Merging upstream version 125.0.2.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 30 insertions, 18 deletions

diff --git a/dom/security/nsContentSecurityUtils.cpp b/dom/security/nsContentSecurityUtils.cpp
index 01e9c6d5db..d2c1b257bc 100644
--- a/dom/security/nsContentSecurityUtils.cpp
+++ b/dom/security/nsContentSecurityUtils.cpp
@@ -1670,25 +1670,37 @@ long nsContentSecurityUtils::ClassifyDownload(
   nsCOMPtr<nsIURI> contentLocation;
   aChannel->GetURI(getter_AddRefs(contentLocation));
 
-  if (StaticPrefs::dom_block_download_insecure()) {
-    // If we are not dealing with a potentially trustworthy origin, or a URI
-    // that is safe to be loaded like e.g. data:, then we block the load.
-    bool isInsecureDownload =
-        !nsMixedContentBlocker::IsPotentiallyTrustworthyOrigin(
-            contentLocation) &&
-        !nsMixedContentBlocker::URISafeToBeLoadedInSecureContext(
-            contentLocation);
-
-    Telemetry::Accumulate(mozilla::Telemetry::INSECURE_DOWNLOADS,
-                          isInsecureDownload);
-
-    if (isInsecureDownload) {
-      nsCOMPtr<nsIHttpChannel> httpChannel = do_QueryInterface(aChannel);
-      if (httpChannel) {
-        LogMessageToConsole(httpChannel, "BlockedInsecureDownload");
-      }
-      return nsITransfer::DOWNLOAD_POTENTIALLY_UNSAFE;
+  nsCOMPtr<nsIPrincipal> loadingPrincipal = loadInfo->GetLoadingPrincipal();
+  if (!loadingPrincipal) {
+    loadingPrincipal = loadInfo->TriggeringPrincipal();
+  }
+  // Creating a fake Loadinfo that is just used for the MCB check.
+  nsCOMPtr<nsILoadInfo> secCheckLoadInfo = new mozilla::net::LoadInfo(
+      loadingPrincipal, loadInfo->TriggeringPrincipal(), nullptr,
+      nsILoadInfo::SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK,
+      nsIContentPolicy::TYPE_FETCH);
+  // Disable HTTPS-Only checks for that loadinfo. This is required because
+  // otherwise nsMixedContentBlocker::ShouldLoad would assume that the request
+  // is safe, because HTTPS-Only is handling it.
+  secCheckLoadInfo->SetHttpsOnlyStatus(nsILoadInfo::HTTPS_ONLY_EXEMPT);
+
+  int16_t decission = nsIContentPolicy::ACCEPT;
+  nsMixedContentBlocker::ShouldLoad(false,  //  aHadInsecureImageRedirect
+                                    contentLocation,   //  aContentLocation,
+                                    secCheckLoadInfo,  //  aLoadinfo
+                                    false,             //  aReportError
+                                    &decission         // aDecision
+  );
+  Telemetry::Accumulate(mozilla::Telemetry::MIXED_CONTENT_DOWNLOADS,
+                        decission != nsIContentPolicy::ACCEPT);
+
+  if (StaticPrefs::dom_block_download_insecure() &&
+      decission != nsIContentPolicy::ACCEPT) {
+    nsCOMPtr<nsIHttpChannel> httpChannel = do_QueryInterface(aChannel);
+    if (httpChannel) {
+      LogMessageToConsole(httpChannel, "MixedContentBlockedDownload");
     }
+    return nsITransfer::DOWNLOAD_POTENTIALLY_UNSAFE;
   }
 
   if (loadInfo->TriggeringPrincipal()->IsSystemPrincipal()) {