Bug 515460 - enforce CSP during Worker script redirects, r=jst, a=dholbert_sheriff
--- a/dom/src/threads/nsDOMWorkerScriptLoader.cpp
+++ b/dom/src/threads/nsDOMWorkerScriptLoader.cpp
@@ -55,16 +55,19 @@
#include "nsContentUtils.h"
#include "nsISupportsPrimitives.h"
#include "nsNetError.h"
#include "nsNetUtil.h"
#include "nsScriptLoader.h"
#include "nsThreadUtils.h"
#include "pratom.h"
#include "nsDocShellCID.h"
+#include "nsIChannelPolicy.h"
+#include "nsChannelPolicy.h"
+#include "nsIContentSecurityPolicy.h"
// DOMWorker includes
#include "nsDOMWorkerPool.h"
#include "nsDOMWorkerSecurityManager.h"
#include "nsDOMThreadService.h"
#include "nsDOMWorkerTimeout.h"
#define LOG(_args) PR_LOG(gDOMThreadsLog, PR_LOG_DEBUG, _args)
@@ -502,17 +505,34 @@ nsDOMWorkerScriptLoader::RunInternal()
NS_ENSURE_SUCCESS(rv, rv);
// We don't care about progress so just use the simple stream loader for
// OnStreamComplete notification only.
nsCOMPtr<nsIStreamLoader> loader;
rv = NS_NewStreamLoader(getter_AddRefs(loader), this);
NS_ENSURE_SUCCESS(rv, rv);
- rv = NS_NewChannel(getter_AddRefs(loadInfo.channel), uri, ios, loadGroup);
+ // get Content Security Policy from parent document to pass into channel
+ nsCOMPtr<nsIChannelPolicy> channelPolicy;
+ nsCOMPtr<nsIContentSecurityPolicy> csp;
+ rv = parentDoc->NodePrincipal()->GetCsp(getter_AddRefs(csp));
+ NS_ENSURE_SUCCESS(rv, rv);
+ if (csp) {
+ channelPolicy = do_CreateInstance("@mozilla.org/nschannelpolicy;1");
+ channelPolicy->SetContentSecurityPolicy(csp);
+ channelPolicy->SetLoadType(nsIContentPolicy::TYPE_SCRIPT);
+ }
+
+ rv = NS_NewChannel(getter_AddRefs(loadInfo.channel),
+ uri,
+ ios,
+ loadGroup,
+ nsnull, // callbacks
+ nsIRequest::LOAD_NORMAL, // loadFlags
+ channelPolicy); // CSP info
NS_ENSURE_SUCCESS(rv, rv);
rv = loadInfo.channel->AsyncOpen(loader, indexSupports);
if (NS_FAILED(rv)) {
// Null this out so we don't try to cancel it later.
loadInfo.channel = nsnull;
return rv;
}