summaryrefslogtreecommitdiffstats
path: root/netwerk
Commit message (Collapse)AuthorAgeLines
* Merge pull request #791 from g4jc/session_supercookieMoonchild2018-09-27-67/+204
|\ | | | | Issue #792 - backport mozbug 1334776 - CVE-2017-7797 Header name interning leaks across origins
| * backport mozbug 1334776 - CVE-2017-7797 Header name interning leaks across ↵Gaming4JC2018-09-25-67/+204
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | origins Potential attack: session supercookie. [Moz Notes](https://bugzilla.mozilla.org/show_bug.cgi?id=1334776#c5): "The problem is that for unknown header names we store the first one we see and then later we case-insensitively match against that name *globally*. That means you can track if a user agent has already seen a certain header name used (by using a different casing and observing whether it gets normalized). This would allow you to see if a user has used a sensitive service that uses custom header names, or allows you to track a user across sites, by teaching the browser about a certain header case once and then observing if different casings get normalized to that. What we should do instead is only store the casing for a header name for each header list and not globally. That way it only leaks where it's expected (and necessary) to leak." [Moz fix note](https://bugzilla.mozilla.org/show_bug.cgi?id=1334776#c8): "nsHttpAtom now holds the old nsHttpAtom and a string that is case sensitive (only for not standard headers). So nsHttpAtom holds a pointer to a header name. (header names are store on a static structure). This is how it used to be. I left that part the same but added a nsCString which holds a string that was used to resoled the header name. So when we parse headers we call ResolveHeader with a char*. If it is a new header name the char* will be stored in a HttpHeapAtom, nsHttpAtom::_val will point to HttpHeapAtom::value and the same strings will be stored in mLocalCaseSensitiveHeader. For the first resolve request they will be the same but for the following maybe not. At the end this nsHttpAtom will be stored in nsHttpHeaderArray. For all operation we will used the old char* except when we are returning it to a script using VisitHeaders."
* | Merge pull request #789 from g4jc/sha256_leakfixMoonchild2018-09-27-14/+8
|\ \ | | | | | | backport mozbug 1444532 - fix a leak in SHA256 in nsHttpConnectionInfo.cpp r=mayhemer
| * | backport mozbug 1444532 - fix a leak in SHA256 in nsHttpConnectionInfo.cpp ↵Gaming4JC2018-09-26-14/+8
| |/ | | | | | | | | | | | | | | r=mayhemer The original code (from bug 1200802) declared an XPCOM object as a static bare pointer, which for future reference is probably never the right thing to do. It might have worked if it was cleared before shutdown but it never was.
* / backport mozbug 1344613 - Avoid possibility of null pointer crash in ↵Gaming4JC2018-09-25-0/+1
|/ | | | nsSOCKSIOLayer.cpp r=mayhemer
* Add a null check in nsHttpTransaction::Close.wolfbeast2018-09-19-1/+3
| | | | This resolves #776.
* Remove all C++ telemetry autotimerswolfbeast2018-09-04-27/+8
|
* Remove all C++ Telemetry Accumulation calls.wolfbeast2018-09-03-835/+8
| | | | | This creates a number of stubs and leaves some surrounding code that may be irrelevant (eg. recorded time stamps, status variables). Stub resolution/removal should be a follow-up to this.
* Remove support for TLS session caches in TLSServerSocket.wolfbeast2018-09-01-26/+2
| | | | This resolves #738
* Refresh nsStringBundleService and nsHttpHandler when the browser locale is ↵JustOff2018-08-25-15/+25
| | | | changed
* Reinstate RC4 and mark 3DES weak.wolfbeast2018-08-17-0/+2
| | | | Tag #709
* Remove the const to fix the -Wignored-qualifiers warning with GCC 8trav902018-08-10-1/+1
|
* Issue #686: Un-deprecate the Application Cache APISpockMan022018-08-05-25/+0
|
* Fixed misleading console error message for multiple CORS headersjanekptacijarabaci2018-07-31-1/+1
|
* Make nsAtomicFileOutputStream::DoOpen() fail if the file is read-only.wolfbeast2018-07-10-0/+7
| | | | This means we don't leave behind prefs-<n>.js files when prefs.js is read-only.
* Remove pref confusion around cache v2wolfbeast2018-07-03-8/+1
| | | | | | - Renames browser.cache.use_new_backend to browser.cache.backend - Sets browser.cache.backend to 1 (use cache v2) - Removes browser.cache.use_new_backend_temp
* Fix cache v1 compression crash in nsCompressOutputStreamWrapper::Close()wolfbeast2018-07-03-0/+6
|
* Merge branch 'ported-upstream'wolfbeast2018-07-02-0/+4
|\
| * Cherry-pick user sctp rev SVN8789a6da02e2c7c03522bc6f275b302f6ef977fePale Moon2018-06-30-0/+4
| |
* | Remove SSL Error Reporting telemetrywolfbeast2018-06-29-55/+0
|/
* WebRTC: Nullcheck DataChannel SendPacket calls.wolfbeast2018-06-29-2/+5
|
* Merge pull request #540 from janekptacijarabaci/security_csp_script_redirect_1Moonchild2018-06-24-2/+38
|\ | | | | Fix CSP: Scripts with valid nonce should not be blocked if URL redirects
| * CSP: Support for "LoadInfo::GetLoadingContext" and ↵janekptacijarabaci2018-06-21-2/+38
| | | | | | | | | | | | "LoadInfo::GetLoadingContextXPCOM()" https://bugzilla.mozilla.org/show_bug.cgi?id=1439713 (partially)
* | Fix SSL status ambiguity.wolfbeast2018-06-20-3/+20
|/ | | | | - Adds CipherSuite string with the full suite - Changes CipherName to be the actual cipher name instead of the (erroneous) full suite like Firefox does.
* Sanity-check in nsStandardURL::Deserialize(). r=mayhemer, a=RyanVMValentin Gosu2018-06-07-1/+19
| | | | | | Also add test for faulty nsStandardURL deserialization. See Bug 1392739.
* Revert "Disable TLS 1.3 by default for now until our NSS can be updated to ↵wolfbeast2018-06-06-1/+1
| | | | | | the latest spec." This reverts commit 6c3f95480a191ce432ddfb2aa400a6d70c4884a8.
* Port our stricter cookie gating.wolfbeast2018-06-05-13/+25
| | | | This addresses the critical section of #449.
* Build - throws a warning: 'rv': unreferenced local variablejanekptacijarabaci2018-05-31-1/+0
| | | | PR #412
* Merge pull request #412 from g4jc/hsts_priming_removal_backportMoonchild2018-05-30-680/+6
|\ | | | | Remove support and tests for HSTS priming from the tree. Fixes #384
| * Remove support and tests for HSTS priming from the tree. Fixes #384Gaming4JC2018-05-26-680/+6
| |
* | Fix sec pref locations and enable HPKP checking by default.wolfbeast2018-05-29-0/+11
|/ | | | Some prefs were incorrectly in all.js (ocsp and hpkp)
* Bug 1314968 - Explicitly specify the AccessPoint interface name. r=kanruJan Steffens2018-05-16-1/+1
| | | | | | | | | | | | | | | | | The DBus specification allows passing an empty string as the interface to the org.freedesktop.DBus.Properties.GetAll call to get all properties, throwing away the namespace (interface) information. However, GDBus does not allow this. When NetworkManager moved to using GDBus, Firefox lost the ability to retrieve access points from NetworkManager. Since we're only interested in properties from the org.freedesktop.NetworkManager.AccessPoint interface, name it explicitly. This works with both the old and the new NetworkManager. MozReview-Commit-ID: Kc5HaYvwfRZ --HG-- extra : rebase_source : e1550d327e5a4ea05b8d35d98ef7b27c0add709b
* Revert incorrect UAO optimization that broke SSUAOJustOff2018-05-15-89/+4
|
* Remove other gonk widget conditionals and unused files.wolfbeast2018-05-13-204/+5
| | | | Tag #288.
* Fix incorrectly removed #includeswolfbeast2018-05-13-0/+2
| | | | Tag #288.
* Remove MOZ_WIDGET_GONK [2/2]wolfbeast2018-05-13-333/+5
| | | | Tag #288
* Remove MOZ_B2G leftovers and some dead B2G-only components.wolfbeast2018-05-12-1/+1
|
* Remove nameprep.c from moz.buildtrav902018-05-04-1/+0
| | | | Follow up to e6d4a8daf3497986d55bd4b4cfd85b11bc5684d1
* Issue #325 Part 11: Fix up build files.wolfbeast2018-05-04-1/+1
|
* Issue #325 Part 1: Remove the legacy non-IDNA2008 code path from nsIDNService.wolfbeast2018-05-04-3209/+3
|
* Bug 1182569: Update ContentSecurityManager to handle docshell loadsjanekptacijarabaci2018-04-30-10/+4
|
* moebius#158: The Performance Resource Timing (added support for "workerStart")janekptacijarabaci2018-04-29-27/+426
| | | | https://github.com/MoonchildProductions/moebius/pull/158
* Disable TLS 1.3 by default for now until our NSS can be updated to the ↵wolfbeast2018-04-25-1/+1
| | | | latest spec.
* moebius#187: DOM - nsIContentPolicy - context (document)janekptacijarabaci2018-04-23-2/+30
| | | | https://github.com/MoonchildProductions/moebius/pull/187
* Revert "Bug 1182569: Update ContentSecurityManager to handle docshell loads"janekptacijarabaci2018-04-22-4/+10
| | | | This reverts commit 2e33335820b2816bee111e78588ac82e401c86ae.
* Bug 1182569: Update ContentSecurityManager to handle docshell loadsjanekptacijarabaci2018-04-22-10/+4
| | | | native in moebius
* Bug 1323683 - Fold nsIURIWithQuery into nsIURIjanekptacijarabaci2018-04-22-64/+45
| | | | native in moebius
* moebius#230: Consider blocking top level window data: URIs (part 3/3 without ↵janekptacijarabaci2018-04-22-0/+30
| | | | | | tests) https://github.com/MoonchildProductions/moebius/pull/230
* moebius#226: Consider blocking top level window data: URIs (part 2/2 without ↵janekptacijarabaci2018-04-22-0/+33
| | | | | | tests) https://github.com/MoonchildProductions/moebius/pull/226
* moebius#223: Consider blocking top level window data: URIs (part 1/3 without ↵janekptacijarabaci2018-04-22-0/+14
| | | | | | tests) https://github.com/MoonchildProductions/moebius/pull/223
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-08 12:55:35 +0000