summaryrefslogtreecommitdiffstats
path: root/netwerk/protocol/http
Commit message (Collapse)AuthorAgeLines
* Merge pull request #791 from g4jc/session_supercookieMoonchild2018-09-27-57/+194
|\ | | | | Issue #792 - backport mozbug 1334776 - CVE-2017-7797 Header name interning leaks across origins
| * backport mozbug 1334776 - CVE-2017-7797 Header name interning leaks across ↵Gaming4JC2018-09-25-57/+194
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | origins Potential attack: session supercookie. [Moz Notes](https://bugzilla.mozilla.org/show_bug.cgi?id=1334776#c5): "The problem is that for unknown header names we store the first one we see and then later we case-insensitively match against that name *globally*. That means you can track if a user agent has already seen a certain header name used (by using a different casing and observing whether it gets normalized). This would allow you to see if a user has used a sensitive service that uses custom header names, or allows you to track a user across sites, by teaching the browser about a certain header case once and then observing if different casings get normalized to that. What we should do instead is only store the casing for a header name for each header list and not globally. That way it only leaks where it's expected (and necessary) to leak." [Moz fix note](https://bugzilla.mozilla.org/show_bug.cgi?id=1334776#c8): "nsHttpAtom now holds the old nsHttpAtom and a string that is case sensitive (only for not standard headers). So nsHttpAtom holds a pointer to a header name. (header names are store on a static structure). This is how it used to be. I left that part the same but added a nsCString which holds a string that was used to resoled the header name. So when we parse headers we call ResolveHeader with a char*. If it is a new header name the char* will be stored in a HttpHeapAtom, nsHttpAtom::_val will point to HttpHeapAtom::value and the same strings will be stored in mLocalCaseSensitiveHeader. For the first resolve request they will be the same but for the following maybe not. At the end this nsHttpAtom will be stored in nsHttpHeaderArray. For all operation we will used the old char* except when we are returning it to a script using VisitHeaders."
* | backport mozbug 1444532 - fix a leak in SHA256 in nsHttpConnectionInfo.cpp ↵Gaming4JC2018-09-26-14/+8
|/ | | | | | | | r=mayhemer The original code (from bug 1200802) declared an XPCOM object as a static bare pointer, which for future reference is probably never the right thing to do. It might have worked if it was cleared before shutdown but it never was.
* Add a null check in nsHttpTransaction::Close.wolfbeast2018-09-19-1/+3
| | | | This resolves #776.
* Remove all C++ Telemetry Accumulation calls.wolfbeast2018-09-03-342/+3
| | | | | This creates a number of stubs and leaves some surrounding code that may be irrelevant (eg. recorded time stamps, status variables). Stub resolution/removal should be a follow-up to this.
* Refresh nsStringBundleService and nsHttpHandler when the browser locale is ↵JustOff2018-08-25-15/+25
| | | | changed
* Issue #686: Un-deprecate the Application Cache APISpockMan022018-08-05-25/+0
|
* Fixed misleading console error message for multiple CORS headersjanekptacijarabaci2018-07-31-1/+1
|
* Remove SSL Error Reporting telemetrywolfbeast2018-06-29-55/+0
|
* Build - throws a warning: 'rv': unreferenced local variablejanekptacijarabaci2018-05-31-1/+0
| | | | PR #412
* Remove support and tests for HSTS priming from the tree. Fixes #384Gaming4JC2018-05-26-607/+4
|
* Revert incorrect UAO optimization that broke SSUAOJustOff2018-05-15-67/+4
|
* Remove MOZ_WIDGET_GONK [2/2]wolfbeast2018-05-13-79/+0
| | | | Tag #288
* moebius#158: The Performance Resource Timing (added support for "workerStart")janekptacijarabaci2018-04-29-26/+374
| | | | https://github.com/MoonchildProductions/moebius/pull/158
* Fix GCC -Wreorder warnings.trav902018-04-15-1/+1
|
* Bug 1431095 - Change Content-Type-Options: nosniff allowed script MIME types ↵janekptacijarabaci2018-04-03-1/+1
| | | | to match the spec
* Bug 1440775 - Make fetch API force-cache and only-if-cached use ↵Ben Kelly2018-03-14-4/+4
| | | | | | | | | | VALIDATE_NEVER instead of LOAD_FROM_CACHE. r=mayhemer, a=RyanVM --HG-- extra : source : 60fb09de57ec145923da102f856399d3323f632b extra : amend_source : b42db87defcc5615773cfa4659af9ff5b9cd4b72 extra : intermediate-source : 599641c7992def734cb352d9413aa51bf0e9793f extra : histedit_source : 1d42c837225bdf000d3a68bef46a862be87d4044
* Bug 1334465 - Set mIPCClosed to true before calling SendDeleteSelf in order ↵Valentin Gosu2018-03-14-1/+1
| | | | | | | | | | | | | | | | | | to avoid race. r=bagder, a=ritu In the previous code, a race condition could cause us to call SendSetPriority() after calling SendDeleteSelf. For example: T1: SendDeleteSelf() T2: if (!mIPCClosed) SendSetPriority() T1: mIPCClosed = true MozReview-Commit-ID: 3XOwCaphb2o --HG-- extra : rebase_source : d6e6886402d1e0b0afed23c25a9fb18d8ca29ad6 extra : intermediate-source : cfc9afe916091e6449f7d748991e2a19187dc817 extra : source : 4ebdab0e332892378558817e30d0138c95199ce5
* Bug 1334465 - Make HttpChannelParent::mIPCClosed atomic. r=bagder, a=rituValentin Gosu2018-03-14-1/+1
| | | | | | | | | MozReview-Commit-ID: 6irCJMAjzjW --HG-- extra : rebase_source : 2357ab0b9d1d693dac9e5f4f16f34f370c6591b5 extra : intermediate-source : 48b9f6671588c3c2b8d3b4ea6ba1267f5e297f83 extra : source : bd315ae86709c3459a3dbf0778022ff3b1908723
* Bug 1416529. r=mcmanus, a=rituNicholas Hurley2018-03-14-9/+24
| | | | | | | MozReview-Commit-ID: CD1l5vLB4yy --HG-- extra : rebase_source : d74f8ca96dab4e0d25d79948fcddbf8dab98bb36
* DevTools - network - implement the secureConnectionStart property for the ↵janekptacijarabaci2018-03-01-3/+123
| | | | | | | PerformanceTiming https://github.com/MoonchildProductions/moebius/pull/116 ("/testing" and "/toolkit" in in the previous commit)
* Merge branch 'security_tls_1-3_1' into TLS-1.3wolfbeast2018-02-23-86/+377
|\
| * Style clean upjanekptacijarabaci2018-02-11-1/+0
| |
| * Bug 1328955 - When a client tries TLS1.3 with EarlyData and a server falls ↵janekptacijarabaci2018-02-11-3/+8
| | | | | | | | back to tls1.2,we should reconnect using tls1.3 without EarlyData
| * Bug 1351392 - Fix transport status events for http2 and ftpjanekptacijarabaci2018-02-11-0/+2
| |
| * Bug 1344890 - h2 tls 1.3 early data problem with https://echo.filippo.io/foojanekptacijarabaci2018-02-11-0/+5
| |
| * Bug 1322373 - TLS 1.3 early-data for http/2janekptacijarabaci2018-02-11-82/+342
| |
| * Bug 1345240 - h2 stalls on failed early data hard reloadjanekptacijarabaci2018-02-11-0/+6
| |
| * Bug 1343600 - Add TLS handshake Start/Stop eventsjanekptacijarabaci2018-02-11-1/+15
| |
| * Bug 1340164 - Fix socket transport status eventsjanekptacijarabaci2018-02-11-0/+49
| |
* | Merge branch '_native_52ESR_http_events_1' into TLS-1.3wolfbeast2018-02-23-0/+49
|\ \
| * | Fix socket transport status eventsjanekptacijarabaci2018-02-04-0/+49
| | | | | | | | | | | | | | | | | | Bug(s): https://bugzilla.mozilla.org/show_bug.cgi?id=1340164 (native in moebius)
* | | Identify as Goanna + set Goanna platform version.wolfbeast2018-02-21-1/+1
| | |
* | | Read Firefox UA compatmode from a pref instead of hard-coded.wolfbeast2018-02-21-7/+24
| | | | | | | | | | | | In case of a missing pref, a hard-coded value is still used from the ctor.
* | | Update UA construction.wolfbeast2018-02-21-10/+56
| | |
* | | Two (and more) extensions together - http resume - basilisk crashesjanekptacijarabaci2018-02-18-1/+23
| |/ |/|
* | Limit displayed user/host strings to sane lengths.wolfbeast2018-02-07-0/+30
|/
* Add m-esr52 at 52.6.0Matt A. Tobin2018-02-02-0/+67920