Bug 1468912 - Don't use system principal for calendar server connections; r+a=philipp
authorMakeMyDay <makemyday@gmx-topmail.de>
Sun, 20 Jan 2019 16:44:07 +0100
changeset 33957 108b09602836
parent 33956 f978492d2a2e
child 33958 c2bb7687c4ba
push id388
push userclokep@gmail.com
push dateMon, 28 Jan 2019 20:54:56 +0000
bugs1468912
Bug 1468912 - Don't use system principal for calendar server connections; r+a=philipp
calendar/base/modules/utils/calProviderUtils.jsm
--- a/calendar/base/modules/utils/calProviderUtils.jsm
+++ b/calendar/base/modules/utils/calProviderUtils.jsm
@@ -32,19 +32,23 @@ var calprovider = {
      *                                                            string will be converted to an
      *                                                            input stream.
      * @param {String} aContentType                             Value for Content-Type header, if any
      * @param {nsIInterfaceRequestor} aNotificationCallbacks    Calendar using channel
      * @param {?nsIChannel} aExisting                           An existing channel to modify (optional)
      * @return {nsIChannel}                                     The prepared channel
      */
     prepHttpChannel: function(aUri, aUploadData, aContentType, aNotificationCallbacks, aExisting=null) {
+        // We cannot use a system principal here since the connection setup will fail if
+        // same-site cookie protection is enabled in TB and server-side.
+        let principal = aExisting ? null
+                                  : Services.scriptSecurityManager.createCodebasePrincipal(aUri, {});
         let channel = aExisting || Services.io.newChannelFromURI2(aUri,
                                                                   null,
-                                                                  Services.scriptSecurityManager.getSystemPrincipal(),
+                                                                  principal,
                                                                   null,
                                                                   Components.interfaces.nsILoadInfo.SEC_ALLOW_CROSS_ORIGIN_DATA_IS_NULL,
                                                                   Components.interfaces.nsIContentPolicy.TYPE_OTHER);
         let httpchannel = channel.QueryInterface(Components.interfaces.nsIHttpChannel);
 
         httpchannel.setRequestHeader("Accept", "text/xml", false);
         httpchannel.setRequestHeader("Accept-Charset", "utf-8,*;q=0.1", false);
         httpchannel.loadFlags |= Components.interfaces.nsIRequest.LOAD_BYPASS_CACHE;