chore: update browser_patches to 9638cca873674fdb6c97a524be0d3ae4874f805a (#36618)

browser_patches/firefox/UPSTREAM_CONFIG.sh

@@ -1,3 +1,3 @@
-REMOTE_URL="https://github.com/mozilla/gecko-dev"
+REMOTE_URL="https://github.com/mozilla-firefox/firefox"
 BASE_BRANCH="release"
-BASE_REVISION="9cbfae27052e4aaeb064d2d08e7e869f31ee4288"
+BASE_REVISION="00656c9425c51ee035578ca6ebebe13c755b0375"

browser_patches/firefox/juggler/NetworkObserver.js

@@ -533,6 +533,8 @@ class NetworkRequest {
     };
 
     const { status, statusText, headers } = responseHead(this.httpChannel, opt_statusCode, opt_statusText);
+    if (redirectStatus.includes(status) && this._overriddenHeadersForRedirect)
+      this._overriddenHeadersForRedirect = filterHeadersForRedirect(this._overriddenHeadersForRedirect, this.httpChannel.requestMethod, status);
     let remoteIPAddress = undefined;
     let remotePort = undefined;
     try {
@@ -808,6 +810,18 @@ function overrideRequestHeaders(httpChannel, headers) {
   appendExtraHTTPHeaders(httpChannel, headers);
 }
 
+const redirectStatus = [301, 302, 303, 307, 308];
+
+function filterHeadersForRedirect(headers, requestMethod, status) {
+    // HTTP-redirect fetch step 13 (https://fetch.spec.whatwg.org/#http-redirect-fetch)
+  if ((status === 301 || status === 302) && requestMethod === 'POST' ||
+      status === 303 && !['GET', 'HEAD'].includes(requestMethod)) {
+    const requestBodyHeaders = ['content-encoding', 'content-language', 'content-length', 'content-location', 'content-type'];
+    return headers.filter(header => !requestBodyHeaders.includes(header.name.toLowerCase()));
+  }
+  return headers;
+}
+
 function causeTypeToString(causeType) {
   for (let key in Ci.nsIContentPolicy) {
     if (Ci.nsIContentPolicy[key] === causeType)

browser_patches/firefox/patches/bootstrap.diff

@@ -2543,6 +2543,130 @@ index 704404c9f094640ad63b685d64bd5a396e733e4b..92bdc21b4d6a015cc2f2bb22781ec675
    /**
     *  InterceptionTimeStamps is used to record the time stamps of the
     *  interception.
+diff --git a/netwerk/protocol/http/nsHttpChannel.cpp b/netwerk/protocol/http/nsHttpChannel.cpp
+index e4479400a4c574f652befbee7d83bd664aa2b840..2761dce9477f7f1622a82fe1da6472597ae82534 100644
+--- a/netwerk/protocol/http/nsHttpChannel.cpp
++++ b/netwerk/protocol/http/nsHttpChannel.cpp
+@@ -688,11 +688,9 @@ nsresult nsHttpChannel::OnBeforeConnect() {
+   // SecurityInfo.sys.mjs
+   mLoadInfo->SetHstsStatus(isSecureURI);
+ 
+-  RefPtr<mozilla::dom::BrowsingContext> bc;
+-  mLoadInfo->GetBrowsingContext(getter_AddRefs(bc));
+   // If bypassing the cache and we're forced offline
+   // we can just return the error here.
+-  if (bc && bc->Top()->GetForceOffline() &&
++  if (IsForcedOffline() &&
+       BYPASS_LOCAL_CACHE(mLoadFlags, LoadPreferCacheLoadOverBypass())) {
+     return NS_ERROR_OFFLINE;
+   }
+@@ -805,9 +803,7 @@ nsresult nsHttpChannel::MaybeUseHTTPSRRForUpgrade(bool aShouldUpgrade,
+     return aStatus;
+   }
+ 
+-  RefPtr<mozilla::dom::BrowsingContext> bc;
+-  mLoadInfo->GetBrowsingContext(getter_AddRefs(bc));
+-  bool forceOffline = bc && bc->Top()->GetForceOffline();
++  bool forceOffline = IsForcedOffline();
+ 
+   if (mURI->SchemeIs("https") || aShouldUpgrade || !LoadUseHTTPSSVC() ||
+       forceOffline) {
+@@ -1266,15 +1262,14 @@ nsresult nsHttpChannel::ContinueConnect() {
+                      "CORS preflight must have been finished by the time we "
+                      "do the rest of ContinueConnect");
+ 
+-  RefPtr<mozilla::dom::BrowsingContext> bc;
+-  mLoadInfo->GetBrowsingContext(getter_AddRefs(bc));
++  bool isForcedOffline = IsForcedOffline();
+ 
+   // we may or may not have a cache entry at this point
+   if (mCacheEntry) {
+     // read straight from the cache if possible...
+     if (CachedContentIsValid()) {
+       // If we're forced offline, and set to bypass the cache, return offline.
+-      if (bc && bc->Top()->GetForceOffline() &&
++      if (isForcedOffline &&
+           BYPASS_LOCAL_CACHE(mLoadFlags, LoadPreferCacheLoadOverBypass())) {
+         return NS_ERROR_OFFLINE;
+       }
+@@ -1316,7 +1311,7 @@ nsresult nsHttpChannel::ContinueConnect() {
+   }
+ 
+   // We're about to hit the network. Don't if we're forced offline.
+-  if (bc && bc->Top()->GetForceOffline()) {
++  if (isForcedOffline) {
+     return NS_ERROR_OFFLINE;
+   }
+ 
+@@ -1421,12 +1416,9 @@ void nsHttpChannel::SpeculativeConnect() {
+   // don't speculate if we are offline, when doing http upgrade (i.e.
+   // websockets bootstrap), or if we can't do keep-alive (because then we
+   // couldn't reuse the speculative connection anyhow).
+-  RefPtr<mozilla::dom::BrowsingContext> bc;
+-  mLoadInfo->GetBrowsingContext(getter_AddRefs(bc));
+-
+   if (gIOService->IsOffline() || mUpgradeProtocolCallback ||
+       !(mCaps & NS_HTTP_ALLOW_KEEPALIVE) ||
+-      (bc && bc->Top()->GetForceOffline())) {
++      IsForcedOffline()) {
+     return;
+   }
+ 
+@@ -4214,9 +4206,6 @@ nsresult nsHttpChannel::OpenCacheEntryInternal(bool isHttps) {
+   uint32_t cacheEntryOpenFlags;
+   bool offline = gIOService->IsOffline();
+ 
+-  RefPtr<mozilla::dom::BrowsingContext> bc;
+-  mLoadInfo->GetBrowsingContext(getter_AddRefs(bc));
+-
+   bool maybeRCWN = false;
+ 
+   nsAutoCString cacheControlRequestHeader;
+@@ -4227,7 +4216,7 @@ nsresult nsHttpChannel::OpenCacheEntryInternal(bool isHttps) {
+     return NS_OK;
+   }
+ 
+-  bool forceOffline = bc && bc->Top()->GetForceOffline();
++  bool forceOffline = IsForcedOffline();
+   if (offline || (mLoadFlags & INHIBIT_CACHING) || forceOffline) {
+     if (BYPASS_LOCAL_CACHE(mLoadFlags, LoadPreferCacheLoadOverBypass()) &&
+         !offline && !forceOffline) {
+@@ -7300,6 +7289,20 @@ void nsHttpChannel::MaybeStartDNSPrefetch() {
+   }
+ }
+ 
++bool nsHttpChannel::IsForcedOffline() {
++  RefPtr<mozilla::dom::BrowsingContext> bc;
++  mLoadInfo->GetBrowsingContext(getter_AddRefs(bc));
++  if (bc && bc->Top()->GetForceOffline())
++    return true;
++
++  RefPtr<mozilla::dom::BrowsingContext> wbc;
++  mLoadInfo->GetWorkerAssociatedBrowsingContext(getter_AddRefs(wbc));
++  if (wbc && wbc->Top()->GetForceOffline())
++    return true;
++
++  return false;
++}
++
+ NS_IMETHODIMP
+ nsHttpChannel::GetEncodedBodySize(uint64_t* aEncodedBodySize) {
+   if (mCacheEntry && !LoadCacheEntryIsWriteOnly()) {
+diff --git a/netwerk/protocol/http/nsHttpChannel.h b/netwerk/protocol/http/nsHttpChannel.h
+index cb8b8b7406411edceb30aa53c9b9007a38058f84..ebdc5384ca20feda399b70532a3036174f1a7431 100644
+--- a/netwerk/protocol/http/nsHttpChannel.h
++++ b/netwerk/protocol/http/nsHttpChannel.h
+@@ -307,6 +307,10 @@ class nsHttpChannel final : public HttpBaseChannel,
+   void MaybeResolveProxyAndBeginConnect();
+   void MaybeStartDNSPrefetch();
+ 
++  // ---- Playwright begin
++  bool IsForcedOffline();
++  // ---- Playwright end
++
+   // Based on the proxy configuration determine the strategy for resolving the
+   // end server host name.
+   ProxyDNSStrategy GetProxyDNSStrategy();
 diff --git a/parser/html/nsHtml5TreeOpExecutor.cpp b/parser/html/nsHtml5TreeOpExecutor.cpp
 index d3b44cc62d3df49bbf842356cbdb153c82c3163c..23cf9bc83fb1faaf1c7406331b78e522b307cbf0 100644
 --- a/parser/html/nsHtml5TreeOpExecutor.cpp
@@ -2669,22 +2793,40 @@ index 75555352b8a15a50e4a21e34fc8ede4e9246c7cc..72855a404effa42b6c55cd0c2fcb8bdd
      // ignored for Linux.
      const unsigned long CHROME_SUPPRESS_ANIMATION     = 1 << 24;
 diff --git a/toolkit/components/enterprisepolicies/EnterprisePoliciesParent.sys.mjs b/toolkit/components/enterprisepolicies/EnterprisePoliciesParent.sys.mjs
-index 76fb919603e8d2b7864d351eb47be2a38e40e31e..cdfef96e20bea13799751154f4076bbcc2f827d4 100644
+index 76fb919603e8d2b7864d351eb47be2a38e40e31e..9f1e880fe9027d1a2540ffeaa11fc0c4e1a36133 100644
 --- a/toolkit/components/enterprisepolicies/EnterprisePoliciesParent.sys.mjs
 +++ b/toolkit/components/enterprisepolicies/EnterprisePoliciesParent.sys.mjs
-@@ -108,6 +108,12 @@ EnterprisePoliciesManager.prototype = {
+@@ -108,7 +108,9 @@ EnterprisePoliciesManager.prototype = {
        Services.prefs.clearUserPref(PREF_POLICIES_APPLIED);
      }
  
-+    // Playwright: Disable enterprise policies
-+    if (true) {
-+      this.status = Ci.nsIEnterprisePolicies.INACTIVE;
-+      return;
-+    }
-+
-     let provider = this._chooseProvider();
+-    let provider = this._chooseProvider();
++    // --- Playwright begin ---
++    let provider = new PlaywrightPoliciesProvider();
++    // --- Playwright end ---
  
      if (provider.failed) {
+       this.status = Ci.nsIEnterprisePolicies.FAILED;
+@@ -631,6 +633,19 @@ class JSONPoliciesProvider {
+   }
+ }
+ 
++class PlaywrightPoliciesProvider extends JSONPoliciesProvider {
++  _getConfigurationFile() {
++    let prefPath = Services.prefs.getStringPref(PREF_ALTERNATE_PATH, "");
++    if (!prefPath)
++      return null;
++
++    dump(`Playwright: loading enterprise policies from ${prefPath}\n`);
++    let configFile = Cc["@mozilla.org/file/local;1"].createInstance(Ci.nsIFile);
++    configFile.initWithPath(prefPath);
++    return configFile;
++  }
++}
++
+ class WindowsGPOPoliciesProvider {
+   constructor() {
+     this._policies = null;
 diff --git a/toolkit/components/resistfingerprinting/nsUserCharacteristics.cpp b/toolkit/components/resistfingerprinting/nsUserCharacteristics.cpp
 index 253171bed4dea54fc28bb4ddc9920823dbd9351c..6dc0e620b399ed9ee6b53f97bc080ec17ee4e1b5 100644
 --- a/toolkit/components/resistfingerprinting/nsUserCharacteristics.cpp

browser_patches/firefox/preferences/playwright.cfg

@@ -8,6 +8,9 @@ pref("dom.input_events.security.minTimeElapsedInMS", 0);
 
 pref("dom.iframe_lazy_loading.enabled", false);
 
+// Allows a custom "policies.json" file.
+pref("browser.policies.alternatePath", getenv("PLAYWRIGHT_FIREFOX_POLICIES_JSON") || "");
+
 // This setting is experimental and is only enabled on early betas.
 // Disable it unconditionally since it breaks proxy tests.
 pref("dom.security.https_first", false);

browser_patches/webkit/UPSTREAM_CONFIG.sh

@@ -1,3 +1,3 @@
 REMOTE_URL="https://github.com/WebKit/WebKit.git"
 BASE_BRANCH="main"
-BASE_REVISION="4dd862e5ce1c10d77f72be94260164c5f13aafbd"
+BASE_REVISION="153da00a252619799ba4b32cd0ac6c5b8faf6a35"

browser_patches/webkit/embedder/Playwright/win/Common.cpp

@@ -44,6 +44,8 @@ HINSTANCE hInst;
 POINT s_windowPosition = { 100, 100 };
 SIZE s_windowSize = { 500, 200 };
 
+bool s_headless;
+
 namespace WebCore {
 float deviceScaleFactorForWindow(HWND);
 }

browser_patches/webkit/embedder/Playwright/win/Common.h

@@ -64,6 +64,7 @@ std::wstring replaceString(std::wstring src, const std::wstring& oldValue, const
 extern HINSTANCE hInst;
 extern POINT s_windowPosition;
 extern SIZE s_windowSize;
+extern bool s_headless;
 
 std::wstring createString(WKStringRef wkString);
 std::wstring createString(WKURLRef wkURL);

browser_patches/webkit/embedder/Playwright/win/MainWindow.cpp

@@ -48,12 +48,10 @@ static INT_PTR CALLBACK About(HWND, UINT, WPARAM, LPARAM);
 std::wstring MainWindow::s_windowClass;
 size_t MainWindow::s_numInstances;
 
-bool MainWindow::s_headless = false;
 bool MainWindow::s_controlledRemotely = false;
 bool MainWindow::s_disableAcceleratedCompositing = false;
 
-void MainWindow::configure(bool headless, bool controlledRemotely, bool disableAcceleratedCompositing) {
-    s_headless = headless;
+void MainWindow::configure(bool controlledRemotely, bool disableAcceleratedCompositing) {
     s_controlledRemotely = controlledRemotely;
     s_disableAcceleratedCompositing = disableAcceleratedCompositing;
 }

browser_patches/webkit/embedder/Playwright/win/MainWindow.h

@@ -35,7 +35,7 @@
 
 class MainWindow : public BrowserWindowClient {
 public:
-    static void configure(bool headless, bool controlledRemotely, bool disableAcceleratedCompositing);
+    static void configure(bool controlledRemotely, bool disableAcceleratedCompositing);
 
     MainWindow();
 
@@ -55,7 +55,6 @@ private:
     static void registerClass(HINSTANCE hInstance);
     static std::wstring s_windowClass;
     static size_t s_numInstances;
-    static bool s_headless;
     static bool s_controlledRemotely;
     static bool s_disableAcceleratedCompositing;
 

browser_patches/webkit/embedder/Playwright/win/WebKitBrowserWindow.cpp

@@ -41,16 +41,18 @@
 #include <WebKit/WKWebsiteDataStoreRefCurl.h>
 #include <vector>
 
-std::wstring createPEMString(WKCertificateInfoRef certificateInfo)
+std::wstring createPEMString(WKProtectionSpaceRef protectionSpace)
 {
-    auto chainSize = WKCertificateInfoGetCertificateChainSize(certificateInfo);
+    auto chain = adoptWK(WKProtectionSpaceCopyCertificateChain(protectionSpace));
 
     std::wstring pems;
 
-    for (auto i = 0; i < chainSize; i++) {
-        auto certificate = adoptWK(WKCertificateInfoCopyCertificateAtIndex(certificateInfo, i));
-        auto size = WKDataGetSize(certificate.get());
-        auto data = WKDataGetBytes(certificate.get());
+    for (size_t i = 0; i < WKArrayGetSize(chain.get()); i++) {
+        auto item = WKArrayGetItemAtIndex(chain.get(), i);
+        assert(WKGetTypeID(item) == WKDataGetTypeID());
+        auto certificate = static_cast<WKDataRef>(item);
+        auto size = WKDataGetSize(certificate);
+        auto data = WKDataGetBytes(certificate);
 
         for (size_t i = 0; i < size; i++)
             pems.push_back(data[i]);
@@ -241,7 +243,7 @@ void WebKitBrowserWindow::didReceiveAuthenticationChallenge(WKPageRef page, WKAu
             WKAuthenticationDecisionListenerUseCredential(decisionListener, wkCredential.get());
             return;
         }
-    } else {
+    } else if (!s_headless) {
         WKRetainPtr<WKStringRef> realm(WKProtectionSpaceCopyRealm(protectionSpace));
 
         if (auto credential = askCredential(thisWindow.hwnd(), createString(realm.get()))) {
@@ -259,10 +261,9 @@ void WebKitBrowserWindow::didReceiveAuthenticationChallenge(WKPageRef page, WKAu
 bool WebKitBrowserWindow::canTrustServerCertificate(WKProtectionSpaceRef protectionSpace)
 {
     auto host = createString(adoptWK(WKProtectionSpaceCopyHost(protectionSpace)).get());
-    auto certificateInfo = adoptWK(WKProtectionSpaceCopyCertificateInfo(protectionSpace));
-    auto verificationError = WKCertificateInfoGetVerificationError(certificateInfo.get());
-    auto description = createString(adoptWK(WKCertificateInfoCopyVerificationErrorDescription(certificateInfo.get())).get());
-    auto pem = createPEMString(certificateInfo.get());
+    auto verificationError = WKProtectionSpaceGetCertificateVerificationError(protectionSpace);
+    auto description = createString(adoptWK(WKProtectionSpaceCopyCertificateVerificationErrorDescription(protectionSpace)).get());
+    auto pem = createPEMString(protectionSpace);
 
     auto it = m_acceptedServerTrustCerts.find(host);
     if (it != m_acceptedServerTrustCerts.end() && it->second == pem)
@@ -273,6 +274,9 @@ bool WebKitBrowserWindow::canTrustServerCertificate(WKProtectionSpaceRef protect
     textString.append(L"[DESCRIPTION] " + description + L"\r\n");
     textString.append(pem);
 
+    if (s_headless)
+        return false;
+
     if (askServerTrustEvaluation(hwnd(), textString)) {
         m_acceptedServerTrustCerts.emplace(host, pem);
         return true;

browser_patches/webkit/embedder/Playwright/win/WinMain.cpp

@@ -102,7 +102,8 @@ int WINAPI wWinMain(_In_ HINSTANCE hInstance, _In_opt_ HINSTANCE hPrevInstance,
     if (SetProcessDpiAwarenessContextPtr())
         SetProcessDpiAwarenessContextPtr()(DPI_AWARENESS_CONTEXT_UNAWARE);
 
-    MainWindow::configure(g_options.headless, g_options.inspectorPipe, g_options.disableAcceleratedCompositing);
+    s_headless = g_options.headless;
+    MainWindow::configure(g_options.inspectorPipe, g_options.disableAcceleratedCompositing);
 
     if (!g_options.noStartupWindow) {
         auto configuration = adoptWK(WKWebsiteDataStoreConfigurationCreate());