1329401 - Rollup updates for FeedConverter.js sync with Firefox as at 20161231

Status: RESOLVED FIXED

(SeaMonkey :: Feed Discovery and Preview, defect)

Description

[Philip Chee]

Port the following bugs from Firefox:
[sg bugs]
Bug 1277685 - Nested feed: URIs should only allow http/https as inner URIs
https://hg.mozilla.org/mozilla-central/rev/2974a3e83592
Bug 1277698 - Consider making feed: DANGEROUS_TO_LOAD
https://hg.mozilla.org/mozilla-central/rev/f48fbe411650

[normal bugs]
Bug 1233899 - fix the feeds converter to use default user context origin attributes
https://hg.mozilla.org/mozilla-central/rev/8e052220dd9e
Bug 1165272 - unify Get*CodebasePrincipal with createCodebasePrincipal in nsIScriptSecurityManager
https://hg.mozilla.org/mozilla-central/rev/5a29e8bc51ca

[minor tweaks]
Bug 1314918 - Fix most of the remaining no-unused-vars issues.
Bug 1199239, remove cpow usage from bookmark this page.

Comment 1

[Philip Chee]

Attachment: Patch v1.0 Fixes.

>          chromeChannel.owner = Services.scriptSecurityManager
> -                                      .getNoAppCodebasePrincipal(chromeURI);
> +                                      .createCodebasePrincipal(chromeURI,
> +                                                               loadInfo.originAttributes);
Bug 1165272 - Part 2: Replace getNoAppCodebasePrincipal with createCodebasePrincipal.
Bug 1233899 - Fix the feeds converter to use default user context origin attributes

>  GenericProtocolHandler.prototype = {
>    get protocolFlags() {
> -    return this._http.protocolFlags;
> +    var httpPref = "browser.feeds.feeds_like_http"
> +    if (Services.prefs.getPrefType(httpPref) == Services.prefs.PREF_BOOL &&
> +        Services.prefs.getBoolPref(httpPref)) {
> +      return this._http.protocolFlags;
> +    }
> +
> +    return this._http.URI_DANGEROUS_TO_LOAD |
> +           this._http.ALLOWS_PROXY |
> +           this._http.ALLOWS_PROXY_HTTP;
Bug 1277698 - Consider making feed: DANGEROUS_TO_LOAD

> -    var netutil = Components.classes["@mozilla.org/network/util;1"]
> -                            .getService(Components.interfaces.nsINetUtil);
> -    if (netutil.URIChainHasFlags(inner,
> -        Components.interfaces.nsIProtocolHandler.URI_INHERITS_SECURITY_CONTEXT))
> +
> +    if (! /^https?/.test(inner.scheme))
>        throw Components.results.NS_ERROR_MALFORMED_URI;
....
> -    var uri = netutil.newSimpleNestedURI(inner);
> +    var uri = Services.io.QueryInterface(Components.interfaces.nsINetUtil)
> +                         .newSimpleNestedURI(inner);
Bug 1277685 - Nested feed: URIs should only allow http/https as inner URIs

> -      var noSniff = httpChannel.getResponseHeader("X-Moz-Is-Feed");
> +      // Note: this throws if the header is not set.
> +      httpChannel.getResponseHeader("X-Moz-Is-Feed");
Bug 1314918 - Fix most of the remaining no-unused-vars issues.

>      case "bookmarks":
>        var topWindow = Services.wm.getMostRecentWindow("navigator:browser");
>        topWindow.PlacesCommandHook.addLiveBookmark(spec, title, subtitle);
> -      topWindow.PlacesCommandHook.addLiveBookmark(spec, title, subtitle);
> +      topWindow.PlacesCommandHook.addLiveBookmark(spec, title, subtitle)
> +                                 .catch(Components.utils.reportError);
Bug 1199239, remove cpow usage from bookmark this page.

Comment 2

[Philip Chee]

Comment on attachment 8824655 [details] [diff] [review]
Patch v1.0 Fixes.

My build environment is broken so I can't test.
FRG: could you take this patch for a spin round the block? Thanks.

Comment 3

[Frank-Rainer Grahl (:frg)]

Comment on attachment 8824655 [details] [diff] [review]
Patch v1.0 Fixes.

Works. I put it on top of bug 1329186. Tested with two feeds and source code changes look sane. The patch is bitrotted. Needs one change.

Comment 4

[Philip Chee]

Thanks!
> The patch is bitrotted. Needs one change.
If r+ I will push an unbitrotted patch ;)

Comment 5

[Ian Neal]

Comment on attachment 8824655 [details] [diff] [review]
Patch v1.0 Fixes.

r/a=me for unbitrotted patch

Comment 6

[Philip Chee]

http://hg.mozilla.org/comm-central/rev/d1e921152a8fd1c4d87580a5f6e7682f96058d6f

Comment 7

[Philip Chee]

Comment on attachment 8824655 [details] [diff] [review]
Patch v1.0 Fixes.

[Approval Request Comment]
Regression caused by (bug #): N/A

User impact if declined: Missing security fixes Bug 1277685 and Bug 1277698 which landed on Firefox 50. The other patches landed on Firefox 50 or earlier except Bug 1314918 which is just fixing nits.

Testing completed (on m-c, etc.): comm-central and Firefox 50

Risk to taking this patch (and alternatives if risky): Low risk. Has been baked in mozilla-central since Firefox 50.

String changes made by this patch: none

Comment 8

[Philip Chee]

Pushed to comm-aurora: (SeaMonkey 2.49)
http://hg.mozilla.org/releases/comm-beta/rev/7e4b5f38cfe14f65c92af09b71c2e4ee2082f8e2
Pushed to comm-beta: (SeaMonkey 2.48)
http://hg.mozilla.org/releases/comm-release/rev/1a420d3ee2c640a9688e75ddafd858c6551611e0