Bug 1532303: Fix evaluation of Service-Worker-Allowed header r=perry,asuth
authorYaron Tausky <ytausky@mozilla.com>
Wed, 06 Mar 2019 02:11:54 +0000
changeset 520490 51a634029b4420a4ed2df59756dc2a66ade0b958
parent 520489 44d83d32e254ccdb9441b8c0388262e436918da5
child 520491 dcdb7860cae8667256dcca87711d1edea92a9bad
push id10862
push userffxbld-merge
push dateMon, 11 Mar 2019 13:01:11 +0000
reviewersperry, asuth
bugs1532303
milestone67.0a1
Bug 1532303: Fix evaluation of Service-Worker-Allowed header r=perry,asuth The spec mandates that only the paths of the URIs resulting from evaluation of the Service-Worker-Allowed header and the registration's scope be compared, yet Gecko also includes the origin in the comparison. This commit makes Gecko follow the spec. Differential Revision: https://phabricator.services.mozilla.com/D21970
dom/serviceworkers/ServiceWorkerUpdateJob.cpp
testing/web-platform/meta/service-workers/service-worker/Service-Worker-Allowed-header.https.html.ini
--- a/dom/serviceworkers/ServiceWorkerUpdateJob.cpp
+++ b/dom/serviceworkers/ServiceWorkerUpdateJob.cpp
@@ -41,42 +41,32 @@ namespace {
  * "directory" part of the pathname, and otherwise the entire pathname should be
  * used.  ScopeStringPrefixMode allows the caller to specify the desired
  * behavior.
  */
 enum ScopeStringPrefixMode { eUseDirectory, eUsePath };
 
 nsresult GetRequiredScopeStringPrefix(nsIURI* aScriptURI, nsACString& aPrefix,
                                       ScopeStringPrefixMode aPrefixMode) {
-  nsresult rv = aScriptURI->GetPrePath(aPrefix);
-  if (NS_WARN_IF(NS_FAILED(rv))) {
-    return rv;
-  }
-
+  nsresult rv;
   if (aPrefixMode == eUseDirectory) {
     nsCOMPtr<nsIURL> scriptURL(do_QueryInterface(aScriptURI));
     if (NS_WARN_IF(!scriptURL)) {
       return NS_ERROR_FAILURE;
     }
 
-    nsAutoCString dir;
-    rv = scriptURL->GetDirectory(dir);
+    rv = scriptURL->GetDirectory(aPrefix);
     if (NS_WARN_IF(NS_FAILED(rv))) {
       return rv;
     }
-
-    aPrefix.Append(dir);
   } else if (aPrefixMode == eUsePath) {
-    nsAutoCString path;
-    rv = aScriptURI->GetPathQueryRef(path);
+    rv = aScriptURI->GetPathQueryRef(aPrefix);
     if (NS_WARN_IF(NS_FAILED(rv))) {
       return rv;
     }
-
-    aPrefix.Append(path);
   } else {
     MOZ_ASSERT_UNREACHABLE("Invalid value for aPrefixMode");
   }
   return NS_OK;
 }
 
 }  // anonymous namespace
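Review bot: The contract of GetRequiredScopeStringPrefix changes here, and the visible part of its doc comment does not record it. With the `GetPrePath` call removed, `aPrefix` holds only a path (the directory for `eUseDirectory`, the path with query and ref for `eUsePath`) and no scheme, host or port. A caller that still compares the result against a full scope URL would never match, and a caller that compares paths gets no origin check from this helper. I would add a sentence to the comment above the function, such as `The returned prefix is a path only and contains no origin; callers must compare it against a path and enforce same-origin separately.` The comment block starts above the hunk, so its current wording is only partly visible.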
 
@@ -367,17 +357,31 @@ void ServiceWorkerUpdateJob::ComparisonR
   if (maxScopeURI) {
     rv = GetRequiredScopeStringPrefix(maxScopeURI, maxPrefix, eUsePath);
     if (NS_WARN_IF(NS_FAILED(rv))) {
       FailUpdateJob(NS_ERROR_DOM_SECURITY_ERR);
       return;
     }
   }
 
-  if (!StringBeginsWith(mRegistration->Scope(), maxPrefix)) {
+  nsCOMPtr<nsIURI> scopeURI;
+  rv = NS_NewURI(getter_AddRefs(scopeURI), mRegistration->Scope(), nullptr, scriptURI);
+  if (NS_WARN_IF(NS_FAILED(rv))) {
+    FailUpdateJob(NS_ERROR_FAILURE);
+    return;
+  }
+
+  nsAutoCString scopeString;
+  rv = scopeURI->GetPathQueryRef(scopeString);
+  if (NS_WARN_IF(NS_FAILED(rv))) {
+    FailUpdateJob(NS_ERROR_FAILURE);
+    return;
+  }
+
+  if (!StringBeginsWith(scopeString, maxPrefix)) {
     nsAutoString message;
     NS_ConvertUTF8toUTF16 reportScope(mRegistration->Scope());
     NS_ConvertUTF8toUTF16 reportMaxPrefix(maxPrefix);
     const char16_t* params[] = {reportScope.get(), reportMaxPrefix.get()};
 
     rv = nsContentUtils::FormatLocalizedString(nsContentUtils::eDOM_PROPERTIES,
                                                "ServiceWorkerScopePathMismatch",
                                                params, message);
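Review bot: Once `if (!StringBeginsWith(scopeString, maxPrefix))` compares paths only, nothing visible in this hunk ties the scope's origin to the script's origin, so that guarantee has to hold before this check runs. It is presumably enforced when the registration is created, but that is not shown here. A comment above the `NS_NewURI` call would record the dependency, for example `// Paths only, per spec; same-origin of scope and script is enforced at registration, not by this check.`, and a `MOZ_ASSERT` on that invariant may be worth adding. Separately, `GetPathQueryRef` keeps the query and fragment in `scopeString` while the commit message speaks of comparing paths; if the spec means the path component alone, `GetFilePath` on both sides would be the closer match. ComparisonResult begins and ends outside the hunk.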
deleted file mode 100644
--- a/testing/web-platform/meta/service-workers/service-worker/Service-Worker-Allowed-header.https.html.ini
+++ /dev/null
@@ -1,7 +0,0 @@
-[Service-Worker-Allowed-header.https.html]
-  [Service-Worker-Allowed is cross-origin to script, registering on a normally allowed scope]
-    expected: FAIL
-
-  [Service-Worker-Allowed is cross-origin to script, registering on a normally disallowed scope]
-    expected: FAIL
-