corysanin/tubestation
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Bug 1984940: Make sec-fetch user-triggered check default to secure a=RyanVM

Browse Source 
Original Revision: https://phabricator.services.mozilla.com/D265744

Differential Revision: https://phabricator.services.mozilla.com/D270137
This commit is contained in:
Simon Friedberger
2025-10-27 17:30:50 +00:00
committed by rvandermeulen@mozilla.com
parent c2b83fc60b
commit c4b28fcae3
1 changed files with 6 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
dom/security/SecFetch.cpp
View File

@@ -236,6 +236,8 @@ bool IsSameSite(nsIChannel* aHTTPChannel) {
// Helper function to determine whether a request was triggered // Helper function to determine whether a request was triggered
// by the end user in the context of SecFetch. // by the end user in the context of SecFetch.
// The more secure/closed state to return for this function is "false".
// A user triggered action is less restricted because it is not cross-origin.
bool IsUserTriggeredForSecFetchSite(nsIHttpChannel* aHTTPChannel) { bool IsUserTriggeredForSecFetchSite(nsIHttpChannel* aHTTPChannel) {
/* /*
* The goal is to distinguish between "webby" navigations that are controlled * The goal is to distinguish between "webby" navigations that are controlled
@@ -247,8 +249,7 @@ bool IsUserTriggeredForSecFetchSite(nsIHttpChannel* aHTTPChannel) {
ExtContentPolicyType contentType = loadInfo->GetExternalContentPolicyType(); ExtContentPolicyType contentType = loadInfo->GetExternalContentPolicyType();
// A request issued by the browser is always user initiated. // A request issued by the browser is always user initiated.
if (loadInfo->TriggeringPrincipal()->IsSystemPrincipal() && if (loadInfo->TriggeringPrincipal()->IsSystemPrincipal()) {
contentType == ExtContentPolicy::TYPE_OTHER) {
return true; return true;
} }
@@ -283,12 +284,12 @@ bool IsUserTriggeredForSecFetchSite(nsIHttpChannel* aHTTPChannel) {
if (referrerInfo) { if (referrerInfo) {
nsCOMPtr<nsIURI> originalReferrer; nsCOMPtr<nsIURI> originalReferrer;
referrerInfo->GetOriginalReferrer(getter_AddRefs(originalReferrer)); referrerInfo->GetOriginalReferrer(getter_AddRefs(originalReferrer));
if (originalReferrer) { if (!originalReferrer) {
return false; return true;
} }
} }
return true; return false;
} }
void mozilla::dom::SecFetch::AddSecFetchDest(nsIHttpChannel* aHTTPChannel) { void mozilla::dom::SecFetch::AddSecFetchDest(nsIHttpChannel* aHTTPChannel) {