Bug 1398713 pass triggeringPrincipal when using browser.loadURI, r=Gijs,kmag

browser/base/content/browser-sidebar.js

@@ -360,6 +360,15 @@ var SidebarUI = {
     return this.show(commandID, triggerNode);
   },
 
+  _loadSidebarExtension(sidebarBroadcaster) {
+    let extensionId = sidebarBroadcaster.getAttribute("extensionId");
+    if (extensionId) {
+      let extensionUrl = sidebarBroadcaster.getAttribute("panel");
+      let browserStyle = sidebarBroadcaster.getAttribute("browserStyle");
+      SidebarUI.browser.contentWindow.loadPanel(extensionId, extensionUrl, browserStyle);
+    }
+  },
+
   /**
    * Show the sidebar, using the parameters from the specified broadcaster.
    * @see SidebarUI note.
@@ -371,7 +380,9 @@ var SidebarUI = {
    *                                showing of the sidebar.
    */
   show(commandID, triggerNode) {
-    return this._show(commandID).then(() => {
+    return this._show(commandID).then((sidebarBroadcaster) => {
+      this._loadSidebarExtension(sidebarBroadcaster);
+
       if (triggerNode) {
         updateToggleControlLabel(triggerNode);
       }
@@ -388,9 +399,11 @@ var SidebarUI = {
    *
    * @param {string} commandID ID of the xul:broadcaster element to use.
    */
-   showInitially(commandID) {
-     return this._show(commandID);
-   },
+  showInitially(commandID) {
+    return this._show(commandID).then((sidebarBroadcaster) => {
+      this._loadSidebarExtension(sidebarBroadcaster);
+    });
+  },
 
   /**
    * Implementation for show. Also used internally for sidebars that are shown
@@ -446,14 +459,14 @@ var SidebarUI = {
           // We're handling the 'load' event before it bubbles up to the usual
           // (non-capturing) event handlers. Let it bubble up before resolving.
           setTimeout(() => {
-            resolve();
+            resolve(sidebarBroadcaster);
 
             // Now that the currentId is updated, fire a show event.
             this._fireShowEvent();
           }, 0);
         }, {capture: true, once: true});
       } else {
-        resolve();
+        resolve(sidebarBroadcaster);
 
         // Now that the currentId is updated, fire a show event.
         this._fireShowEvent();

browser/base/content/webext-panels.js

@@ -10,6 +10,7 @@
 ChromeUtils.defineModuleGetter(this, "ExtensionParent",
                                "resource://gre/modules/ExtensionParent.jsm");
 
+ChromeUtils.import("resource://gre/modules/Services.jsm");
 ChromeUtils.import("resource://gre/modules/ExtensionUtils.jsm");
 
 var {
@@ -88,18 +89,16 @@ var gBrowser = {
   },
 };
 
-function loadWebPanel() {
-  let sidebarURI = new URL(location);
+async function loadPanel(extensionId, extensionUrl, browserStyle) {
+  let policy = WebExtensionPolicy.getByID(extensionId);
   let sidebar = {
-    uri: sidebarURI.searchParams.get("panel"),
-    remote: sidebarURI.searchParams.get("remote"),
-    browserStyle: sidebarURI.searchParams.get("browser-style"),
+    uri: extensionUrl,
+    remote: policy.extension.remote,
+    browserStyle,
   };
   getBrowser(sidebar).then(browser => {
-    browser.loadURI(sidebar.uri);
+    let uri = Services.io.newURI(policy.getURL());
+    let triggeringPrincipal = Services.scriptSecurityManager.createCodebasePrincipal(uri, {});
+    browser.loadURIWithFlags(extensionUrl, {triggeringPrincipal});
   });
 }
-
-function load() {
-  this.loadWebPanel();
-}

browser/base/content/webext-panels.xul

@@ -18,8 +18,7 @@
 
 <page id="webextpanels-window"
         xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
-        xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
-        onload="load()">
+        xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
   <script type="application/javascript" src="chrome://global/content/contentAreaUtils.js"/>
   <script type="application/javascript" src="chrome://browser/content/browser.js"/>
   <script type="application/javascript" src="chrome://browser/content/browser-places.js"/>

browser/components/extensions/ExtensionPopups.jsm

@@ -316,7 +316,7 @@ class BasePopup {
         stylesheets: this.STYLESHEETS,
       });
 
-      browser.loadURI(popupURL);
+      browser.loadURIWithFlags(popupURL, {triggeringPrincipal: this.extension.principal});
     });
   }
 

browser/components/extensions/ext-devtools-panels.js

@@ -264,7 +264,9 @@ class ParentDevToolsPanel {
       },
     });
 
-    browser.loadURI(url);
+    browser.loadURIWithFlags(url, {
+      triggeringPrincipal: extension.principal,
+    });
   }
 
   destroyBrowserElement() {

browser/components/extensions/ext-devtools.js

@@ -176,7 +176,9 @@ class DevToolsPage extends HiddenExtensionPage {
       },
     });
 
-    this.browser.loadURI(this.url);
+    this.browser.loadURIWithFlags(this.url, {
+      triggeringPrincipal: this.extension.principal,
+    });
 
     await this.waitForTopLevelContext;
   }

browser/components/extensions/ext-sidebarAction.js

@@ -136,20 +136,6 @@ this.sidebarAction = class extends ExtensionAPI {
     }
   }
 
-  sidebarUrl(panel) {
-    let url = `${sidebarURL}?panel=${encodeURIComponent(panel)}`;
-
-    if (this.extension.remote) {
-      url += "&remote=1";
-    }
-
-    if (this.browserStyle) {
-      url += "&browser-style=1";
-    }
-
-    return url;
-  }
-
   createMenuItem(window, details) {
     let {document, SidebarUI} = window;
 
@@ -161,7 +147,12 @@ this.sidebarAction = class extends ExtensionAPI {
     broadcaster.setAttribute("type", "checkbox");
     broadcaster.setAttribute("group", "sidebar");
     broadcaster.setAttribute("label", details.title);
-    broadcaster.setAttribute("sidebarurl", this.sidebarUrl(details.panel));
+    broadcaster.setAttribute("sidebarurl", sidebarURL);
+    broadcaster.setAttribute("panel", details.panel);
+    if (this.browserStyle) {
+      broadcaster.setAttribute("browserStyle", "true");
+    }
+    broadcaster.setAttribute("extensionId", this.extension.id);
     let id = `ext-key-id-${this.id}`;
     broadcaster.setAttribute("key", id);
 
@@ -227,10 +218,9 @@ this.sidebarAction = class extends ExtensionAPI {
     broadcaster.setAttribute("tooltiptext", title);
     broadcaster.setAttribute("label", title);
 
-    let url = this.sidebarUrl(tabData.panel);
-    let urlChanged = url !== broadcaster.getAttribute("sidebarurl");
+    let urlChanged = tabData.panel !== broadcaster.getAttribute("panel");
     if (urlChanged) {
-      broadcaster.setAttribute("sidebarurl", url);
+      broadcaster.setAttribute("panel", tabData.panel);
     }
 
     this.setMenuIcon(menu, tabData);

browser/components/extensions/ext-tabs.js

@@ -507,10 +507,13 @@ this.tabs = class extends ExtensionAPI {
               return Promise.reject({message: `Illegal URL: ${url}`});
             }
 
-            let flags = updateProperties.loadReplace
-              ? Ci.nsIWebNavigation.LOAD_FLAGS_REPLACE_HISTORY
-              : Ci.nsIWebNavigation.LOAD_FLAGS_NONE;
-            nativeTab.linkedBrowser.loadURIWithFlags(url, {flags});
+            let options = {
+              flags: updateProperties.loadReplace
+                      ? Ci.nsIWebNavigation.LOAD_FLAGS_REPLACE_HISTORY
+                      : Ci.nsIWebNavigation.LOAD_FLAGS_NONE,
+              triggeringPrincipal: context.principal,
+            };
+            nativeTab.linkedBrowser.loadURIWithFlags(url, options);
           }
 
           if (updateProperties.active !== null) {

toolkit/components/extensions/ext-backgroundPage.js

@@ -31,7 +31,7 @@ class BackgroundPage extends HiddenExtensionPage {
 
     extensions.emit("extension-browser-inserted", this.browser);
 
-    this.browser.loadURI(this.url);
+    this.browser.loadURIWithFlags(this.url, {triggeringPrincipal: this.extension.principal});
 
     let context = await promiseExtensionViewLoaded(this.browser);
     TelemetryStopwatch.finish("WEBEXT_BACKGROUND_PAGE_LOAD_MS", this);