Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2024-10-18 15:55:36 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Bug 1453814: Treat any cross-origin redirects as foreign for same-site cookies. r=valentin

Browse Source
This commit is contained in:
Christoph Kerschbaumer 2018-04-13 15:42:00 +02:00
parent bb85296b3e
commit fc0f74afcb
1 changed files with 24 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
netwerk/base/nsNetUtil.cpp
View File

@ -2162,6 +2162,30 @@ bool NS_IsSameSiteForeign(nsIChannel* aChannel, nsIURI* aHostURI)
bool isForeign = false;
thirdPartyUtil->IsThirdPartyChannel(aChannel, uri, &isForeign);
// if we are dealing with a cross origin request, we can return here
// because we already know the request is 'foreign'.
if (isForeign) {
return true;
}
// for the purpose of same-site cookies we have to treat any cross-origin
// redirects as foreign. E.g. cross-site to same-site redirect is a problem
// with regards to CSRF.
nsCOMPtr<nsIPrincipal> redirectPrincipal;
nsCOMPtr<nsIURI> redirectURI;
for (nsIRedirectHistoryEntry* entry : loadInfo->RedirectChain()) {
entry->GetPrincipal(getter_AddRefs(redirectPrincipal));
if (redirectPrincipal) {
redirectPrincipal->GetURI(getter_AddRefs(redirectURI));
thirdPartyUtil->IsThirdPartyChannel(aChannel, redirectURI, &isForeign);
// if at any point we encounter a cross-origin redirect we can return.
if (isForeign) {
return true;
}
}
}
return isForeign;
}