Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2025-01-23 13:04:28 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Fix for bug 290100 (XMLHttpRequest affected by document.domain setting). r=caillon, sr=brendan.

Browse Source
This commit is contained in:
peterv%propagandism.org 2005-08-25 11:51:42 +00:00
parent 650769327b
commit 72fafa8d29
1 changed files with 16 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
caps/src/nsScriptSecurityManager.cpp
View File

@ -830,14 +830,22 @@ nsScriptSecurityManager::CheckSameOriginPrincipalInternal(nsIPrincipal* aSubject
nsCOMPtr<nsIURI> subjectURI;
nsCOMPtr<nsIURI> objectURI;
aSubject->GetDomain(getter_AddRefs(subjectURI));
if (!subjectURI) {
aSubject->GetURI(getter_AddRefs(subjectURI));
if (aIsCheckConnect)
{
// Don't use domain for CheckConnect calls, since that's called for
// data-only load checks like XMLHTTPRequest (bug 290100).
aSubject->GetURI(getter_AddRefs(subjectURI));
aObject->GetURI(getter_AddRefs(objectURI));
}
else
{
aSubject->GetDomain(getter_AddRefs(subjectURI));
if (!subjectURI)
aSubject->GetURI(getter_AddRefs(subjectURI));
aObject->GetDomain(getter_AddRefs(objectURI));
if (!objectURI) {
aObject->GetURI(getter_AddRefs(objectURI));
aObject->GetDomain(getter_AddRefs(objectURI));
if (!objectURI)
aObject->GetURI(getter_AddRefs(objectURI));
}
PRBool isSameOrigin = PR_FALSE;
@ -851,9 +859,8 @@ nsScriptSecurityManager::CheckSameOriginPrincipalInternal(nsIPrincipal* aSubject
// DNS spoofing based on document.domain (154930)
// But this restriction does not apply to CheckConnect calls, since
// that's called for data-only load checks like XMLHTTPRequest, where
// the target document has not yet loaded and can't have set its domain
// (bug 163950)
// that's called for data-only load checks like XMLHTTPRequest where
// we ignore domain (bug 290100).
if (aIsCheckConnect)
return NS_OK;
@ -892,9 +899,7 @@ nsScriptSecurityManager::CheckSameOriginDOMProp(nsIPrincipal* aSubject,
aIsCheckConnect);
if (NS_SUCCEEDED(rv))
{
return NS_OK;
}
/*
* If we failed the origin tests it still might be the case that we