From d7c27ac739d3e5f90d7225e4c2d181c2a7cbf003 Mon Sep 17 00:00:00 2001
From: Cameron Kaiser
Date: Sat, 14 Mar 2020 21:49:07 -0700
Subject: [PATCH] speculative fix for citibank/upgrade-insecure-requests
---
 netwerk/protocol/http/nsHttpChannel.cpp | 25 ++++++++++++++++++++-----
 1 file changed, 20 insertions(+), 5 deletions(-)
diff --git a/netwerk/protocol/http/nsHttpChannel.cpp b/netwerk/protocol/http/nsHttpChannel.cpp
index cd747110b..9f0abb37b 100644
--- a/netwerk/protocol/http/nsHttpChannel.cpp
+++ b/netwerk/protocol/http/nsHttpChannel.cpp
@@ -368,6 +368,21 @@ nsHttpChannel::Connect()
 LOG(("nsHttpChannel::Connect [this=%p]\n", this));
+ // Note that we are only setting the "Upgrade-Insecure-Requests" request
+ // header for *all* navigational requests instead of all requests as
+ // defined in the spec, see:
+ // https://www.w3.org/TR/upgrade-insecure-requests/#preference
+ nsContentPolicyType type = mLoadInfo ?
+ mLoadInfo->GetExternalContentPolicyType() :
+ nsIContentPolicy::TYPE_OTHER;
+
+ if (type == nsIContentPolicy::TYPE_DOCUMENT ||
+ type == nsIContentPolicy::TYPE_SUBDOCUMENT) {
+ rv = SetRequestHeader(NS_LITERAL_CSTRING("Upgrade-Insecure-Requests"),
+ NS_LITERAL_CSTRING("1"), false);
+ NS_ENSURE_SUCCESS(rv, rv);
+ }
+
 // Even if we're in private browsing mode, we still enforce existing STS
 // data (it is read-only).
 // if the connection is not using SSL and either the exact host matches or
@@ -413,7 +428,7 @@ nsHttpChannel::Connect()
 nsIScriptError::warningFlag, "CSP", innerWindowId);
- Telemetry::Accumulate(Telemetry::HTTP_SCHEME_UPGRADE, 4);
+ //Telemetry::Accumulate(Telemetry::HTTP_SCHEME_UPGRADE, 4);
 return AsyncCall(&nsHttpChannel::HandleAsyncRedirectChannelToHttps);
 }
 }
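Review bot: The `mLoadInfo ? ... : nsIContentPolicy::TYPE_OTHER` fallback in the first hunk (@@ -368,6 +368,21 @@) means a navigational channel that carries no LoadInfo is silently excluded from the `Upgrade-Insecure-Requests` header, and nothing in the hunk records whether that is intended; a comment such as `// No LoadInfo: the load cannot be classified, so UIR support is not advertised` would capture the decision. `rv` is assigned here but declared outside the hunk, since Connect() begins before it and ends after it, so the declaration should be confirmed to be in scope at this point. Passing `false` as the third (merge) argument to SetRequestHeader overwrites any earlier value, which keeps the header single-valued if Connect() is ever run more than once on the same channel; that is worth stating next to the call, e.g. `// merge=false: never emit a second Upgrade-Insecure-Requests header`.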
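Review bot: Commenting out `Telemetry::Accumulate(Telemetry::HTTP_SCHEME_UPGRADE, 4);` in the second hunk (@@ -413,7 +428,7 @@) leaves dead code in place rather than removing it, and the same pattern is repeated four more times in the following hunk (@@ -435,16 +450,16 @@) for the values 3, 2, 1 and 0. If the HTTP_SCHEME_UPGRADE probe is not wanted in this tree, delete the lines; if they are expected to return, say so once at the first site, e.g. `// HTTP_SCHEME_UPGRADE telemetry intentionally disabled; see commit d7c27ac` together with the reason, which the commit message ("speculative fix") does not give. The HTTPS upgrade decision itself (the AsyncCall to HandleAsyncRedirectChannelToHttps in both hunks) is unchanged, so apart from the dropped measurements these hunks appear behavior-neutral. Connect() starts before and ends after both hunks.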
@@ -435,16 +450,16 @@ nsHttpChannel::Connect()
 if (isStsHost) {
 LOG(("nsHttpChannel::Connect() STS permissions found\n"));
 if (mAllowSTS) {
- Telemetry::Accumulate(Telemetry::HTTP_SCHEME_UPGRADE, 3);
+ //Telemetry::Accumulate(Telemetry::HTTP_SCHEME_UPGRADE, 3);
 return AsyncCall(&nsHttpChannel::HandleAsyncRedirectChannelToHttps);
 } else {
- Telemetry::Accumulate(Telemetry::HTTP_SCHEME_UPGRADE, 2);
+ //Telemetry::Accumulate(Telemetry::HTTP_SCHEME_UPGRADE, 2);
 }
 } else {
- Telemetry::Accumulate(Telemetry::HTTP_SCHEME_UPGRADE, 1);
+ //Telemetry::Accumulate(Telemetry::HTTP_SCHEME_UPGRADE, 1);
 }
 } else {
- Telemetry::Accumulate(Telemetry::HTTP_SCHEME_UPGRADE, 0);
+ //Telemetry::Accumulate(Telemetry::HTTP_SCHEME_UPGRADE, 0);
 }
 // ensure that we are using a valid hostname