Bug 1178058. Don't convert an expanded principal into inheriting the current principal. Just pretend like the null principal did the load (like LOAD_FLAGS_DISALLOW_INHERIT_OWNER does). r=bholley
authorCody Crews <codycrews00@gmail.com>
Thu, 16 Jul 2015 17:53:19 -0400
changeset 253407 b9a02fdb75a5ead0db9a726edb9c4dc814f1be48
parent 253406 fb262fae5d1387503747e60759469acfe10915ec
child 253408 4db7a87976155dd2daccd1b287c09400b98ca856
push id29065
push userryanvm@gmail.com
push dateFri, 17 Jul 2015 14:26:32 +0000
reviewersbholley
bugs1178058
milestone42.0a1
Bug 1178058. Don't convert an expanded principal into inheriting the current principal. Just pretend like the null principal did the load (like LOAD_FLAGS_DISALLOW_INHERIT_OWNER does). r=bholley
docshell/base/nsDocShell.cpp
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@@ -1602,22 +1602,30 @@ nsDocShell::LoadURI(nsIURI* aURI,
   //     created later from the channel's internal data.
   //
   // NOTE: This all only works because the only thing the owner is used
   //       for in InternalLoad is data:, javascript:, and about:blank
   //       URIs.  For other URIs this would all be dead wrong!
 
   if (owner && mItemType != typeChrome) {
     nsCOMPtr<nsIPrincipal> ownerPrincipal = do_QueryInterface(owner);
-    if (nsContentUtils::IsSystemOrExpandedPrincipal(ownerPrincipal)) {
+    if (nsContentUtils::IsSystemPrincipal(ownerPrincipal)) {
       if (ownerIsExplicit) {
         return NS_ERROR_DOM_SECURITY_ERR;
       }
       owner = nullptr;
       inheritOwner = true;
+    } else if (nsContentUtils::IsExpandedPrincipal(ownerPrincipal)) {
+      if (ownerIsExplicit) {
+        return NS_ERROR_DOM_SECURITY_ERR;
+      }
+      // Don't inherit from the current page.  Just do the safe thing
+      // and pretend that we were loaded by a nullprincipal.
+      owner = nsNullPrincipal::Create();
+      inheritOwner = false;
     }
   }
   if (!owner && !inheritOwner && !ownerIsExplicit) {
     // See if there's system or chrome JS code running
     inheritOwner = nsContentUtils::IsCallerChrome();
   }
 
   if (aLoadFlags & LOAD_FLAGS_DISALLOW_INHERIT_OWNER) {
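Review bot: The result of `nsNullPrincipal::Create()` on the new `owner = nsNullPrincipal::Create();` line is not checked, and if Create() can return null (its Init step can fail), the expanded-principal branch leaves `owner` null with `inheritOwner` false, so the following `if (!owner && !inheritOwner && !ownerIsExplicit)` block re-enables inheritance from chrome callers — exactly the outcome this branch exists to prevent. Failing the load is the safer fallback: `owner = nsNullPrincipal::Create();` followed by `if (!owner) { return NS_ERROR_FAILURE; }`. The comment could also say why the null principal is the safe choice here, e.g. `// An expanded principal must not inherit from the current page; a fresh null principal grants no access to anything.` The enclosing nsDocShell::LoadURI both starts before and continues after this hunk.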