Bug 1425975 P12 Don't mark an initial about:blank client as controlled if its sandboxed. r=asuth

docshell/base/nsDocShell.cpp

@@ -3413,7 +3413,7 @@ nsDocShell::MaybeCreateInitialClientSource(nsIPrincipal* aPrincipal)
   // Don't pre-allocate the client when we are sandboxed.  The inherited
   // principal does not take sandboxing into account.
   // TODO: Refactor sandboxing principal code out so we can use it here.
-  if (!aPrincipal && (mSandboxFlags & SANDBOXED_ORIGIN)) {
+  if (!aPrincipal && mSandboxFlags) {
     return;
   }
 
@@ -3455,8 +3455,11 @@ nsDocShell::MaybeCreateInitialClientSource(nsIPrincipal* aPrincipal)
     return;
   }
 
+  // We're done if there is no parent controller.  Also, don't inherit
+  // the controller if we're sandboxed.  This matches our behavior in
+  // ShouldPrepareForIntercept(),
   Maybe<ServiceWorkerDescriptor> controller(parentInner->GetController());
-  if (controller.isNothing()) {
+  if (controller.isNothing() || mSandboxFlags) {
     return;
   }