Bug 1868387 - Part 1: Make a pref, that enables origin security check for SetDocumentURI() method, r=smaug

Differential Revision: https://phabricator.services.mozilla.com/D195554
2023-12-13 15:14:35 +00:00
parent 9e312ddb6c
commit 81f5d90484
3 changed files with 67 additions and 57 deletions
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@@ -8752,34 +8752,36 @@ nsresult nsDocShell::HandleSameDocumentNavigation(
            ("Upgraded URI to %s", newURI->GetSpecOrDefault().get()));
  }

-  // check if aLoadState->URI(), principalURI, mCurrentURI are same origin
-  // skip handling otherwise
-  nsCOMPtr<nsIPrincipal> origPrincipal = doc->NodePrincipal();
-  nsCOMPtr<nsIURI> principalURI = origPrincipal->GetURI();
-  if (origPrincipal->GetIsNullPrincipal()) {
-    nsCOMPtr<nsIPrincipal> precursor = origPrincipal->GetPrecursorPrincipal();
-    if (precursor) {
-      principalURI = precursor->GetURI();
+  if (StaticPrefs::dom_security_setdocumenturi()) {
+    // check if aLoadState->URI(), principalURI, mCurrentURI are same origin
+    // skip handling otherwise
+    nsCOMPtr<nsIPrincipal> origPrincipal = doc->NodePrincipal();
+    nsCOMPtr<nsIURI> principalURI = origPrincipal->GetURI();
+    if (origPrincipal->GetIsNullPrincipal()) {
+      nsCOMPtr<nsIPrincipal> precursor = origPrincipal->GetPrecursorPrincipal();
+      if (precursor) {
+        principalURI = precursor->GetURI();
+      }
    }
-  }

-  auto isLoadableViaInternet = [](nsIURI* uri) {
-    return (uri && (net::SchemeIsHTTP(uri) || net::SchemeIsHTTPS(uri)));
-  };
+    auto isLoadableViaInternet = [](nsIURI* uri) {
+      return (uri && (net::SchemeIsHTTP(uri) || net::SchemeIsHTTPS(uri)));
+    };

-  if (isLoadableViaInternet(principalURI) &&
-      isLoadableViaInternet(mCurrentURI) && isLoadableViaInternet(newURI)) {
-    nsIScriptSecurityManager* ssm = nsContentUtils::GetSecurityManager();
-    if (!NS_SUCCEEDED(
-            ssm->CheckSameOriginURI(newURI, principalURI, false, false)) ||
-        !NS_SUCCEEDED(
-            ssm->CheckSameOriginURI(mCurrentURI, principalURI, false, false))) {
-      MOZ_LOG(gSHLog, LogLevel::Debug,
-              ("nsDocShell[%p]: possible violation of the same origin policy "
-               "during same document navigation",
-               this));
-      aSameDocument = false;
-      return NS_OK;
+    if (isLoadableViaInternet(principalURI) &&
+        isLoadableViaInternet(mCurrentURI) && isLoadableViaInternet(newURI)) {
+      nsIScriptSecurityManager* ssm = nsContentUtils::GetSecurityManager();
+      if (!NS_SUCCEEDED(
+              ssm->CheckSameOriginURI(newURI, principalURI, false, false)) ||
+          !NS_SUCCEEDED(ssm->CheckSameOriginURI(mCurrentURI, principalURI,
+                                                false, false))) {
+        MOZ_LOG(gSHLog, LogLevel::Debug,
+                ("nsDocShell[%p]: possible violation of the same origin policy "
+                 "during same document navigation",
+                 this));
+        aSameDocument = false;
+        return NS_OK;
+      }
    }
  }