Bug 1337543 P1 ServiceWorker should not inherit CSP from registration principal. r=baku
☠☠ backed out by b7e862302157 ☠ ☠
authorBen Kelly <ben@wanderview.com>
Mon, 13 Feb 2017 12:15:58 -0500
changeset 342520 f4f59e7c1be7cf802659a490d201c3fe91c241d3
parent 342519 3f60b9d2c5bd1eb0188e21953bcc50857b984323
child 342521 2f2511d69d2e833082f934e0c015861a0ec1ce6d
push id86894
push userbkelly@mozilla.com
push dateMon, 13 Feb 2017 17:16:04 +0000
treeherdermozilla-inbound@7508565a3a0d [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersbaku
bugs1337543
milestone54.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1337543 P1 ServiceWorker should not inherit CSP from registration principal. r=baku
dom/workers/ServiceWorkerPrivate.cpp
--- a/dom/workers/ServiceWorkerPrivate.cpp
+++ b/dom/workers/ServiceWorkerPrivate.cpp
@@ -1738,33 +1738,33 @@ ServiceWorkerPrivate::SpawnWorkerIfNeede
 
   info.mPrincipal = mInfo->GetPrincipal();
 
   nsContentUtils::StorageAccess access =
     nsContentUtils::StorageAllowedForPrincipal(info.mPrincipal);
   info.mStorageAllowed = access > nsContentUtils::StorageAccess::ePrivateBrowsing;
   info.mOriginAttributes = mInfo->GetOriginAttributes();
 
+  // The ServiceWorkerRegistration principal should never have any CSP
+  // set.  The CSP from the page that registered the SW should not be
+  // inherited.  Verify this is the case in non-release builds
+#if defined(DEBUG) || !defined(RELEASE_OR_BETA)
   nsCOMPtr<nsIContentSecurityPolicy> csp;
   rv = info.mPrincipal->GetCsp(getter_AddRefs(csp));
   if (NS_WARN_IF(NS_FAILED(rv))) {
     return rv;
   }
 
-  info.mCSP = csp;
-  if (info.mCSP) {
-    rv = info.mCSP->GetAllowsEval(&info.mReportCSPViolations,
-                                  &info.mEvalAllowed);
-    if (NS_WARN_IF(NS_FAILED(rv))) {
-      return rv;
-    }
-  } else {
-    info.mEvalAllowed = true;
-    info.mReportCSPViolations = false;
-  }
+  MOZ_DIAGNOSTIC_ASSERT(!csp);
+#endif
+
+  // Default CSP permissions for now.  These will be overrided if necessary
+  // based on the script CSP headers during load in ScriptLoader.
+  info.mEvalAllowed = true;
+  info.mReportCSPViolations = false;
 
   WorkerPrivate::OverrideLoadInfoLoadGroup(info);
 
   AutoJSAPI jsapi;
   jsapi.Init();
   ErrorResult error;
   NS_ConvertUTF8toUTF16 scriptSpec(mInfo->ScriptSpec());