1892011 - RFC1918 exceptions for HTTP download blocking missing

Status: RESOLVED DUPLICATE of bug 1877195

(Core :: DOM: Security, defect, P1)

Description

[Simon Friedberger (:simonf)]

HTTPS-only mode checks for local IP address ranges: https://searchfox.org/mozilla-central/source/dom/security/nsHTTPSOnlyUtils.cpp#847
HTTP download warnings don't seem to have such a check: https://searchfox.org/mozilla-central/source/dom/security/nsContentSecurityUtils.cpp#1665

Comment 1

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1877195

:ckerschb, since you are the author of the regressor, bug 1877195, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Comment 2

[Christoph Kerschbaumer [:ckerschb]]

FWIW, I am not sure this is really a regression because the previous code went through the Mixed Content Blocker and now we are calling functions explicitly. Anyway, I think we should add an exception and fix this.

Comment 3

[Donal Meehan [:dmeehan]]

Setting Fx126 as disabled, the regressor was backed out of beta

Comment 4

[Ryan VanderMeulen [:RyanVM]]

Bug 1877195 was backed out from Release for Desktop 125.0.2 / Android 125.2.0 going out early next week. Additionally, a remote pref-flip hotfix (visible in about:studies as "HTTP download configuration") has been deployed to users of Desktop 125.0.1 to disable the new functionality to mitigate this issue until the dot release goes out.

Comment 5

[Donal Meehan [:dmeehan]]

Setting Fx127 as disabled, the regressor was backed out of central

Comment 6

[Christoph Kerschbaumer [:ckerschb]]

Please note that we backed out Bug 1877195. Whenever we are going to-reland Bug 1877195 we'll make sure this incorporate the RFC1918 exceptions mentioned in this bug before-relanding.