From fad0c74a592221bab75632b86d3356119e0ec8ac Mon Sep 17 00:00:00 2001 From: Christoph Kerschbaumer Date: Sun, 21 Sep 2014 09:38:38 -0700 Subject: [PATCH] Bug 1038756: Callsites creating a channel in /dom/xbl/ (r=bz) --- dom/xbl/nsXBLService.cpp | 25 ++++++++++++++++++++++--- dom/xbl/nsXBLService.h | 3 ++- 2 files changed, 24 insertions(+), 4 deletions(-) diff --git a/dom/xbl/nsXBLService.cpp b/dom/xbl/nsXBLService.cpp index a3f69bf1d64b..22d2b07d370b 100644 --- a/dom/xbl/nsXBLService.cpp +++ b/dom/xbl/nsXBLService.cpp @@ -994,7 +994,8 @@ nsXBLService::LoadBindingDocumentInfo(nsIContent* aBoundElement, nsCOMPtr document; FetchBindingDocument(aBoundElement, aBoundDocument, documentURI, - aBindingURI, aForceSyncLoad, getter_AddRefs(document)); + aBindingURI, aOriginPrincipal, aForceSyncLoad, + getter_AddRefs(document)); if (document) { nsBindingManager *xblDocBindingManager = document->BindingManager(); @@ -1031,7 +1032,8 @@ nsXBLService::LoadBindingDocumentInfo(nsIContent* aBoundElement, nsresult nsXBLService::FetchBindingDocument(nsIContent* aBoundElement, nsIDocument* aBoundDocument, nsIURI* aDocumentURI, nsIURI* aBindingURI, - bool aForceSyncLoad, nsIDocument** aResult) + nsIPrincipal* aOriginPrincipal, bool aForceSyncLoad, + nsIDocument** aResult) { nsresult rv = NS_OK; // Initialize our out pointer to nullptr 
@@ -1058,8 +1060,25 @@ nsXBLService::FetchBindingDocument(nsIContent* aBoundElement, nsIDocument* aBoun NS_ENSURE_SUCCESS(rv, rv); // Open channel + // Note: There are some cases where aOriginPrincipal and aBoundDocument are purposely + // set to null (to bypass security checks) when calling LoadBindingDocumentInfo() which calls + // FetchBindingDocument(). LoadInfo will end up with no principal or node in those cases, + // so we use systemPrincipal. This achieves the same result of bypassing security checks, + // but it gives the wrong information to potential future consumers of loadInfo. + nsCOMPtr requestingPrincipal = aOriginPrincipal ? aOriginPrincipal + : nsContentUtils::GetSystemPrincipal(); nsCOMPtr channel; - rv = NS_NewChannel(getter_AddRefs(channel), aDocumentURI, nullptr, loadGroup); + // Note that we are calling NS_NewChannelInternal here with both a node and a principal. + // This is because the principal and node could be different. + rv = NS_NewChannelInternal(getter_AddRefs(channel), + aDocumentURI, + aBoundDocument, + requestingPrincipal, + nsILoadInfo::SEC_NORMAL, + nsIContentPolicy::TYPE_OTHER, + nullptr, // aChannelPolicy + loadGroup); + NS_ENSURE_SUCCESS(rv, rv); nsCOMPtr sameOriginChecker = nsContentUtils::GetSameOriginChecker(); diff --git a/dom/xbl/nsXBLService.h b/dom/xbl/nsXBLService.h index bc94852bd7c1..9c84d1d8fde1 100644 --- a/dom/xbl/nsXBLService.h +++ b/dom/xbl/nsXBLService.h @@ -78,7 +78,8 @@ protected: // This method synchronously loads and parses an XBL file. nsresult FetchBindingDocument(nsIContent* aBoundElement, nsIDocument* aBoundDocument, nsIURI* aDocumentURI, nsIURI* aBindingURI, - bool aForceSyncLoad, nsIDocument** aResult); + nsIPrincipal* aOriginPrincipal, bool aForceSyncLoad, + nsIDocument** aResult); /** * This method calls the one below with an empty |aDontExtendURIs| array.
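Review bot: The `requestingPrincipal` initialiser, `aOriginPrincipal ? aOriginPrincipal : nsContentUtils::GetSystemPrincipal()`, fails open. Any caller that reaches FetchBindingDocument with a null principal gets a channel whose loadInfo names the system principal, whether the null was deliberate or came from an earlier lookup that failed, and the added comment itself concedes that this misinforms later consumers of loadInfo. The callers are outside this hunk, so this is inferred, but it would be safer for the callers that want the bypass to pass the system principal explicitly, and for a null arriving here to be rejected or at least logged. Separately, the load is tagged `nsIContentPolicy::TYPE_OTHER`; passing `nsIContentPolicy::TYPE_XBL,` instead would let content policies and other loadInfo consumers recognise the request as a binding-document load. FetchBindingDocument starts before and continues after this hunk.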
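Review bot: The comment above the FetchBindingDocument declaration in nsXBLService.h still says only that the method synchronously loads and parses an XBL file, and does not mention the new aOriginPrincipal parameter. The definition in nsXBLService.cpp accepts a null value and then creates the channel with the system principal, which a caller cannot tell from the header. A line such as `// aOriginPrincipal may be null; the channel is then created with the system principal.` next to the existing comment would make that contract visible where callers look first.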