Bug 426308 - "Cross site XHR backout broke redirect handling for privileged code" [p=manish@flock.com (Manish Singh) r+sr=sicking a=blocking1.9+]
authorreed@reedloden.com
Fri, 04 Apr 2008 02:01:22 -0700
changeset 13898 c5626db8a61eddb151479ad054d6bb84b0560cd0
parent 13897 c652aaaa02159bfbe72500f51b751a89a9e4acb7
child 13899 299fba140253148d0b59a26a3ab31b2e59144db4
push idunknown
push userunknown
push dateunknown
reviewersblocking1.9
bugs426308
milestone1.9pre
Bug 426308 - "Cross site XHR backout broke redirect handling for privileged code" [p=manish@flock.com (Manish Singh) r+sr=sicking a=blocking1.9+]
content/base/src/nsXMLHttpRequest.cpp
content/base/test/Makefile.in
content/base/test/bug426308-redirect.sjs
content/base/test/test_bug426308.html
--- a/content/base/src/nsXMLHttpRequest.cpp
+++ b/content/base/src/nsXMLHttpRequest.cpp
@@ -2244,34 +2244,37 @@ nsXMLHttpRequest::ChangeState(PRUint32 a
 NS_IMETHODIMP
 nsXMLHttpRequest::OnChannelRedirect(nsIChannel *aOldChannel,
                                     nsIChannel *aNewChannel,
                                     PRUint32    aFlags)
 {
   NS_PRECONDITION(aNewChannel, "Redirect without a channel?");
 
   nsresult rv;
+
+  if (!(mState & XML_HTTP_REQUEST_XSITEENABLED)) {
+    nsCOMPtr<nsIURI> oldURI;
+    rv = aOldChannel->GetURI(getter_AddRefs(oldURI));
+    NS_ENSURE_SUCCESS(rv, rv);
+
+    nsCOMPtr<nsIURI> newURI;
+    rv = aNewChannel->GetURI(getter_AddRefs(newURI));
+    NS_ENSURE_SUCCESS(rv, rv);
+
+    rv = nsContentUtils::GetSecurityManager()->
+      CheckSameOriginURI(oldURI, newURI, PR_TRUE);
+    NS_ENSURE_SUCCESS(rv, rv);
+  }
+
   if (mChannelEventSink) {
     rv =
       mChannelEventSink->OnChannelRedirect(aOldChannel, aNewChannel, aFlags);
     NS_ENSURE_SUCCESS(rv, rv);
   }
 
-  nsCOMPtr<nsIURI> oldURI;
-  rv = aOldChannel->GetURI(getter_AddRefs(oldURI));
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  nsCOMPtr<nsIURI> newURI;
-  rv = aNewChannel->GetURI(getter_AddRefs(newURI));
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  rv = nsContentUtils::GetSecurityManager()->
-    CheckSameOriginURI(oldURI, newURI, PR_TRUE);
-  NS_ENSURE_SUCCESS(rv, rv);
-
   mChannel = aNewChannel;
 
   return NS_OK;
 }
 
 /////////////////////////////////////////////////////
 // nsIProgressEventSink methods:
 //
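Review bot: The same-origin redirect check in `OnChannelRedirect` is now skipped whenever `XML_HTTP_REQUEST_XSITEENABLED` is set in `mState`, and nothing in the hunk documents what guarantees that bit is set only for callers allowed to follow cross-origin redirects. When the bit is set and `mChannelEventSink` is null, the redirect is accepted with no check at all, so the safety of this branch rests entirely on code outside the hunk that sets the flag. Going by the commit title the flag is meant for privileged code; a comment above the `if` would make that invariant explicit, e.g. `// Skip the same-origin check only for requests flagged XML_HTTP_REQUEST_XSITEENABLED; that bit must be set solely for privileged callers.` Separately, `aOldChannel` is now dereferenced first but only `aNewChannel` has a precondition; `NS_PRECONDITION(aOldChannel, "Redirect without an old channel?");` would match the existing line.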
--- a/content/base/test/Makefile.in
+++ b/content/base/test/Makefile.in
@@ -156,16 +156,18 @@ include $(topsrcdir)/config/rules.mk
 		test_bug418214.html \
 		test_bug419527.xhtml \
 		test_bug420609.xhtml \
 		test_bug420700.html \
 		test_bug421602.html \
 		test_bug422537.html \
 		test_bug424212.html \
 		test_bug425013.html \
+		bug426308-redirect.sjs \
+		test_bug426308.html \
 		test_XHR.html \
 		file_XHR_pass1.xml \
 		file_XHR_pass2.txt \
 		file_XHR_pass3.txt \
 		file_XHR_pass3.txt^headers^ \
 		file_XHR_fail1.txt \
 		file_XHR_fail1.txt^headers^ \
 		$(NULL)
new file mode 100644
--- /dev/null
+++ b/content/base/test/bug426308-redirect.sjs
@@ -0,0 +1,4 @@
+function handleRequest(request, response) {
+  response.setStatusLine(null, 302, "Found");
+  response.setHeader("Location", request.queryString, false);
+}
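Review bot: `handleRequest` copies `request.queryString` into the `Location` header unchanged, so this handler redirects to any URL it is given. That is what the test needs, but the file carries no comment saying so, and a later reader could reuse it as a general helper. A header comment such as `// Test-only helper for bug 426308: 302-redirects to the URL passed as the query string; serve only from the mochitest server.` would record the intent and the constraint.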
new file mode 100644
--- /dev/null
+++ b/content/base/test/test_bug426308.html
@@ -0,0 +1,36 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=426308
+-->
+<head>
+  <title>Test for Bug 426308</title>
+  <script type="text/javascript" src="/MochiKit/MochiKit.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=426308">Mozilla Bug 426308</a>
+<p id="display"></p>
+<div id="content" style="display: none">
+  
+</div>
+<pre id="test">
+<script class="testbody" type="text/javascript">
+
+/** Test for Bug 426308 **/
+
+const SJS_URL = "http://example.org:80/tests/content/base/test/bug426308-redirect.sjs";
+
+netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
+
+var req = new XMLHttpRequest();
+req.open("GET", SJS_URL + "?" + window.location.href, false);
+req.send(null);
+
+is(req.status, 200, "Redirect did not happen");
+
+</script>
+</pre>
+</body>
+</html>
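Review bot: The test covers only the privileged path, after `enablePrivilege("UniversalBrowserRead")`, so nothing here pins that an unprivileged cross-origin redirect is still refused by the check this commit moves in `OnChannelRedirect`. A companion case that issues the same request without the privilege and expects it to fail would catch a later change that widens the `XML_HTTP_REQUEST_XSITEENABLED` branch. The third argument to `is()` is shown as the assertion's name on pass as well as on failure, so `"Redirect did not happen"` reads wrongly in a passing run; `"privileged XHR should follow the cross-origin redirect"` states the expectation instead.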