Bug 1233895 - Make Feeds.jsm properly handle principal origin attributes when loading subresources. r=sicking
authorDave Huseby <dhuseby@mozilla.com>
Mon, 21 Mar 2016 16:41:00 -0400
changeset 289611 9e8a703809578d524c4f102b710bc72624bc0929
parent 289610 9034f1d7db43f3c4bd8540763752a2e1861b1424
child 289612 3587b25bae302c1eed72968dbd7cef883e715948
push id30107
push usercbook@mozilla.com
push dateTue, 22 Mar 2016 10:00:23 +0000
treeherdermozilla-central@3587b25bae30 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerssicking
bugs1233895
milestone48.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1233895 - Make Feeds.jsm properly handle principal origin attributes when loading subresources. r=sicking
browser/modules/Feeds.jsm
--- a/browser/modules/Feeds.jsm
+++ b/browser/modules/Feeds.jsm
@@ -78,19 +78,21 @@ this.Feeds = {
     var type = aLink.type.toLowerCase().replace(/^\s+|\s*(?:;.*)?$/g, "");
     if (!aIsFeed) {
       aIsFeed = (type == "application/rss+xml" ||
                  type == "application/atom+xml");
     }
 
     if (aIsFeed) {
       // re-create the principal as it may be a CPOW.
+      // once this can't be a CPOW anymore, we should just use aPrincipal instead
+      // of creating a new one.
       let principalURI = BrowserUtils.makeURIFromCPOW(aPrincipal.URI);
       let principalToCheck =
-        Services.scriptSecurityManager.createCodebasePrincipal(principalURI, {});
+        Services.scriptSecurityManager.createCodebasePrincipal(principalURI, aPrincipal.originAttributes);
       try {
         BrowserUtils.urlSecurityCheck(aLink.href, principalToCheck,
                                       Ci.nsIScriptSecurityManager.DISALLOW_INHERIT_PRINCIPAL);
         return type || "application/rss+xml";
       }
       catch(ex) {
       }
     }