diff --git a/dom/security/nsHTTPSOnlyUtils.cpp b/dom/security/nsHTTPSOnlyUtils.cpp
index 5c32d49e917fa..bb5c2ed0f1d02 100644
--- a/dom/security/nsHTTPSOnlyUtils.cpp
+++ b/dom/security/nsHTTPSOnlyUtils.cpp
@@ -268,6 +268,18 @@ void nsHTTPSOnlyUtils::TestSitePermissionAndPotentiallyAddExemption(
 loadInfo->SetHttpsOnlyStatus(httpsOnlyStatus);
 }
+/* static */
+bool nsHTTPSOnlyUtils::IsSafeToAcceptCORSOrMixedContent(
+ nsILoadInfo* aLoadInfo) {
+ // Check if the request is exempt from upgrades
+ if ((aLoadInfo->GetHttpsOnlyStatus() & nsILoadInfo::HTTPS_ONLY_EXEMPT)) {
+ return false;
+ }
+ // Check if HTTPS-Only Mode is enabled for this request
+ bool isPrivateWin = aLoadInfo->GetOriginAttributes().mPrivateBrowsingId > 0;
+ return nsHTTPSOnlyUtils::IsHttpsOnlyModeEnabled(isPrivateWin);
+}
+
 /* ------ Logging ------ */
 /* static */
diff --git a/dom/security/nsHTTPSOnlyUtils.h b/dom/security/nsHTTPSOnlyUtils.h
index 864c17dd8a72a..477c35fbe7058 100644
--- a/dom/security/nsHTTPSOnlyUtils.h
+++ b/dom/security/nsHTTPSOnlyUtils.h
@@ -79,6 +79,14 @@ class nsHTTPSOnlyUtils {
 static void TestSitePermissionAndPotentiallyAddExemption(
 nsIChannel* aChannel);
+ /**
+ * Checks whether CORS or mixed content requests are safe because they'll get
+ * upgraded to HTTPS
+ * @param aLoadInfo nsILoadInfo of request
+ * @return true if it's safe to accept
+ */
+ static bool IsSafeToAcceptCORSOrMixedContent(nsILoadInfo* aLoadInfo);
+
 private:
 /**
 * Logs localized message to either content console or browser console
diff --git a/dom/security/nsMixedContentBlocker.cpp b/dom/security/nsMixedContentBlocker.cpp
index dad6b36e83535..03272205ecde2 100644
--- a/dom/security/nsMixedContentBlocker.cpp
+++ b/dom/security/nsMixedContentBlocker.cpp
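Review bot: `aLoadInfo` is dereferenced on the first line of the new IsSafeToAcceptCORSOrMixedContent without any check; both call sites in this patch pass a load info that appears to be guaranteed non-null, but a `MOZ_ASSERT(aLoadInfo);` at the top would document that precondition for future callers of a helper whose `true` answer lets them skip a security check. The doubled parentheses in `if ((aLoadInfo->GetHttpsOnlyStatus() & nsILoadInfo::HTTPS_ONLY_EXEMPT))` are redundant; `if (aLoadInfo->GetHttpsOnlyStatus() & nsILoadInfo::HTTPS_ONLY_EXEMPT) {` reads the same. The first comment could also say why the exemption wins, e.g. `// An exempt request will not be upgraded, so its CORS/mixed-content checks must not be skipped.`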
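Review bot: The new Doxygen block in nsHTTPSOnlyUtils.h describes the result only as "safe" without saying what is actually tested, which matters because callers bypass a CORS or mixed-content check on `true`. Suggest restating it in terms of the implementation: `Returns true if HTTPS-Only Mode is enabled for the request's (private or normal) browsing context and the request does not carry HTTPS_ONLY_EXEMPT, i.e. the load will be upgraded to HTTPS before any data is fetched; callers may then skip their CORS or mixed-content check.` The sentence after "upgraded to HTTPS" is also missing its period.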
@@ -645,9 +645,8 @@ nsresult nsMixedContentBlocker::ShouldLoad(bool aHadInsecureImageRedirect,
 return NS_OK;
 }
- // If https-only mode is enabled we'll upgrade this later anyway
- bool isPrivateWin = aLoadInfo->GetOriginAttributes().mPrivateBrowsingId > 0;
- if (nsHTTPSOnlyUtils::IsHttpsOnlyModeEnabled(isPrivateWin)) {
+ // Check if https-only mode upgrades this later anyway
+ if (nsHTTPSOnlyUtils::IsSafeToAcceptCORSOrMixedContent(aLoadInfo)) {
 *aDecision = ACCEPT;
 return NS_OK;
 }
diff --git a/netwerk/protocol/http/nsCORSListenerProxy.cpp b/netwerk/protocol/http/nsCORSListenerProxy.cpp
index 7af59acc2b5fd..0da61b71d1ee8 100644
--- a/netwerk/protocol/http/nsCORSListenerProxy.cpp
+++ b/netwerk/protocol/http/nsCORSListenerProxy.cpp
@@ -892,11 +892,9 @@ nsresult nsCORSListenerProxy::UpdateChannel(nsIChannel* aChannel,
 // then the xhr request will be upgraded to https before it fetches any data
 // from the netwerk, hence we shouldn't require CORS in that specific case.
 if (CheckInsecureUpgradePreventsCORS(mRequestingPrincipal, aChannel)) {
- // Check if HTTPS-Only Mode is enabled
+ // Check if https-only mode upgrades this later anyway
 nsCOMPtr loadinfo = aChannel->LoadInfo();
- bool isPrivateWin = loadinfo->GetOriginAttributes().mPrivateBrowsingId > 0;
- if (!(loadInfo->GetHttpsOnlyStatus() & nsILoadInfo::HTTPS_ONLY_EXEMPT) &&
- nsHTTPSOnlyUtils::IsHttpsOnlyModeEnabled(isPrivateWin)) {
+ if (nsHTTPSOnlyUtils::IsSafeToAcceptCORSOrMixedContent(loadinfo)) {
 return NS_OK;
 }
 // Check if 'upgrade-insecure-requests' is used
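Review bot: The replaced comment `// Check if https-only mode upgrades this later anyway` does not record that this call site in ShouldLoad now also honours HTTPS_ONLY_EXEMPT, which the removed lines did not: an exempt load no longer gets the early ACCEPT here and instead falls through to the regular mixed-content evaluation. Because that is a visible change at a security decision point, the comment should state it, e.g. `// HTTPS-Only Mode will upgrade this load later unless it is exempt; exempt loads fall through to the normal mixed-content checks.` ShouldLoad continues outside the hunk on both sides.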
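Review bot: The local `loadinfo` keeps its lower-case spelling while the helper's parameter and the sibling call site in nsMixedContentBlocker.cpp use `aLoadInfo`, and the removed condition even read `loadInfo`; renaming it to `nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo();` (the template argument seems to have been dropped by the page rendering) would keep the two call sites consistent. Since the early `return NS_OK;` bypasses CORS enforcement on the helper's answer alone, the new comment could also spell out the exemption case: `// HTTPS-Only Mode will upgrade this request unless it is exempt; only then is skipping CORS safe.` The body of UpdateChannel continues outside the hunk.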