Bug 1496220 - 2. Default to null triggering principal for GeckoView.loadUri; r=esawin

For improved security, default to a null triggering principal for
GeckoView.loadUri calls, except when loading certain privileged schemes
such as "resource" and "file".

Differential Revision: https://phabricator.services.mozilla.com/D7785

--HG--
extra : moz-landing-system : lando

mobile/android/geckoview/src/androidTest/assets/www/newSession.html

@@ -2,6 +2,6 @@
     <head><title>Hello, world!</title></head>
     <body>
         <a id="targetBlankLink" target="_blank" href="newSession_child.html">target="_blank"</a>
-        <a id="noOpenerLink" target="_blank" rel="noopener" href="newSession_child.html">rel="noopener"</a>
+        <a id="noOpenerLink" target="_blank" rel="noopener" href="http://example.com">rel="noopener"</a>
     </body>
 </html>

mobile/android/modules/geckoview/GeckoViewNavigation.jsm

@@ -73,9 +73,25 @@ class GeckoViewNavigation extends GeckoViewModule {
           navFlags |= Ci.nsIWebNavigation.LOAD_FLAGS_ALLOW_POPUPS;
         }
 
-        this.browser.loadURI(uri, {
+        let parsedUri;
+        let triggeringPrincipal;
+        try {
+            parsedUri = Services.io.newURI(uri);
+            if (parsedUri.schemeIs("about") || parsedUri.schemeIs("data") ||
+                parsedUri.schemeIs("file") || parsedUri.schemeIs("resource")) {
+              // Only allow privileged loading for certain URIs.
+              triggeringPrincipal = Services.scriptSecurityManager.getSystemPrincipal();
+            }
+        } catch (ignored) {
+        }
+        if (!triggeringPrincipal) {
+          triggeringPrincipal = Services.scriptSecurityManager.createNullPrincipal({});
+        }
+
+        this.browser.loadURI(parsedUri ? parsedUri.spec : uri, {
           flags: navFlags,
           referrerURI: referrer,
+          triggeringPrincipal,
         });
         break;
       case "GeckoView:Reload":