
commit 23b228e545bc3a1cebab376dc78ae82f3e552f67
parent fa287dbc793c4a05bf97c39b10cb2a770eadbbf9
Author: Atila Butkovits <abutkovits@mozilla.com>
Date:   Fri, 17 Oct 2025 18:26:11 +0300

Revert "Bug 1993938 - disable lna tracker checks. r=valentin,necko-reviewers" for causing failures at localDeviceAccessPermission.

This reverts commit b8c422558707755eeecae5fd224072f3eed5b5ae.

Revert "Bug 1993938 - Add preference to skip LNA checks for local network to localhost requests. r=necko-reviewers,valentin"

This reverts commit 5b6865f990f36405f2fdfc0fbdb0052c8d128ff4.

Revert "Bug 1993938 - Add network.lna.websocket.enabled preference for WebSocket LNA control. r=necko-reviewers,kershaw,valentin"

This reverts commit f951c238c0e5bc2c94f0fa4ed5808b960533b132.

Diffstat:
Mmodules/libpref/init/StaticPrefList.yaml | 17+----------------
Mnetwerk/base/nsIOService.cpp | 3---
Mnetwerk/protocol/http/nsHttpTransaction.cpp | 13-------------
Mnetwerk/test/browser/browser_test_local_network_access.js | 76----------------------------------------------------------------------------
Mnetwerk/test/browser/browser_test_local_network_trackers.js | 1-
Mnetwerk/test/unit/test_local_network_access.js | 106-------------------------------------------------------------------------------
6 files changed, 1 insertion(+), 215 deletions(-)

diff --git a/modules/libpref/init/StaticPrefList.yaml b/modules/libpref/init/StaticPrefList.yaml @@ -14465,7 +14465,7 @@ # will automatically be blocked. - name: network.lna.block_trackers type: RelaxedAtomicBool - value: false + value: @IS_EARLY_BETA_OR_EARLIER@ mirror: always # When this pref is true, top-level document navigation to local network addresses @@ -14482,21 +14482,6 @@ value: "" mirror: never -# When this pref is false, skip all LNA checks for WebSocket connections. -# When true, WebSocket connections follow normal LNA rules. -# Currently this is disabled for parity with chrome -- name: network.lna.websocket.enabled - type: RelaxedAtomicBool - value: false - mirror: always - -# When this pref is true, skip LNA checks for requests from private network -# to localhost (private -> local IP address space transitions). -- name: network.lna.local-network-to-localhost.skip-checks - type: RelaxedAtomicBool - value: true - mirror: always - # The proxy type. See nsIProtocolProxyService.idl # PROXYCONFIG_DIRECT = 0 # PROXYCONFIG_MANUAL = 1 diff --git a/netwerk/base/nsIOService.cpp b/netwerk/base/nsIOService.cpp @@ -260,9 +260,6 @@ static const char* gCallbackPrefsForSocketProcess[] = { "network.lna.enabled", "network.lna.blocking", "network.lna.address_space.private.override", - "network.lna.address_space.public.override", - "network.lna.websocket.enabled", - "network.lna.local-network-to-localhost.skip-checks", nullptr, }; diff --git a/netwerk/protocol/http/nsHttpTransaction.cpp b/netwerk/protocol/http/nsHttpTransaction.cpp @@ -3749,12 +3749,6 @@ bool nsHttpTransaction::AllowedToConnectToIpAddressSpace( return true; } - // Skip LNA checks entirely for WebSocket connections if websocket LNA is - // disabled - if (!StaticPrefs::network_lna_websocket_enabled() && IsWebsocketUpgrade()) { - return true; // Allow all WebSocket connections - } - // store targetIpAddress space which is required later by nsHttpChannel for // permission prompts { 
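Review bot: The restored default for `network.lna.block_trackers` in modules/libpref/init/StaticPrefList.yaml is `@IS_EARLY_BETA_OR_EARLIER@`, so the blocking this pref controls is on by default only for early-beta-and-earlier builds and off for later beta and release builds, and nothing visible in the entry says so. The comment above the entry begins outside the hunk (only `# will automatically be blocked.` is visible); if it does not already cover this, add a line such as `# Default is channel-gated: on for early beta and earlier, off for late beta and release.` A downstream build that needs the same behaviour on every channel should pin this pref explicitly rather than inherit the build-time value.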
@@ -3775,13 +3769,6 @@ bool nsHttpTransaction::AllowedToConnectToIpAddressSpace( // for private network access // XXX add link to LNA spec once it is published - // Skip LNA checks for private network to localhost if preference is enabled - if (StaticPrefs::network_lna_local_network_to_localhost_skip_checks() && - mParentIPAddressSpace == nsILoadInfo::IPAddressSpace::Private && - aTargetIpAddressSpace == nsILoadInfo::IPAddressSpace::Local) { - return true; // Allow private->localhost access - } - if (mozilla::net::IsLocalOrPrivateNetworkAccess(mParentIPAddressSpace, aTargetIpAddressSpace)) { if (aTargetIpAddressSpace == nsILoadInfo::IPAddressSpace::Local && diff --git a/netwerk/test/browser/browser_test_local_network_access.js b/netwerk/test/browser/browser_test_local_network_access.js @@ -27,8 +27,6 @@ add_setup(async function () { ["network.lna.block_trackers", true], ["network.lna.blocking", true], ["network.http.rcwn.enabled", false], - ["network.lna.websocket.enabled", true], - ["network.lna.local-network-to-localhost.skip-checks", false], ], }); Services.obs.notifyObservers(null, "testonly-reload-permissions-from-disk"); @@ -262,7 +260,6 @@ add_task(async function test_lna_prompt_behavior() { await runPromptedLnaTest(test, "private", "local-network"); } - Services.prefs.clearUserPref("network.lna.address_space.public.override"); Services.prefs.clearUserPref("network.lna.address_space.private.override"); }); 
@@ -464,76 +461,3 @@ add_task(async function test_lna_top_level_navigation_disabled() { await SpecialPowers.popPrefEnv(); }); - -add_task(async function test_lna_websocket_preference() { - info("Testing network.lna.websocket.enabled preference"); - - // Set up LNA to trigger for localhost connections - await SpecialPowers.pushPrefEnv({ - set: [ - ["network.lna.address_space.public.override", "127.0.0.1:4443"], - ["network.lna.blocking", true], - ["network.lna.websocket.enabled", false], // Disable WebSocket LNA checks - ], - }); - - try { - // Test WebSocket with LNA disabled - should bypass LNA and get connection refused - const websocketTest = { - type: "websocket", - allowStatus: Cr.NS_ERROR_WEBSOCKET_CONNECTION_REFUSED, - denyStatus: Cr.NS_ERROR_LOCAL_NETWORK_ACCESS_DENIED, - }; - - const rand = Math.random(); - const promise = observeAndCheck( - websocketTest.type, - rand, - websocketTest.allowStatus, // Should get connection refused, not LNA denied - "WebSocket test with LNA disabled should bypass LNA checks" - ); - - const tab = await BrowserTestUtils.openNewForegroundTab( - gBrowser, - `${baseURL}page_with_non_trackers.html?test=${websocketTest.type}&rand=${rand}` - ); - - await promise; - gBrowser.removeTab(tab); - - info( - "WebSocket LNA disabled test completed - connection was allowed to proceed" - ); - - // Now test with WebSocket LNA enabled - should trigger LNA denial - await SpecialPowers.pushPrefEnv({ - set: [ - ["network.lna.websocket.enabled", true], // Enable WebSocket LNA checks - ["network.localhost.prompt.testing", true], - ["network.localhost.prompt.testing.allow", false], - ], - }); - - const rand2 = Math.random(); - const promise2 = observeAndCheck( - websocketTest.type, - rand2, - websocketTest.denyStatus, // Should get LNA denied - "WebSocket test with LNA enabled should trigger LNA checks" - ); - - const tab2 = await BrowserTestUtils.openNewForegroundTab( - gBrowser, - 
`${baseURL}page_with_non_trackers.html?test=${websocketTest.type}&rand=${rand2}` - ); - - await promise2; - gBrowser.removeTab(tab2); - - info("WebSocket LNA enabled test completed - LNA checks were applied"); - } catch (error) { - ok(false, `WebSocket LNA preference test failed: ${error.message}`); - } - - await SpecialPowers.popPrefEnv(); -}); diff --git a/netwerk/test/browser/browser_test_local_network_trackers.js b/netwerk/test/browser/browser_test_local_network_trackers.js @@ -52,7 +52,6 @@ add_setup(async function () { ["network.lna.block_trackers", true], ["network.lna.address_space.public.override", "127.0.0.1:4443"], ["network.lna.blocking", true], - ["network.lna.websocket.enabled", true], // always select allow actions for user prompts ["network.localhost.prompt.testing", true], ["network.localnetwork.prompt.testing", true], diff --git a/netwerk/test/unit/test_local_network_access.js b/netwerk/test/unit/test_local_network_access.js @@ -89,13 +89,6 @@ add_setup(async () => { Services.prefs.setBoolPref("network.localhost.prompt.testing", true); Services.prefs.setBoolPref("network.localnetwork.prompt.testing", true); - Services.prefs.setBoolPref( - "network.lna.local-network-to-localhost.skip-checks", - false - ); - - Services.prefs.setBoolPref("network.lna.websocket.enabled", true); - // H1 Server httpServer = new HttpServer(); httpServer.registerPathHandler("/test_lna", pathHandler); @@ -121,10 +114,6 @@ add_setup(async () => { Services.prefs.clearUserPref("network.lna.blocking.prompt.testing"); Services.prefs.clearUserPref("network.localhost.prompt.testing.allow"); Services.prefs.clearUserPref("network.localnetwork.prompt.testing.allow"); - Services.prefs.clearUserPref( - "network.lna.local-network-to-localhost.skip-checks" - ); - Services.prefs.clearUserPref("network.lna.websocket.enabled"); Services.prefs.clearUserPref( "network.lna.address_space.private.override" 
@@ -345,7 +334,6 @@ add_task(async function lna_blocking_tests_local_network() { Assert.equal(chan.protocolVersion, url === H1_URL ? "http/1.1" : "h2"); } } - Services.prefs.clearUserPref("network.lna.address_space.private.override"); }); // Test the network.lna.skip-domains preference 
@@ -586,97 +574,3 @@ add_task(async function lna_domain_skip_tests() { override.clearOverrides(); Services.dns.clearCache(true); }); -// Test the new network.lna.local-network-to-localhost.skip-checks preference -add_task(async function lna_local_network_to_localhost_skip_checks() { - // Test cases: [skipPref, parentSpace, urlSuffix, expectedStatus, baseURL] - const skipTestCases = [ - // Skip pref disabled (false) - existing behavior should be preserved - [ - false, - Ci.nsILoadInfo.Private, - "/test_lna", - Cr.NS_ERROR_LOCAL_NETWORK_ACCESS_DENIED, - H1_URL, - ], - [ - false, - Ci.nsILoadInfo.Private, - "/test_lna", - Cr.NS_ERROR_LOCAL_NETWORK_ACCESS_DENIED, - H2_URL, - ], - [ - false, - Ci.nsILoadInfo.Public, - "/test_lna", - Cr.NS_ERROR_LOCAL_NETWORK_ACCESS_DENIED, - H1_URL, - ], - [ - false, - Ci.nsILoadInfo.Public, - "/test_lna", - Cr.NS_ERROR_LOCAL_NETWORK_ACCESS_DENIED, - H2_URL, - ], - - // Skip pref enabled (true) - new behavior: Private->Local allowed, Public->Local still blocked - [true, Ci.nsILoadInfo.Private, "/test_lna", Cr.NS_OK, H1_URL], // Private->Local now allowed - [true, Ci.nsILoadInfo.Private, "/test_lna", Cr.NS_OK, H2_URL], // Private->Local now allowed - [ - true, - Ci.nsILoadInfo.Public, - "/test_lna", - Cr.NS_ERROR_LOCAL_NETWORK_ACCESS_DENIED, - H1_URL, - ], // Public->Local still blocked - [ - true, - Ci.nsILoadInfo.Public, - "/test_lna", - Cr.NS_ERROR_LOCAL_NETWORK_ACCESS_DENIED, - H2_URL, - ], // Public->Local still blocked - ]; - - for (let [ - skipPref, - parentSpace, - suffix, - expectedStatus, - url, - ] of skipTestCases) { - info( - `Testing skip pref: ${skipPref}, ${parentSpace} -> Local, expect: ${expectedStatus}` - ); - - // Set the new skip preference - Services.prefs.setBoolPref( - "network.lna.local-network-to-localhost.skip-checks", - skipPref - ); - - // Disable prompt simulation for clean testing (prompt should not affect skip logic) - Services.prefs.setBoolPref("network.localhost.prompt.testing.allow", false); - - let 
chan = makeChannel(url + suffix); - chan.loadInfo.parentIpAddressSpace = parentSpace; - // Target is always Local (localhost) since we're testing localhost servers - - let expectFailure = expectedStatus !== Cr.NS_OK ? CL_EXPECT_FAILURE : 0; - - await new Promise(resolve => { - chan.asyncOpen(new ChannelListener(resolve, null, expectFailure)); - }); - - Assert.equal(chan.status, expectedStatus); - if (expectedStatus === Cr.NS_OK) { - Assert.equal(chan.protocolVersion, url === H1_URL ? "http/1.1" : "h2"); - } - } - - // Cleanup - Services.prefs.clearUserPref( - "network.lna.local-network-to-localhost.skip-checks" - ); -});