Bug 1337543 P1 ServiceWorker should not inherit CSP from registration principal. r=baku
authorBen Kelly <ben@wanderview.com>
Tue, 14 Feb 2017 10:06:38 -0500
changeset 342775 786d2c5cba9c17f47b3c306233914fe4b905e0f4
parent 342774 f2d6e4198d851a595746ca1deb222b8f441edcf6
child 342776 c33d6a0b13dc68131e85772e874f24b0b1cd6266
push id86951
push userbkelly@mozilla.com
push dateTue, 14 Feb 2017 15:06:44 +0000
treeherdermozilla-inbound@87ff9a778b80 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersbaku
bugs1337543
milestone54.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1337543 P1 ServiceWorker should not inherit CSP from registration principal. r=baku
dom/workers/ServiceWorkerPrivate.cpp
--- a/dom/workers/ServiceWorkerPrivate.cpp
+++ b/dom/workers/ServiceWorkerPrivate.cpp
@@ -1738,33 +1738,33 @@ ServiceWorkerPrivate::SpawnWorkerIfNeede
 
   info.mPrincipal = mInfo->GetPrincipal();
 
   nsContentUtils::StorageAccess access =
     nsContentUtils::StorageAllowedForPrincipal(info.mPrincipal);
   info.mStorageAllowed = access > nsContentUtils::StorageAccess::ePrivateBrowsing;
   info.mOriginAttributes = mInfo->GetOriginAttributes();
 
+  // The ServiceWorkerRegistration principal should never have any CSP
+  // set.  The CSP from the page that registered the SW should not be
+  // inherited.  Verify this is the case in non-release builds
+#if defined(DEBUG) || !defined(RELEASE_OR_BETA)
   nsCOMPtr<nsIContentSecurityPolicy> csp;
   rv = info.mPrincipal->GetCsp(getter_AddRefs(csp));
   if (NS_WARN_IF(NS_FAILED(rv))) {
     return rv;
   }
 
-  info.mCSP = csp;
-  if (info.mCSP) {
-    rv = info.mCSP->GetAllowsEval(&info.mReportCSPViolations,
-                                  &info.mEvalAllowed);
-    if (NS_WARN_IF(NS_FAILED(rv))) {
-      return rv;
-    }
-  } else {
-    info.mEvalAllowed = true;
-    info.mReportCSPViolations = false;
-  }
+  MOZ_DIAGNOSTIC_ASSERT(!csp);
+#endif
+
+  // Default CSP permissions for now.  These will be overrided if necessary
+  // based on the script CSP headers during load in ScriptLoader.
+  info.mEvalAllowed = true;
+  info.mReportCSPViolations = false;
 
   WorkerPrivate::OverrideLoadInfoLoadGroup(info);
 
   AutoJSAPI jsapi;
   jsapi.Init();
   ErrorResult error;
   NS_ConvertUTF8toUTF16 scriptSpec(mInfo->ScriptSpec());