Bug 1881800 - chrome/system-privileged XHR should not use credentials, r=peterv,extension-reviewers,application-update-reviewers,decoder,mossop,robwu,releng-reviewers,bytesized,jcristau

Differential Revision: https://phabricator.services.mozilla.com/D203334

browser/components/pocket/content/pktApi.sys.mjs

@@ -308,7 +308,7 @@ export var pktApi = (function () {
     data.locale_lang = Services.locale.appLocaleAsBCP47;
     data.consumer_key = oAuthConsumerKey;
 
-    var request = new XMLHttpRequest();
+    var request = new XMLHttpRequest({ mozAnon: false });
 
     if (!useBFF) {
       request.open("POST", url, true);

dom/base/test/unit/test_xhr_standalone.js

@@ -6,6 +6,10 @@
 // in non-window non-Worker context
 
 function run_test() {
+  Services.prefs.setBoolPref(
+    "network.fetch.systemDefaultsToOmittingCredentials",
+    false
+  );
   var xhr = new XMLHttpRequest();
   xhr.open("GET", "data:,", false);
   var exceptionThrown = false;
@@ -13,6 +17,7 @@ function run_test() {
     xhr.responseType = "";
     xhr.withCredentials = false;
   } catch (e) {
+    console.error(e);
     exceptionThrown = true;
   }
   Assert.equal(false, exceptionThrown);

dom/tests/unit/test_xhr_init.js

@@ -7,6 +7,14 @@ function run_test() {
   Assert.ok(x.mozAnon);
   Assert.ok(x.mozSystem);
 
+  x = new XMLHttpRequest();
+  Assert.ok(x.mozAnon);
+  Assert.ok(x.mozSystem);
+
+  Services.prefs.setBoolPref(
+    "network.fetch.systemDefaultsToOmittingCredentials",
+    false
+  );
   x = new XMLHttpRequest();
   Assert.ok(!x.mozAnon);
   Assert.ok(x.mozSystem);

dom/webidl/XMLHttpRequest.webidl

@@ -32,9 +32,12 @@ dictionary MozXMLHttpRequestParameters
 {
   /**
    * If true, the request will be sent without cookie and authentication
-   * headers.
+   * headers. Defaults to true for system/privileged/chrome requests,
+   * and to false otherwise.
+   * Note that even if set to true, for system/privileged/chrome requests,
+   * manually-set 'Cookie' headers are not removed.
    */
-  boolean mozAnon = false;
+  boolean mozAnon;
 
   /**
    * If true, the same origin policy will not be enforced on the request.

dom/xhr/XMLHttpRequest.cpp

@@ -8,6 +8,7 @@
 #include "XMLHttpRequestMainThread.h"
 #include "XMLHttpRequestWorker.h"
 #include "mozilla/Logging.h"
+#include "mozilla/StaticPrefs_network.h"
 #include "mozilla/net/CookieJarSettings.h"
 
 mozilla::LazyLogModule gXMLHttpRequestLog("XMLHttpRequest");
@@ -21,15 +22,16 @@ already_AddRefed<XMLHttpRequest> XMLHttpRequest::Constructor(
   if (NS_IsMainThread()) {
     nsCOMPtr<nsIGlobalObject> global =
         do_QueryInterface(aGlobal.GetAsSupports());
-    nsCOMPtr<nsIScriptObjectPrincipal> principal =
+    nsCOMPtr<nsIScriptObjectPrincipal> scriptPrincipal =
         do_QueryInterface(aGlobal.GetAsSupports());
-    if (!global || !principal) {
+    if (!global || !scriptPrincipal) {
       aRv.Throw(NS_ERROR_FAILURE);
       return nullptr;
     }
 
     nsCOMPtr<nsICookieJarSettings> cookieJarSettings;
     nsCOMPtr<nsPIDOMWindowInner> window = do_QueryInterface(global);
+    nsCOMPtr<nsIPrincipal> principal = scriptPrincipal->GetPrincipal();
     if (window) {
       Document* document = window->GetExtantDoc();
       if (NS_WARN_IF(!document)) {
@@ -40,13 +42,21 @@ already_AddRefed<XMLHttpRequest> XMLHttpRequest::Constructor(
       cookieJarSettings = document->CookieJarSettings();
     } else {
       // We are here because this is a sandbox.
-      cookieJarSettings =
-          net::CookieJarSettings::Create(principal->GetPrincipal());
+      cookieJarSettings = net::CookieJarSettings::Create(principal);
     }
 
     RefPtr<XMLHttpRequestMainThread> req = new XMLHttpRequestMainThread(global);
-    req->Construct(principal->GetPrincipal(), cookieJarSettings, false);
-    req->InitParameters(aParams.mMozAnon, aParams.mMozSystem);
+    req->Construct(principal, cookieJarSettings, false);
+
+    bool isAnon = false;
+    if (aParams.mMozAnon.WasPassed()) {
+      isAnon = aParams.mMozAnon.Value();
+    } else {
+      isAnon =
+          StaticPrefs::network_fetch_systemDefaultsToOmittingCredentials() &&
+          (aParams.mMozSystem || principal->IsSystemPrincipal());
+    }
+    req->InitParameters(isAnon, aParams.mMozSystem);
     return req.forget();
   }
 

dom/xhr/XMLHttpRequestWorker.cpp

@@ -1388,10 +1388,12 @@ already_AddRefed<XMLHttpRequest> XMLHttpRequestWorker::Construct(
       new XMLHttpRequestWorker(workerPrivate, global);
 
   if (workerPrivate->XHRParamsAllowed()) {
-    if (aParams.mMozSystem)
+    if (aParams.mMozSystem) {
       xhr->mMozAnon = true;
-    else
-      xhr->mMozAnon = aParams.mMozAnon;
+    } else {
+      xhr->mMozAnon =
+          aParams.mMozAnon.WasPassed() ? aParams.mMozAnon.Value() : false;
+    }
     xhr->mMozSystem = aParams.mMozSystem;
   }
 

toolkit/components/extensions/parent/ext-identity.js

@@ -12,7 +12,7 @@ var { promiseDocumentLoaded } = ExtensionUtils;
 
 const checkRedirected = (url, redirectURI) => {
   return new Promise((resolve, reject) => {
-    let xhr = new XMLHttpRequest();
+    let xhr = new XMLHttpRequest({ mozAnon: false });
     xhr.open("GET", url);
     // We expect this if the user has not authenticated.
     xhr.onload = () => {

toolkit/components/pdfjs/content/PdfJsNetwork.sys.mjs

@@ -33,7 +33,7 @@ export class NetworkManager {
     this.getXhr =
       args.getXhr ||
       function NetworkManager_getXhr() {
-        return new XMLHttpRequest();
+        return new XMLHttpRequest({ mozAnon: false });
       };
 
     this.currXhrId = 0;

toolkit/components/pdfjs/content/PdfStreamConverter.sys.mjs

@@ -545,7 +545,7 @@ class RangedChromeActions extends ChromeActions {
       }
     };
     var getXhr = function getXhr() {
-      var xhr = new XMLHttpRequest();
+      var xhr = new XMLHttpRequest({ mozAnon: false });
       xhr.addEventListener("readystatechange", xhr_onreadystatechange);
       return xhr;
     };

toolkit/components/reader/ReaderMode.sys.mjs

@@ -273,7 +273,7 @@ export var ReaderMode = {
       "READER_MODE_DOWNLOAD_RESULT"
     );
     return new Promise((resolve, reject) => {
-      let xhr = new XMLHttpRequest();
+      let xhr = new XMLHttpRequest({ mozAnon: false });
       xhr.open("GET", url, true);
       xhr.onerror = evt => reject(evt.error);
       xhr.responseType = docContentType === "text/plain" ? "text" : "document";

toolkit/modules/AsanReporter.sys.mjs

@@ -135,7 +135,7 @@ function submitToServer(data) {
       tool: "asan-nightly-program",
     };
 
-    var xhr = new XMLHttpRequest();
+    var xhr = new XMLHttpRequest({ mozAnon: !auth_token });
     xhr.open("POST", api_url, true);
     xhr.setRequestHeader("Content-Type", "application/json");