Bug 1257650 - Skip Security checks if triggeringPrincipal is SystemPrincipal only for subresource loads. r=sicking

--HG--
extra : rebase_source : fb8d0827788e70ca87e8cd680e2cdd56941e3c2a
Christoph Kerschbaumer 2016-03-18 16:14:03 -07:00
parent d5b4810bd4
commit 36d3e09fd4


@ -105,6 +105,14 @@ DoCORSChecks(nsIChannel* aChannel, nsILoadInfo* aLoadInfo,
nsCOMPtr<nsIStreamListener>& aInAndOutListener)
{
MOZ_RELEASE_ASSERT(aInAndOutListener, "can not perform CORS checks without a listener");
// No need to set up CORS if TriggeringPrincipal is the SystemPrincipal.
// For example, allow user stylesheets to load XBL from external files
// without requiring CORS.
if (nsContentUtils::IsSystemPrincipal(aLoadInfo->TriggeringPrincipal())) {
return NS_OK;
}
nsIPrincipal* loadingPrincipal = aLoadInfo->LoadingPrincipal();
RefPtr<nsCORSListenerProxy> corsListener =
new nsCORSListenerProxy(aInAndOutListener,
@ -476,10 +484,11 @@ nsContentSecurityManager::CheckChannel(nsIChannel* aChannel)
return NS_OK;
}
// Allow the load if TriggeringPrincipal is the SystemPrincipal which
// is e.g. necessary to allow user user stylesheets to load XBL from
// external files.
if (nsContentUtils::IsSystemPrincipal(loadInfo->TriggeringPrincipal())) {
// Allow subresource loads if TriggeringPrincipal is the SystemPrincipal.
// For example, allow user stylesheets to load XBL from external files.
if (nsContentUtils::IsSystemPrincipal(loadInfo->TriggeringPrincipal()) &&
loadInfo->GetExternalContentPolicyType() != nsIContentPolicy::TYPE_DOCUMENT &&
loadInfo->GetExternalContentPolicyType() != nsIContentPolicy::TYPE_SUBDOCUMENT) {
return NS_OK;
}
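Review bot: The early return added to DoCORSChecks skips CORS whenever the TriggeringPrincipal is the SystemPrincipal, without the TYPE_DOCUMENT / TYPE_SUBDOCUMENT exclusion that the CheckChannel hunk adds, so the two bypasses are scoped differently even though the commit title limits the exemption to subresource loads. If CORS mode can never be requested for document loads this is harmless, but that is not visible in these hunks; either repeat the type test in DoCORSChecks or state the assumption, e.g. `MOZ_ASSERT(aLoadInfo->GetExternalContentPolicyType() != nsIContentPolicy::TYPE_DOCUMENT, "system-principal CORS bypass is for subresources only");`. In CheckChannel the new condition calls GetExternalContentPolicyType() twice; reading it once into a local (`nsContentPolicyType type = loadInfo->GetExternalContentPolicyType();`) would make the three-part test easier to audit. Both function bodies extend beyond the hunks shown, so callers and the surrounding security-mode checks should be confirmed against the full file.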