We should only need to start nsCompressedAudioVideoImageDetector when
nsUnknownDecoder is not going to be started. Generally, they are not
designed to be working together.
Differential Revision: https://phabricator.services.mozilla.com/D163063
With this patch we also try to align a bit more with the current
in-development spec at: https://whatpr.org/fetch/1442.html#orb-algorithm
The tests:
* fetch/orb/tentative/known-mime-type.sub.any.js
* fetch/orb/tentative/unknown-mime-type.sub.any.js
specifically test the case of UNKNOWN_CONTENT_TYPE, i.e. the case
where the `orb-algorithm` fails to extract a MIME type from the
response headers.
Differential Revision: https://phabricator.services.mozilla.com/D161142
DevTools can generate fetch requests on behalf of the content document;
reporting these requests in PerformanceObserver would cause confusion,
so we should ignore them.
Differential Revision: https://phabricator.services.mozilla.com/D162582
Our current code uses PeekStream to get the data and pass it
over to the sniffer; however, it doesn't account for the case where the
contents are compressed, so the sniffer would fail to determine
the type of the contents.
In this patch we create a child class of nsUnknownDecoder to utilize
its ability to hold off calling the next OnStartRequest until
the contentType is determined; we also override the DetermineContentType
method to make it focus on decoding the compressed contents only.
Credit goes to farre since he pointed out this solution.
Differential Revision: https://phabricator.services.mozilla.com/D161167
There's no point in blocking requests that users want to download,
and these requests are only being handled in the parent process.
Differential Revision: https://phabricator.services.mozilla.com/D160845
This patch starts actually blocking opaque responses
for most types of the resources that are defined in the spec.
There are still pieces missing such as blocking JSON responses,
and this is why it's called partially implemented.
This patch was originally written by farre, and I made some
modifications based on it.
Depends on D155128
Differential Revision: https://phabricator.services.mozilla.com/D155129
Currently, if users enable COEP:Credentialless by Origin-Trial,
it won't put the document into an isolated process; this patch
fixes that.
The caveat is that this only works for enabling Origin-Trial
in the response header; setting it via <meta> still won't work.
Differential Revision: https://phabricator.services.mozilla.com/D158684
UserAgent() needs a parameter because it previously was
calling the non-fine-grained RFP check. It can't call the
fine-grained check, so it needs to be told what to do.
AddStandardRequestHeaders calls UserAgent() and needs to
know what to pass it.
Differential Revision: https://phabricator.services.mozilla.com/D144582
Everywhere except one, loadInfo is supplied to an HTTPChannel
right after it is Init()-ed. Inside of Init we would like to
use the loadInfo so we'll put it in there.
Differential Revision: https://phabricator.services.mozilla.com/D144580
Spec: https://html.spec.whatwg.org/multipage/#coep:coep-credentialless
Credentialless is a new cross-origin embedder policy which allows us
to not enforce CORP when loading cross-origin resources while
providing SharedArrayBuffer.
There are two main things involved here:
1. Fetching cross-origin no-CORS resources omits credentials
   - This is done by applying the `LOAD_ANONYMOUS` flag to the request
2. Other requests sent with credentials require the server's explicit
   permission through the CORS protocol or the CORS header
   - This is done by expanding the `ProcessCrossOriginResourcePolicyHeader`
     function to apply the necessary checks.
Differential Revision: https://phabricator.services.mozilla.com/D147802
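The two credentialless rules listed in the commit message above, as a simplified model that follows the Fetch spec's cross-origin resource policy check. This is an added example, not Gecko code; the function names, the request object shape and the example.* URLs are constructed for illustration.

```javascript
// Simplified model of COEP: credentialless (hypothetical names, not Gecko code).
const sameOrigin = (a, b) => new URL(a).origin === new URL(b).origin;

// Rule 1: cross-origin no-cors requests omit credentials under credentialless
// (the commit implements this by setting LOAD_ANONYMOUS on the request).
function sendsCredentials(req, coep) {
  const crossOrigin = !sameOrigin(req.initiator, req.url);
  if (coep === "credentialless" && crossOrigin && req.mode === "no-cors") {
    return false;
  }
  return req.credentials === "include" ||
    (req.credentials === "same-origin" && !crossOrigin);
}

// Rule 2: CORP check for no-cors responses. With no CORP header, require-corp
// always defaults to "same-origin"; credentialless does so only when the
// request carried credentials.
function corpCheck(req, coep, corpHeader) {
  if (req.mode !== "no-cors") return "allowed"; // CORS mode: the CORS protocol decides
  let policy = corpHeader; // null when the response has no CORP header
  if (policy === null) {
    if (coep === "require-corp" ||
        (coep === "credentialless" && sendsCredentials(req, coep))) {
      policy = "same-origin";
    }
  }
  if (policy === null || policy === "cross-origin") return "allowed";
  if (policy === "same-origin") {
    return sameOrigin(req.initiator, req.url) ? "allowed" : "blocked";
  }
  // "same-site" needs a public-suffix lookup, which this model leaves out.
  throw new Error(`unmodelled CORP value: ${policy}`);
}

function evaluate(req, coep, corpHeader = null) {
  return { credentials: sendsCredentials(req, coep),
           corp: corpCheck(req, coep, corpHeader) };
}

// Constructed sample: an <img> on app.example loading from cdn.example.
const img = { initiator: "https://app.example/", url: "https://cdn.example/a.png",
              mode: "no-cors", credentials: "include" };
for (const coep of ["unsafe-none", "require-corp", "credentialless"]) {
  console.log(coep, evaluate(img, coep));
}
```

The same image that `require-corp` blocks for lacking a CORP header loads under `credentialless`, but without cookies; an explicit `Cross-Origin-Resource-Policy: same-origin` header still blocks it in every mode.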
Given the Fetch spec, the TAO check algorithm has been updated to
be more restricted. This patch updates the algorithm to match the
spec.
Differential Revision: https://phabricator.services.mozilla.com/D146737
According to the latest Fetch spec, we should generate an opaque
PerformanceResourceTiming entry for cross-origin redirects, rather than
not generating it at all.
Plus the timings for cross-origin redirects won't be leaked unless all
redirects pass the TAO check.
Differential Revision: https://phabricator.services.mozilla.com/D146580
This patch is more conservative for requests initiated by add-ons and prefers
to send no Origin header instead of Origin: null.
Differential Revision: https://phabricator.services.mozilla.com/D147091