Bug 1212904 P0 Do not abuse fetch response tainting to create opaqueredirect responses. r=ehsan
authorBen Kelly <ben@wanderview.com>
Thu, 22 Oct 2015 11:07:32 -0700
changeset 304259 6b7feb3ce23042d551b7110a34ec90433e5ac391
parent 304161 3888eea6aaf2329e5f5f44fa2b56346627ebdc7e
child 304260 342a49e40ecfc244126f323fb300693f819e127a
push id1001
push userraliiev@mozilla.com
push dateMon, 18 Jan 2016 19:06:03 +0000
reviewersehsan
bugs1212904
milestone44.0a1
Bug 1212904 P0 Do not abuse fetch response tainting to create opaqueredirect responses. r=ehsan
dom/fetch/FetchDriver.cpp
dom/fetch/FetchDriver.h
dom/fetch/InternalRequest.h
--- a/dom/fetch/FetchDriver.cpp
+++ b/dom/fetch/FetchDriver.cpp
@@ -46,16 +46,17 @@ NS_IMPL_ISUPPORTS(FetchDriver,
                   nsIThreadRetargetableStreamListener)
 
 FetchDriver::FetchDriver(InternalRequest* aRequest, nsIPrincipal* aPrincipal,
                          nsILoadGroup* aLoadGroup)
   : mPrincipal(aPrincipal)
   , mLoadGroup(aLoadGroup)
   , mRequest(aRequest)
   , mHasBeenCrossSite(false)
+  , mFoundOpaqueRedirect(false)
   , mResponseAvailableCalled(false)
   , mFetchCalled(false)
 {
 }
 
 FetchDriver::~FetchDriver()
 {
   // We assert this since even on failures, we should call
@@ -442,31 +443,32 @@ FetchDriver::BeginAndGetFilteredResponse
     mRequest->GetURL(reqURL);
   }
   DebugOnly<nsresult> rv = aResponse->StripFragmentAndSetUrl(reqURL);
   MOZ_ASSERT(NS_SUCCEEDED(rv));
 
   // FIXME(nsm): Handle mixed content check, step 7 of fetch.
 
   RefPtr<InternalResponse> filteredResponse;
-  switch (mRequest->GetResponseTainting()) {
-    case InternalRequest::RESPONSETAINT_BASIC:
-      filteredResponse = aResponse->BasicResponse();
-      break;
-    case InternalRequest::RESPONSETAINT_CORS:
-      filteredResponse = aResponse->CORSResponse();
-      break;
-    case InternalRequest::RESPONSETAINT_OPAQUE:
-      filteredResponse = aResponse->OpaqueResponse();
-      break;
-    case InternalRequest::RESPONSETAINT_OPAQUEREDIRECT:
-      filteredResponse = aResponse->OpaqueRedirectResponse();
-      break;
-    default:
-      MOZ_CRASH("Unexpected case");
+  if (mFoundOpaqueRedirect) {
+    filteredResponse = aResponse->OpaqueRedirectResponse();
+  } else {
+    switch (mRequest->GetResponseTainting()) {
+      case InternalRequest::RESPONSETAINT_BASIC:
+        filteredResponse = aResponse->BasicResponse();
+        break;
+      case InternalRequest::RESPONSETAINT_CORS:
+        filteredResponse = aResponse->CORSResponse();
+        break;
+      case InternalRequest::RESPONSETAINT_OPAQUE:
+        filteredResponse = aResponse->OpaqueResponse();
+        break;
+      default:
+        MOZ_CRASH("Unexpected case");
+    }
   }
 
   MOZ_ASSERT(filteredResponse);
   MOZ_ASSERT(mObserver);
   mObserver->OnResponseAvailable(filteredResponse);
   mResponseAvailableCalled = true;
   return filteredResponse.forget();
 }
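Review bot: The new `if (mFoundOpaqueRedirect)` branch overrides whatever `mRequest->GetResponseTainting()` reports, and nothing at this site says why the driver-local flag wins over the request's tainting, so a later reader could reasonably fold it back into the switch. A short comment above `if (mFoundOpaqueRedirect) {` would pin the intent: `// A vetoed redirect is surfaced as an opaqueredirect Response regardless of the request's tainting; the flag is driver state set in AsyncOnChannelRedirect, not part of InternalRequest.` BeginAndGetFilteredResponse starts outside the hunk.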
@@ -744,17 +746,18 @@ FetchDriver::AsyncOnChannelRedirect(nsIC
     // The HTTP cache will also error on vetoed redirects when the
     // redirect has been previously cached.
     //
     // Therefore simulate the completion of the channel to produce the
     // opaqueredirect Response and then cancel the original channel.  This
     // will result in OnStartRequest() getting called twice, but the second
     // time will be with an error response (from the Cancel) which will
     // be ignored.
-    mRequest->SetResponseTainting(InternalRequest::RESPONSETAINT_OPAQUEREDIRECT);
+    MOZ_ASSERT(!mFoundOpaqueRedirect);
+    mFoundOpaqueRedirect = true;
     unused << OnStartRequest(aOldChannel, nullptr);
     unused << OnStopRequest(aOldChannel, nullptr, NS_OK);
 
     aOldChannel->Cancel(NS_BINDING_FAILED);
 
     return NS_BINDING_FAILED;
   }
 
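Review bot: `MOZ_ASSERT(!mFoundOpaqueRedirect)` compiles away in release builds, so if this branch of AsyncOnChannelRedirect can be entered a second time for the same driver, the simulated `OnStartRequest`/`OnStopRequest` pair would run again with nothing preventing it; whether that is reachable is not visible from the hunk. If single-shot is the contract, a comment on the assignment such as `// Single-shot: completion is simulated at most once per fetch.` makes the expectation explicit; if it is not guaranteed, returning early when the flag is already set would be safer than the assert alone. The enclosing function starts outside the hunk.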
--- a/dom/fetch/FetchDriver.h
+++ b/dom/fetch/FetchDriver.h
@@ -78,16 +78,17 @@ private:
   nsCOMPtr<nsIPrincipal> mPrincipal;
   nsCOMPtr<nsILoadGroup> mLoadGroup;
   RefPtr<InternalRequest> mRequest;
   RefPtr<InternalResponse> mResponse;
   nsCOMPtr<nsIOutputStream> mPipeOutputStream;
   RefPtr<FetchDriverObserver> mObserver;
   nsCOMPtr<nsIDocument> mDocument;
   bool mHasBeenCrossSite;
+  bool mFoundOpaqueRedirect;
 
   DebugOnly<bool> mResponseAvailableCalled;
   DebugOnly<bool> mFetchCalled;
 
   FetchDriver() = delete;
   FetchDriver(const FetchDriver&) = delete;
   FetchDriver& operator=(const FetchDriver&) = delete;
   ~FetchDriver();
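Review bot: The new member `bool mFoundOpaqueRedirect;` carries no comment, and its meaning depends on two places in FetchDriver.cpp that a header reader will not see. Suggest documenting it inline: `// Set once AsyncOnChannelRedirect vetoes a redirect; BeginAndGetFilteredResponse then produces an opaqueredirect Response regardless of mRequest's tainting.` The flag is initialized to false in the constructor per the FetchDriver.cpp hunk, so no in-class initializer is needed.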
--- a/dom/fetch/InternalRequest.h
+++ b/dom/fetch/InternalRequest.h
@@ -87,17 +87,16 @@ class InternalRequest final
 public:
   NS_INLINE_DECL_THREADSAFE_REFCOUNTING(InternalRequest)
 
   enum ResponseTainting
   {
     RESPONSETAINT_BASIC,
     RESPONSETAINT_CORS,
     RESPONSETAINT_OPAQUE,
-    RESPONSETAINT_OPAQUEREDIRECT,
   };
 
   explicit InternalRequest()
     : mMethod("GET")
     , mHeaders(new InternalHeaders(HeadersGuardEnum::None))
     , mReferrer(NS_LITERAL_STRING(kFETCH_CLIENT_REFERRER_STR))
     , mMode(RequestMode::No_cors)
     , mCredentialsMode(RequestCredentials::Omit)