summaryrefslogtreecommitdiffstats
path: root/dom/security
Commit message (Collapse)AuthorAgeLines
* Selectively allow ftp subresources in the blocked mode.wolfbeast2019-07-15-1/+21
| | | | | - Allow "Save As..." downloads - Allow subresource use if the top-level document is also on FTP
* Add preference to allow the loading of FTP subresources for corner caseswolfbeast2019-07-14-0/+3
|
* Prevent loading of document subresources over FTP.wolfbeast2019-03-09-0/+57
|
* Telemetry: Remove stubs and related codeadeshkp2019-01-12-17/+1
|
* backport mozbug 1334776 - CVE-2017-7797 Header name interning leaks across ↵Gaming4JC2018-09-25-1/+1
| | | | | | | | | | | | | | | origins Potential attack: session supercookie. [Moz Notes](https://bugzilla.mozilla.org/show_bug.cgi?id=1334776#c5): "The problem is that for unknown header names we store the first one we see and then later we case-insensitively match against that name *globally*. That means you can track if a user agent has already seen a certain header name used (by using a different casing and observing whether it gets normalized). This would allow you to see if a user has used a sensitive service that uses custom header names, or allows you to track a user across sites, by teaching the browser about a certain header case once and then observing if different casings get normalized to that. What we should do instead is only store the casing for a header name for each header list and not globally. That way it only leaks where it's expected (and necessary) to leak." [Moz fix note](https://bugzilla.mozilla.org/show_bug.cgi?id=1334776#c8): "nsHttpAtom now holds the old nsHttpAtom and a string that is case sensitive (only for not standard headers). So nsHttpAtom holds a pointer to a header name. (header names are store on a static structure). This is how it used to be. I left that part the same but added a nsCString which holds a string that was used to resoled the header name. So when we parse headers we call ResolveHeader with a char*. If it is a new header name the char* will be stored in a HttpHeapAtom, nsHttpAtom::_val will point to HttpHeapAtom::value and the same strings will be stored in mLocalCaseSensitiveHeader. For the first resolve request they will be the same but for the following maybe not. At the end this nsHttpAtom will be stored in nsHttpHeaderArray. For all operation we will used the old char* except when we are returning it to a script using VisitHeaders."
* Remove all C++ Telemetry Accumulation calls.wolfbeast2018-09-03-40/+1
| | | | | This creates a number of stubs and leaves some surrounding code that may be irrelevant (eg. recorded time stamps, status variables). Stub resolution/removal should be a follow-up to this.
* nsIContentPolicy::TYPE_DOCUMENT - Use "aLoadInfo->ContextForTopLevelLoad()" ↵janekptacijarabaci2018-07-05-1/+1
| | | | | | instead of "aLoadInfo->LoadingNode()" Issue #600
* Bug 1469150 - CSP: Scripts with valid nonce get blocked if URL redirects is ↵janekptacijarabaci2018-06-23-2/+2
| | | | fixed (follow up)
* Bug 1469150 - Tests added to check scripts with valid nonce is allowed if ↵janekptacijarabaci2018-06-23-0/+0
| | | | URL redirects (follow up)
* Bug 1469150 - CSP: Scripts with valid nonce get blocked if URL redirectsjanekptacijarabaci2018-06-21-1/+100
| | | | https://bugzilla.mozilla.org/show_bug.cgi?id=1469150
* Bug 1430758 - No CSP directive for nsIContentPolicy::TYPE_SAVEAS_DOWNLOADjanekptacijarabaci2018-06-17-0/+3
|
* Bug 1398229 - Save-link-as feature should use the loading principal - ↵janekptacijarabaci2018-06-17-0/+13
| | | | implementation of nsIContentPolicy.TYPE_SAVE_AS_DOWNLOAD
* Remove support and tests for HSTS priming from the tree. Fixes #384Gaming4JC2018-05-26-948/+8
|
* Remove MOZ_B2G leftovers and some dead B2G-only components.wolfbeast2018-05-12-9/+0
|
* Bug 1359204 - Do not query nested URI within CheckChannel in ↵janekptacijarabaci2018-04-30-7/+0
| | | | ContentSecurityManager
* Bug 1182569: Update ContentSecurityManager to handle docshell loadsjanekptacijarabaci2018-04-30-17/+64
|
* moebius#187: DOM - nsIContentPolicy - context (document)janekptacijarabaci2018-04-23-20/+43
| | | | https://github.com/MoonchildProductions/moebius/pull/187
* Revert "Bug 1182569: Update ContentSecurityManager to handle docshell loads"janekptacijarabaci2018-04-22-64/+17
| | | | This reverts commit 2e33335820b2816bee111e78588ac82e401c86ae.
* Bug 1182569: Update ContentSecurityManager to handle docshell loadsjanekptacijarabaci2018-04-22-17/+64
| | | | native in moebius
* Bug 1329288: Allow content policy consumers to identify contentPolicy checks ↵janekptacijarabaci2018-04-22-2/+3
| | | | from docshell
* Bug 1329288 - Test ContentPolicy blocks opening a new windowjanekptacijarabaci2018-04-22-0/+1
|
* moebius#230: Consider blocking top level window data: URIs (part 3/3 without ↵janekptacijarabaci2018-04-22-0/+49
| | | | | | tests) https://github.com/MoonchildProductions/moebius/pull/230
* moebius#226: Consider blocking top level window data: URIs (part 2/2 without ↵janekptacijarabaci2018-04-22-57/+149
| | | | | | tests) https://github.com/MoonchildProductions/moebius/pull/226
* moebius#223: Consider blocking top level window data: URIs (part 1/3 without ↵janekptacijarabaci2018-04-22-0/+476
| | | | | | tests) https://github.com/MoonchildProductions/moebius/pull/223
* moebius#159: CSP - support for "frame-ancestors" in ↵janekptacijarabaci2018-04-14-8/+74
| | | | | | "Content-Security-Policy-Report-Only" https://github.com/MoonchildProductions/moebius/pull/159
* Bug 1288768 - Better error reporting for network errors in workersjanekptacijarabaci2018-04-04-11/+2
|
* Add support for CSP v3 "worker-src" directivewolfbeast2018-03-03-44/+463
|
* CSP: connect-src 'self' should always include https: and wss: schemesjanekptacijarabaci2018-02-22-11/+168
|
* CSP: Support IDNs in connect-srcjanekptacijarabaci2018-02-22-2/+135
|
* CSP: Ignore nonces on <img> per specjanekptacijarabaci2018-02-22-4/+111
|
* CSP: Upgrade SO navigational requests per spec.janekptacijarabaci2018-02-22-0/+184
|
* CSP 2 - ignore (x-)frame-options if CSP with frame-ancestors directive existsjanekptacijarabaci2018-02-22-0/+104
|
* Explicitly cancel channel after mixed content redirect.wolfbeast2018-02-08-1/+6
|
* CSP should only check host (not including path) when performing frame ↵wolfbeast2018-02-06-0/+19
| | | | | | ancestors checks. This has been explicitly stated in the CSP-3 spec.
* Add m-esr52 at 52.6.0Matt A. Tobin2018-02-02-0/+31574