Bug 1331295 - nsNullPrincipal should be created using OriginAttributes of the docShell in case the principal is null. r=smaug, a=lizzard
authorAndrea Marchesini <amarchesini@mozilla.com>
Thu, 16 Feb 2017 14:33:39 +0100
changeset 354341 0c2cd04d98131c112d6fbf666b6c57315e3e56fb
parent 354340 d5c64168f67f9c7af9e605ba6d495a32750fd84f
child 354342 c8b603a9fbd62761f4e0a18f2312a1dbf56c7e1e
push id6896
push userryanvm@gmail.com
push dateSat, 18 Feb 2017 16:13:31 +0000
reviewerssmaug, lizzard
bugs1331295
milestone52.0
Bug 1331295 - nsNullPrincipal should be created using OriginAttributes of the docShell in case the principal is null. r=smaug, a=lizzard
docshell/base/crashtests/1331295.html
docshell/base/crashtests/crashtests.list
docshell/base/nsDocShell.cpp
new file mode 100644
--- /dev/null
+++ b/docshell/base/crashtests/1331295.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="UTF-8">
+<script>
+function boom() {
+  setTimeout(function(){
+    var o=document.getElementById('b');
+    document.getElementById('a').appendChild(o.parentNode.removeChild(o));
+  },0);
+  var o=document.getElementById('c');
+  var p=document.getElementById('b');
+  p.id=[o.id, o.id=p.id][0];
+  o=document.getElementById('b');
+  o.setAttribute('sandbox', 'disc');
+  window.location.reload(true);
+}
+</script>
+</head>
+<body onload="boom();">
+<header id='a'></header>
+<output id='b'></output>
+<iframe id='c' sandbox='allow-same-origin' src='http://a'></iframe>
+</body>
+</html>
--- a/docshell/base/crashtests/crashtests.list
+++ b/docshell/base/crashtests/crashtests.list
@@ -8,8 +8,9 @@ load 432114-2.html
 load 436900-1.html
 asserts(0-1) load 436900-2.html # bug 566159
 load 500328-1.html
 load 514779-1.xhtml
 load 614499-1.html
 load 678872-1.html
 skip-if(Android) pref(dom.disable_open_during_load,false) load 914521.html
 pref(browser.send_pings,true) load 1257730-1.html
+load 1331295.html
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@@ -8077,17 +8077,21 @@ nsDocShell::CreateAboutBlankContentViewe
   mFiredUnloadEvent = false;
 
   nsCOMPtr<nsIDocumentLoaderFactory> docFactory =
     nsContentUtils::FindInternalContentViewer(NS_LITERAL_CSTRING("text/html"));
 
   if (docFactory) {
     nsCOMPtr<nsIPrincipal> principal;
     if (mSandboxFlags & SANDBOXED_ORIGIN) {
-      principal = nsNullPrincipal::CreateWithInheritedAttributes(aPrincipal);
+      if (aPrincipal) {
+        principal = nsNullPrincipal::CreateWithInheritedAttributes(aPrincipal);
+      } else {
+        principal = nsNullPrincipal::CreateWithInheritedAttributes(this);
+      }
     } else {
       principal = aPrincipal;
     }
     // generate (about:blank) document to load
     docFactory->CreateBlankDocument(mLoadGroup, principal,
                                     getter_AddRefs(blankDoc));
     if (blankDoc) {
       // Hack: set the base URI manually, since this document never
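Review bot: The new null check in the sandboxed branch has no comment saying why aPrincipal may be null here or why the docshell is the right source of OriginAttributes, so the next reader will not see why the two overloads are needed; a comment such as `// aPrincipal may be null (the crashtest reaches this on reload of a sandboxed frame); derive the null principal's OriginAttributes from this docshell so they are not left at defaults` above the inner if would carry that. The non-sandboxed else branch still forwards a null aPrincipal to CreateBlankDocument unchanged; whether that call tolerates a null principal is not visible in the hunk, so it is worth either a one-line comment stating that it does or the same fallback if it does not. nsDocShell::CreateAboutBlankContentViewer begins and ends outside this hunk.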