Bug 732209 way delayed followup. Make the comments a bit clearer. DONTBUILD
author: Boris Zbarsky <bzbarsky@mit.edu>
date: Thu, 08 Oct 2015 15:49:16 -0400
changeset: 266986 39ccbc9935c23400d960223012dbcf846008a810
parent: 266985 d68116719755ae6f51be5198ae2a91916741f7cd
child: 266987 b8b6944505bcdf215561bf9296a08ff5da4a29df
push id: 29504
push user: cbook@mozilla.com
push date: Fri, 09 Oct 2015 09:43:23 +0000
treeherder: mozilla-central@d01dd42e654b
bugs: 732209
milestone: 44.0a1
layout/style/CSSStyleSheet.cpp
--- a/layout/style/CSSStyleSheet.cpp
+++ b/layout/style/CSSStyleSheet.cpp
@@ -1786,21 +1786,27 @@ CSSStyleSheet::SubjectSubsumesInnerPrinc
     return NS_OK;
   }
 
   // Allow access only if CORS mode is not NONE
   if (GetCORSMode() == CORS_NONE) {
     return NS_ERROR_DOM_SECURITY_ERR;
   }
 
-  // Now make sure we set the principal of our inner to the
-  // subjectPrincipal.  That means we need a unique inner, of
-  // course.  But we don't want to do that if we're not complete
-  // yet.  Luckily, all the callers of this method throw anyway if
-  // not complete, so we can just do that here too.
+  // Now make sure we set the principal of our inner to the subjectPrincipal.
+  // We do this because we're in a situation where the caller would not normally
+  // be able to access the sheet, but the sheet has opted in to being read.
+  // Unfortunately, that means it's also opted in to being _edited_, and if the
+  // caller now makes edits to the sheet we want the resulting resource loads,
+  // if any, to look as if they are coming from the caller's principal, not the
+  // original sheet principal.
+  //
+  // That means we need a unique inner, of course.  But we don't want to do that
+  // if we're not complete yet.  Luckily, all the callers of this method throw
+  // anyway if not complete, so we can just do that here too.
   if (!mInner->mComplete) {
     return NS_ERROR_DOM_INVALID_ACCESS_ERR;
   }
 
   WillDirty();
 
   mInner->mPrincipal = subjectPrincipal;
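Review bot: In the second paragraph of the new comment, "we don't want to do that" and "we can just do that here too" use "that" for two different things (making the inner unique, then throwing), which is hard to follow directly above a principal reassignment. Suggest spelling both out: say that a unique inner is not created while the sheet is incomplete, and that this method returns NS_ERROR_DOM_INVALID_ACCESS_ERR in that case, matching what its callers would do. The comment also states that a unique inner is needed, yet the lines below only show WillDirty() before "mInner->mPrincipal = subjectPrincipal;"; if WillDirty() is what guarantees the inner is unique, a one-line comment at that call would make the dependency explicit, so a later change to WillDirty() does not silently let the principal be rewritten on a shared inner. It would also help to tie "the sheet has opted in to being read" to the GetCORSMode() check just above, so the reader sees which condition constitutes the opt-in.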