Bug 553448 - nsScriptSecurityManager::ContentSecurityPolicyPermitsJSAction should return JS_TRUE when no subjectPrincipal exists. r=mrbkap sr=dveditz

--HG--
extra : rebase_source : c47d6d55063c115921ee89114c4439444883c37d

caps/src/nsScriptSecurityManager.cpp

@@ -532,8 +532,13 @@ nsScriptSecurityManager::ContentSecurityPolicyPermitsJSAction(JSContext *cx)
     if (NS_FAILED(rv))
         return JS_FALSE; // Not just absence of principal, but failure.
 
-    if (!subjectPrincipal)
-        return JS_FALSE;
+    if (!subjectPrincipal) {
+        // See bug 553448 for discussion of this case.
+        NS_ASSERTION(!JS_GetSecurityCallbacks(cx)->findObjectPrincipals,
+                     "CSP: Should have been able to find subject principal. "
+                     "Reluctantly granting access.");
+        return JS_TRUE;
+    }
 
     nsCOMPtr<nsIContentSecurityPolicy> csp;
     rv = subjectPrincipal->GetCsp(getter_AddRefs(csp));

js/src/jsobj.cpp

@@ -1130,10 +1130,8 @@ js_CheckContentSecurityPolicy(JSContext *cx)
 
     // if there are callbacks, make sure that the CSP callback is installed and
     // that it permits eval().
-    if (callbacks) {
-        return callbacks->contentSecurityPolicyAllows &&
-               callbacks->contentSecurityPolicyAllows(cx);
-    }
+    if (callbacks && callbacks->contentSecurityPolicyAllows)
+        return callbacks->contentSecurityPolicyAllows(cx);
 
     return JS_TRUE;
 }