bug 394390: Don't report bogus warnings to the error console when using cross-site xmlhttprequest. Patch by Surya Ismail <suryaismail@gmail.com>, r/sr=sicking

jonas@sicking.cc 2007-10-26 18:46:09 -07:00
parent f741f925e7
commit 4c1a3910ac
12 changed files with 22 additions and 14 deletions

@ -284,9 +284,12 @@ interface nsIScriptSecurityManager : nsIXPCSecurityManager
/**
* Returns OK if aSourceURI and target have the same "origin"
* (scheme, host, and port).
* ReportError flag suppresses error reports for functions that
* don't need reporting.
*/
void checkSameOriginURI(in nsIURI aSourceURI,
in nsIURI aTargetURI);
in nsIURI aTargetURI,
in boolean reportError);
/**
* Returns OK if aSourcePrincipal and aTargetPrincipal
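Review bot: The sentence added to the checkSameOriginURI comment does not say which value of the flag turns reporting on, nor that the flag affects only logging and never the same-origin verdict; a line such as `@param reportError if true, a mismatch is also logged to the error console; the result is the same either way` would state both. The new parameter is the only one in the signature without the `a` prefix, and in nsScriptSecurityManager::CheckSameOriginURI it differs from the `ReportError` helper it guards only by case, so `aReportError` would read better here, there and in the FullTrustSecMan stub. Changing a method signature on an XPCOM interface normally calls for a new interface uuid; the uuid line is outside this hunk, so confirm it was updated.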

@ -676,12 +676,15 @@ nsScriptSecurityManager::CheckSameOrigin(JSContext* cx,
NS_IMETHODIMP
nsScriptSecurityManager::CheckSameOriginURI(nsIURI* aSourceURI,
nsIURI* aTargetURI)
nsIURI* aTargetURI,
PRBool reportError)
{
if (!SecurityCompareURIs(aSourceURI, aTargetURI))
{
ReportError(nsnull, NS_LITERAL_STRING("CheckSameOriginError"),
if (reportError) {
ReportError(nsnull, NS_LITERAL_STRING("CheckSameOriginError"),
aSourceURI, aTargetURI);
}
return NS_ERROR_DOM_BAD_URI;
}
return NS_OK;

@ -3643,7 +3643,7 @@ nsContentUtils::CheckSecurityBeforeLoad(nsIURI* aURIToLoad,
nsCOMPtr<nsIURI> loadingURI;
rv = aLoadingPrincipal->GetURI(getter_AddRefs(loadingURI));
NS_ENSURE_SUCCESS(rv, rv);
return sSecurityManager->CheckSameOriginURI(loadingURI, aURIToLoad);
return sSecurityManager->CheckSameOriginURI(loadingURI, aURIToLoad, PR_TRUE);
}
/* static */

@ -134,7 +134,7 @@ nsCrossSiteListenerProxy::OnStartRequest(nsIRequest* aRequest,
nsCOMPtr<nsIURI> finalURI;
channel->GetURI(getter_AddRefs(finalURI));
rv = nsContentUtils::GetSecurityManager()->
CheckSameOriginURI(mRequestingURI, finalURI);
CheckSameOriginURI(mRequestingURI, finalURI, PR_FALSE);
if (NS_SUCCEEDED(rv)) {
mAcceptState = eAccept;
return ForwardRequest(PR_FALSE);
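Review bot: The `PR_FALSE` now passed to CheckSameOriginURI in OnStartRequest silences a security check's console message with no comment saying why, and a bare boolean at the call site does not explain itself. A line above the call such as `// A same-origin mismatch is expected for cross-site requests; don't log it.` would record the intent. The failure branch of this function lies outside the hunk, so it is worth confirming that a request which ends up denied still produces some diagnostic now that this message is gone.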

@ -194,7 +194,7 @@ nsSyncLoader::LoadDocument(nsIChannel* aChannel,
nsIScriptSecurityManager::STANDARD);
NS_ENSURE_SUCCESS(rv, rv);
rv = securityManager->CheckSameOriginURI(aLoaderURI, docURI);
rv = securityManager->CheckSameOriginURI(aLoaderURI, docURI, PR_TRUE);
NS_ENSURE_SUCCESS(rv, rv);
}
@ -378,7 +378,7 @@ nsSyncLoader::OnChannelRedirect(nsIChannel *aOldChannel,
nsIScriptSecurityManager *securityManager =
nsContentUtils::GetSecurityManager();
rv = securityManager->CheckSameOriginURI(oldURI, newURI);
rv = securityManager->CheckSameOriginURI(oldURI, newURI, PR_TRUE);
NS_ENSURE_SUCCESS(rv, rv);
mChannel = aNewChannel;

@ -1150,7 +1150,8 @@ IsSameOrigin(nsIPrincipal* aPrincipal, nsIChannel* aChannel)
rv = aChannel->GetURI(getter_AddRefs(channelURI));
NS_ENSURE_SUCCESS(rv, rv);
rv = nsContentUtils::GetSecurityManager()->CheckSameOriginURI(codebase, channelURI);
rv = nsContentUtils::GetSecurityManager()->
CheckSameOriginURI(codebase, channelURI, PR_FALSE);
return NS_SUCCEEDED(rv);
}
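Review bot: IsSameOrigin ends with `return NS_SUCCEEDED(rv);`, a boolean, yet the `NS_ENSURE_SUCCESS(rv, rv);` just above the changed call returns the failing nsresult itself. If the function's return type is PRBool (it is not visible in this hunk), a failed `GetURI` yields a non-zero value that callers would read as "same origin", and with reporting now switched off via `PR_FALSE` nothing would be logged either. Returning an explicit negative, `NS_ENSURE_SUCCESS(rv, PR_FALSE);`, makes the check fail closed.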

@ -1111,7 +1111,7 @@ nsSameOriginChecker::OnChannelRedirect(nsIChannel *aOldChannel,
NS_ENSURE_SUCCESS(rv, rv);
return nsContentUtils::GetSecurityManager()->
CheckSameOriginURI(oldURI, newURI);
CheckSameOriginURI(oldURI, newURI, PR_TRUE);
}
NS_IMETHODIMP

@ -756,7 +756,7 @@ nsXMLContentSink::ProcessStyleLink(nsIContent* aElement,
nsIScriptSecurityManager::ALLOW_CHROME);
NS_ENSURE_SUCCESS(rv, NS_OK);
rv = secMan->CheckSameOriginURI(mDocumentURI, url);
rv = secMan->CheckSameOriginURI(mDocumentURI, url, PR_TRUE);
NS_ENSURE_SUCCESS(rv, NS_OK);
// Do content policy check

@ -393,7 +393,7 @@ txStylesheetSink::OnChannelRedirect(nsIChannel *aOldChannel,
rv = aNewChannel->GetURI(getter_AddRefs(newURI)); // The new URI
NS_ENSURE_SUCCESS(rv, rv);
return secMan->CheckSameOriginURI(oldURI, newURI);
return secMan->CheckSameOriginURI(oldURI, newURI, PR_TRUE);
}
NS_IMETHODIMP

@ -2608,7 +2608,7 @@ nsXULDocument::LoadOverlayInternal(nsIURI* aURI, PRBool aIsDynamic,
PRBool overlayIsChrome = IsChromeURI(aURI);
if (!IsChromeURI(mDocumentURI) && !overlayIsChrome) {
// Make sure we're allowed to load this overlay.
rv = secMan->CheckSameOriginURI(mDocumentURI, aURI);
rv = secMan->CheckSameOriginURI(mDocumentURI, aURI, PR_TRUE);
if (NS_FAILED(rv)) {
*aFailureFromContent = PR_TRUE;
return rv;

@ -427,7 +427,7 @@ NS_ScriptErrorReporter(JSContext *cx,
// URIs. See bug 387476.
sameOrigin =
NS_SUCCEEDED(sSecurityManager->
CheckSameOriginURI(errorURI, codebase));
CheckSameOriginURI(errorURI, codebase, PR_TRUE));
}
}
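Review bot: This call passes `PR_TRUE` although its result is only folded into `sameOrigin` through `NS_SUCCEEDED`, the same predicate-style use as IsSameOrigin, which this commit switches to `PR_FALSE`. A mismatch here looks like an expected outcome rather than a blocked load, so each cross-origin script error would presumably add a CheckSameOriginError entry to the console from inside the error reporter. Unless that entry is wanted, `CheckSameOriginURI(errorURI, codebase, PR_FALSE));` seems the consistent choice. The surrounding function extends beyond the hunk, so confirm how `sameOrigin` is used before changing it.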

@ -1161,7 +1161,8 @@ FullTrustSecMan::CheckSameOrigin(JSContext * aJSContext, nsIURI *aTargetURI)
/* void checkSameOriginURI (in nsIURI aSourceURI, in nsIURI aTargetURI); */
NS_IMETHODIMP
FullTrustSecMan::CheckSameOriginURI(nsIURI *aSourceURI, nsIURI *aTargetURI)
FullTrustSecMan::CheckSameOriginURI(nsIURI *aSourceURI, nsIURI *aTargetURI,
PRBool reportError)
{
return NS_OK;
}
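Review bot: The signature comment above FullTrustSecMan::CheckSameOriginURI still shows the two-argument form and is now stale. It should read `/* void checkSameOriginURI (in nsIURI aSourceURI, in nsIURI aTargetURI, in boolean reportError); */`. The stub ignores the new argument, which fits a method that always returns NS_OK.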