Bug 1406278: Part 7 - Use subject principal as triggering principal in <input> "src" attribute. r=bz

MozReview-Commit-ID: 8DZOwqBrA2i --HG-- extra : rebase_source : 9c2b4611f72f4aa18e67ef6f3b144c85a92b59e7
2024-11-26 14:22:01 +00:00 · 2017-10-05 16:19:19 -07:00 · 2017-10-05 16:19:19 -07:00 · e11ba47925
commit e11ba47925
parent 34083e453d
4 changed files with 37 additions and 19 deletions
--- a/dom/html/HTMLInputElement.cpp
+++ b/dom/html/HTMLInputElement.cpp
@ -1338,18 +1338,6 @@ HTMLInputElement::BeforeSetAttr(int32_t aNameSpaceID, nsAtom* aName,
        mType == NS_FORM_INPUT_RADIO &&
        (mForm || mDoneCreating)) {
      WillRemoveFromRadioGroup();
-    } else if (aNotify && aName == nsGkAtoms::src &&
-               mType == NS_FORM_INPUT_IMAGE) {
-      if (aValue) {
-        // Mark channel as urgent-start before load image if the image load is
-        // initaiated by a user interaction.
-        mUseUrgentStartForChannel = EventStateManager::IsHandlingUserInput();
-
-        LoadImage(aValue->String(), true, aNotify, eImageLoadType_Normal);
-      } else {
-        // Null value means the attr got unset; drop the image
-        CancelImageRequests(aNotify);
-      }
    } else if (aNotify && aName == nsGkAtoms::disabled) {
      mDisabledChanged = true;
    } else if (mType == NS_FORM_INPUT_RADIO && aName == nsGkAtoms::required) {
@ -1394,6 +1382,25 @@ HTMLInputElement::AfterSetAttr(int32_t aNameSpaceID, nsAtom* aName,
      UpdateValueMissingValidityStateForRadio(false);
    }

+    if (aName == nsGkAtoms::src) {
+      mSrcTriggeringPrincipal = nsContentUtils::GetAttrTriggeringPrincipal(
+          this, aValue ? aValue->GetStringValue() : EmptyString(),
+          aSubjectPrincipal);
+      if (aNotify && mType == NS_FORM_INPUT_IMAGE) {
+        if (aValue) {
+          // Mark channel as urgent-start before load image if the image load is
+          // initiated by a user interaction.
+          mUseUrgentStartForChannel = EventStateManager::IsHandlingUserInput();
+
+          LoadImage(aValue->GetStringValue(), true, aNotify, eImageLoadType_Normal,
+                    mSrcTriggeringPrincipal);
+        } else {
+          // Null value means the attr got unset; drop the image
+          CancelImageRequests(aNotify);
+        }
+      }
+    }
+
    // If @value is changed and BF_VALUE_CHANGED is false, @value is the value
    // of the element so, if the value of the element is different than @value,
    // we have to re-set it. This is only the case when GetValueMode() returns
@ -4797,7 +4804,8 @@ HTMLInputElement::MaybeLoadImage()
  nsAutoString uri;
  if (mType == NS_FORM_INPUT_IMAGE &&
      GetAttr(kNameSpaceID_None, nsGkAtoms::src, uri) &&
-      (NS_FAILED(LoadImage(uri, false, true, eImageLoadType_Normal)) ||
+      (NS_FAILED(LoadImage(uri, false, true, eImageLoadType_Normal,
+                           mSrcTriggeringPrincipal)) ||
       !LoadingEnabled())) {
    CancelImageRequests(true);
  }
@ -5043,7 +5051,8 @@ HTMLInputElement::HandleTypeChange(uint8_t aNewType, bool aNotify)
      // initaiated by a user interaction.
      mUseUrgentStartForChannel = EventStateManager::IsHandlingUserInput();

-      LoadImage(src, false, aNotify, eImageLoadType_Normal);
+      LoadImage(src, false, aNotify, eImageLoadType_Normal,
+                mSrcTriggeringPrincipal);
    }
  }

--- a/dom/html/HTMLInputElement.h
+++ b/dom/html/HTMLInputElement.h
@ -707,13 +707,13 @@ public:
    SetUnsignedIntAttr(nsGkAtoms::size, aValue, DEFAULT_COLS, aRv);
  }

-  void GetSrc(nsAString& aValue)
+  void GetSrc(nsAString& aValue, nsIPrincipal&)
  {
    GetURIAttr(nsGkAtoms::src, nullptr, aValue);
  }
-  void SetSrc(const nsAString& aValue, ErrorResult& aRv)
+  void SetSrc(const nsAString& aValue, nsIPrincipal& aTriggeringPrincipal, ErrorResult& aRv)
  {
-    SetHTMLAttr(nsGkAtoms::src, aValue, aRv);
+    SetHTMLAttr(nsGkAtoms::src, aValue, aTriggeringPrincipal, aRv);
  }

  void GetStep(nsAString& aValue)
@ -1617,6 +1617,11 @@ protected:
   */
  nsTextEditorState::SelectionProperties mSelectionProperties;

+  /**
+   * The triggering principal for the src attribute.
+   */
+  nsCOMPtr<nsIPrincipal> mSrcTriggeringPrincipal;
+
  /*
   * InputType object created based on input type.
   */
--- a/dom/webidl/HTMLInputElement.webidl
+++ b/dom/webidl/HTMLInputElement.webidl
@ -81,7 +81,7 @@ interface HTMLInputElement : HTMLElement {
           attribute boolean required;
  [CEReactions, Pure, SetterThrows]
           attribute unsigned long size;
-  [CEReactions, Pure, SetterThrows]
+  [CEReactions, Pure, NeedsSubjectPrincipal, SetterThrows]
           attribute DOMString src;
  [CEReactions, Pure, SetterThrows]
           attribute DOMString step;
--- a/toolkit/components/extensions/test/xpcshell/test_ext_contentscript_triggeringPrincipal.js
+++ b/toolkit/components/extensions/test/xpcshell/test_ext_contentscript_triggeringPrincipal.js
@ -44,7 +44,7 @@ const BASE_URL = `http://localhost:${server.identity.primaryPort}`;
 * A set of tags which are automatically closed in HTML documents, and
 * do not require an explicit closing tag.
 */
-const AUTOCLOSE_TAGS = new Set(["img", "source"]);
+const AUTOCLOSE_TAGS = new Set(["img", "input", "source"]);

 /**
 * An object describing the elements to create for a specific test.
@ -455,6 +455,10 @@ add_task(async function test_contentscript_triggeringPrincipals() {
      src: "imgset.png",
      srcAttr: "srcset",
    },
+    {
+      element: ["input", {type: "image"}],
+      src: "input.png",
+    },
    {
      element: ["picture", {}, ["source", {}], ["img", {}]],
      src: "picture.png",