// Cache the pref for mixed display blocking
Preferences::AddBoolVarCache(&sBlockMixedDisplay,
"security.mixed_content.block_display_content");
// Cache the pref for HSTS
Preferences::AddBoolVarCache(&sUseHSTS,
"security.mixed_content.use_hsts");
@@ -585,18 +590,24 @@ nsMixedContentBlocker::ShouldLoad(bool a
case TYPE_SAVEAS_DOWNLOAD:
*aDecision = ACCEPT;
return NS_OK;
// Static display content is considered moderate risk for mixed content so
// these will be blocked according to the mixed display preference
case TYPE_IMAGE:
case TYPE_MEDIA:
+ classification = eMixedDisplay;
+ break;
case TYPE_OBJECT_SUBREQUEST:
- classification = eMixedDisplay;
+ if (sBlockMixedObjectSubrequest) {
+ classification = eMixedScript;
+ } else {
+ classification = eMixedDisplay;
+ }
break;
// Active content (or content with a low value/risk-of-blocking ratio)
// that has been explicitly evaluated; listed here for documentation
// purposes and to avoid the assertion and warning for the default case.
case TYPE_BEACON:
case TYPE_CSP_REPORT:
case TYPE_DTD:
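Review bot: The TYPE_OBJECT_SUBREQUEST case still sits under the comment stating that static display content is moderate risk and is blocked according to the mixed display preference, which is no longer accurate once sBlockMixedObjectSubrequest is set and the load is classified as eMixedScript. A short comment on the new branch should record the switch, e.g. `// Object sub-requests are treated as active (mixed script) content when security.mixed_content.block_object_subrequest is set, and as display content otherwise.` Whether an eMixedScript classification is then actually blocked presumably depends on sBlockMixedScript in code outside this hunk, so the comment should not claim the pref blocks on its own. ShouldLoad begins and ends outside the hunk.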
--- a/dom/security/nsMixedContentBlocker.h
+++ b/dom/security/nsMixedContentBlocker.h
@@ -95,16 +95,17 @@ public:
*/
static nsresult GetHSTSPrimingFromRequestingContext(nsIURI* aURI,
nsISupports* aRequestingContext,
bool* aSendPrimingRequest,
bool* aMixedContentWouldBlock);
static bool sBlockMixedScript;
+ static bool sBlockMixedObjectSubrequest;
static bool sBlockMixedDisplay;
// Do we move HSTS before mixed-content
static bool sUseHSTS;
// Do we send an HSTS priming request
static bool sSendHSTSPriming;
// Default HSTS Priming failure timeout in seconds
static uint32_t sHSTSPrimingCacheTimeout;
};
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -2526,16 +2526,23 @@ pref("security.csp.enableStrictDynamic",
// Default Content Security Policy to apply to signed contents.
pref("security.signed_content.CSP.default", "script-src 'self'; style-src 'self'");
// Mixed content blocking
pref("security.mixed_content.block_active_content", false);
pref("security.mixed_content.block_display_content", false);
+// Block sub requests that happen within an object
+#ifdef EARLY_BETA_OR_EARLIER
+pref("security.mixed_content.block_object_subrequest", true);
+#else
+pref("security.mixed_content.block_object_subrequest", false);
+#endif
+
// Sub-resource integrity
pref("security.sri.enable", true);
// Block scripts with wrong MIME type such as image/ or video/.
pref("security.block_script_with_wrong_mime", true);
// Block images of wrong MIME for XCTO: nosniff.
pref("security.xcto_nosniff_block_images", false);
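Review bot: The comment `// Block sub requests that happen within an object` overstates what the new pref does by itself: in nsMixedContentBlocker::ShouldLoad it only moves TYPE_OBJECT_SUBREQUEST from the mixed display classification to the mixed script one, so whether such loads are blocked presumably still follows security.mixed_content.block_active_content, which this file defaults to false a few lines above. Suggest `// Classify sub-requests made by <object> content as mixed active content (subject to block_active_content) instead of mixed display content.` The #ifdef EARLY_BETA_OR_EARLIER split means release builds keep the old display classification, which is worth stating in the comment so readers do not assume the stricter behaviour ships everywhere.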