Bug 1641597 - Add document.allowDeprecatedTls for error pages r=geckoview-reviewers,NeilDeakin,smaug,esawin

Differential Revision: https://phabricator.services.mozilla.com/D78365
2020-07-08 15:37:18 +00:00 · 2020-07-08 15:37:18 +00:00 · 43c90527a5
commit 43c90527a5
parent 8ccf28a8ba
8 changed files with 74 additions and 0 deletions
--- a/dom/base/Document.cpp
+++ b/dom/base/Document.cpp
@ -1831,6 +1831,28 @@ void Document::GetFailedCertSecurityInfo(FailedCertSecurityInfo& aInfo,
  }
 }

+bool Document::AllowDeprecatedTls() {
+  return Preferences::GetBool("security.tls.version.enable-deprecated", false);
+}
+
+void Document::SetAllowDeprecatedTls(bool value) {
+  if (!IsErrorPage()) {
+    return;
+  }
+
+  auto docShell = GetDocShell();
+  if (!docShell) {
+    return;
+  }
+
+  auto child = BrowserChild::GetFrom(docShell);
+  if (!child) {
+    return;
+  }
+
+  child->SendSetAllowDeprecatedTls(value);
+}
+
 bool Document::IsAboutPage() const {
  nsCOMPtr<nsIPrincipal> principal = NodePrincipal();
  return principal->SchemeIs("about");
--- a/dom/base/Document.h
+++ b/dom/base/Document.h
@ -2228,6 +2228,12 @@ class Document : public nsINode,
  void GetFailedCertSecurityInfo(mozilla::dom::FailedCertSecurityInfo& aInfo,
                                 ErrorResult& aRv);

+  /**
+   * Controls whether or not we allow TLS 1.0/1.1. Only exposed to error pages.
+   */
+  bool AllowDeprecatedTls();
+  void SetAllowDeprecatedTls(bool aResult);
+
  /**
   * Set the channel that failed to load and resulted in an error page.
   * This is only relevant to error pages.
--- a/dom/ipc/BrowserParent.cpp
+++ b/dom/ipc/BrowserParent.cpp
@ -2761,6 +2761,11 @@ mozilla::ipc::IPCResult BrowserParent::RecvNotifyContentBlockingEvent(
  return IPC_OK();
 }

+mozilla::ipc::IPCResult BrowserParent::RecvSetAllowDeprecatedTls(bool value) {
+  Preferences::SetBool("security.tls.version.enable-deprecated", value);
+  return IPC_OK();
+}
+
 already_AddRefed<nsIBrowser> BrowserParent::GetBrowser() {
  nsCOMPtr<nsIBrowser> browser;
  RefPtr<Element> currentElement = mFrameElement;
--- a/dom/ipc/BrowserParent.h
+++ b/dom/ipc/BrowserParent.h
@ -314,6 +314,8 @@ class BrowserParent final : public PBrowserParent,
      const Maybe<mozilla::ContentBlockingNotifier::
                      StorageAccessPermissionGrantedReason>& aReason);

+  mozilla::ipc::IPCResult RecvSetAllowDeprecatedTls(bool value);
+
  mozilla::ipc::IPCResult RecvNavigationFinished();

  already_AddRefed<nsIBrowser> GetBrowser();
--- a/dom/ipc/PBrowser.ipdl
+++ b/dom/ipc/PBrowser.ipdl
@ -672,6 +672,8 @@ parent:
                             ScrollAxis aHorizontal, ScrollFlags aScrollFlags,
                             int32_t aAppUnitsPerDevPixel);

+    async SetAllowDeprecatedTls(bool value);
+
 child:
    /**
     * Notify the remote browser that it has been Show()n on this side. This
--- a/dom/webidl/Document.webidl
+++ b/dom/webidl/Document.webidl
@ -328,6 +328,9 @@ partial interface Document {

  [Func="Document::CallerIsTrustedAboutNetError", Throws]
  NetErrorInfo getNetErrorInfo();
+
+  [Func="Document::CallerIsTrustedAboutNetError"]
+  attribute boolean allowDeprecatedTls;
 };

 // https://w3c.github.io/page-visibility/#extensions-to-the-document-interface
--- a/mobile/android/geckoview/src/androidTest/java/org/mozilla/geckoview/test/NavigationDelegateTest.kt
+++ b/mobile/android/geckoview/src/androidTest/java/org/mozilla/geckoview/test/NavigationDelegateTest.kt
@ -200,6 +200,39 @@ class NavigationDelegateTest : BaseSessionTest() {
        mainSession.waitForPageStop()
    }

+    @Test fun loadDeprecatedTls() {
+        // Load an initial generic error page in order to ensure 'allowDeprecatedTls' is false
+        testLoadExpectError(UNKNOWN_HOST_URI,
+                WebRequestError.ERROR_CATEGORY_URI,
+                WebRequestError.ERROR_UNKNOWN_HOST)
+        mainSession.evaluateJS("document.allowDeprecatedTls = false")
+
+        val uri = if (sessionRule.env.isAutomation) {
+            "https://tls1.example.com/"
+        } else {
+            "https://tls-v1-0.badssl.com:1010/"
+        }
+        testLoadExpectError(uri,
+                WebRequestError.ERROR_CATEGORY_SECURITY,
+                WebRequestError.ERROR_SECURITY_SSL)
+
+        mainSession.delegateDuringNextWait(object : Callbacks.ProgressDelegate, Callbacks.NavigationDelegate {
+            @AssertCalled(count = 0)
+            override fun onLoadError(session: GeckoSession, uri: String?, error: WebRequestError): GeckoResult<String>? {
+                return null
+            }
+
+            @AssertCalled(count = 1)
+            override fun onPageStop(session: GeckoSession, success: Boolean) {
+                assertThat("Load should be successful", success, equalTo(true))
+            }
+        })
+
+        mainSession.evaluateJS("document.allowDeprecatedTls = true")
+        mainSession.reload()
+        mainSession.waitForPageStop()
+    }
+
    @Ignore // Disabled for bug 1619344.
    @Test fun loadUnknownProtocol() {
        testLoadEarlyError(UNKNOWN_PROTOCOL_URI,
--- a/mobile/android/geckoview/src/main/java/org/mozilla/geckoview/GeckoSession.java
+++ b/mobile/android/geckoview/src/main/java/org/mozilla/geckoview/GeckoSession.java
@ -3809,6 +3809,7 @@ public class GeckoSession implements Parcelable {
         *         - document.addCertException(isTemporary), returns Promise
         *         - document.getFailedCertSecurityInfo(), returns FailedCertSecurityInfo
         *         - document.getNetErrorInfo(), returns NetErrorInfo
+         *         - document.allowDeprecatedTls, a property indicating whether or not TLS 1.0/1.1 is allowed
         * @see <a href="https://searchfox.org/mozilla-central/source/dom/webidl/FailedCertSecurityInfo.webidl">FailedCertSecurityInfo IDL</a>
         * @see <a href="https://searchfox.org/mozilla-central/source/dom/webidl/NetErrorInfo.webidl">NetErrorInfo IDL</a>
         */