bug 662692 - Do not allow mixed-content WebSockets r=smaug

Patrick McManus 2011-07-10 12:31:41 -04:00
parent 0dc1e3045c
commit 58c63edee3
2 changed files with 16 additions and 0 deletions


@ -1351,6 +1351,18 @@ nsWebSocket::Init(nsIPrincipal* aPrincipal,
rv = ParseURL(PromiseFlatString(aURL));
NS_ENSURE_SUCCESS(rv, rv);
// Don't allow https:// to open ws://
nsCOMPtr<nsIURI> originURI;
PRBool originHTTPS;
if (!mSecure &&
!Preferences::GetBool("network.websocket.allowInsecureFromHTTPS",
PR_FALSE) &&
NS_SUCCEEDED(NS_NewURI(getter_AddRefs(originURI), mUTF16Origin)) &&
NS_SUCCEEDED(originURI->SchemeIs("https", &originHTTPS)) &&
originHTTPS) {
return NS_ERROR_DOM_SECURITY_ERR;
}
// sets the protocol
if (!aProtocol.IsEmpty()) {
rv = SetProtocol(PromiseFlatString(aProtocol));
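Review bot: The new mixed-content check fails open: if `NS_NewURI(getter_AddRefs(originURI), mUTF16Origin)` or `originURI->SchemeIs("https", &originHTTPS)` returns a failure code, the `&&` chain evaluates to false and a ws:// connection is allowed as though the origin were not https. Make that outcome explicit by initialising `PRBool originHTTPS = PR_FALSE;` and checking the parse result on its own, with a comment saying that an unparseable origin is deliberately not treated as https. Alternatively, return `NS_ERROR_DOM_SECURITY_ERR` in that case, if no legitimate origin string can fail to parse; the hunk does not show whether one can. The test also looks only at the serialized origin in `mUTF16Origin`, so whether an insecure document framed by an https page is meant to be covered is not visible here, and a one-line comment recording that choice would help. Init's body starts and continues outside the hunk.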


@ -817,6 +817,10 @@ pref("network.websocket.extensions.stream-deflate", true);
// one time.
pref("network.websocket.max-connections", 200);
// by default scripts loaded from a https:// origin can only open secure
// (i.e. wss://) websockets.
pref("network.websocket.allowInsecureFromHTTPS", false);
// </ws>
// Server-Sent Events
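Review bot: The comment above `network.websocket.allowInsecureFromHTTPS` describes the default behaviour but not what the pref itself does. Because setting it to true switches off a security check, that should be stated where the pref is defined. Suggested wording: `// Setting this to true lets https:// pages open insecure ws:// connections (mixed content).`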