Bug 1499000 - Make CORS use the right security flags to check whether an URL can be loaded. r=ckerschb
This fixes at least part of the problem. Without this patch, some of the flags may get lost, like the ALLOW_CHROME flag which controls whether stuff like resource:// URLs can be loaded or not. Differential Revision: https://phabricator.services.mozilla.com/D40633 --HG-- extra : moz-landing-system : lando
parent
30fc8c8c4d
commit
6da1e7506f
@ -615,19 +615,11 @@ static nsresult DoCheckLoadURIChecks(nsIURI* aURI, nsILoadInfo* aLoadInfo) {
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
uint32_t flags = nsIScriptSecurityManager::STANDARD;
|
||||
if (aLoadInfo->GetAllowChrome()) {
|
||||
flags |= nsIScriptSecurityManager::ALLOW_CHROME;
|
||||
}
|
||||
if (aLoadInfo->GetDisallowScript()) {
|
||||
flags |= nsIScriptSecurityManager::DISALLOW_SCRIPT;
|
||||
}
|
||||
|
||||
// Only call CheckLoadURIWithPrincipal() using the TriggeringPrincipal and not
|
||||
// the LoadingPrincipal when SEC_ALLOW_CROSS_ORIGIN_* security flags are set,
|
||||
// to allow, e.g. user stylesheets to load chrome:// URIs.
|
||||
return nsContentUtils::GetSecurityManager()->CheckLoadURIWithPrincipal(
|
||||
aLoadInfo->TriggeringPrincipal(), aURI, flags);
|
||||
aLoadInfo->TriggeringPrincipal(), aURI, aLoadInfo->CheckLoadURIFlags());
|
||||
}
|
||||
|
||||
static bool URIHasFlags(nsIURI* aURI, uint32_t aURIFlags) {
|
||||
|
@ -6,6 +6,7 @@
|
||||
|
||||
#include "nsISupports.idl"
|
||||
#include "nsIContentPolicy.idl"
|
||||
#include "nsIScriptSecurityManager.idl"
|
||||
|
||||
interface nsIChannel;
|
||||
interface nsIContentSecurityPolicy;
|
||||
@ -398,7 +399,7 @@ interface nsILoadInfo : nsISupports
|
||||
*/
|
||||
readonly attribute nsSecurityFlags securityFlags;
|
||||
|
||||
%{ C++
|
||||
%{C++
|
||||
inline nsSecurityFlags GetSecurityFlags()
|
||||
{
|
||||
nsSecurityFlags result;
|
||||
@ -494,6 +495,19 @@ interface nsILoadInfo : nsISupports
|
||||
*/
|
||||
[infallible] readonly attribute boolean disallowScript;
|
||||
|
||||
%{C++
|
||||
uint32_t CheckLoadURIFlags() {
|
||||
uint32_t flags = nsIScriptSecurityManager::STANDARD;
|
||||
if (GetAllowChrome()) {
|
||||
flags |= nsIScriptSecurityManager::ALLOW_CHROME;
|
||||
}
|
||||
if (GetDisallowScript()) {
|
||||
flags |= nsIScriptSecurityManager::DISALLOW_SCRIPT;
|
||||
}
|
||||
return flags;
|
||||
}
|
||||
%}
|
||||
|
||||
/**
|
||||
* Returns true if SEC_DONT_FOLLOW_REDIRECTS is set.
|
||||
*/
|
||||
|
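Review bot: `CheckLoadURIFlags()` in the new `%{C++` block after `disallowScript` has no doc comment, although the neighbouring attributes each carry one and this helper now decides which flags callers hand to `CheckLoadURIWithPrincipal`. I would add above it something like `/** Flags for CheckLoadURIWithPrincipal derived from this load: STANDARD, plus ALLOW_CHROME / DISALLOW_SCRIPT when set on the loadinfo. */`. The comment should also say that only these two bits are mapped, so a caller that needs any other nsIScriptSecurityManager flag still has to OR it in itself rather than assume the helper covers it.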
@ -920,13 +920,14 @@ nsresult nsCORSListenerProxy::UpdateChannel(nsIChannel* aChannel,
|
||||
// consider calling SetBlockedRequest in nsCORSListenerProxy::UpdateChannel
|
||||
//
|
||||
// Check that the uri is ok to load
|
||||
uint32_t flags = loadInfo->CheckLoadURIFlags();
|
||||
rv = nsContentUtils::GetSecurityManager()->CheckLoadURIWithPrincipal(
|
||||
mRequestingPrincipal, uri, nsIScriptSecurityManager::STANDARD);
|
||||
mRequestingPrincipal, uri, flags);
|
||||
NS_ENSURE_SUCCESS(rv, rv);
|
||||
|
||||
if (originalURI != uri) {
|
||||
rv = nsContentUtils::GetSecurityManager()->CheckLoadURIWithPrincipal(
|
||||
mRequestingPrincipal, originalURI, nsIScriptSecurityManager::STANDARD);
|
||||
mRequestingPrincipal, originalURI, flags);
|
||||
NS_ENSURE_SUCCESS(rv, rv);
|
||||
}
|
||||
|
||||
|
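Review bot: Both `CheckLoadURIWithPrincipal` calls here used to pass a fixed `STANDARD`, and with `loadInfo->CheckLoadURIFlags()` a load that has allowChrome set now gets `ALLOW_CHROME` in the CORS path as well, which relaxes the check; nothing in the hunk records that this is intended, and no test is visible on this page. A comment above `uint32_t flags = loadInfo->CheckLoadURIFlags();` such as `// Use the loadinfo-derived flags so this check agrees with DoCheckLoadURIChecks (ALLOW_CHROME / DISALLOW_SCRIPT).` would state the reason next to the code. A regression test that issues a CORS-mode load of a resource:// URL with and without allowChrome would pin both the allowed and the still-blocked case. Where `loadInfo` is obtained lies outside the hunk, so I am assuming it cannot be null at this point; the body of UpdateChannel starts and ends outside the hunk.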