Bug 1254689 - Remove SEC_NORMAL where loadingPrincipal is SystemPrincipal or NullPrincipal. r=sicking
authorChristoph Kerschbaumer <mozilla@christophkerschbaumer.com>
Wed, 09 Mar 2016 13:55:59 -0800
changeset 287596 37b591f543635f193c7329451ad54f1b8c647414
parent 287595 94aaebb92d0ddfc987a47987467ed4ad59ac5fa2
child 287597 09b94960086eaae2e04d2bb0846b1b4ac85c3709
push id73245
push userryanvm@gmail.com
push dateThu, 10 Mar 2016 00:23:51 +0000
treeherdermozilla-inbound@37b591f54363 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerssicking
bugs1254689
milestone48.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1254689 - Remove SEC_NORMAL where loadingPrincipal is SystemPrincipal or NullPrincipal. r=sicking
dom/html/nsHTMLDocument.cpp
dom/jsurl/nsJSProtocolHandler.cpp
dom/xul/templates/nsXULTemplateQueryProcessorStorage.cpp
netwerk/base/nsIOService.cpp
netwerk/base/nsProtocolProxyService.cpp
netwerk/cookie/CookieServiceParent.cpp
netwerk/protocol/file/nsFileChannel.cpp
netwerk/protocol/viewsource/nsViewSourceChannel.cpp
netwerk/protocol/wyciwyg/WyciwygChannelChild.cpp
parser/xml/nsSAXXMLReader.cpp
rdf/base/nsRDFXMLParser.cpp
--- a/dom/html/nsHTMLDocument.cpp
+++ b/dom/html/nsHTMLDocument.cpp
@@ -1218,19 +1218,21 @@ nsHTMLDocument::CreateDummyChannelForCoo
   // The cookie service reads the privacy status of the channel we pass to it in
   // order to determine which cookie database to query.  In some cases we don't
   // have a proper channel to hand it to the cookie service though.  This
   // function creates a dummy channel that is not used to load anything, for the
   // sole purpose of handing it to the cookie service.  DO NOT USE THIS CHANNEL
   // FOR ANY OTHER PURPOSE.
   MOZ_ASSERT(!mChannel);
 
+  // The following channel is never openend, so it does not matter what
+  // securityFlags we pass; let's follow the principle of least privilege.
   nsCOMPtr<nsIChannel> channel;
   NS_NewChannel(getter_AddRefs(channel), aCodebaseURI, this,
-                nsILoadInfo::SEC_NORMAL,
+                nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_DATA_IS_BLOCKED,
                 nsIContentPolicy::TYPE_INVALID);
   nsCOMPtr<nsIPrivateBrowsingChannel> pbChannel =
     do_QueryInterface(channel);
   nsCOMPtr<nsIDocShell> docShell(mDocumentContainer);
   nsCOMPtr<nsILoadContext> loadContext = do_QueryInterface(docShell);
   if (!pbChannel || !loadContext) {
     return nullptr;
   }
--- a/dom/jsurl/nsJSProtocolHandler.cpp
+++ b/dom/jsurl/nsJSProtocolHandler.cpp
@@ -417,21 +417,23 @@ nsresult nsJSChannel::Init(nsIURI *aURI)
     // and the underlying Input Stream will not be created...
     nsCOMPtr<nsIChannel> channel;
 
     nsCOMPtr<nsIPrincipal> nullPrincipal = nsNullPrincipal::Create();
     NS_ENSURE_TRUE(nullPrincipal, NS_ERROR_FAILURE);
 
     // If the resultant script evaluation actually does return a value, we
     // treat it as html.
+    // The following channel is never openend, so it does not matter what
+    // securityFlags we pass; let's follow the principle of least privilege.
     rv = NS_NewInputStreamChannel(getter_AddRefs(channel),
                                   aURI,
                                   mIOThunk,
                                   nullPrincipal,
-                                  nsILoadInfo::SEC_NORMAL,
+                                  nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_DATA_IS_BLOCKED,
                                   nsIContentPolicy::TYPE_OTHER,
                                   NS_LITERAL_CSTRING("text/html"));
     if (NS_FAILED(rv)) return rv;
 
     rv = mIOThunk->Init(aURI);
     if (NS_SUCCEEDED(rv)) {
         mStreamChannel = channel;
         mPropertyBag = do_QueryInterface(channel);
--- a/dom/xul/templates/nsXULTemplateQueryProcessorStorage.cpp
+++ b/dom/xul/templates/nsXULTemplateQueryProcessorStorage.cpp
@@ -205,20 +205,22 @@ nsXULTemplateQueryProcessorStorage::GetD
 
         rv = databaseFile->AppendNative(path);
         NS_ENSURE_SUCCESS(rv, rv);
     }
     else {
         nsCOMPtr<nsIChannel> channel;
         nsCOMPtr<nsINode> node = do_QueryInterface(aRootNode);
 
+        // The following channel is never openend, so it does not matter what
+        // securityFlags we pass; let's follow the principle of least privilege.
         rv = NS_NewChannel(getter_AddRefs(channel),
                            uri,
                            node,
-                           nsILoadInfo::SEC_NORMAL,
+                           nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_DATA_IS_BLOCKED,
                            nsIContentPolicy::TYPE_OTHER);
         NS_ENSURE_SUCCESS(rv, rv);
 
         nsCOMPtr<nsIFileChannel> fileChannel = do_QueryInterface(channel, &rv);
         if (NS_FAILED(rv)) { // if it fails, not a file url
             nsXULContentUtils::LogTemplateError(ERROR_TEMPLATE_STORAGE_BAD_URI);
             return rv;
         }
--- a/netwerk/base/nsIOService.cpp
+++ b/netwerk/base/nsIOService.cpp
@@ -1865,17 +1865,17 @@ nsIOService::SpeculativeConnectInternal(
     // pool if there is an available connection created by the
     // channel we create underneath - hence it's safe to use
     // the systemPrincipal as the loadingPrincipal for this channel.
     nsCOMPtr<nsIChannel> channel;
     rv = NewChannelFromURI2(aURI,
                             nullptr, // aLoadingNode,
                             systemPrincipal,
                             nullptr, //aTriggeringPrincipal,
-                            nsILoadInfo::SEC_NORMAL,
+                            nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_DATA_IS_NULL,
                             nsIContentPolicy::TYPE_OTHER,
                             getter_AddRefs(channel));
     NS_ENSURE_SUCCESS(rv, rv);
 
     if (aAnonymous) {
         nsLoadFlags loadFlags = 0;
         channel->GetLoadFlags(&loadFlags);
         loadFlags |= nsIRequest::LOAD_ANONYMOUS;
--- a/netwerk/base/nsProtocolProxyService.cpp
+++ b/netwerk/base/nsProtocolProxyService.cpp
@@ -1342,17 +1342,17 @@ nsProtocolProxyService::AsyncResolve(nsI
         NS_ENSURE_SUCCESS(rv, rv);
 
         // creating a temporary channel from the URI which is not
         // used to perform any network loads, hence its safe to
         // use systemPrincipal as the loadingPrincipal.
         rv = NS_NewChannel(getter_AddRefs(channel),
                            uri,
                            systemPrincipal,
-                           nsILoadInfo::SEC_NORMAL,
+                           nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_DATA_IS_NULL,
                            nsIContentPolicy::TYPE_OTHER);
         NS_ENSURE_SUCCESS(rv, rv);
     }
 
     return AsyncResolveInternal(channel, flags, callback, result, false);
 }
 
 NS_IMETHODIMP
--- a/netwerk/cookie/CookieServiceParent.cpp
+++ b/netwerk/cookie/CookieServiceParent.cpp
@@ -44,19 +44,22 @@ CreateDummyChannel(nsIURI* aHostURI, Nec
   }
 
   nsCOMPtr<nsIURI> dummyURI;
   nsresult rv = NS_NewURI(getter_AddRefs(dummyURI), "about:blank");
   if (NS_FAILED(rv)) {
       return;
   }
 
+  // The following channel is never openend, so it does not matter what
+  // securityFlags we pass; let's follow the principle of least privilege.
   nsCOMPtr<nsIChannel> dummyChannel;
   NS_NewChannel(getter_AddRefs(dummyChannel), dummyURI, principal,
-                nsILoadInfo::SEC_NORMAL, nsIContentPolicy::TYPE_INVALID);
+                nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_DATA_IS_BLOCKED,
+                nsIContentPolicy::TYPE_INVALID);
   nsCOMPtr<nsIPrivateBrowsingChannel> pbChannel = do_QueryInterface(dummyChannel);
   if (!pbChannel) {
     return;
   }
 
   pbChannel->SetPrivate(aIsPrivate);
   dummyChannel.forget(aChannel);
   return;
--- a/netwerk/protocol/file/nsFileChannel.cpp
+++ b/netwerk/protocol/file/nsFileChannel.cpp
@@ -351,17 +351,17 @@ nsFileChannel::OpenContentStream(bool as
     
   nsCOMPtr<nsIURI> newURI;
   rv = fileHandler->ReadURLFile(file, getter_AddRefs(newURI));
   if (NS_SUCCEEDED(rv)) {
     nsCOMPtr<nsIChannel> newChannel;
     rv = NS_NewChannel(getter_AddRefs(newChannel),
                        newURI,
                        nsContentUtils::GetSystemPrincipal(),
-                       nsILoadInfo::SEC_NORMAL,
+                       nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_DATA_IS_NULL,
                        nsIContentPolicy::TYPE_OTHER);
 
     if (NS_FAILED(rv))
       return rv;
 
     *result = nullptr;
     newChannel.forget(channel);
     return NS_OK;
--- a/netwerk/protocol/viewsource/nsViewSourceChannel.cpp
+++ b/netwerk/protocol/viewsource/nsViewSourceChannel.cpp
@@ -60,27 +60,28 @@ nsViewSourceChannel::Init(nsIURI* uri)
     if (scheme.LowerCaseEqualsLiteral("javascript")) {
       NS_WARNING("blocking view-source:javascript:");
       return NS_ERROR_INVALID_ARG;
     }
 
     // This function is called from within nsViewSourceHandler::NewChannel2
     // and sets the right loadInfo right after returning from this function.
     // Until then we follow the principal of least privilege and use
-    // nullPrincipal as the loadingPrincipal.
+    // nullPrincipal as the loadingPrincipal and the least permissive
+    // securityflag.
     nsCOMPtr<nsIPrincipal> nullPrincipal = nsNullPrincipal::Create();
     NS_ENSURE_TRUE(nullPrincipal, NS_ERROR_FAILURE);
 
     rv = pService->NewChannel2(path,
                                nullptr, // aOriginCharset
                                nullptr, // aCharSet
                                nullptr, // aLoadingNode
                                nullPrincipal,
                                nullptr, // aTriggeringPrincipal
-                               nsILoadInfo::SEC_NORMAL,
+                               nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_DATA_IS_BLOCKED,
                                nsIContentPolicy::TYPE_OTHER,
                                getter_AddRefs(mChannel));
     NS_ENSURE_SUCCESS(rv, rv);
 
     mIsSrcdocChannel = false;
 
     mChannel->SetOriginalURI(mOriginalURI);
     mHttpChannel = do_QueryInterface(mChannel);
--- a/netwerk/protocol/wyciwyg/WyciwygChannelChild.cpp
+++ b/netwerk/protocol/wyciwyg/WyciwygChannelChild.cpp
@@ -103,17 +103,17 @@ WyciwygChannelChild::Init(nsIURI* uri)
     policyType = mLoadInfo->InternalContentPolicyType();
   }
   else {
     // use default values if no loadInfo is provided
     mozilla::ipc::PrincipalToPrincipalInfo(nsContentUtils::GetSystemPrincipal(),
                                            &requestingPrincipalInfo);
     mozilla::ipc::PrincipalToPrincipalInfo(nsContentUtils::GetSystemPrincipal(),
                                            &triggeringPrincipalInfo);
-    securityFlags = nsILoadInfo::SEC_NORMAL;
+    securityFlags = nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_DATA_IS_NULL;
     policyType = nsIContentPolicy::TYPE_OTHER;
   }
 
   SendInit(serializedUri,
            requestingPrincipalInfo,
            triggeringPrincipalInfo,
            securityFlags,
            policyType);
--- a/parser/xml/nsSAXXMLReader.cpp
+++ b/parser/xml/nsSAXXMLReader.cpp
@@ -494,22 +494,24 @@ nsSAXXMLReader::ParseFromStream(nsIInput
   }
  
   rv = EnsureBaseURI();
   NS_ENSURE_SUCCESS(rv, rv);
 
   nsCOMPtr<nsIPrincipal> nullPrincipal = nsNullPrincipal::Create();
   NS_ENSURE_TRUE(nullPrincipal, NS_ERROR_FAILURE);
 
+  // The following channel is never openend, so it does not matter what
+  // securityFlags we pass; let's follow the principle of least privilege.
   nsCOMPtr<nsIChannel> parserChannel;
   rv = NS_NewInputStreamChannel(getter_AddRefs(parserChannel),
                                 mBaseURI,
                                 aStream,
                                 nullPrincipal,
-                                nsILoadInfo::SEC_NORMAL,
+                                nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_DATA_IS_BLOCKED,
                                 nsIContentPolicy::TYPE_OTHER,
                                 nsDependentCString(aContentType));
   if (!parserChannel || NS_FAILED(rv))
     return NS_ERROR_FAILURE;
 
   if (aCharset)
     parserChannel->SetContentCharset(nsDependentCString(aCharset));
 
--- a/rdf/base/nsRDFXMLParser.cpp
+++ b/rdf/base/nsRDFXMLParser.cpp
@@ -113,22 +113,24 @@ nsRDFXMLParser::ParseString(nsIRDFDataSo
 
     nsCOMPtr<nsIInputStream> stream;
     rv = NS_NewCStringInputStream(getter_AddRefs(stream), aString);
     if (NS_FAILED(rv)) return rv;
 
     nsCOMPtr<nsIPrincipal> nullPrincipal = nsNullPrincipal::Create();
     NS_ENSURE_TRUE(nullPrincipal, NS_ERROR_FAILURE);
 
+    // The following channel is never openend, so it does not matter what
+    // securityFlags we pass; let's follow the principle of least privilege.
     nsCOMPtr<nsIChannel> channel;
     rv = NS_NewInputStreamChannel(getter_AddRefs(channel),
                                   aBaseURI,
                                   stream,
                                   nullPrincipal,
-                                  nsILoadInfo::SEC_NORMAL,
+                                  nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_DATA_IS_BLOCKED,
                                   nsIContentPolicy::TYPE_OTHER,
                                   NS_LITERAL_CSTRING("text/xml"));
     if (NS_FAILED(rv)) return rv;
 
     listener->OnStartRequest(channel, nullptr);
     listener->OnDataAvailable(channel, nullptr, stream, 0, aString.Length());
     listener->OnStopRequest(channel, nullptr, NS_OK);