Bug 426308 - "Cross site XHR backout broke redirect handling for privileged code" [p=manish@flock.com (Manish Singh) r+sr=sicking a=blocking1.9+]
--- a/content/base/src/nsXMLHttpRequest.cpp
+++ b/content/base/src/nsXMLHttpRequest.cpp
@@ -2244,34 +2244,37 @@ nsXMLHttpRequest::ChangeState(PRUint32 a
NS_IMETHODIMP
nsXMLHttpRequest::OnChannelRedirect(nsIChannel *aOldChannel,
nsIChannel *aNewChannel,
PRUint32 aFlags)
{
NS_PRECONDITION(aNewChannel, "Redirect without a channel?");
nsresult rv;
+
+ if (!(mState & XML_HTTP_REQUEST_XSITEENABLED)) {
+ nsCOMPtr<nsIURI> oldURI;
+ rv = aOldChannel->GetURI(getter_AddRefs(oldURI));
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ nsCOMPtr<nsIURI> newURI;
+ rv = aNewChannel->GetURI(getter_AddRefs(newURI));
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ rv = nsContentUtils::GetSecurityManager()->
+ CheckSameOriginURI(oldURI, newURI, PR_TRUE);
+ NS_ENSURE_SUCCESS(rv, rv);
+ }
+
if (mChannelEventSink) {
rv =
mChannelEventSink->OnChannelRedirect(aOldChannel, aNewChannel, aFlags);
NS_ENSURE_SUCCESS(rv, rv);
}
- nsCOMPtr<nsIURI> oldURI;
- rv = aOldChannel->GetURI(getter_AddRefs(oldURI));
- NS_ENSURE_SUCCESS(rv, rv);
-
- nsCOMPtr<nsIURI> newURI;
- rv = aNewChannel->GetURI(getter_AddRefs(newURI));
- NS_ENSURE_SUCCESS(rv, rv);
-
- rv = nsContentUtils::GetSecurityManager()->
- CheckSameOriginURI(oldURI, newURI, PR_TRUE);
- NS_ENSURE_SUCCESS(rv, rv);
-
mChannel = aNewChannel;
return NS_OK;
}
/////////////////////////////////////////////////////
// nsIProgressEventSink methods:
//
--- a/content/base/test/Makefile.in
+++ b/content/base/test/Makefile.in
@@ -156,16 +156,18 @@ include $(topsrcdir)/config/rules.mk
test_bug418214.html \
test_bug419527.xhtml \
test_bug420609.xhtml \
test_bug420700.html \
test_bug421602.html \
test_bug422537.html \
test_bug424212.html \
test_bug425013.html \
+ bug426308-redirect.sjs \
+ test_bug426308.html \
test_XHR.html \
file_XHR_pass1.xml \
file_XHR_pass2.txt \
file_XHR_pass3.txt \
file_XHR_pass3.txt^headers^ \
file_XHR_fail1.txt \
file_XHR_fail1.txt^headers^ \
$(NULL)
new file mode 100644
--- /dev/null
+++ b/content/base/test/bug426308-redirect.sjs
@@ -0,0 +1,4 @@
+function handleRequest(request, response) {
+ response.setStatusLine(null, 302, "Found");
+ response.setHeader("Location", request.queryString, false);
+}
new file mode 100644
--- /dev/null
+++ b/content/base/test/test_bug426308.html
@@ -0,0 +1,36 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=426308
+-->
+<head>
+ <title>Test for Bug 426308</title>
+ <script type="text/javascript" src="/MochiKit/MochiKit.js"></script>
+ <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=426308">Mozilla Bug 426308</a>
+<p id="display"></p>
+<div id="content" style="display: none">
+
+</div>
+<pre id="test">
+<script class="testbody" type="text/javascript">
+
+/** Test for Bug 426308 **/
+
+const SJS_URL = "http://example.org:80/tests/content/base/test/bug426308-redirect.sjs";
+
+netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
+
+var req = new XMLHttpRequest();
+req.open("GET", SJS_URL + "?" + window.location.href, false);
+req.send(null);
+
+is(req.status, 200, "Redirect did not happen");
+
+</script>
+</pre>
+</body>
+</html>