bug 1003566 - part 1 - allowSTS attribute to nsIHttpChannel r=honzab

netwerk/ipc/NeckoChannelParams.ipdlh

@@ -40,6 +40,7 @@ struct HttpChannelOpenArgs
   uint16_t                    priority;
   uint8_t                     redirectionLimit;
   bool                        allowPipelining;
+  bool                        allowSTS;
   bool                        forceAllowThirdPartyCookie;
   bool                        resumeAt;
   uint64_t                    startPos;

netwerk/protocol/http/HttpBaseChannel.cpp

@@ -51,6 +51,7 @@ HttpBaseChannel::HttpBaseChannel()
   , mRequestObserversCalled(false)
   , mResponseHeadersModified(false)
   , mAllowPipelining(true)
+  , mAllowSTS(true)
   , mForceAllowThirdPartyCookie(false)
   , mUploadStreamHasHeaders(false)
   , mInheritApplicationCache(true)
@@ -1194,6 +1195,23 @@ HttpBaseChannel::SetAllowPipelining(bool value)
   return NS_OK;
 }
 
+NS_IMETHODIMP
+HttpBaseChannel::GetAllowSTS(bool *value)
+{
+  NS_ENSURE_ARG_POINTER(value);
+  *value = mAllowSTS;
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+HttpBaseChannel::SetAllowSTS(bool value)
+{
+  ENSURE_CALLED_BEFORE_CONNECT();
+
+  mAllowSTS = value;
+  return NS_OK;
+}
+
 NS_IMETHODIMP
 HttpBaseChannel::GetRedirectionLimit(uint32_t *value)
 {
@@ -1931,8 +1949,9 @@ HttpBaseChannel::SetupReplacementChannel(nsIURI       *newURI,
   // convey the referrer if one was used for this channel to the next one
   if (mReferrer)
     httpChannel->SetReferrer(mReferrer);
-  // convey the mAllowPipelining flag
+  // convey the mAllowPipelining and mAllowSTS flags
   httpChannel->SetAllowPipelining(mAllowPipelining);
+  httpChannel->SetAllowSTS(mAllowSTS);
   // convey the new redirection limit
   httpChannel->SetRedirectionLimit(mRedirectionLimit - 1);
 

netwerk/protocol/http/HttpBaseChannel.h

@@ -128,6 +128,8 @@ public:
   NS_IMETHOD VisitResponseHeaders(nsIHttpHeaderVisitor *visitor);
   NS_IMETHOD GetAllowPipelining(bool *value);
   NS_IMETHOD SetAllowPipelining(bool value);
+  NS_IMETHOD GetAllowSTS(bool *value);
+  NS_IMETHOD SetAllowSTS(bool value);
   NS_IMETHOD GetRedirectionLimit(uint32_t *value);
   NS_IMETHOD SetRedirectionLimit(uint32_t value);
   NS_IMETHOD IsNoStoreResponse(bool *value);
@@ -309,6 +311,7 @@ protected:
   uint32_t                          mRequestObserversCalled     : 1;
   uint32_t                          mResponseHeadersModified    : 1;
   uint32_t                          mAllowPipelining            : 1;
+  uint32_t                          mAllowSTS                   : 1;
   uint32_t                          mForceAllowThirdPartyCookie : 1;
   uint32_t                          mUploadStreamHasHeaders     : 1;
   uint32_t                          mInheritApplicationCache    : 1;

netwerk/protocol/http/HttpChannelChild.cpp

@@ -1261,6 +1261,7 @@ HttpChannelChild::AsyncOpen(nsIStreamListener *listener, nsISupports *aContext)
   openArgs.priority() = mPriority;
   openArgs.redirectionLimit() = mRedirectionLimit;
   openArgs.allowPipelining() = mAllowPipelining;
+  openArgs.allowSTS() = mAllowSTS;
   openArgs.forceAllowThirdPartyCookie() = mForceAllowThirdPartyCookie;
   openArgs.resumeAt() = mSendResumeAt;
   openArgs.startPos() = mStartPos;

netwerk/protocol/http/HttpChannelParent.cpp

@@ -83,7 +83,7 @@ HttpChannelParent::Init(const HttpChannelCreationArgs& aArgs)
                        a.apiRedirectTo(), a.loadFlags(), a.requestHeaders(),
                        a.requestMethod(), a.uploadStream(),
                        a.uploadStreamHasHeaders(), a.priority(),
-                       a.redirectionLimit(), a.allowPipelining(),
+                       a.redirectionLimit(), a.allowPipelining(), a.allowSTS(),
                        a.forceAllowThirdPartyCookie(), a.resumeAt(),
                        a.startPos(), a.entityID(), a.chooseApplicationCache(),
                        a.appCacheClientID(), a.allowSpdy(), a.fds());
@@ -154,6 +154,7 @@ HttpChannelParent::DoAsyncOpen(  const URIParams&           aURI,
                                  const uint16_t&            priority,
                                  const uint8_t&             redirectionLimit,
                                  const bool&              allowPipelining,
+                                 const bool&              allowSTS,
                                  const bool&              forceAllowThirdPartyCookie,
                                  const bool&                doResumeAt,
                                  const uint64_t&            startPos,
@@ -243,6 +244,7 @@ HttpChannelParent::DoAsyncOpen(  const URIParams&           aURI,
     mChannel->SetPriority(priority);
   mChannel->SetRedirectionLimit(redirectionLimit);
   mChannel->SetAllowPipelining(allowPipelining);
+  mChannel->SetAllowSTS(allowSTS);
   mChannel->SetForceAllowThirdPartyCookie(forceAllowThirdPartyCookie);
   mChannel->SetAllowSpdy(allowSpdy);
 

netwerk/protocol/http/HttpChannelParent.h

@@ -84,6 +84,7 @@ protected:
                    const uint16_t&            priority,
                    const uint8_t&             redirectionLimit,
                    const bool&                allowPipelining,
+                   const bool&                allowSTS,
                    const bool&                forceAllowThirdPartyCookie,
                    const bool&                doResumeAt,
                    const uint64_t&            startPos,

netwerk/protocol/http/nsHttpChannel.cpp

@@ -282,7 +282,7 @@ nsHttpChannel::Connect()
     rv = mURI->SchemeIs("https", &usingSSL);
     NS_ENSURE_SUCCESS(rv,rv);
 
-    if (!usingSSL) {
+    if (mAllowSTS && !usingSSL) {
         // enforce Strict-Transport-Security
         nsISiteSecurityService* sss = gHttpHandler->GetSSService();
         NS_ENSURE_TRUE(sss, NS_ERROR_OUT_OF_MEMORY);

netwerk/protocol/http/nsIHttpChannel.idl

@@ -14,7 +14,7 @@ interface nsIHttpHeaderVisitor;
  * the inspection of the resulting HTTP response status and headers when they
  * become available.
  */
-[scriptable, uuid(a01362a0-5c45-11e2-bcfd-0800200c9a66)]
+[scriptable, uuid(22816a32-2179-4b81-9b29-e31d6f9a36c2)]
 interface nsIHttpChannel : nsIChannel
 {
     /**************************************************************************
@@ -123,6 +123,20 @@ interface nsIHttpChannel : nsIChannel
      */
     attribute boolean allowPipelining;
 
+    /**
+     * This attribute of the channel indicates whether or not
+     * the underlying HTTP transaction should be honor stored Strict Transport
+     * Security directives for its principal. It defaults to true. Using
+     * OCSP to bootstrap the HTTPs is the likely use case for setting it to
+     * false.
+     *
+     * This attribute may only be set before the channel is opened.
+     *
+     * @throws NS_ERROR_IN_PROGRESS or NS_ERROR_ALREADY_OPENED
+     *         if called after the channel has been opened.
+     */
+    attribute boolean allowSTS;
+
     /**
      * This attribute specifies the number of redirects this channel is allowed
      * to make.  If zero, the channel will fail to redirect and will generate

netwerk/protocol/viewsource/nsViewSourceChannel.cpp

@@ -648,6 +648,20 @@ nsViewSourceChannel::SetAllowPipelining(bool aAllowPipelining)
         mHttpChannel->SetAllowPipelining(aAllowPipelining);
 }
 
+NS_IMETHODIMP
+nsViewSourceChannel::GetAllowSTS(bool *aAllowSTS)
+{
+    return !mHttpChannel ? NS_ERROR_NULL_POINTER :
+        mHttpChannel->GetAllowSTS(aAllowSTS);
+}
+
+NS_IMETHODIMP
+nsViewSourceChannel::SetAllowSTS(bool aAllowSTS)
+{
+    return !mHttpChannel ? NS_ERROR_NULL_POINTER :
+        mHttpChannel->SetAllowSTS(aAllowSTS);
+}
+
 NS_IMETHODIMP
 nsViewSourceChannel::GetRedirectionLimit(uint32_t *aRedirectionLimit)
 {