Auto merge of #26546 - splav:tls-protected-checks, r=jdm

check http_state in determine_request_referrer

<!-- Please describe your changes on the following line: -->
Check https status inside determine_request_referrer.
---
<!-- Thank you for contributing to Servo! Please replace each `[ ]` by `[X]` when the step is complete, and replace `___` with appropriate data: -->
- [X] `./mach build -d` does not report any errors
- [X] `./mach test-tidy` does not report any errors
- [X] These changes fix #14506 (GitHub issue number if applicable)

<!-- Either: -->
- [ ] There are tests for these changes OR
- [ ] These changes do not require tests because ___

<!-- Also, please make sure that "Allow edits from maintainers" checkbox is checked, so that we can help you if you get stuck somewhere along the way.-->

<!-- Pull requests that do not address these steps are welcome, but they will require additional verification as part of the review process. -->

components/script/dom/dedicatedworkerglobalscope.rs

@@ -306,6 +306,7 @@ impl DedicatedWorkerGlobalScope {
         let current_global = GlobalScope::current().expect("No current global object");
         let origin = current_global.origin().immutable().clone();
         let parent = current_global.runtime_handle();
+        let current_global_https_state = current_global.get_https_state();
 
         thread::Builder::new()
             .name(name)
@@ -375,6 +376,8 @@ impl DedicatedWorkerGlobalScope {
                 let scope = global.upcast::<WorkerGlobalScope>();
                 let global_scope = global.upcast::<GlobalScope>();
 
+                global_scope.set_https_state(current_global_https_state);
+
                 let (metadata, bytes) = match load_whole_resource(
                     request,
                     &global_scope.resource_threads().sender(),
@@ -395,6 +398,7 @@ impl DedicatedWorkerGlobalScope {
                     Ok((metadata, bytes)) => (metadata, bytes),
                 };
                 scope.set_url(metadata.final_url);
+                global_scope.set_https_state(metadata.https_state);
                 let source = String::from_utf8_lossy(&bytes);
 
                 unsafe {

components/script/dom/document.rs

@@ -1887,6 +1887,7 @@ impl Document {
         fetch_target: IpcSender<FetchResponseMsg>,
     ) {
         request.csp_list = self.get_csp_list().map(|x| x.clone());
+        request.https_state = self.https_state.get();
         let mut loader = self.loader.borrow_mut();
         loader.fetch_async(load, request, fetch_target);
     }

components/script/dom/globalscope.rs

@@ -87,6 +87,7 @@ use net_traits::filemanager_thread::{
     FileManagerResult, FileManagerThreadMsg, ReadFileProgress, RelativePos,
 };
 use net_traits::image_cache::ImageCache;
+use net_traits::response::HttpsState;
 use net_traits::{CoreResourceMsg, CoreResourceThread, IpcSend, ResourceThreads};
 use parking_lot::Mutex;
 use profile_traits::{ipc as profile_ipc, mem as profile_mem, time as profile_time};
@@ -238,6 +239,9 @@ pub struct GlobalScope {
     // https://w3c.github.io/performance-timeline/#supportedentrytypes-attribute
     #[ignore_malloc_size_of = "mozjs"]
     frozen_supported_performance_entry_types: DomRefCell<Option<Heap<JSVal>>>,
+
+    /// currect https state (from previous request)
+    https_state: Cell<HttpsState>,
 }
 
 /// A wrapper for glue-code between the ipc router and the event-loop.
@@ -588,6 +592,7 @@ impl GlobalScope {
             user_agent,
             gpu_id_hub,
             frozen_supported_performance_entry_types: DomRefCell::new(Default::default()),
+            https_state: Cell::new(HttpsState::None),
         }
     }
 
@@ -2503,6 +2508,14 @@ impl GlobalScope {
         self.user_agent.clone()
     }
 
+    pub fn get_https_state(&self) -> HttpsState {
+        self.https_state.get()
+    }
+
+    pub fn set_https_state(&self, https_state: HttpsState) {
+        self.https_state.set(https_state);
+    }
+
     /// https://www.w3.org/TR/CSP/#get-csp-of-object
     pub fn get_csp_list(&self) -> Option<CspList> {
         if let Some(window) = self.downcast::<Window>() {

components/script/dom/request.rs

@@ -507,8 +507,9 @@ impl Request {
 
 fn net_request_from_global(global: &GlobalScope, url: ServoUrl) -> NetTraitsRequest {
     let origin = Origin::Origin(global.get_url().origin());
+    let https_state = global.get_https_state();
     let pipeline_id = global.pipeline_id();
-    NetTraitsRequest::new(url, Some(origin), Some(pipeline_id))
+    NetTraitsRequest::new(url, Some(origin), Some(pipeline_id), https_state)
 }
 
 // https://fetch.spec.whatwg.org/#concept-method-normalize

components/script/dom/urlhelper.rs

@@ -72,23 +72,4 @@ impl UrlHelper {
     pub fn SetUsername(url: &mut ServoUrl, value: USVString) {
         let _ = quirks::set_username(url.as_mut_url(), &value.0);
     }
-    // https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy
-    pub fn is_origin_trustworthy(url: &ServoUrl) -> bool {
-        // Step 1
-        if !url.origin().is_tuple() {
-            return false;
-        }
-
-        // Step 3
-        if url.scheme() == "https" || url.scheme() == "wss" {
-            true
-        // Step 4
-        } else if url.host().is_some() {
-            let host = url.host_str().unwrap();
-            host == "127.0.0.0/8" || host == "::1/128"
-        // Step 6
-        } else {
-            url.scheme() == "file"
-        }
-    }
 }

components/script/fetch.rs

@@ -128,6 +128,7 @@ fn request_init_from_request(request: NetTraitsRequest) -> RequestBuilder {
         parser_metadata: request.parser_metadata,
         initiator: request.initiator,
         csp_list: None,
+        https_state: request.https_state,
     }
 }
 
@@ -315,6 +316,7 @@ pub fn load_whole_resource(
     core_resource_thread: &CoreResourceThread,
     global: &GlobalScope,
 ) -> Result<(Metadata, Vec<u8>), NetworkError> {
+    let request = request.https_state(global.get_https_state());
     let (action_sender, action_receiver) = ipc::channel().unwrap();
     let url = request.url.clone();
     core_resource_thread

components/script/serviceworkerjob.rs

@@ -16,7 +16,6 @@ use crate::dom::bindings::root::Dom;
 use crate::dom::client::Client;
 use crate::dom::promise::Promise;
 use crate::dom::serviceworkerregistration::ServiceWorkerRegistration;
-use crate::dom::urlhelper::UrlHelper;
 use crate::script_thread::ScriptThread;
 use crate::task_source::dom_manipulation::DOMManipulationTaskSource;
 use crate::task_source::TaskSource;
@@ -162,7 +161,7 @@ impl JobQueue {
         let global = &*job.client.global();
         let pipeline_id = global.pipeline_id();
         // Step 1-3
-        if !UrlHelper::is_origin_trustworthy(&job.script_url) {
+        if !job.script_url.is_origin_trustworthy() {
             // Step 1.1
             reject_job_promise(
                 job,