From 503f03519fa3f525c6f1323ef7e96120828c4865 Mon Sep 17 00:00:00 2001
From: Alexandru Marc
Date: Wed, 18 Dec 2024 17:26:05 +0200
Subject: [PATCH] Backed out changeset 6fefdfdfe325 (bug 1665056) for causing mass failures CLOSED TREE
---
 caps/ContentPrincipal.cpp | 4 ++--
 caps/nsScriptSecurityManager.cpp | 15 ++++++++++-----
 caps/nsScriptSecurityManager.h | 4 ++--
 modules/libpref/init/StaticPrefList.yaml | 4 ++--
 netwerk/base/mozurl/MozURL.cpp | 3 +--
 5 files changed, 17 insertions(+), 13 deletions(-)
diff --git a/caps/ContentPrincipal.cpp b/caps/ContentPrincipal.cpp
index aa3bfbb0d512..fe2889147cd8 100644
--- a/caps/ContentPrincipal.cpp
+++ b/caps/ContentPrincipal.cpp
@@ -103,7 +103,7 @@ nsresult ContentPrincipal::GenerateOriginNoSuffixFromURI(
 "The inner URI for about:blank must be moz-safe-about:blank");
 // Handle non-strict file:// uris.
- if (!StaticPrefs::security_fileuri_strict_origin_policy_AtStartup() &&
+ if (!nsScriptSecurityManager::GetStrictFileOriginPolicy() &&
 NS_URIIsLocalFile(origin)) {
 // If strict file origin policy is not in effect, all local files are
 // considered to be same-origin, so return a known dummy origin here.
@@ -367,7 +367,7 @@ static nsresult GetSpecialBaseDomain(const nsCOMPtr& aURI,
 if (NS_URIIsLocalFile(aURI)) {
 // If strict file origin policy is not in effect, all local files are
 // considered to be same-origin, so return a known dummy domain here.
- if (!StaticPrefs::security_fileuri_strict_origin_policy_AtStartup()) {
+ if (!nsScriptSecurityManager::GetStrictFileOriginPolicy()) {
 *aHandled = true;
 aBaseDomain.AssignLiteral("UNIVERSAL_FILE_URI_ORIGIN");
 return NS_OK;
diff --git a/caps/nsScriptSecurityManager.cpp b/caps/nsScriptSecurityManager.cpp
index 667eaf2076bc..9979b9dfbcf1 100644
--- a/caps/nsScriptSecurityManager.cpp
+++ b/caps/nsScriptSecurityManager.cpp
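Review bot: The origin computed in `GenerateOriginNoSuffixFromURI` (hunk at -103) now depends on a value that can change while the process is running, because `GetStrictFileOriginPolicy()` returns an atomic that is rewritten from a pref observer instead of the `_AtStartup()` snapshot it replaces. If the pref is flipped mid-session, two principals built for the same file: URI on either side of the flip would presumably carry different origins, and the same holds for the base domain chosen in `GetSpecialBaseDomain` (hunk at -367). Neither call site says so; a short comment at both would help, for example `// Live pref value: results computed before and after a pref change are not comparable.` Both functions start and end outside the hunks, so the return paths were not checked.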
@@ -84,6 +84,7 @@ using namespace mozilla;
 using namespace mozilla::dom;
 StaticRefPtr nsScriptSecurityManager::sIOService;
+std::atomic nsScriptSecurityManager::sStrictFileOriginPolicy = true;
 namespace {
@@ -217,9 +218,8 @@ inline void SetPendingException(JSContext* cx, const char16_t* aMsg) {
 /* static */
 bool nsScriptSecurityManager::SecurityCompareURIs(nsIURI* aSourceURI,
 nsIURI* aTargetURI) {
- return NS_SecurityCompareURIs(
- aSourceURI, aTargetURI,
- StaticPrefs::security_fileuri_strict_origin_policy_AtStartup());
+ return NS_SecurityCompareURIs(aSourceURI, aTargetURI,
+ sStrictFileOriginPolicy);
 }
 // SecurityHashURI is consistent with SecurityCompareURIs because
@@ -1541,9 +1541,12 @@ nsScriptSecurityManager::CanGetService(JSContext* cx, const nsCID& aCID) {
 }
 const char sJSEnabledPrefName[] = "javascript.enabled";
+const char sFileOriginPolicyPrefName[] =
+ "security.fileuri.strict_origin_policy";
-static const char* kObservedPrefs[] = {sJSEnabledPrefName, "capability.policy.",
- nullptr};
+static const char* kObservedPrefs[] = {sJSEnabledPrefName,
+ sFileOriginPolicyPrefName,
+ "capability.policy.", nullptr};
 /////////////////////////////////////////////
 // Constructor, Destructor, Initialization //
@@ -1678,6 +1681,8 @@ inline void nsScriptSecurityManager::ScriptSecurityPrefChanged(
 MOZ_ASSERT(mPrefInitialized);
 mIsJavaScriptEnabled =
 Preferences::GetBool(sJSEnabledPrefName, mIsJavaScriptEnabled);
+ sStrictFileOriginPolicy =
+ Preferences::GetBool(sFileOriginPolicyPrefName, false);
 mFileURIAllowlist.reset();
 }
diff --git a/caps/nsScriptSecurityManager.h b/caps/nsScriptSecurityManager.h
index cffa8fa17a68..65164aaf834a 100644
--- a/caps/nsScriptSecurityManager.h
+++ b/caps/nsScriptSecurityManager.h
@@ -10,8 +10,6 @@
 #include "nsIScriptSecurityManager.h"
 #include "mozilla/Maybe.h"
-#include "mozilla/StaticPrefs_security.h"
-
 #include "nsIPrincipal.h"
 #include "nsCOMPtr.h"
 #include "nsServiceManagerUtils.h"
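Review bot: In `ScriptSecurityPrefChanged` (hunk at -1678) the fallback passed to `Preferences::GetBool(sFileOriginPolicyPrefName, false)` is the permissive value, while the static initialiser of `sStrictFileOriginPolicy` in the first hunk and the default in StaticPrefList.yaml are both `true`. If the lookup ever returns its fallback, every local file is treated as same-origin, so the failure case should stay on the strict side: `Preferences::GetBool(sFileOriginPolicyPrefName, true);`, or pass the current `sStrictFileOriginPolicy` the way the line above passes `mIsJavaScriptEnabled`. Whether the fallback is reachable for a pref that has a built-in default cannot be told from this hunk, and the function's signature lies outside it.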
@@ -80,6 +78,8 @@ class nsScriptSecurityManager final : public nsIScriptSecurityManager {
 bool aFromPrivateWindow,
 uint64_t aInnerWindowID = 0);
+ static bool GetStrictFileOriginPolicy() { return sStrictFileOriginPolicy; }
+
 void DeactivateDomainPolicy();
 private:
diff --git a/modules/libpref/init/StaticPrefList.yaml b/modules/libpref/init/StaticPrefList.yaml
index eba71b93c1c5..e3dda2f869ec 100644
--- a/modules/libpref/init/StaticPrefList.yaml
+++ b/modules/libpref/init/StaticPrefList.yaml
@@ -15593,9 +15593,9 @@
 # Whether strict file origin policy is in effect. "False" is traditional.
 - name: security.fileuri.strict_origin_policy
- type: bool
+ type: RelaxedAtomicBool
 value: true
- mirror: once
+ mirror: always
 # The level to which we sandbox the content process. firefox.js sets the
 # default to different values on a per-OS basis, and has documentation
diff --git a/netwerk/base/mozurl/MozURL.cpp b/netwerk/base/mozurl/MozURL.cpp
index acaeffa6bee2..47a679164a0c 100644
--- a/netwerk/base/mozurl/MozURL.cpp
+++ b/netwerk/base/mozurl/MozURL.cpp
@@ -7,7 +7,6 @@
 extern "C" {
 bool Gecko_StrictFileOriginPolicy() {
- return mozilla::StaticPrefs::
- security_fileuri_strict_origin_policy_AtStartup();
+ return mozilla::StaticPrefs::security_fileuri_strict_origin_policy();
 }
 }
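Review bot: `Gecko_StrictFileOriginPolicy()` in MozURL.cpp reads the `StaticPrefs` mirror directly, while the caps code in this patch reads `nsScriptSecurityManager::sStrictFileOriginPolicy`, which is only refreshed when the pref observer runs. The same policy therefore has two sources, and they can disagree between a pref write and the observer callback, so origin checks that go through MozURL and principal comparisons could briefly apply different rules to the same file: URI. If the two readers cannot share one accessor, a comment on each should name the other, for example `// Must agree with nsScriptSecurityManager::GetStrictFileOriginPolicy().` here and the mirror-side counterpart on the accessor added in nsScriptSecurityManager.h.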