Bug 1105556 - nsPerformance::CheckAllowedOrigin should return early for TYPE_DOCUMENT loads. TYPE_DOCUMENT loads don't go through a TimingAllowedCheck(). r=bz, vgosu
authorTanvi Vyas <tanvi@mozilla.com>
Wed, 13 Apr 2016 16:30:31 -0700
changeset 316903 8573a03297ea03d9b16923e565a6ce750ada02dc
parent 316902 9ae70caf56c04ce2ee4d6d2494b819045781562d
child 316904 3590109e2001bff004a047dd3f7f4c36a691b74d
push id9480
push userjlund@mozilla.com
push dateMon, 25 Apr 2016 17:12:58 +0000
treeherdermozilla-aurora@0d6a91c76a9e [default view] [failures only]
reviewersbz, vgosu
bugs1105556
milestone48.0a1
Bug 1105556 - nsPerformance::CheckAllowedOrigin should return early for TYPE_DOCUMENT loads. TYPE_DOCUMENT loads don't go through a TimingAllowedCheck(). r=bz, vgosu
dom/base/nsPerformance.cpp
netwerk/protocol/http/HttpBaseChannel.cpp
--- a/dom/base/nsPerformance.cpp
+++ b/dom/base/nsPerformance.cpp
@@ -63,19 +63,21 @@ nsPerformanceTiming::nsPerformanceTiming
     mReportCrossOriginRedirect(true)
 {
   MOZ_ASSERT(aPerformance, "Parent performance object should be provided");
 
   if (!nsContentUtils::IsPerformanceTimingEnabled()) {
     mZeroTime = 0;
   }
 
-  // The aHttpChannel argument is null if this nsPerformanceTiming object
-  // is being used for the navigation timing (document) and has a non-null
-  // value for the resource timing (any resources within the page).
+  // The aHttpChannel argument is null if this nsPerformanceTiming object is
+  // being used for navigation timing (which is only relevant for documents).
+  // It has a non-null value if this nsPerformanceTiming object is being used
+  // for resource timing, which can include document loads, both toplevel and
+  // in subframes, and resources linked from a document.
   if (aHttpChannel) {
     mTimingAllowed = CheckAllowedOrigin(aHttpChannel, aChannel);
     bool redirectsPassCheck = false;
     aChannel->GetAllRedirectsPassTimingAllowCheck(&redirectsPassCheck);
     mReportCrossOriginRedirect = mTimingAllowed && redirectsPassCheck;
   }
 
   InitializeTimingInfo(aChannel);
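Review bot: The rewritten comment says a non-null aHttpChannel also covers toplevel document loads, but it does not say what the timing-allow outcome is for them. With the early return this commit adds to CheckAllowedOrigin, a TYPE_DOCUMENT load gets mTimingAllowed == false, and so mReportCrossOriginRedirect is false as well. I would add one sentence to the comment, for example `// For TYPE_DOCUMENT loads CheckAllowedOrigin() returns false, so both flags end up false.` The constructor begins above the hunk and continues past it.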
@@ -139,16 +141,24 @@ nsPerformanceTiming::CheckAllowedOrigin(
   }
 
   // Check that the current document passes the ckeck.
   nsCOMPtr<nsILoadInfo> loadInfo;
   aResourceChannel->GetLoadInfo(getter_AddRefs(loadInfo));
   if (!loadInfo) {
     return false;
   }
+
+  // TYPE_DOCUMENT loads have no loadingPrincipal.  And that's OK, because we
+  // never actually need to have a performance timing entry for TYPE_DOCUMENT
+  // loads.
+  if (loadInfo->GetExternalContentPolicyType() == nsIContentPolicy::TYPE_DOCUMENT) {
+    return false;
+  }
+
   nsCOMPtr<nsIPrincipal> principal = loadInfo->LoadingPrincipal();
 
   // Check if the resource is either same origin as the page that started
   // the load, or if the response contains the proper Timing-Allow-Origin
   // header with the domain of the page that started the load.
   return aChannel->TimingAllowCheck(principal);
 }
 
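Review bot: The early return added to CheckAllowedOrigin keys on the content policy type, while the condition it protects against is a null loadingPrincipal reaching `aChannel->TimingAllowCheck(principal)`. Returning false is the fail-closed answer for TYPE_DOCUMENT, but any other load whose loadInfo has no loadingPrincipal would still pass a null principal down, and whether TimingAllowCheck tolerates that is not visible here. A direct guard after the lookup would cover both cases: `if (!principal) { return false; }`. The function begins above the hunk.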
--- a/netwerk/protocol/http/HttpBaseChannel.cpp
+++ b/netwerk/protocol/http/HttpBaseChannel.cpp
@@ -2918,17 +2918,19 @@ HttpBaseChannel::SetupReplacementChannel
     // Check whether or not this was a cross-domain redirect.
     newTimedChannel->SetAllRedirectsSameOrigin(
         mAllRedirectsSameOrigin && SameOriginWithOriginalUri(newURI));
 
     // Execute the timing allow check to determine whether
     // to report the redirect timing info
     nsCOMPtr<nsILoadInfo> loadInfo;
     GetLoadInfo(getter_AddRefs(loadInfo));
-    if (loadInfo) {
+    // TYPE_DOCUMENT loads don't have a loadingPrincipal, so we can't set
+    // AllRedirectsPassTimingAllowCheck on them.
+    if (loadInfo && loadInfo->GetExternalContentPolicyType() != nsIContentPolicy::TYPE_DOCUMENT) {
       nsCOMPtr<nsIPrincipal> principal = loadInfo->LoadingPrincipal();
       newTimedChannel->SetAllRedirectsPassTimingAllowCheck(
         mAllRedirectsPassTimingAllowCheck &&
         oldTimedChannel->TimingAllowCheck(principal));
     }
   }
 
   // This channel has been redirected. Don't report timing info.
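Review bot: For a TYPE_DOCUMENT load the new condition skips `SetAllRedirectsPassTimingAllowCheck` altogether, so the replacement channel keeps its initial value instead of inheriting mAllRedirectsPassTimingAllowCheck. That initial value is not visible in this hunk; if it is true, a document load redirected across origins would report that every redirect passed a check that never ran. nsPerformanceTiming masks this through mTimingAllowed, but other readers of GetAllRedirectsPassTimingAllowCheck would not. I would make the skipped case explicit with `else { newTimedChannel->SetAllRedirectsPassTimingAllowCheck(false); }`, or extend the comment to state which value the flag is left at. SetupReplacementChannel starts and ends outside the hunk.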