diff --git a/netwerk/protocol/http/NullHttpTransaction.cpp b/netwerk/protocol/http/NullHttpTransaction.cpp
index 7818edcb095..5c2eba9199d 100644
--- a/netwerk/protocol/http/NullHttpTransaction.cpp
+++ b/netwerk/protocol/http/NullHttpTransaction.cpp
@@ -152,7 +152,7 @@ NullHttpTransaction::TakeSubTransactions(
 }
 
 void
-NullHttpTransaction::SetSSLConnectFailed()
+NullHttpTransaction::SetProxyConnectFailed()
 {
 }
 
diff --git a/netwerk/protocol/http/NullHttpTransaction.h b/netwerk/protocol/http/NullHttpTransaction.h
index 2bdc5be1dfa..5e2fa1eeeaa 100644
--- a/netwerk/protocol/http/NullHttpTransaction.h
+++ b/netwerk/protocol/http/NullHttpTransaction.h
@@ -18,7 +18,7 @@
 // This is the minimal nsAHttpTransaction implementation. A NullHttpTransaction
 // can be used to drive connection level semantics (such as SSL handshakes
 // tunnels) so that a nsHttpConnection becomes fully established in
-// anticiation of a real transaction needing to use it soon.
+// anticipation of a real transaction needing to use it soon.
 
 namespace mozilla {
 namespace net {
diff --git a/netwerk/protocol/http/SpdySession2.cpp b/netwerk/protocol/http/SpdySession2.cpp
index b2cbfe24b0b..20fd0240f02 100644
--- a/netwerk/protocol/http/SpdySession2.cpp
+++ b/netwerk/protocol/http/SpdySession2.cpp
@@ -2176,9 +2176,9 @@ SpdySession2::GetSecurityCallbacks(nsIInterfaceRequestor **,
 }
 
 void
-SpdySession2::SetSSLConnectFailed()
+SpdySession2::SetProxyConnectFailed()
 {
- NS_ABORT_IF_FALSE(false, "SpdySession2::SetSSLConnectFailed()");
+ NS_ABORT_IF_FALSE(false, "SpdySession2::SetProxyConnectFailed()");
 }
 
 bool
diff --git a/netwerk/protocol/http/SpdySession3.cpp b/netwerk/protocol/http/SpdySession3.cpp
index 153df88dabd..6cb3691a103 100644
--- a/netwerk/protocol/http/SpdySession3.cpp
+++ b/netwerk/protocol/http/SpdySession3.cpp
@@ -2233,9 +2233,9 @@ SpdySession3::GetSecurityCallbacks(nsIInterfaceRequestor **,
 }
 
 void
-SpdySession3::SetSSLConnectFailed()
+SpdySession3::SetProxyConnectFailed()
 {
- NS_ABORT_IF_FALSE(false, "SpdySession3::SetSSLConnectFailed()");
+ NS_ABORT_IF_FALSE(false, "SpdySession3::SetProxyConnectFailed()");
 }
 
 bool
diff --git a/netwerk/protocol/http/nsAHttpTransaction.h b/netwerk/protocol/http/nsAHttpTransaction.h
index f82e1de2972..803b9942957 100644
--- a/netwerk/protocol/http/nsAHttpTransaction.h
+++ b/netwerk/protocol/http/nsAHttpTransaction.h
@@ -63,8 +63,8 @@ public:
 // called to close the transaction
 virtual void Close(nsresult reason) = 0;
 
- // called to indicate a failure at the SSL setup level
- virtual void SetSSLConnectFailed() = 0;
+ // called to indicate a failure with proxy CONNECT
+ virtual void SetProxyConnectFailed() = 0;
 
 // called to retrieve the request headers of the transaction
 virtual nsHttpRequestHead *RequestHead() = 0;
@@ -149,7 +149,7 @@ public:
 nsresult ReadSegments(nsAHttpSegmentReader *, uint32_t, uint32_t *); \
 nsresult WriteSegments(nsAHttpSegmentWriter *, uint32_t, uint32_t *); \
 void Close(nsresult reason); \
- void SetSSLConnectFailed(); \
+ void SetProxyConnectFailed(); \
 nsHttpRequestHead *RequestHead(); \
 uint32_t Http1xTransactionCount(); \
 nsresult TakeSubTransactions(nsTArray > &outTransactions); \
diff --git a/netwerk/protocol/http/nsHttpChannel.cpp b/netwerk/protocol/http/nsHttpChannel.cpp
index bff3cad8eeb..62db41d8ed4 100644
--- a/netwerk/protocol/http/nsHttpChannel.cpp
+++ b/netwerk/protocol/http/nsHttpChannel.cpp
@@ -722,8 +722,8 @@ nsHttpChannel::SetupTransaction()
 if (!mAllowSpdy)
 mCaps |= NS_HTTP_DISALLOW_SPDY;
 
- // use the URI path if not proxying (transparent proxying such as SSL proxy
- // does not count here). also, figure out what version we should be speaking.
+ // Use the URI path if not proxying (transparent proxying such as proxy
+ // CONNECT does not count here). Also figure out what HTTP version to use.
 nsCAutoString buf, path;
 nsCString* requestURI;
 if (mConnectionInfo->UsingConnect() ||
@@ -1005,21 +1005,21 @@ nsHttpChannel::CallOnStartRequest()
 }
 
 nsresult
-nsHttpChannel::ProcessFailedSSLConnect(uint32_t httpStatus)
+nsHttpChannel::ProcessFailedProxyConnect(uint32_t httpStatus)
 {
- // Failure to set up SSL proxy tunnel means one of the following:
+ // Failure to set up a proxy tunnel via CONNECT means one of the following:
 // 1) Proxy wants authorization, or forbids.
 // 2) DNS at proxy couldn't resolve target URL.
 // 3) Proxy connection to target failed or timed out.
- // 4) Eve noticed our proxy CONNECT, and is replying with malicious HTML.
- //
- // Our current architecture will parse response content with the
- // permission of the target URL! Given #4, we must avoid rendering the
- // body of the reply, and instead give the user a (hopefully helpful)
+ // 4) Eve intercepted our CONNECT, and is replying with malicious HTML.
+ //
+ // Our current architecture would parse the proxy's response content with
+ // the permission of the target URL. Given #4, we must avoid rendering the
+ // body of the reply, and instead give the user a (hopefully helpful)
 // boilerplate error page, based on just the HTTP status of the reply.
 
 NS_ABORT_IF_FALSE(mConnectionInfo->UsingConnect(),
- "SSL connect failed but not using SSL?");
+ "proxy connect failed but not using CONNECT?");
 nsresult rv;
 switch (httpStatus)
 {
@@ -1070,21 +1070,13 @@ nsHttpChannel::ProcessFailedSSLConnect(uint32_t httpStatus)
 rv = NS_ERROR_PROXY_CONNECTION_REFUSED;
 break;
 }
- LOG(("Cancelling failed SSL proxy connection [this=%p httpStatus=%u]\n",
+ LOG(("Cancelling failed proxy CONNECT [this=%p httpStatus=%u]\n",
 this, httpStatus));
 Cancel(rv);
 CallOnStartRequest();
 return rv;
 }
 
-bool
-nsHttpChannel::ShouldSSLProxyResponseContinue(uint32_t httpStatus)
-{
- // When SSL connect has failed, allow proxy reply to continue only if it's
- // a 407 (proxy authentication required) response
- return (httpStatus == 407);
-}
-
 /**
 * Decide whether or not to remember Strict-Transport-Security, and whether
 * or not to enforce channel integrity.
@@ -1182,10 +1174,11 @@ nsHttpChannel::ProcessResponse()
 LOG(("nsHttpChannel::ProcessResponse [this=%p httpStatus=%u]\n",
 this, httpStatus));
 
- if (mTransaction->SSLConnectFailed()) {
- if (!ShouldSSLProxyResponseContinue(httpStatus))
- return ProcessFailedSSLConnect(httpStatus);
- // If SSL proxy response needs to complete, wait to process connection
+ if (mTransaction->ProxyConnectFailed()) {
+ // Only allow 407 (authentication required) to continue
+ if (httpStatus != 407)
+ return ProcessFailedProxyConnect(httpStatus);
+ // If proxy CONNECT response needs to complete, wait to process connection
 // for Strict-Transport-Security.
 } else {
 // Given a successful connection, process any STS data that's relevant.
@@ -1290,7 +1283,7 @@ nsHttpChannel::ProcessResponse()
 case 407:
 rv = mAuthProvider->ProcessAuthentication(
 httpStatus, mConnectionInfo->UsingSSL() &&
- mTransaction->SSLConnectFailed());
+ mTransaction->ProxyConnectFailed());
 if (rv == NS_ERROR_IN_PROGRESS) {
 // authentication prompt has been invoked and result
 // is expected asynchronously
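Review bot: In the new `if (mTransaction->ProxyConnectFailed())` block, the inlined `httpStatus != 407` check removes the only place that explained why 407 is the one status allowed through; the replacement comment names the status but not the reason, and the same literal now also stands alone as `case 407:` further down. Suggest widening the comment to `// Only a 407 (proxy authentication required) may continue: it is handed to ProcessAuthentication in the 407 case below, and a failed authentication still ends in ProcessFailedProxyConnect, so the proxy's body is never rendered with the target URL's permissions.` That keeps the security reasoning next to the check that enforces it, where the deleted ShouldSSLProxyResponseContinue used to carry it. ProcessResponse begins and ends outside this hunk.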
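Review bot: In the `case 407:` branch the failed-CONNECT argument to ProcessAuthentication is still gated on `mConnectionInfo->UsingSSL() &&`, even though the rest of the commit treats the flag as covering any proxy CONNECT (nsHttpConnection::OnHeadersAvailable sets it whenever the CONNECT fails and logs `ssl=%s` either way). If a 407 can now arrive on a non-SSL CONNECT, this call passes false, so the auth provider presumably cannot tell a tunnel-setup challenge from an ordinary one. Confirm whether the guard is still intended, in which case a comment such as `// only an SSL tunnel's CONNECT 407 is reported to the auth provider as a failed connect` should say so, or whether the argument should simply become `httpStatus, mTransaction->ProxyConnectFailed());`. ProcessResponse continues outside this hunk.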
@@ -1305,8 +1298,8 @@ nsHttpChannel::ProcessResponse()
 }
 else if (NS_FAILED(rv)) {
 LOG(("ProcessAuthentication failed [rv=%x]\n", rv));
- if (mTransaction->SSLConnectFailed())
- return ProcessFailedSSLConnect(httpStatus);
+ if (mTransaction->ProxyConnectFailed())
+ return ProcessFailedProxyConnect(httpStatus);
 if (!mAuthRetryPending)
 mAuthProvider->CheckForSuperfluousAuth();
 rv = ProcessNormal();
@@ -1376,8 +1369,8 @@ nsHttpChannel::ContinueProcessResponse(nsresult rv)
 }
 
 LOG(("ContinueProcessResponse got failure result [rv=%x]\n", rv));
- if (mTransaction->SSLConnectFailed()) {
- return ProcessFailedSSLConnect(mRedirectType);
+ if (mTransaction->ProxyConnectFailed()) {
+ return ProcessFailedProxyConnect(mRedirectType);
 }
 return ProcessNormal();
 }
diff --git a/netwerk/protocol/http/nsHttpChannel.h b/netwerk/protocol/http/nsHttpChannel.h
index 493c18f055e..703f927ef4c 100644
--- a/netwerk/protocol/http/nsHttpChannel.h
+++ b/netwerk/protocol/http/nsHttpChannel.h
@@ -163,8 +163,7 @@ private:
 nsresult AsyncProcessRedirection(uint32_t httpStatus);
 nsresult ContinueProcessRedirection(nsresult);
 nsresult ContinueProcessRedirectionAfterFallback(nsresult);
- bool ShouldSSLProxyResponseContinue(uint32_t httpStatus);
- nsresult ProcessFailedSSLConnect(uint32_t httpStatus);
+ nsresult ProcessFailedProxyConnect(uint32_t httpStatus);
 nsresult ProcessFallback(bool *waitingForRedirectCallback);
 nsresult ContinueProcessFallback(nsresult);
 void HandleAsyncAbort();
diff --git a/netwerk/protocol/http/nsHttpChannelAuthProvider.cpp b/netwerk/protocol/http/nsHttpChannelAuthProvider.cpp
index 0084564dbe2..607c2f0c1e9 100644
--- a/netwerk/protocol/http/nsHttpChannelAuthProvider.cpp
+++ b/netwerk/protocol/http/nsHttpChannelAuthProvider.cpp
@@ -112,7 +112,7 @@ nsHttpChannelAuthProvider::ProcessAuthentication(uint32_t httpStatus,
 
 if (mProxyAuth) {
 // only allow a proxy challenge if we have a proxy server configured.
- // otherwise, we could inadvertantly expose the user's proxy
+ // otherwise, we could inadvertently expose the user's proxy
 // credentials to an origin server. We could attempt to proceed as
 // if we had received a 401 from the server, but why risk flirting
 // with trouble? IE similarly rejects 407s when a proxy server is
diff --git a/netwerk/protocol/http/nsHttpConnection.cpp b/netwerk/protocol/http/nsHttpConnection.cpp
index db62a61a607..ba9e24e2fc7 100644
--- a/netwerk/protocol/http/nsHttpConnection.cpp
+++ b/netwerk/protocol/http/nsHttpConnection.cpp
@@ -833,9 +833,9 @@ nsHttpConnection::OnHeadersAvailable(nsAHttpTransaction *trans,
 if (!mProxyConnectStream)
 HandleAlternateProtocol(responseHead);
 
- // if we're doing an SSL proxy connect, then we need to check whether or not
- // the connect was successful. if so, then we have to reset the transaction
- // and step-up the socket connection to SSL. finally, we have to wake up the
+ // If we're doing a proxy connect, we need to check whether or not
+ // it was successful. If so, we have to reset the transaction and step-up
+ // the socket connection if using SSL. Finally, we have to wake up the
 // socket write request.
 if (mProxyConnectStream) {
 NS_ABORT_IF_FALSE(!mUsingSpdyVersion,
@@ -860,7 +860,7 @@ nsHttpConnection::OnHeadersAvailable(nsAHttpTransaction *trans,
 else {
 LOG(("proxy CONNECT failed! ssl=%s\n",
 mConnInfo->UsingSSL() ? "true" :"false"));
- mTransaction->SetSSLConnectFailed();
+ mTransaction->SetProxyConnectFailed();
 }
 }
 
@@ -1199,8 +1199,8 @@ nsHttpConnection::OnSocketWritable()
 do {
 mSocketOutCondition = NS_OK;
 
- // if we're doing an SSL proxy connect, then we need to bypass calling
- // into the transaction.
+ // If we're doing a proxy connect, then we need to bypass calling into
+ // the transaction.
 //
 // NOTE: this code path can't be shared since the transaction doesn't
 // implement nsIInputStream. doing so is not worth the added cost of
diff --git a/netwerk/protocol/http/nsHttpPipeline.cpp b/netwerk/protocol/http/nsHttpPipeline.cpp
index 628be4ec373..9e598787dbc 100644
--- a/netwerk/protocol/http/nsHttpPipeline.cpp
+++ b/netwerk/protocol/http/nsHttpPipeline.cpp
@@ -349,12 +349,12 @@ nsHttpPipeline::Classification()
 }
 
 void
-nsHttpPipeline::SetSSLConnectFailed()
+nsHttpPipeline::SetProxyConnectFailed()
 {
 nsAHttpTransaction *trans = Request(0);
 
 if (trans)
- trans->SetSSLConnectFailed();
+ trans->SetProxyConnectFailed();
 }
 
 nsHttpRequestHead *
@@ -652,7 +652,7 @@ nsHttpPipeline::WriteSegments(nsAHttpSegmentWriter *writer,
 trans = Response(0);
 // This code deals with the establishment of a CONNECT tunnel through
 // an HTTP proxy. It allows the connection to do the CONNECT/200
- // HTTP transaction to establish an SSL tunnel as a precursor to the
+ // HTTP transaction to establish a tunnel as a precursor to the
 // actual pipeline of regular HTTP transactions.
 if (!trans && mRequestQ.Length() &&
 mConnection->IsProxyConnectInProgress()) {
diff --git a/netwerk/protocol/http/nsHttpTransaction.cpp b/netwerk/protocol/http/nsHttpTransaction.cpp
index fc78a0b9dab..7b9f9e92b1b 100644
--- a/netwerk/protocol/http/nsHttpTransaction.cpp
+++ b/netwerk/protocol/http/nsHttpTransaction.cpp
@@ -102,7 +102,7 @@ nsHttpTransaction::nsHttpTransaction()
 , mReceivedData(false)
 , mStatusEventPending(false)
 , mHasRequestBody(false)
- , mSSLConnectFailed(false)
+ , mProxyConnectFailed(false)
 , mHttpResponseMatched(false)
 , mPreserveStream(false)
 , mReportedStart(false)
@@ -353,9 +353,9 @@ nsHttpTransaction::TakeResponseHead()
 }
 
 void
-nsHttpTransaction::SetSSLConnectFailed()
+nsHttpTransaction::SetProxyConnectFailed()
 {
- mSSLConnectFailed = true;
+ mProxyConnectFailed = true;
 }
 
 nsHttpRequestHead *
diff --git a/netwerk/protocol/http/nsHttpTransaction.h b/netwerk/protocol/http/nsHttpTransaction.h
index 2bd9739637e..0f4f7f6bf10 100644
--- a/netwerk/protocol/http/nsHttpTransaction.h
+++ b/netwerk/protocol/http/nsHttpTransaction.h
@@ -94,7 +94,7 @@ public:
 // Called to find out if the transaction generated a complete response.
 bool ResponseIsComplete() { return mResponseIsComplete; }
 
- bool SSLConnectFailed() { return mSSLConnectFailed; }
+ bool ProxyConnectFailed() { return mProxyConnectFailed; }
 
 // SetPriority() may only be used by the connection manager.
 void SetPriority(int32_t priority) { mPriority = priority; }
@@ -193,7 +193,7 @@ private:
 bool mReceivedData;
 bool mStatusEventPending;
 bool mHasRequestBody;
- bool mSSLConnectFailed;
+ bool mProxyConnectFailed;
 bool mHttpResponseMatched;
 bool mPreserveStream;
 
diff --git a/netwerk/protocol/http/nsIHttpAuthManager.idl b/netwerk/protocol/http/nsIHttpAuthManager.idl
index 4d9d000393b..a658f202753 100644
--- a/netwerk/protocol/http/nsIHttpAuthManager.idl
+++ b/netwerk/protocol/http/nsIHttpAuthManager.idl
@@ -27,7 +27,7 @@ interface nsIHttpAuthManager : nsISupports
 *
 * @param aScheme
 * the URL scheme (e.g., "http"). NOTE: for proxy authentication,
- * this should be "http" (this includes authentication for SSL
+ * this should be "http" (this includes authentication for CONNECT
 * tunneling).
 * @param aHost
 * the host of the server issuing a challenge (ASCII only).
@@ -61,7 +61,7 @@ interface nsIHttpAuthManager : nsISupports
 *
 * @param aScheme
 * the URL scheme (e.g., "http"). NOTE: for proxy authentication,
- * this should be "http" (this includes authentication for SSL
+ * this should be "http" (this includes authentication for CONNECT
 * tunneling).
 * @param aHost
 * the host of the server issuing a challenge (ASCII only).