Bug 1529877: Only query the CSP from the Principal in case it's an ExpandedPrincipal within nsFrameLoader. r=bz
author: Christoph Kerschbaumer <ckerschb@christophkerschbaumer.com>
date: Mon, 04 Mar 2019 09:33:58 +0200
changeset: 520082 90615191631a422dff6c730390980e360b6b465e
parent: 520081 d860aa8a661bd0270ea6282a43e41e7027aea899
child: 520083 b43a92afda7d6e7430eb77941e81bd1e125ea5ab
push id: 10862
push user: ffxbld-merge
push date: Mon, 11 Mar 2019 13:01:11 +0000
reviewers: bz
bugs: 1529877
milestone: 67.0a1
Bug 1529877: Only query the CSP from the Principal in case it's an ExpandedPrincipal within nsFrameLoader. r=bz
Reviewers: kmag, bzbarsky
Reviewed By: kmag, bzbarsky
Bug #: 1529877
Differential Revision: https://phabricator.services.mozilla.com/D21651
dom/base/nsFrameLoader.cpp
--- a/dom/base/nsFrameLoader.cpp
+++ b/dom/base/nsFrameLoader.cpp
@@ -391,21 +391,31 @@ nsresult nsFrameLoader::ReallyStartLoadi
   // is very important; needed to prevent XSS attacks on documents loaded in
   // subframes!
   if (mTriggeringPrincipal) {
     loadState->SetTriggeringPrincipal(mTriggeringPrincipal);
   } else {
     loadState->SetTriggeringPrincipal(mOwnerContent->NodePrincipal());
   }
 
-  // Currently we query the CSP from the principal, but after
-  // Bug 1529877 we should query the CSP from within GetURL and
-  // store it as a member, similar to mTriggeringPrincipal.
+  // Expanded Principals override the CSP of the document, hence we first check
+  // if the triggeringPrincipal overrides the document's principal. If so, let's
+  // query the CSP from that Principal, otherwise we use the document's CSP.
+  // Note that even after Bug 965637, Expanded Principals will hold their own
+  // CSP.
   nsCOMPtr<nsIContentSecurityPolicy> csp;
-  loadState->TriggeringPrincipal()->GetCsp(getter_AddRefs(csp));
+  if (BasePrincipal::Cast(loadState->TriggeringPrincipal())
+          ->OverridesCSP(mOwnerContent->NodePrincipal())) {
+    loadState->TriggeringPrincipal()->GetCsp(getter_AddRefs(csp));
+  } else {
+    // Currently the NodePrincipal holds the CSP for a document. After
+    // Bug 965637 we can query the CSP from mOwnerContent->OwnerDoc()
+    // instead of mOwnerContent->NodePrincipal().
+    mOwnerContent->NodePrincipal()->GetCsp(getter_AddRefs(csp));
+  }
   loadState->SetCsp(csp);
 
   nsCOMPtr<nsIURI> referrer;
 
   nsAutoString srcdoc;
   bool isSrcdoc =
       mOwnerContent->IsHTMLElement(nsGkAtoms::iframe) &&
       mOwnerContent->GetAttr(kNameSpaceID_None, nsGkAtoms::srcdoc, srcdoc);
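Review bot: The new OverridesCSP() branch only changes behaviour when mTriggeringPrincipal is set; in the else path a few lines above, TriggeringPrincipal() is mOwnerContent->NodePrincipal() itself, so OverridesCSP() is being asked whether a principal overrides its own CSP, and both branches then fetch the same CSP. Worth confirming OverridesCSP() returns false for that self-comparison (it is not visible here), and adding a one-line comment such as "// Only differs from the document CSP when mTriggeringPrincipal is an expanded principal" so the next reader does not have to re-derive that. Minor: the commit title says the CSP is taken from the principal "in case it's an ExpandedPrincipal", but the code keys on the more general OverridesCSP() check; the block comment covers this, so consider matching the title to the check. Also, Bug 965637 is now cited twice within a few lines (block comment and the else branch); one reference in the block comment would do.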