author | Bobby Holley <bobbyholley@gmail.com> |
Wed, 29 Oct 2014 09:21:18 +0100 | |
changeset 212831 | a347286d9669f3489462b365d574f0e2f3575a3c |
parent 212830 | df5359e8c82c986d681429a1f7fc6be717253ddf |
child 212832 | fe5c1cb8075a9773b86ee001e41c0181519ea04a |
child 212916 | 669b21a7bfd018e2775d7fd6761d4a6aee1b9325 |
push id | 27730 |
push user | cbook@mozilla.com |
push date | Wed, 29 Oct 2014 12:26:03 +0000 |
treeherder | mozilla-central@fe5c1cb8075a [default view] [failures only] |
perfherder | [talos] [build metrics] [platform microbench] (compared to previous push) |
reviewers | me |
bugs | 1088617 |
milestone | 36.0a1 |
first release with | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
last release without | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
caps/nsIScriptSecurityManager.idl | file | annotate | diff | comparison | revisions | |
caps/nsScriptSecurityManager.cpp | file | annotate | diff | comparison | revisions |
--- a/caps/nsIScriptSecurityManager.idl +++ b/caps/nsIScriptSecurityManager.idl @@ -14,17 +14,17 @@ interface nsILoadContext; %{ C++ #include "jspubtd.h" %} [ptr] native JSContextPtr(JSContext); [ptr] native JSObjectPtr(JSObject); -[scriptable, uuid(3b021962-975e-43b5-8a93-9fc2d20346e9)] +[scriptable, uuid(f649959d-dae3-4027-83fd-5b7f8c8a8815)] interface nsIScriptSecurityManager : nsISupports { /** * For each of these hooks returning NS_OK means 'let the action continue'. * Returning an error code means 'veto the action'. XPConnect will return * false to the js engine if the action is vetoed. The implementor of this * interface is responsible for setting a JS exception into the JSContext * if that is appropriate. @@ -174,23 +174,16 @@ interface nsIScriptSecurityManager : nsI /** * Legacy name for getNoAppCodebasePrincipal. * * @deprecated use getNoAppCodebasePrincipal instead. */ [deprecated] nsIPrincipal getCodebasePrincipal(in nsIURI uri); /** - * Returns OK if aJSContext and target have the same "origin" - * (scheme, host, and port). - */ - [noscript] void checkSameOrigin(in JSContextPtr aJSContext, - in nsIURI aTargetURI); - - /** * Returns OK if aSourceURI and target have the same "origin" * (scheme, host, and port). * ReportError flag suppresses error reports for functions that * don't need reporting. */ void checkSameOriginURI(in nsIURI aSourceURI, in nsIURI aTargetURI, in boolean reportError);
--- a/caps/nsScriptSecurityManager.cpp +++ b/caps/nsScriptSecurityManager.cpp @@ -437,49 +437,16 @@ nsScriptSecurityManager::ContentSecurity bool nsScriptSecurityManager::JSPrincipalsSubsume(JSPrincipals *first, JSPrincipals *second) { return nsJSPrincipals::get(first)->Subsumes(nsJSPrincipals::get(second)); } NS_IMETHODIMP -nsScriptSecurityManager::CheckSameOrigin(JSContext* cx, - nsIURI* aTargetURI) -{ - MOZ_ASSERT_IF(cx, cx == nsContentUtils::GetCurrentJSContext()); - - // Get a principal from the context - nsIPrincipal* sourcePrincipal = nsContentUtils::SubjectPrincipal(); - if (sourcePrincipal == mSystemPrincipal) - { - // This is a system (chrome) script, so allow access - return NS_OK; - } - - // Get the original URI from the source principal. - // This has the effect of ignoring any change to document.domain - // which must be done to avoid DNS spoofing (bug 154930) - nsCOMPtr<nsIURI> sourceURI; - sourcePrincipal->GetDomain(getter_AddRefs(sourceURI)); - if (!sourceURI) { - sourcePrincipal->GetURI(getter_AddRefs(sourceURI)); - NS_ENSURE_TRUE(sourceURI, NS_ERROR_FAILURE); - } - - // Compare origins - if (!SecurityCompareURIs(sourceURI, aTargetURI)) - { - ReportError(cx, NS_LITERAL_STRING("CheckSameOriginError"), sourceURI, aTargetURI); - return NS_ERROR_DOM_BAD_URI; - } - return NS_OK; -} - -NS_IMETHODIMP nsScriptSecurityManager::CheckSameOriginURI(nsIURI* aSourceURI, nsIURI* aTargetURI, bool reportError) { if (!SecurityCompareURIs(aSourceURI, aTargetURI)) { if (reportError) { ReportError(nullptr, NS_LITERAL_STRING("CheckSameOriginError"),