Backed out changeset 03bc3379822a
parent
bd9db67c3e
commit
2fe71d8086
@ -150,14 +150,6 @@ interface nsISocketTransport : nsITransport
|
||||
*/
|
||||
const unsigned long BYPASS_CACHE = (1 << 0);
|
||||
|
||||
/**
|
||||
* When setting this flag, the socket will not apply any
|
||||
* credentials when establishing a connection. For example,
|
||||
* an SSL connection would not send any client-certificates
|
||||
* if this flag is set.
|
||||
*/
|
||||
const unsigned long ANONYMOUS_CONNECT = (1 << 1);
|
||||
|
||||
};
|
||||
|
||||
%{C++
|
||||
|
@ -1002,9 +1002,6 @@ nsSocketTransport::BuildSocket(PRFileDesc *&fd, PRBool &proxyTransparent, PRBool
|
||||
|
||||
if (mProxyTransparentResolvesHost)
|
||||
proxyFlags |= nsISocketProvider::PROXY_RESOLVES_HOST;
|
||||
|
||||
if (mConnectionFlags & nsISocketTransport::ANONYMOUS_CONNECT)
|
||||
proxyFlags |= nsISocketProvider::ANONYMOUS_CONNECT;
|
||||
|
||||
nsCOMPtr<nsISupports> secinfo;
|
||||
if (i == 0) {
|
||||
@ -1029,7 +1026,7 @@ nsSocketTransport::BuildSocket(PRFileDesc *&fd, PRBool &proxyTransparent, PRBool
|
||||
proxyFlags, fd,
|
||||
getter_AddRefs(secinfo));
|
||||
}
|
||||
// proxyFlags = 0; not used below this point...
|
||||
proxyFlags = 0;
|
||||
if (NS_FAILED(rv))
|
||||
break;
|
||||
|
||||
|
@ -108,10 +108,6 @@ typedef PRUint8 nsHttpVersion;
|
||||
// bypass the local DNS cache
|
||||
#define NS_HTTP_REFRESH_DNS (1<<3)
|
||||
|
||||
// a transaction with this caps flag will not pass SSL client-certificates
|
||||
// to the server (see bug #466080), but is may also be used for other things
|
||||
#define NS_HTTP_LOAD_ANONYMOUS (1<<4)
|
||||
|
||||
//-----------------------------------------------------------------------------
|
||||
// some default values
|
||||
//-----------------------------------------------------------------------------
|
||||
|
@ -657,11 +657,6 @@ nsHttpChannel::SetupTransaction()
|
||||
return NS_ERROR_OUT_OF_MEMORY;
|
||||
NS_ADDREF(mTransaction);
|
||||
|
||||
// See bug #466080. Transfer LOAD_ANONYMOUS flag to socket-layer.
|
||||
if (mLoadFlags & LOAD_ANONYMOUS) {
|
||||
mCaps |= NS_HTTP_LOAD_ANONYMOUS;
|
||||
}
|
||||
|
||||
nsCOMPtr<nsIAsyncInputStream> responseStream;
|
||||
rv = mTransaction->Init(mCaps, mConnectionInfo, &mRequestHead,
|
||||
mUploadStream, mUploadStreamHasHeaders,
|
||||
|
@ -452,14 +452,8 @@ nsHttpConnection::CreateTransport(PRUint8 caps)
|
||||
getter_AddRefs(strans));
|
||||
if (NS_FAILED(rv)) return rv;
|
||||
|
||||
PRUint32 tmpFlags = 0;
|
||||
if (caps & NS_HTTP_REFRESH_DNS)
|
||||
tmpFlags = nsISocketTransport::BYPASS_CACHE;
|
||||
|
||||
if (caps & NS_HTTP_LOAD_ANONYMOUS)
|
||||
tmpFlags |= nsISocketTransport::ANONYMOUS_CONNECT;
|
||||
|
||||
strans->SetConnectionFlags(tmpFlags);
|
||||
strans->SetConnectionFlags(nsISocketTransport::BYPASS_CACHE);
|
||||
|
||||
// NOTE: these create cyclical references, which we break inside
|
||||
// nsHttpConnection::Close
|
||||
|
@ -106,15 +106,6 @@ interface nsISocketProvider : nsISupports
|
||||
* later connect et al. request.
|
||||
*/
|
||||
const long PROXY_RESOLVES_HOST = 1 << 0;
|
||||
|
||||
/**
|
||||
* When setting this flag, the socket will not apply any
|
||||
* credentials when establishing a connection. For example,
|
||||
* an SSL connection would not send any client-certificates
|
||||
* if this flag is set.
|
||||
*/
|
||||
const long ANONYMOUS_CONNECT = 1 << 1;
|
||||
|
||||
};
|
||||
|
||||
%{C++
|
||||
|
@ -1996,15 +1996,14 @@ nsSSLIOLayerNewSocket(PRInt32 family,
|
||||
PRInt32 proxyPort,
|
||||
PRFileDesc **fd,
|
||||
nsISupports** info,
|
||||
PRBool forSTARTTLS,
|
||||
PRBool anonymousLoad)
|
||||
PRBool forSTARTTLS)
|
||||
{
|
||||
|
||||
PRFileDesc* sock = PR_OpenTCPSocket(family);
|
||||
if (!sock) return NS_ERROR_OUT_OF_MEMORY;
|
||||
|
||||
nsresult rv = nsSSLIOLayerAddToSocket(family, host, port, proxyHost, proxyPort,
|
||||
sock, info, forSTARTTLS, anonymousLoad);
|
||||
sock, info, forSTARTTLS);
|
||||
if (NS_FAILED(rv)) {
|
||||
PR_Close(sock);
|
||||
return rv;
|
||||
@ -3111,8 +3110,7 @@ nsNSSBadCertHandler(void *arg, PRFileDesc *sslSocket)
|
||||
static PRFileDesc*
|
||||
nsSSLIOLayerImportFD(PRFileDesc *fd,
|
||||
nsNSSSocketInfo *infoObject,
|
||||
const char *host,
|
||||
PRBool anonymousLoad)
|
||||
const char *host)
|
||||
{
|
||||
nsNSSShutDownPreventionLock locker;
|
||||
PRFileDesc* sslSock = SSL_ImportFD(nsnull, fd);
|
||||
@ -3122,15 +3120,9 @@ nsSSLIOLayerImportFD(PRFileDesc *fd,
|
||||
}
|
||||
SSL_SetPKCS11PinArg(sslSock, (nsIInterfaceRequestor*)infoObject);
|
||||
SSL_HandshakeCallback(sslSock, HandshakeCallback, infoObject);
|
||||
|
||||
// Disable this hook if we connect anonymously. See bug 466080.
|
||||
if (anonymousLoad) {
|
||||
SSL_GetClientAuthDataHook(sslSock, NULL, infoObject);
|
||||
} else {
|
||||
SSL_GetClientAuthDataHook(sslSock,
|
||||
SSL_GetClientAuthDataHook(sslSock,
|
||||
(SSLGetClientAuthData)nsNSS_SSLGetClientAuthData,
|
||||
infoObject);
|
||||
}
|
||||
SSL_AuthCertificateHook(sslSock, AuthCertificateCallback, 0);
|
||||
|
||||
PRInt32 ret = SSL_SetURL(sslSock, host);
|
||||
@ -3149,7 +3141,7 @@ loser:
|
||||
static nsresult
|
||||
nsSSLIOLayerSetOptions(PRFileDesc *fd, PRBool forSTARTTLS,
|
||||
const char *proxyHost, const char *host, PRInt32 port,
|
||||
PRBool anonymousLoad, nsNSSSocketInfo *infoObject)
|
||||
nsNSSSocketInfo *infoObject)
|
||||
{
|
||||
nsNSSShutDownPreventionLock locker;
|
||||
if (forSTARTTLS || proxyHost) {
|
||||
@ -3200,13 +3192,7 @@ nsSSLIOLayerSetOptions(PRFileDesc *fd, PRBool forSTARTTLS,
|
||||
}
|
||||
|
||||
// Set the Peer ID so that SSL proxy connections work properly.
|
||||
char *peerId;
|
||||
if (anonymousLoad) { // See bug #466080. Separate the caches.
|
||||
peerId = PR_smprintf("anon:%s:%d", host, port);
|
||||
} else {
|
||||
peerId = PR_smprintf("%s:%d", host, port);
|
||||
}
|
||||
|
||||
char *peerId = PR_smprintf("%s:%d", host, port);
|
||||
if (SECSuccess != SSL_SetSockPeerID(fd, peerId)) {
|
||||
PR_smprintf_free(peerId);
|
||||
return NS_ERROR_FAILURE;
|
||||
@ -3224,8 +3210,7 @@ nsSSLIOLayerAddToSocket(PRInt32 family,
|
||||
PRInt32 proxyPort,
|
||||
PRFileDesc* fd,
|
||||
nsISupports** info,
|
||||
PRBool forSTARTTLS,
|
||||
PRBool anonymousLoad)
|
||||
PRBool forSTARTTLS)
|
||||
{
|
||||
nsNSSShutDownPreventionLock locker;
|
||||
PRFileDesc* layer = nsnull;
|
||||
@ -3239,7 +3224,7 @@ nsSSLIOLayerAddToSocket(PRInt32 family,
|
||||
infoObject->SetHostName(host);
|
||||
infoObject->SetPort(port);
|
||||
|
||||
PRFileDesc *sslSock = nsSSLIOLayerImportFD(fd, infoObject, host, anonymousLoad);
|
||||
PRFileDesc *sslSock = nsSSLIOLayerImportFD(fd, infoObject, host);
|
||||
if (!sslSock) {
|
||||
NS_ASSERTION(PR_FALSE, "NSS: Error importing socket");
|
||||
goto loser;
|
||||
@ -3247,8 +3232,7 @@ nsSSLIOLayerAddToSocket(PRInt32 family,
|
||||
|
||||
infoObject->SetFileDescPtr(sslSock);
|
||||
|
||||
rv = nsSSLIOLayerSetOptions(sslSock,
|
||||
forSTARTTLS, proxyHost, host, port, anonymousLoad,
|
||||
rv = nsSSLIOLayerSetOptions(sslSock, forSTARTTLS, proxyHost, host, port,
|
||||
infoObject);
|
||||
|
||||
if (NS_FAILED(rv))
|
||||
|
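Review bot: The restored `SSL_GetClientAuthDataHook(sslSock, (SSLGetClientAuthData)nsNSS_SSLGetClientAuthData, infoObject)` in nsSSLIOLayerImportFD is installed for every socket again, and nsSSLIOLayerSetOptions goes back to a single `%s:%d` peer ID, so a load marked anonymous can once more be answered with a client certificate and may resume a TLS session that was set up with one (this reads the second line of each printed pair as the new side, which the hunk line counts support). The backout message gives no reason, so a comment at the hook would keep the exposure visible: `// Client-auth hook is installed unconditionally; anonymous loads are not exempt (bug 466080, backed out).` Separately, `PR_smprintf` returns null on allocation failure and `peerId` reaches `SSL_SetSockPeerID` unchecked; `if (!peerId) return NS_ERROR_OUT_OF_MEMORY;` before the call would make that failure explicit. Both functions start and end outside the hunks shown.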
@ -272,8 +272,7 @@ nsresult nsSSLIOLayerNewSocket(PRInt32 family,
|
||||
PRInt32 proxyPort,
|
||||
PRFileDesc **fd,
|
||||
nsISupports **securityInfo,
|
||||
PRBool forSTARTTLS,
|
||||
PRBool anonymousLoad);
|
||||
PRBool forSTARTTLS);
|
||||
|
||||
nsresult nsSSLIOLayerAddToSocket(PRInt32 family,
|
||||
const char *host,
|
||||
@ -282,8 +281,7 @@ nsresult nsSSLIOLayerAddToSocket(PRInt32 family,
|
||||
PRInt32 proxyPort,
|
||||
PRFileDesc *fd,
|
||||
nsISupports **securityInfo,
|
||||
PRBool forSTARTTLS,
|
||||
PRBool anonymousLoad);
|
||||
PRBool forSTARTTLS);
|
||||
|
||||
nsresult nsSSLIOLayerFreeTLSIntolerantSites();
|
||||
nsresult displayUnknownCertErrorAlert(nsNSSSocketInfo *infoObject, int error);
|
||||
|
@ -68,8 +68,7 @@ nsSSLSocketProvider::NewSocket(PRInt32 family,
|
||||
proxyPort,
|
||||
_result,
|
||||
securityInfo,
|
||||
PR_FALSE,
|
||||
flags & ANONYMOUS_CONNECT);
|
||||
PR_FALSE);
|
||||
return (NS_FAILED(rv)) ? NS_ERROR_SOCKET_CREATE_FAILED : NS_OK;
|
||||
}
|
||||
|
||||
@ -91,8 +90,7 @@ nsSSLSocketProvider::AddToSocket(PRInt32 family,
|
||||
proxyPort,
|
||||
aSocket,
|
||||
securityInfo,
|
||||
PR_FALSE,
|
||||
flags & ANONYMOUS_CONNECT);
|
||||
PR_FALSE);
|
||||
|
||||
return (NS_FAILED(rv)) ? NS_ERROR_SOCKET_CREATE_FAILED : NS_OK;
|
||||
}
|
||||
|
@ -68,8 +68,7 @@ nsTLSSocketProvider::NewSocket(PRInt32 family,
|
||||
proxyPort,
|
||||
_result,
|
||||
securityInfo,
|
||||
PR_TRUE,
|
||||
flags & ANONYMOUS_CONNECT);
|
||||
PR_TRUE);
|
||||
|
||||
return (NS_FAILED(rv)) ? NS_ERROR_SOCKET_CREATE_FAILED : NS_OK;
|
||||
}
|
||||
@ -92,8 +91,7 @@ nsTLSSocketProvider::AddToSocket(PRInt32 family,
|
||||
proxyPort,
|
||||
aSocket,
|
||||
securityInfo,
|
||||
PR_TRUE,
|
||||
flags & ANONYMOUS_CONNECT);
|
||||
PR_TRUE);
|
||||
|
||||
return (NS_FAILED(rv)) ? NS_ERROR_SOCKET_CREATE_FAILED : NS_OK;
|
||||
}
|
||||
|
@ -45,11 +45,9 @@ relativesrcdir = security/ssl
|
||||
include $(DEPTH)/config/autoconf.mk
|
||||
include $(topsrcdir)/config/rules.mk
|
||||
|
||||
_CHROME_FILES = \
|
||||
test_bug466080.html \
|
||||
bug466080.sjs \
|
||||
$(NULL)
|
||||
# _CHROME_FILES = \
|
||||
# $(NULL)
|
||||
# test_bug413909.html \ # Leaks the world.
|
||||
|
||||
libs:: $(_CHROME_FILES)
|
||||
$(INSTALL) $(foreach f,$^,"$f") $(DEPTH)/_tests/testing/mochitest/chrome/$(relativesrcdir)
|
||||
# libs:: $(_CHROME_FILES)
|
||||
# $(INSTALL) $(foreach f,$^,"$f") $(DEPTH)/_tests/testing/mochitest/chrome/$(relativesrcdir)
|
||||
|
@ -1,17 +0,0 @@
|
||||
|
||||
function handleRequest(request, response)
|
||||
{
|
||||
var body = "loaded";
|
||||
var origin = "localhost";
|
||||
try {
|
||||
var origin = request.getHeader("Origin");
|
||||
} catch(e) {}
|
||||
|
||||
response.setHeader("Access-Control-Allow-Origin",
|
||||
origin,
|
||||
false);
|
||||
response.setHeader("Access-Control-Allow-Credentials", "true", false);
|
||||
response.setHeader("Connection", "Keep-alive", false);
|
||||
|
||||
response.bodyOutputStream.write(body, body.length);
|
||||
}
|
@ -1,113 +0,0 @@
|
||||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<head>
|
||||
<title>Test bug 466080</title>
|
||||
<script type="text/javascript" src="chrome://mochikit/content/MochiKit/packed.js"></script>
|
||||
<script type="text/javascript" src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"></script>
|
||||
<link rel="stylesheet" type="text/css" href="chrome://mochikit/content/tests/SimpleTest/test.css" />
|
||||
</head>
|
||||
<body onload="onWindowLoad()">
|
||||
<iframe id="frame1"
|
||||
src="https://requireclientcert.example.com/chrome/security/ssl/bug466080.sjs"
|
||||
onload="document.iframeWasLoaded = true">
|
||||
|
||||
This iframe should load the resource via the src-attribute from
|
||||
a secure server which requires a client-cert. Doing this is
|
||||
supposed to work, but further below in the test we try to load
|
||||
the resource from the same url using a XHR, which should not work.
|
||||
|
||||
TODO : What if we change 'src' from JS? Would/should it load?
|
||||
|
||||
</iframe>
|
||||
|
||||
<script class="testbody" type="text/javascript">
|
||||
|
||||
document.iframeWasLoaded = false;
|
||||
|
||||
var alltests = [
|
||||
|
||||
// load resource from a relative url - this should work
|
||||
{ url:"bug466080.sjs",
|
||||
status_check:"==200",
|
||||
error:"XHR from relative URL"},
|
||||
|
||||
// TODO - load the resource from a relative url via https..?
|
||||
|
||||
// load a non-existing resource - should get "404 Not Found"
|
||||
{ url:"bug466080-does-not.exist",
|
||||
status_check:"==404",
|
||||
error:"XHR loading non-existing resource"},
|
||||
|
||||
// load resource from cross-site non-secure server
|
||||
{ url:"http://test1.example.com/chrome/security/ssl/bug466080.sjs",
|
||||
status_check:"==200",
|
||||
error:"XHR from cross-site plaintext server"},
|
||||
|
||||
// load resource from cross-site secure server - should work since no credentials are needed
|
||||
{ url:"https://test1.example.com/chrome/security/ssl/bug466080.sjs",
|
||||
status_check:"==200",
|
||||
error:"XHR from cross-site secure server"},
|
||||
|
||||
// load resource from cross-site secure server - should work since the server just requests certs
|
||||
{ url:"https://requestclientcert.example.com/chrome/security/ssl/bug466080.sjs",
|
||||
status_check:"==200",
|
||||
error:"XHR from cross-site secure server requesting certificate"},
|
||||
|
||||
// load resource from cross-site secure server - should NOT work since the server requires cert
|
||||
// note that this is the url which is used in the iframe.src above
|
||||
{ url:"https://requireclientcert.example.com/chrome/security/ssl/bug466080.sjs",
|
||||
status_check:"!=200",
|
||||
error:"XHR from cross-site secure server requiring certificate"},
|
||||
|
||||
// repeat previous, - should NOT work
|
||||
{ url:"https://requireclientcert.example.com/chrome/security/ssl/bug466080.sjs",
|
||||
status_check:"==200",
|
||||
error:"XHR w/ credentials from cross-site secure server requiring certificate",
|
||||
withCredentials:"true"},
|
||||
|
||||
// repeat previous, but with credentials - should work
|
||||
{ url:"https://requireclientcert.example.com/chrome/security/ssl/bug466080.sjs",
|
||||
status_check:"==200",
|
||||
error:"XHR w/ credentials from cross-site secure server requiring certificate",
|
||||
withCredentials:"true"},
|
||||
|
||||
// repeat previous, withCredentials but using a weird method to force preflight
|
||||
// should NOT work since our preflight is anonymous and will fail with our simple server
|
||||
{ url:"https://requireclientcert.example.com/chrome/security/ssl/bug466080.sjs",
|
||||
status_check:"!=200",
|
||||
error:"XHR PREFLIGHT from cross-site secure server requiring certificate",
|
||||
withCredentials:"true",
|
||||
method:"XMETHOD"},
|
||||
|
||||
];
|
||||
|
||||
function onWindowLoad() {
|
||||
// First, check that resource was loaded into the iframe
|
||||
// This check in fact depends on bug #444165... :)
|
||||
ok(document.iframeWasLoaded, "Loading resource via src-attribute");
|
||||
|
||||
for each (test in alltests) {
|
||||
|
||||
var xhr = new XMLHttpRequest();
|
||||
|
||||
var method = "GET";
|
||||
if (test.method != null) { method = test.method; }
|
||||
xhr.open(method, test.url, false);
|
||||
|
||||
xhr.withCredentials = test.withCredentials;
|
||||
xhr.setRequestHeader("Connection", "Keep-Alive", false);
|
||||
try {
|
||||
xhr.send();
|
||||
} catch(e) {
|
||||
}
|
||||
var success = eval(xhr.status + test.status_check);
|
||||
ok(success, test.error);
|
||||
}
|
||||
|
||||
SimpleTest.finish();
|
||||
}
|
||||
|
||||
SimpleTest.waitForExplicitFinish();
|
||||
</script>
|
||||
</body>
|
||||
</html>
|