Bug 1269491 - Fix LoginManagerContent.jsm to get codebase principals from the nsIScriptSecurityManager. r=MattN
authorJonathan Watt <jwatt@jwatt.org>
Mon, 02 May 2016 23:14:25 +0100
changeset 295760 05545a4f02d5fc2581494da6de7147b7a54c999b
parent 295759 529ff32ced4861e0eb575725bb7dccdf9516fae6
child 295761 5f92a21902622c9afedaa23f7939e6d710410d38
push id76067
push userjwatt@jwatt.org
push dateMon, 02 May 2016 22:14:54 +0000
treeherdermozilla-inbound@05545a4f02d5 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersMattN
bugs1269491
milestone49.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1269491 - Fix LoginManagerContent.jsm to get codebase principals from the nsIScriptSecurityManager. r=MattN MozReview-Commit-ID: HVXS7tfr8fv
toolkit/components/passwordmgr/LoginManagerContent.jsm
--- a/toolkit/components/passwordmgr/LoginManagerContent.jsm
+++ b/toolkit/components/passwordmgr/LoginManagerContent.jsm
@@ -21,16 +21,19 @@ XPCOMUtils.defineLazyModuleGetter(this, 
                                   "resource://gre/modules/LoginRecipes.jsm");
 
 XPCOMUtils.defineLazyModuleGetter(this, "LoginHelper",
                                   "resource://gre/modules/LoginHelper.jsm");
 
 XPCOMUtils.defineLazyServiceGetter(this, "gContentSecurityManager",
                                    "@mozilla.org/contentsecuritymanager;1",
                                    "nsIContentSecurityManager");
+XPCOMUtils.defineLazyServiceGetter(this, "gScriptSecurityManager",
+                                   "@mozilla.org/scriptsecuritymanager;1",
+                                   "nsIScriptSecurityManager");
 XPCOMUtils.defineLazyServiceGetter(this, "gNetUtil",
                                    "@mozilla.org/network/util;1",
                                    "nsINetUtil");
 
 XPCOMUtils.defineLazyGetter(this, "log", () => {
   let logger = LoginHelper.createLogger("LoginManagerContent");
   return logger.log.bind(logger);
 });
@@ -1130,17 +1133,18 @@ var LoginManagerContent = {
 
     // Fall back to the document URI for sandboxed documents that do not have
     // the allow-same-origin flag, as they have a null principal instead of a
     // codebase principal. Here there are still some cases that are considered
     // insecure while they are secure, for example sandboxed documents created
     // using a "javascript:" or "data:" URI from an HTTPS page. See bug 1162772
     // for defining "window.isSecureContext", that may help in these cases.
     if (!principal.isCodebasePrincipal) {
-      principal = getCodebasePrincipal(document.documentURIObject);
+      principal =
+        gScriptSecurityManager.getCodebasePrincipal(document.documentURIObject);
     }
 
     // These checks include "file", "resource", HTTPS, and HTTP to "localhost".
     return gContentSecurityManager.isOriginPotentiallyTrustworthy(principal);
   },
 };
 
 var LoginUtils = {