Bug 1105556 -
* loadingNode passed to loadInfo null for TYPE_DOCUMENT and outer window's frameelementinternal for subdocuments. * loadingPrincipal is taken directly from loadingNode; if loadingNode doesn't exist, it's null. * requestingContext passed to nsIContentPolicy unchanged * requestingPrincipal passed to nsIContentPolicy unchanged * triggeringPrincipal passed to loadInfo unchanged r=sicking, bz
@@ -10566,6 +10566,11 @@ nsDocShell::DoURILoad(nsIURI* aURI,
|
||||
}
|
||||
|
||||
if (IsFrame()) {
|
||||
|
||||
MOZ_ASSERT(aContentPolicyType == nsIContentPolicy::TYPE_INTERNAL_IFRAME ||
|
||||
aContentPolicyType == nsIContentPolicy::TYPE_INTERNAL_FRAME,
|
||||
"DoURILoad thinks this is a frame and InternalLoad does not");
|
||||
|
||||
// Only allow view-source scheme in top-level docshells. view-source is
|
||||
// the only scheme to which this applies at the moment due to potential
|
||||
// timing attacks to read data from cross-origin iframes. If this widens
|
||||
@@ -10584,8 +10589,12 @@ nsDocShell::DoURILoad(nsIURI* aURI,
|
||||
nestedURI->GetInnerURI(getter_AddRefs(tempURI));
|
||||
nestedURI = do_QueryInterface(tempURI);
|
||||
}
|
||||
} else {
|
||||
MOZ_ASSERT(aContentPolicyType == nsIContentPolicy::TYPE_DOCUMENT,
|
||||
"DoURILoad thinks this is a document and InternalLoad does not");
|
||||
}
|
||||
|
||||
|
||||
// For mozWidget, display a load error if we navigate to a page which is not
|
||||
// claimed in |widgetPages|.
|
||||
// When we go to display a load error for an invalid mozWidget page, we will
|
||||
@@ -10620,37 +10629,31 @@ nsDocShell::DoURILoad(nsIURI* aURI,
|
||||
bool isSrcdoc = !aSrcdoc.IsVoid();
|
||||
|
||||
// There are two cases we care about:
|
||||
// * Top-level load (GetFrameElementInternal returns null). In this case,
|
||||
// requestingNode is null, but requestingWindow is our mScriptGlobal.
|
||||
// TODO we want to pass null for loadingPrincipal in this case.
|
||||
// * Subframe load: requestingWindow is null, but requestingNode is the frame
|
||||
// * Top-level load: In this case, loadingNode is null, but loadingWindow
|
||||
// is our mScriptGlobal. We pass null for loadingPrincipal in this case.
|
||||
// * Subframe load: loadingWindow is null, but loadingNode is the frame
|
||||
// element for the load. loadingPrincipal is the NodePrincipal of the frame
|
||||
// element.
|
||||
nsCOMPtr<nsINode> requestingNode;
|
||||
nsCOMPtr<nsPIDOMWindowOuter> requestingWindow;
|
||||
|
||||
nsCOMPtr<nsINode> loadingNode;
|
||||
nsCOMPtr<nsPIDOMWindowOuter> loadingWindow;
|
||||
nsCOMPtr<nsIPrincipal> loadingPrincipal;
|
||||
requestingNode = mScriptGlobal->AsOuter()->GetFrameElementInternal();
|
||||
if (requestingNode) {
|
||||
// If we have a requesting node, then use that as our loadingPrincipal.
|
||||
loadingPrincipal = requestingNode->NodePrincipal();
|
||||
} else {
|
||||
if (aContentPolicyType != nsIContentPolicy::TYPE_DOCUMENT) {
|
||||
// If this isn't a top-level load and mScriptGlobal's frame element is
|
||||
// null, then the element got removed from the DOM while we were trying to
|
||||
// load this resource. This docshell is scheduled for destruction already,
|
||||
// so bail out here.
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
requestingWindow = mScriptGlobal->AsOuter();
|
||||
if (mItemType != typeChrome) {
|
||||
nsIScriptSecurityManager* ssm = nsContentUtils::GetSecurityManager();
|
||||
ssm->GetDocShellCodebasePrincipal(aURI, this, getter_AddRefs(loadingPrincipal));
|
||||
if (aContentPolicyType == nsIContentPolicy::TYPE_DOCUMENT) {
|
||||
loadingNode = nullptr;
|
||||
loadingPrincipal = nullptr;
|
||||
loadingWindow = mScriptGlobal->AsOuter();
|
||||
} else {
|
||||
loadingWindow = nullptr;
|
||||
loadingNode = mScriptGlobal->AsOuter()->GetFrameElementInternal();
|
||||
if (loadingNode) {
|
||||
// If we have a loading node, then use that as our loadingPrincipal.
|
||||
loadingPrincipal = loadingNode->NodePrincipal();
|
||||
} else {
|
||||
// This is a top-level chrome load, use a system principal for the
|
||||
// loadingPrincipal.
|
||||
loadingPrincipal = nsContentUtils::GetSystemPrincipal();
|
||||
// If this isn't a top-level load and mScriptGlobal's frame element is
|
||||
// null, then the element got removed from the DOM while we were trying
|
||||
// to load this resource. This docshell is scheduled for destruction
|
||||
// already, so bail out here.
|
||||
return NS_OK;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -10658,6 +10661,10 @@ nsDocShell::DoURILoad(nsIURI* aURI,
|
||||
// only inherit if we have a triggeringPrincipal
|
||||
bool inherit = false;
|
||||
|
||||
// Get triggeringPrincipal. This code should be updated by bug 1181370.
|
||||
// Until then, we cannot rely on the triggeringPrincipal for TYPE_DOCUMENT
|
||||
// or TYPE_SUBDOCUMENT loads. Notice the triggeringPrincipal falls back to
|
||||
// systemPrincipal below.
|
||||
nsCOMPtr<nsIPrincipal> triggeringPrincipal = do_QueryInterface(aOwner);
|
||||
if (triggeringPrincipal) {
|
||||
inherit = nsContentUtils::ChannelShouldInheritPrincipal(
|
||||
@@ -10682,10 +10689,10 @@ nsDocShell::DoURILoad(nsIURI* aURI,
|
||||
}
|
||||
|
||||
nsCOMPtr<nsILoadInfo> loadInfo =
|
||||
requestingWindow ?
|
||||
new LoadInfo(requestingWindow, loadingPrincipal, triggeringPrincipal,
|
||||
(aContentPolicyType == nsIContentPolicy::TYPE_DOCUMENT) ?
|
||||
new LoadInfo(loadingWindow, triggeringPrincipal,
|
||||
securityFlags) :
|
||||
new LoadInfo(loadingPrincipal, triggeringPrincipal, requestingNode,
|
||||
new LoadInfo(loadingPrincipal, triggeringPrincipal, loadingNode,
|
||||
securityFlags, aContentPolicyType);
|
||||
if (!isSrcdoc) {
|
||||
rv = NS_NewChannelInternal(getter_AddRefs(channel),
|
||||
|
||||
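Review bot: The agreement between `IsFrame()` and `aContentPolicyType` is checked only by the two `MOZ_ASSERT`s (the frame branch and the added `else` branch), which compile out of release builds. The code below them picks `loadingNode`, `loadingPrincipal` and the `LoadInfo` constructor from `aContentPolicyType` alone, while the view-source restriction keys on `IsFrame()` alone. If the two ever disagree in a release build, a frame load could be given the top-level `LoadInfo` with a null loading principal, or a non-frame load would hit the `return NS_OK` path and be dropped while reporting success. Consider failing closed in all builds, e.g. `if (NS_WARN_IF(IsFrame() == (aContentPolicyType == nsIContentPolicy::TYPE_DOCUMENT))) { return NS_ERROR_UNEXPECTED; }`, or deriving both decisions from a single value. The +/- markers are lost on this page, so which lines are on the new side is inferred from the commit description; DoURILoad's body starts and ends outside the visible hunks.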