Bug 515460 - enforce CSP during Worker script redirects, r=jst, a=dholbert_sheriff
authorBrandon Sterne <bsterne@mozilla.com>
Fri, 23 Apr 2010 12:52:30 -0700
changeset 41210 f719a7e559f0377eaca7ed8f3358002e0faffb68
parent 41209 58a2e617bf997dcf8558cff9a32cea7f6846d88d
child 41211 b7927f887bccd79abdf96f572d2db2c2fe358026
push idunknown
push userunknown
push dateunknown
reviewersjst, dholbert_sheriff
bugs515460
milestone1.9.3a5pre
Bug 515460 - enforce CSP during Worker script redirects, r=jst, a=dholbert_sheriff
dom/src/threads/nsDOMWorkerScriptLoader.cpp
--- a/dom/src/threads/nsDOMWorkerScriptLoader.cpp
+++ b/dom/src/threads/nsDOMWorkerScriptLoader.cpp
@@ -55,16 +55,19 @@
 #include "nsContentUtils.h"
 #include "nsISupportsPrimitives.h"
 #include "nsNetError.h"
 #include "nsNetUtil.h"
 #include "nsScriptLoader.h"
 #include "nsThreadUtils.h"
 #include "pratom.h"
 #include "nsDocShellCID.h"
+#include "nsIChannelPolicy.h"
+#include "nsChannelPolicy.h"
+#include "nsIContentSecurityPolicy.h"
 
 // DOMWorker includes
 #include "nsDOMWorkerPool.h"
 #include "nsDOMWorkerSecurityManager.h"
 #include "nsDOMThreadService.h"
 #include "nsDOMWorkerTimeout.h"
 
 #define LOG(_args) PR_LOG(gDOMThreadsLog, PR_LOG_DEBUG, _args)
@@ -502,17 +505,34 @@ nsDOMWorkerScriptLoader::RunInternal()
     NS_ENSURE_SUCCESS(rv, rv);
 
     // We don't care about progress so just use the simple stream loader for
     // OnStreamComplete notification only.
     nsCOMPtr<nsIStreamLoader> loader;
     rv = NS_NewStreamLoader(getter_AddRefs(loader), this);
     NS_ENSURE_SUCCESS(rv, rv);
 
-    rv = NS_NewChannel(getter_AddRefs(loadInfo.channel), uri, ios, loadGroup);
+    // get Content Security Policy from parent document to pass into channel
+    nsCOMPtr<nsIChannelPolicy> channelPolicy;
+    nsCOMPtr<nsIContentSecurityPolicy> csp;
+    rv = parentDoc->NodePrincipal()->GetCsp(getter_AddRefs(csp));
+    NS_ENSURE_SUCCESS(rv, rv);
+    if (csp) {
+        channelPolicy = do_CreateInstance("@mozilla.org/nschannelpolicy;1");
+        channelPolicy->SetContentSecurityPolicy(csp);
+        channelPolicy->SetLoadType(nsIContentPolicy::TYPE_SCRIPT);
+    }
+
+    rv = NS_NewChannel(getter_AddRefs(loadInfo.channel),
+                       uri,
+                       ios,
+                       loadGroup,
+                       nsnull,                            // callbacks
+                       nsIRequest::LOAD_NORMAL,           // loadFlags
+                       channelPolicy);                    // CSP info
     NS_ENSURE_SUCCESS(rv, rv);
 
     rv = loadInfo.channel->AsyncOpen(loader, indexSupports);
     if (NS_FAILED(rv)) {
       // Null this out so we don't try to cancel it later.
       loadInfo.channel = nsnull;
       return rv;
     }