Bug 1319904 - Ignore origin attributes in webchannel origin check. r=markh, a=ritu FIREFOX_51_0b6_BUILD1 FIREFOX_51_0b6_RELEASE
authorRyan Kelly <rfkelly@mozilla.com>
Fri, 25 Nov 2016 15:52:02 +1100
changeset 452508 2dec3c6c7c90e2e27093b8a3512c1b32a8263a8f
parent 452507 61d41bb86782075ad64836cc1efc414e5dd5a7eb
child 452509 53644cbfaf329366b6a91a776ecac02b5ee97c88
push id39418
push userbmo:twointofive@gmail.com
push dateWed, 21 Dec 2016 20:59:30 +0000
reviewersmarkh, ritu
bugs1319904
milestone51.0
Bug 1319904 - Ignore origin attributes in webchannel origin check. r=markh, a=ritu Including the attributes in the origin check causes webchannels to fail in e.g. private browsing windows and container tabs. We only want to compare against the base origin URL. MozReview-Commit-ID: AMCjf4vJF9E
browser/base/content/test/general/browser_web_channel.js
toolkit/modules/WebChannel.jsm
--- a/browser/base/content/test/general/browser_web_channel.js
+++ b/browser/base/content/test/general/browser_web_channel.js
@@ -32,16 +32,36 @@ var gTests = [
           resolve();
         });
 
         tab = gBrowser.addTab(HTTP_PATH + HTTP_ENDPOINT + "?generic");
       });
     }
   },
   {
+    desc: "WebChannel generic message in a private window.",
+    run: function* () {
+      let promiseTestDone = new Promise(function(resolve, reject) {
+        let channel = new WebChannel("generic", Services.io.newURI(HTTP_PATH, null, null));
+        channel.listen(function(id, message, target) {
+          is(id, "generic");
+          is(message.something.nested, "hello");
+          channel.stopListening();
+          resolve();
+        });
+      });
+
+      const url = HTTP_PATH + HTTP_ENDPOINT + "?generic";
+      let privateWindow = yield BrowserTestUtils.openNewBrowserWindow({private: true});
+      yield BrowserTestUtils.openNewForegroundTab(privateWindow.gBrowser, url);
+      yield promiseTestDone;
+      yield BrowserTestUtils.closeWindow(privateWindow);
+    }
+  },
+  {
     desc: "WebChannel two way communication",
     run: function* () {
       return new Promise(function(resolve, reject) {
         let tab;
         let channel = new WebChannel("twoway", Services.io.newURI(HTTP_PATH, null, null));
 
         channel.listen(function (id, message, sender) {
           is(id, "twoway", "bad id");
--- a/toolkit/modules/WebChannel.jsm
+++ b/toolkit/modules/WebChannel.jsm
@@ -166,29 +166,29 @@ this.WebChannel = function(id, originOrP
   this.id = id;
   // originOrPermission can be either an nsIURI or a string representing a
   // permission name.
   if (typeof originOrPermission == "string") {
     this._originCheckCallback = requestPrincipal => {
       // The permission manager operates on domain names rather than true
       // origins (bug 1066517).  To mitigate that, we explicitly check that
       // the scheme is https://.
-      let uri = Services.io.newURI(requestPrincipal.origin, null, null);
+      let uri = Services.io.newURI(requestPrincipal.originNoSuffix, null, null);
       if (uri.scheme != "https") {
         return false;
       }
       // OK - we have https - now we can check the permission.
       let perm = Services.perms.testExactPermissionFromPrincipal(requestPrincipal,
                                                                  originOrPermission);
       return perm == Ci.nsIPermissionManager.ALLOW_ACTION;
     }
   } else {
     // a simple URI, so just check for an exact match.
     this._originCheckCallback = requestPrincipal => {
-      return originOrPermission.prePath === requestPrincipal.origin;
+      return originOrPermission.prePath === requestPrincipal.originNoSuffix;
     }
   }
   this._originOrPermission = originOrPermission;
 };
 
 this.WebChannel.prototype = {
 
   /**