Bug 1300908 - Avoid using expanded principals as the loading principal of XHR; r=smaug

dom/xhr/XMLHttpRequestMainThread.cpp

@@ -2414,6 +2414,27 @@ XMLHttpRequestMainThread::CreateChannel()
     secFlags |= nsILoadInfo::SEC_COOKIES_OMIT;
   }
 
+  nsCOMPtr<nsIExpandedPrincipal> ep = do_QueryInterface(mPrincipal);
+  if (ep) {
+    // If we have an expanded principal, instead of using that, select the
+    // principal in the whitelist which can load our URL, and use that instead.
+    nsTArray<nsCOMPtr<nsIPrincipal>>* whitelist = nullptr;
+    ep->GetWhiteList(&whitelist);
+    if (!whitelist) {
+      return NS_ERROR_FAILURE;
+    }
+    MOZ_ASSERT(!(secFlags & nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_DATA_INHERITS));
+    bool dataInherits = (secFlags &
+      (nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_DATA_INHERITS |
+       nsILoadInfo::SEC_REQUIRE_CORS_DATA_INHERITS)) != 0;
+    for (const auto& principal : *whitelist) {
+      if (NS_SUCCEEDED(principal->CheckMayLoad(mRequestURL, false, dataInherits))) {
+        mPrincipal = principal;
+        break;
+      }
+    }
+  }
+
   // Use the responsibleDocument if we have it, except for dedicated workers
   // where it will be the parent document, which is not the one we want to use.
   nsresult rv;

js/xpconnect/tests/unit/test_allowedDomainsXHR.js

@@ -54,6 +54,11 @@ function run_test()
   var res = cu.evalInSandbox('var sync = createXHR("4444/simple"); sync.send(null); sync', sb);
   do_check_true(checkResults(res));
 
+  var principal = res.responseXML.nodePrincipal;
+  do_check_true(principal.isCodebasePrincipal);
+  var requestURL = "http://localhost:4444/simple";
+  do_check_eq(principal.URI.spec, requestURL);
+
   // negative test sync XHR sending (to ensure that the xhr do not have chrome caps, see bug 779821)
   try {
     cu.evalInSandbox('var createXHR = ' + createXHR.toString(), sb);