diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js index 8ec45ef8060..6626cfde97b 100644 --- a/modules/libpref/init/all.js +++ b/modules/libpref/init/all.js @@ -1448,6 +1448,10 @@ pref("network.http.enforce-framing.soft", true); // See http://www.w3.org/TR/web-packaging/#streamable-package-format pref("network.http.enable-packaged-apps", false); +// Enable this to bring in the signature verification if the signature exists. +// Set to false if you don't need the signed packaged web app support (i.e. NSec). +pref("network.http.packaged-signed-apps-enabled", false); + // Enable this pref to skip verification process. The packaged app // will be considered signed no matter the package has a valid/invalid // signature or no signature. diff --git a/netwerk/protocol/http/PackagedAppService.cpp b/netwerk/protocol/http/PackagedAppService.cpp index 25341fc6a18..df660ad472b 100644 --- a/netwerk/protocol/http/PackagedAppService.cpp +++ b/netwerk/protocol/http/PackagedAppService.cpp @@ -479,6 +479,12 @@ PackagedAppService::PackagedAppDownloader::OnStartRequest(nsIRequest *aRequest, NS_WARN_IF(NS_FAILED(rv)); EnsureVerifier(aRequest); + + if (!mVerifier->WouldVerify()) { + // It means there's no signature or the signed app is disabled. + return NS_OK; + } + mVerifier->OnStartRequest(nullptr, uri); // Since the header is considered as a part of the streaming data, @@ -640,7 +646,7 @@ PackagedAppService::PackagedAppDownloader::OnStopRequest(nsIRequest *aRequest, // Chances to get here: // 1) Very likely the package has been cached or // 2) Less likely the package is malformed. - if (!mVerifier) { + if (!mVerifier || !mVerifier->WouldVerify()) { FinalizeDownload(aStatusCode); } else { // We've got a broken last part and some resources might be still @@ -676,6 +682,12 @@ PackagedAppService::PackagedAppDownloader::OnStopRequest(nsIRequest *aRequest, nsRefPtr info = new ResourceCacheInfo(uri, entry, aStatusCode, lastPart); + if (!mVerifier->WouldVerify()) { + // No manifest at all. Everything is simply a resource. + OnResourceVerified(info, true); + return NS_OK; + } + mVerifier->OnStopRequest(nullptr, info, aStatusCode); return NS_OK; @@ -704,6 +716,11 @@ PackagedAppService::PackagedAppDownloader::ConsumeData(nsIInputStream *aStream, self->mWriter->ConsumeData(aFromRawSegment, aCount, aWriteCount); + if (!self->mVerifier->WouldVerify()) { + // No signature or signed app support is disabled. + return NS_OK; + } + if (self->mProcessingFirstRequest) { // mProcessingFirstRequest will be set to false on the first OnStopRequest. self->mManifestContent.Append(aFromRawSegment, aCount); diff --git a/netwerk/protocol/http/PackagedAppVerifier.cpp b/netwerk/protocol/http/PackagedAppVerifier.cpp index b30bb71ea89..d823b29dcd2 100644 --- a/netwerk/protocol/http/PackagedAppVerifier.cpp +++ b/netwerk/protocol/http/PackagedAppVerifier.cpp @@ -22,6 +22,7 @@ static const short kResourceHashType = nsICryptoHash::SHA256; // If it's true, all the verification will be skipped and the package will // be treated signed. static bool gDeveloperMode = false; +static bool gSignedAppEnabled = false; namespace mozilla { namespace net { @@ -69,6 +70,8 @@ NS_IMETHODIMP PackagedAppVerifier::Init(nsIPackagedAppVerifierListener* aListene if (!onceThru) { Preferences::AddBoolVarCache(&gDeveloperMode, "network.http.packaged-apps-developer-mode", false); + Preferences::AddBoolVarCache(&gSignedAppEnabled, + "network.http.packaged-signed-apps-enabled", false); onceThru = true; } @@ -418,6 +421,12 @@ PackagedAppVerifier::SetHasBrokenLastPart(nsresult aStatusCode) mPendingResourceCacheInfoList.insertBack(info); } +bool +PackagedAppVerifier::WouldVerify() const +{ + return gSignedAppEnabled && !mSignature.IsEmpty(); +} + //--------------------------------------------------------------- // nsIPackagedAppVerifier. //--------------------------------------------------------------- diff --git a/netwerk/protocol/http/PackagedAppVerifier.h b/netwerk/protocol/http/PackagedAppVerifier.h index b733bc46cbe..4241bbeba4b 100644 --- a/netwerk/protocol/http/PackagedAppVerifier.h +++ b/netwerk/protocol/http/PackagedAppVerifier.h @@ -114,6 +114,8 @@ public: return mPackageOrigin; } + bool WouldVerify() const; + static const char* kSignedPakOriginMetadataKey; private: diff --git a/netwerk/test/mochitests/test_signed_web_packaged_app.html b/netwerk/test/mochitests/test_signed_web_packaged_app.html index 7eae7b89568..b1d0b6eda2c 100644 --- a/netwerk/test/mochitests/test_signed_web_packaged_app.html +++ b/netwerk/test/mochitests/test_signed_web_packaged_app.html @@ -22,6 +22,7 @@ var Cr = SpecialPowers.Cr; SpecialPowers.pushPrefEnv( { "set": [["network.http.enable-packaged-apps", true], ["network.http.packaged-apps-developer-mode", true], + ["network.http.packaged-signed-apps-enabled", true], ["dom.ipc.processPriorityManager.testMode", true], ["dom.ipc.processPriorityManager.enabled", true], ["dom.ipc.tabs.disabled", false], diff --git a/netwerk/test/unit/test_packaged_app_channel.js b/netwerk/test/unit/test_packaged_app_channel.js index 171f48f8140..6c361f06ec6 100644 --- a/netwerk/test/unit/test_packaged_app_channel.js +++ b/netwerk/test/unit/test_packaged_app_channel.js @@ -118,6 +118,7 @@ function contentHandlerWithSignature(metadata, response) var httpserver = null; var originalPref = false; var originalDevMode = false; +var originalSignedAppEnabled = false; function run_test() { @@ -131,8 +132,10 @@ function run_test() // Enable the feature and save the original pref value originalPref = Services.prefs.getBoolPref("network.http.enable-packaged-apps"); originalDevMode = Services.prefs.getBoolPref("network.http.packaged-apps-developer-mode"); + originalSignedAppEnabled = Services.prefs.getBoolPref("network.http.packaged-signed-apps-enabled"); Services.prefs.setBoolPref("network.http.enable-packaged-apps", true); Services.prefs.setBoolPref("network.http.packaged-apps-developer-mode", false); + Services.prefs.setBoolPref("network.http.packaged-signed-apps-enabled", true); do_register_cleanup(reset_pref); add_test(test_channel); @@ -206,4 +209,5 @@ function reset_pref() { // Set the pref to its original value Services.prefs.setBoolPref("network.http.enable-packaged-apps", originalPref); Services.prefs.setBoolPref("network.http.packaged-apps-developer-mode", originalDevMode); + Services.prefs.setBoolPref("network.http.packaged-signed-apps-enabled", originalSignedAppEnabled); } diff --git a/netwerk/test/unit/test_packaged_app_service.js b/netwerk/test/unit/test_packaged_app_service.js index bebb875890f..3014ff9dd2c 100644 --- a/netwerk/test/unit/test_packaged_app_service.js +++ b/netwerk/test/unit/test_packaged_app_service.js @@ -155,12 +155,15 @@ function run_test() // TODO: To be removed in Bug 1178518. do_register_cleanup(function() { gPrefs.clearUserPref("network.http.packaged-apps-developer-mode"); + gPrefs.clearUserPref("network.http.packaged-signed-apps-enabled"); }); paservice = Cc["@mozilla.org/network/packaged-app-service;1"] .getService(Ci.nsIPackagedAppService); ok(!!paservice, "test service exists"); + gPrefs.setBoolPref("network.http.packaged-signed-apps-enabled", true); + add_test(test_bad_args); add_test(test_callback_gets_called);