Bug 985135 - When owner is a null principal, propagate to replacement channel on redirect. r=bz, a=sledru
authorBob Owen <bobowencode@gmail.com>
Wed, 28 May 2014 15:04:04 +0100
changeset 199385 6f561fd4e04525750c614a9c47a4a2dd908698e5
parent 199384 09f2b783db0995e5227920fb617c2cbd5545589a
child 199386 de2314073bf288e8bf3f26f7a6f7b0c27b5df17d
push id3624
push userasasaki@mozilla.com
push dateMon, 09 Jun 2014 21:49:01 +0000
treeherdermozilla-beta@b1a5da15899a [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersbz, sledru
bugs985135
milestone31.0a2
Bug 985135 - When owner is a null principal, propagate to replacement channel on redirect. r=bz, a=sledru
content/html/content/test/file_iframe_sandbox_redirect.html
content/html/content/test/file_iframe_sandbox_redirect.html^headers^
content/html/content/test/file_iframe_sandbox_redirect_target.html
content/html/content/test/mochitest.ini
content/html/content/test/test_iframe_sandbox_redirect.html
netwerk/protocol/http/HttpBaseChannel.cpp
new file mode 100644
--- /dev/null
+++ b/content/html/content/test/file_iframe_sandbox_redirect.html
@@ -0,0 +1,2 @@
+<!DOCTYPE html>
+<body>redirect</body>
new file mode 100644
--- /dev/null
+++ b/content/html/content/test/file_iframe_sandbox_redirect.html^headers^
@@ -0,0 +1,2 @@
+HTTP 301 Moved Permanently
+Location: file_iframe_sandbox_redirect_target.html
new file mode 100644
--- /dev/null
+++ b/content/html/content/test/file_iframe_sandbox_redirect_target.html
@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<head>
+  <script>
+    onmessage = function(event) {
+      parent.postMessage(event.data + " redirect target", "*");
+    }
+  </script>
+</head>
+<body>I have been redirected</body>
--- a/content/html/content/test/mochitest.ini
+++ b/content/html/content/test/mochitest.ini
@@ -130,16 +130,19 @@ support-files =
   file_iframe_sandbox_k_if8.html
   file_iframe_sandbox_k_if9.html
   file_iframe_sandbox_navigation_fail.html
   file_iframe_sandbox_navigation_pass.html
   file_iframe_sandbox_navigation_start.html
   file_iframe_sandbox_open_window_fail.html
   file_iframe_sandbox_open_window_pass.html
   file_iframe_sandbox_pass.js
+  file_iframe_sandbox_redirect.html
+  file_iframe_sandbox_redirect.html^headers^
+  file_iframe_sandbox_redirect_target.html
   file_iframe_sandbox_top_navigation_fail.html
   file_iframe_sandbox_top_navigation_pass.html
   file_iframe_sandbox_window_form_fail.html
   file_iframe_sandbox_window_form_pass.html
   file_iframe_sandbox_window_navigation_fail.html
   file_iframe_sandbox_window_navigation_pass.html
   file_iframe_sandbox_window_top_navigation_pass.html
   file_iframe_sandbox_window_top_navigation_fail.html
@@ -438,16 +441,17 @@ skip-if = buildapp == 'b2g' # b2g(Crash,
 [test_iframe_sandbox_navigation2.html]
 skip-if = buildapp == 'b2g' || e10s # b2g(Crash, bug 904659) b2g-debug(Crash, bug 904659) b2g-desktop(Crash, bug 904659)
 [test_iframe_sandbox_plugins.html]
 skip-if = buildapp == 'b2g' || toolkit == 'android' || e10s # b2g(plugins not supported) b2g-debug(plugins not supported) b2g-desktop(plugins not supported)
 [test_iframe_sandbox_popups.html]
 skip-if = buildapp == 'b2g' # b2g(multiple concurrent window.open()s fail on B2G) b2g-debug(multiple concurrent window.open()s fail on B2G) b2g-desktop(Bug 931116, b2g desktop specific, initial triage)
 [test_iframe_sandbox_popups_inheritance.html]
 skip-if = buildapp == 'b2g' || e10s # b2g(multiple concurrent window.open()s fail on B2G) b2g-debug(multiple concurrent window.open()s fail on B2G) b2g-desktop(Bug 931116, b2g desktop specific, initial triage)
+[test_iframe_sandbox_redirect.html]
 [test_iframe_sandbox_same_origin.html]
 [test_iframe_sandbox_workers.html]
 [test_img_attributes_reflection.html]
 [test_imageSrcSet.html]
 [test_li_attributes_reflection.html]
 [test_link_attributes_reflection.html]
 [test_link_sizes.html]
 [test_map_attributes_reflection.html]
new file mode 100644
--- /dev/null
+++ b/content/html/content/test/test_iframe_sandbox_redirect.html
@@ -0,0 +1,45 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=985135
+-->
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 985135</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+  <script type="application/javascript">
+
+  /** Test for Bug 985135 **/
+  SimpleTest.waitForExplicitFinish();
+  addLoadEvent(function() {
+    try {
+      var doc = frames[0].document;
+      ok(false, "Should not be able to get the document");
+      isnot(doc.body.textContent.slice(0, -1), "I have been redirected",
+            "Should not happen");
+      SimpleTest.finish();
+    } catch (e) {
+      // Check that we got the right document
+      window.onmessage = function(event) {
+        is(event.data, "who are you? redirect target",
+           "Should get the message we expect");
+        SimpleTest.finish();
+      }
+
+      frames[0].postMessage("who are you?", "*");
+    }
+  });
+
+  </script>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=985135">Mozilla Bug 985135</a>
+<p id="display"></p>
+<div id="content" style="display: none">
+<iframe src="file_iframe_sandbox_redirect.html" sandbox="allow-scripts"></iframe>
+</div>
+<pre id="test">
+</pre>
+</body>
+</html>
--- a/netwerk/protocol/http/HttpBaseChannel.cpp
+++ b/netwerk/protocol/http/HttpBaseChannel.cpp
@@ -10,16 +10,17 @@
 
 #include "mozilla/net/HttpBaseChannel.h"
 
 #include "nsHttpHandler.h"
 #include "nsMimeTypes.h"
 #include "nsNetUtil.h"
 
 #include "nsICachingChannel.h"
+#include "nsIPrincipal.h"
 #include "nsISeekableStream.h"
 #include "nsITimedChannel.h"
 #include "nsIEncodedChannel.h"
 #include "nsIApplicationCacheChannel.h"
 #include "nsEscape.h"
 #include "nsStreamListenerWrapper.h"
 #include "nsISecurityConsoleMessage.h"
 #include "nsURLHelper.h"
@@ -1789,16 +1790,23 @@ HttpBaseChannel::SetupReplacementChannel
 
   // Do not pass along LOAD_CHECK_OFFLINE_CACHE
   newLoadFlags &= ~nsICachingChannel::LOAD_CHECK_OFFLINE_CACHE;
 
   newChannel->SetLoadGroup(mLoadGroup);
   newChannel->SetNotificationCallbacks(mCallbacks);
   newChannel->SetLoadFlags(newLoadFlags);
 
+  // If our owner is a null principal it will have been set as a security
+  // measure, so we want to propagate it to the new channel.
+  nsCOMPtr<nsIPrincipal> ownerPrincipal = do_QueryInterface(mOwner);
+  if (ownerPrincipal && ownerPrincipal->GetIsNullPrincipal()) {
+    newChannel->SetOwner(mOwner);
+  }
+
   // Try to preserve the privacy bit if it has been overridden
   if (mPrivateBrowsingOverriden) {
     nsCOMPtr<nsIPrivateBrowsingChannel> newPBChannel =
       do_QueryInterface(newChannel);
     if (newPBChannel) {
       newPBChannel->SetPrivate(mPrivateBrowsing);
     }
   }