Bug 701787 - Part 1: disallow responseType and withCredentials for sync XHR. r=smaug

2025-03-05 00:02:37 +00:00 · 2011-12-08 15:54:05 +02:00 · 2011-12-08 15:54:05 +02:00 · 757d984bc3
commit 757d984bc3
parent 1b8b383ddc
3 changed files with 52 additions and 24 deletions
--- a/content/base/src/nsXMLHttpRequest.cpp
+++ b/content/base/src/nsXMLHttpRequest.cpp
@ -701,6 +701,25 @@ nsXMLHttpRequest::GetChannel(nsIChannel **aChannel)
  return NS_OK;
 }

+static void LogMessage(const char* aWarning, nsPIDOMWindow* aWindow)
+{
+  nsCOMPtr<nsIDocument> doc;
+  if (aWindow) {
+    doc = do_QueryInterface(aWindow->GetExtantDocument());
+  }
+  nsContentUtils::ReportToConsole(nsContentUtils::eDOM_PROPERTIES,
+                                  aWarning,
+                                  nsnull,
+                                  0,
+                                  nsnull, // Response URL not kept around
+                                  EmptyString(),
+                                  0,
+                                  0,
+                                  nsIScriptError::warningFlag,
+                                  "DOM",
+                                  doc);
+}
+
 /* readonly attribute nsIDOMDocument responseXML; */
 NS_IMETHODIMP
 nsXMLHttpRequest::GetResponseXML(nsIDOMDocument **aResponseXML)
@ -717,31 +736,11 @@ nsXMLHttpRequest::GetResponseXML(nsIDOMDocument **aResponseXML)
  }
  if (mWarnAboutMultipartHtml) {
    mWarnAboutMultipartHtml = false;
-    nsContentUtils::ReportToConsole(nsContentUtils::eDOM_PROPERTIES,
-                                    "HTMLMultipartXHRWarning",
-                                    nsnull,
-                                    0,
-                                    nsnull, // Response URL not kept around
-                                    EmptyString(),
-                                    0,
-                                    0,
-                                    nsIScriptError::warningFlag,
-                                    "DOM",
-                                    mOwner->WindowID());
+    LogMessage("HTMLMultipartXHRWarning", mOwner);
  }
  if (mWarnAboutSyncHtml) {
    mWarnAboutSyncHtml = false;
-    nsContentUtils::ReportToConsole(nsContentUtils::eDOM_PROPERTIES,
-                                    "HTMLSyncXHRWarning",
-                                    nsnull,
-                                    0,
-                                    nsnull, // Response URL not kept around
-                                    EmptyString(),
-                                    0,
-                                    0,
-                                    nsIScriptError::warningFlag,
-                                    "DOM",
-                                    mOwner->WindowID());
+    LogMessage("HTMLSyncXHRWarning", mOwner);
  }
  return NS_OK;
 }
@ -998,6 +997,13 @@ NS_IMETHODIMP nsXMLHttpRequest::SetResponseType(const nsAString& aResponseType)
                  XML_HTTP_REQUEST_HEADERS_RECEIVED)))
    return NS_ERROR_DOM_INVALID_STATE_ERR;

+  // sync request is not allowed setting responseType in window context
+  if (mOwner &&
+      !(mState & (XML_HTTP_REQUEST_UNSENT | XML_HTTP_REQUEST_ASYNC))) {
+    LogMessage("ResponseTypeSyncXHRWarning", mOwner);
+    return NS_ERROR_DOM_INVALID_ACCESS_ERR;
+  }
+
  // Set the responseType attribute's value to the given value.
  if (aResponseType.IsEmpty()) {
    mResponseType = XML_HTTP_RESPONSE_TYPE_DEFAULT;
@ -1519,6 +1525,20 @@ nsXMLHttpRequest::Open(const nsACString& method, const nsACString& url,
    return NS_ERROR_INVALID_ARG;
  }

+  // sync request is not allowed using withCredential or responseType
+  // in window context
+  if (!async && mOwner &&
+      (mState & XML_HTTP_REQUEST_AC_WITH_CREDENTIALS ||
+       mResponseType != XML_HTTP_RESPONSE_TYPE_DEFAULT)) {
+    if (mState & XML_HTTP_REQUEST_AC_WITH_CREDENTIALS) {
+      LogMessage("WithCredentialsSyncXHRWarning", mOwner);
+    }
+    if (mResponseType != XML_HTTP_RESPONSE_TYPE_DEFAULT) {
+      LogMessage("ResponseTypeSyncXHRWarning", mOwner);
+    }
+    return NS_ERROR_DOM_INVALID_ACCESS_ERR;
+  }
+
  nsresult rv;
  nsCOMPtr<nsIURI> uri;
  bool authp = false;
@ -2920,7 +2940,14 @@ nsXMLHttpRequest::SetWithCredentials(bool aWithCredentials)
  if (XML_HTTP_REQUEST_SENT & mState) {
    return NS_ERROR_FAILURE;
  }
-  
+
+  // sync request is not allowed setting withCredentials in window context
+  if (mOwner &&
+      !(mState & (XML_HTTP_REQUEST_UNSENT | XML_HTTP_REQUEST_ASYNC))) {
+    LogMessage("WithCredentialsSyncXHRWarning", mOwner);
+    return NS_ERROR_DOM_INVALID_ACCESS_ERR;
+  }
+
  if (aWithCredentials) {
    mState |= XML_HTTP_REQUEST_AC_WITH_CREDENTIALS;
  }
--- a/dom/locales/en-US/chrome/dom/dom.properties
+++ b/dom/locales/en-US/chrome/dom/dom.properties
@ -130,3 +130,5 @@ AddedWindowedPluginWhileFullScreen=Exited full-screen because windowed plugin wa
 HTMLMultipartXHRWarning=HTML parsing in XMLHttpRequest is not supported for multipart responses.
 HTMLSyncXHRWarning=HTML parsing in XMLHttpRequest is not supported in the synchronous mode.
 InvalidRedirectChannelWarning=Unable to redirect to %S because the channel doesn't implement nsIWritablePropertyBag2.
+ResponseTypeSyncXHRWarning=Use of XMLHttpRequest's responseType attribute is no longer supported in the synchronous mode in window context.
+WithCredentialsSyncXHRWarning=Use of XMLHttpRequest's withCredentials attribute is no longer supported in the synchronous mode in window context.
--- a/toolkit/mozapps/extensions/content/extensions.js
+++ b/toolkit/mozapps/extensions/content/extensions.js
@ -2869,7 +2869,6 @@ var gDetailView = {

    var xhr = new XMLHttpRequest();
    xhr.open("GET", this._addon.optionsURL, false);
-    xhr.responseType = "document";
    xhr.send();

    var xml = xhr.responseXML;