Bug 1280692: Update sendBeacon to use 'no-cors' per default. r=sicking
authorChristoph Kerschbaumer <ckerschb@christophkerschbaumer.com>
Tue, 26 Jul 2016 13:46:01 +0200
changeset 306685 a477bb461f3c77ef4ee090cbf1701b5e7434e1c4
parent 306684 4ee7de4773864485b468f6178b4634c7f06ce077
child 306686 52730f426ea0e0c13f0a6ab681e3311f7bb05435
push id79901
push usermozilla@christophkerschbaumer.com
push dateTue, 26 Jul 2016 12:12:46 +0000
treeherdermozilla-inbound@08079892bec5 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerssicking
bugs1280692
milestone50.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1280692: Update sendBeacon to use 'no-cors' per default. r=sicking
dom/base/Navigator.cpp
--- a/dom/base/Navigator.cpp
+++ b/dom/base/Navigator.cpp
@@ -1327,22 +1327,27 @@ Navigator::SendBeacon(const nsAString& a
   if (NS_FAILED(rv) || isDataScheme) {
     aRv.Throw(NS_ERROR_CONTENT_BLOCKED);
     return false;
   }
 
   nsLoadFlags loadFlags = nsIRequest::LOAD_NORMAL |
     nsIChannel::LOAD_CLASSIFY_URI;
 
+  // No need to use CORS for sendBeacon unless it's a BLOB
+  nsSecurityFlags securityFlags = (!aData.IsNull() && aData.Value().IsBlob())
+   ? nsILoadInfo::SEC_REQUIRE_CORS_DATA_INHERITS
+   : nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_DATA_INHERITS;
+  securityFlags |= nsILoadInfo::SEC_COOKIES_INCLUDE;
+
   nsCOMPtr<nsIChannel> channel;
   rv = NS_NewChannel(getter_AddRefs(channel),
                      uri,
                      doc,
-                     nsILoadInfo::SEC_REQUIRE_CORS_DATA_INHERITS |
-                       nsILoadInfo::SEC_COOKIES_INCLUDE,
+                     securityFlags,
                      nsIContentPolicy::TYPE_BEACON,
                      nullptr, // aLoadGroup
                      nullptr, // aCallbacks
                      loadFlags);
 
   if (NS_FAILED(rv)) {
     aRv.Throw(rv);
     return false;