Bug 1497301 part 3. Simplify Location::CheckURL. r=bholley
☠☠ backed out by 9268ec81fb01 ☠ ☠
authorBoris Zbarsky <bzbarsky@mit.edu>
Fri, 12 Oct 2018 11:07:18 -0400
changeset 489209 5d0df5f741700ae8e74d894ae95ae590b239e0ec
parent 489208 c9e04519cd763068fa380109ffdf21978932c77e
child 489210 101903689bc0ee0bc178fc5c333e198b16166fe2
push id247
push userfmarier@mozilla.com
push dateSat, 27 Oct 2018 01:06:44 +0000
reviewersbholley
bugs1497301
milestone64.0a1
Bug 1497301 part 3. Simplify Location::CheckURL. r=bholley The main change is to just use the principal bindings pass us to do our CheckLoadURI check. If we do that, we don't have to care about the current JSContext.
dom/base/Location.cpp
dom/base/Location.h
dom/webidl/Location.webidl
--- a/dom/base/Location.cpp
+++ b/dom/base/Location.cpp
@@ -57,101 +57,90 @@ NS_INTERFACE_MAP_BEGIN_CYCLE_COLLECTION(
 NS_INTERFACE_MAP_END
 
 NS_IMPL_CYCLE_COLLECTION_WRAPPERCACHE(Location, mInnerWindow)
 
 NS_IMPL_CYCLE_COLLECTING_ADDREF(Location)
 NS_IMPL_CYCLE_COLLECTING_RELEASE(Location)
 
 nsresult
-Location::CheckURL(nsIURI* aURI, nsDocShellLoadInfo** aLoadInfo)
+Location::CheckURL(nsIURI* aURI, nsIPrincipal& aSubjectPrincipal, nsDocShellLoadInfo** aLoadInfo)
 {
   *aLoadInfo = nullptr;
 
   nsCOMPtr<nsIDocShell> docShell(do_QueryReferent(mDocShell));
   NS_ENSURE_TRUE(docShell, NS_ERROR_NOT_AVAILABLE);
 
   nsCOMPtr<nsIPrincipal> triggeringPrincipal;
   nsCOMPtr<nsIURI> sourceURI;
   net::ReferrerPolicy referrerPolicy = net::RP_Unset;
 
-  if (JSContext *cx = nsContentUtils::GetCurrentJSContext()) {
-    // No cx means that there's no JS running, or at least no JS that
-    // was run through code that properly pushed a context onto the
-    // context stack (as all code that runs JS off of web pages
-    // does). We won't bother with security checks in this case, but
-    // we need to create the loadinfo etc.
+  // Get security manager.
+  nsIScriptSecurityManager* ssm = nsContentUtils::GetSecurityManager();
+  NS_ENSURE_STATE(ssm);
+
+  // Check to see if URI is allowed.
+  nsresult rv = ssm->CheckLoadURIWithPrincipal(&aSubjectPrincipal, aURI,
+                                               nsIScriptSecurityManager::STANDARD);
+  NS_ENSURE_SUCCESS(rv, rv);
 
-    // Get security manager.
-    nsIScriptSecurityManager* ssm = nsContentUtils::GetSecurityManager();
-    NS_ENSURE_STATE(ssm);
+  // Make the load's referrer reflect changes to the document's URI caused by
+  // push/replaceState, if possible.  First, get the document corresponding to
+  // fp.  If the document's original URI (i.e. its URI before
+  // push/replaceState) matches the principal's URI, use the document's
+  // current URI as the referrer.  If they don't match, use the principal's
+  // URI.
+  //
+  // The triggering principal for this load should be the principal of the
+  // incumbent document (which matches where the referrer information is
+  // coming from) when there is an incumbent document, and the subject
+  // principal otherwise.  Note that the URI in the triggering principal
+  // may not match the referrer URI in various cases, notably including
+  // the cases when the incumbent document's document URI was modified
+  // after the document was loaded.
 
-    // Check to see if URI is allowed.
-    nsresult rv = ssm->CheckLoadURIFromScript(cx, aURI);
+  nsCOMPtr<nsPIDOMWindowInner> incumbent =
+    do_QueryInterface(mozilla::dom::GetIncumbentGlobal());
+  nsCOMPtr<nsIDocument> doc = incumbent ? incumbent->GetDoc() : nullptr;
+
+  if (doc) {
+    nsCOMPtr<nsIURI> docOriginalURI, docCurrentURI, principalURI;
+    docOriginalURI = doc->GetOriginalURI();
+    docCurrentURI = doc->GetDocumentURI();
+    rv = doc->NodePrincipal()->GetURI(getter_AddRefs(principalURI));
     NS_ENSURE_SUCCESS(rv, rv);
 
-    // Make the load's referrer reflect changes to the document's URI caused by
-    // push/replaceState, if possible.  First, get the document corresponding to
-    // fp.  If the document's original URI (i.e. its URI before
-    // push/replaceState) matches the principal's URI, use the document's
-    // current URI as the referrer.  If they don't match, use the principal's
-    // URI.
-    //
-    // The triggering principal for this load should be the principal of the
-    // incumbent document (which matches where the referrer information is
-    // coming from) when there is an incumbent document, and the subject
-    // principal otherwise.  Note that the URI in the triggering principal
-    // may not match the referrer URI in various cases, notably including
-    // the cases when the incumbent document's document URI was modified
-    // after the document was loaded.
-
-    nsCOMPtr<nsPIDOMWindowInner> incumbent =
-      do_QueryInterface(mozilla::dom::GetIncumbentGlobal());
-    nsCOMPtr<nsIDocument> doc = incumbent ? incumbent->GetDoc() : nullptr;
+    triggeringPrincipal = doc->NodePrincipal();
+    referrerPolicy = doc->GetReferrerPolicy();
 
-    if (doc) {
-      nsCOMPtr<nsIURI> docOriginalURI, docCurrentURI, principalURI;
-      docOriginalURI = doc->GetOriginalURI();
-      docCurrentURI = doc->GetDocumentURI();
-      rv = doc->NodePrincipal()->GetURI(getter_AddRefs(principalURI));
-      NS_ENSURE_SUCCESS(rv, rv);
-
-      triggeringPrincipal = doc->NodePrincipal();
-      referrerPolicy = doc->GetReferrerPolicy();
-
-      bool urisEqual = false;
-      if (docOriginalURI && docCurrentURI && principalURI) {
-        principalURI->Equals(docOriginalURI, &urisEqual);
-      }
-      if (urisEqual) {
-        sourceURI = docCurrentURI;
-      }
-      else {
-        // Use principalURI as long as it is not an NullPrincipalURI.  We
-        // could add a method such as GetReferrerURI to principals to make this
-        // cleaner, but given that we need to start using Source Browsing
-        // Context for referrer (see Bug 960639) this may be wasted effort at
-        // this stage.
-        if (principalURI) {
-          bool isNullPrincipalScheme;
-          rv = principalURI->SchemeIs(NS_NULLPRINCIPAL_SCHEME,
-                                     &isNullPrincipalScheme);
-          if (NS_SUCCEEDED(rv) && !isNullPrincipalScheme) {
-            sourceURI = principalURI;
-          }
+    bool urisEqual = false;
+    if (docOriginalURI && docCurrentURI && principalURI) {
+      principalURI->Equals(docOriginalURI, &urisEqual);
+    }
+    if (urisEqual) {
+      sourceURI = docCurrentURI;
+    }
+    else {
+      // Use principalURI as long as it is not an NullPrincipalURI.  We
+      // could add a method such as GetReferrerURI to principals to make this
+      // cleaner, but given that we need to start using Source Browsing
+      // Context for referrer (see Bug 960639) this may be wasted effort at
+      // this stage.
+      if (principalURI) {
+        bool isNullPrincipalScheme;
+        rv = principalURI->SchemeIs(NS_NULLPRINCIPAL_SCHEME,
+                                    &isNullPrincipalScheme);
+        if (NS_SUCCEEDED(rv) && !isNullPrincipalScheme) {
+          sourceURI = principalURI;
         }
       }
     }
-    else {
-      // No document; determine triggeringPrincipal by quering the
-      // subjectPrincipal, wich is the principal of the current JS
-      // compartment, or a null principal in case there is no
-      // compartment yet.
-      triggeringPrincipal = nsContentUtils::SubjectPrincipal();
-    }
+  } else {
+    // No document; just use our subject principal as the triggering principal.
+    triggeringPrincipal = &aSubjectPrincipal;
   }
 
   // Create load info
   RefPtr<nsDocShellLoadInfo> loadInfo = new nsDocShellLoadInfo();
 
   loadInfo->SetTriggeringPrincipal(triggeringPrincipal);
 
   if (sourceURI) {
@@ -202,23 +191,23 @@ Location::GetURI(nsIURI** aURI, bool aGe
 
   nsCOMPtr<nsIURIFixup> urifixup(do_GetService(NS_URIFIXUP_CONTRACTID, &rv));
   NS_ENSURE_SUCCESS(rv, rv);
 
   return urifixup->CreateExposableURI(uri, aURI);
 }
 
 nsresult
-Location::SetURI(nsIURI* aURI, bool aReplace)
+Location::SetURI(nsIURI* aURI, nsIPrincipal& aSubjectPrincipal, bool aReplace)
 {
   nsCOMPtr<nsIDocShell> docShell(do_QueryReferent(mDocShell));
   if (docShell) {
     RefPtr<nsDocShellLoadInfo> loadInfo;
 
-    if(NS_FAILED(CheckURL(aURI, getter_AddRefs(loadInfo))))
+    if(NS_FAILED(CheckURL(aURI, aSubjectPrincipal, getter_AddRefs(loadInfo))))
       return NS_ERROR_FAILURE;
 
     if (aReplace) {
       loadInfo->SetLoadType(LOAD_STOP_CONTENT_AND_REPLACE);
     } else {
       loadInfo->SetLoadType(LOAD_STOP_CONTENT);
     }
 
@@ -300,17 +289,17 @@ Location::SetHash(const nsAString& aHash
 
   aRv = NS_MutateURI(uri)
           .SetRef(hash)
           .Finalize(uri);
   if (NS_WARN_IF(aRv.Failed()) || !uri) {
     return;
   }
 
-  aRv = SetURI(uri);
+  aRv = SetURI(uri, aSubjectPrincipal);
 }
 
 void
 Location::GetHost(nsAString& aHost,
                   nsIPrincipal& aSubjectPrincipal,
                   ErrorResult& aRv)
 {
   if (!CallerSubsumes(&aSubjectPrincipal)) {
@@ -354,17 +343,17 @@ Location::SetHost(const nsAString& aHost
 
   aRv = NS_MutateURI(uri)
           .SetHostPort(NS_ConvertUTF16toUTF8(aHost))
           .Finalize(uri);
   if (NS_WARN_IF(aRv.Failed())) {
     return;
   }
 
-  aRv = SetURI(uri);
+  aRv = SetURI(uri, aSubjectPrincipal);
 }
 
 void
 Location::GetHostname(nsAString& aHostname,
                       nsIPrincipal& aSubjectPrincipal,
                       ErrorResult& aRv)
 {
   if (!CallerSubsumes(&aSubjectPrincipal)) {
@@ -399,17 +388,17 @@ Location::SetHostname(const nsAString& a
 
   aRv = NS_MutateURI(uri)
           .SetHost(NS_ConvertUTF16toUTF8(aHostname))
           .Finalize(uri);
   if (NS_WARN_IF(aRv.Failed())) {
     return;
   }
 
-  aRv = SetURI(uri);
+  aRv = SetURI(uri, aSubjectPrincipal);
 }
 
 nsresult
 Location::GetHref(nsAString& aHref)
 {
   aHref.Truncate();
 
   nsCOMPtr<nsIURI> uri;
@@ -425,32 +414,35 @@ Location::GetHref(nsAString& aHref)
   }
 
   AppendUTF8toUTF16(uriString, aHref);
   return NS_OK;
 }
 
 void
 Location::SetHref(const nsAString& aHref,
+                  nsIPrincipal& aSubjectPrincipal,
                   ErrorResult& aRv)
 {
-  DoSetHref(aHref, false, aRv);
+  DoSetHref(aHref, aSubjectPrincipal, false, aRv);
 }
 
 void
-Location::DoSetHref(const nsAString& aHref, bool aReplace, ErrorResult& aRv)
+Location::DoSetHref(const nsAString& aHref, nsIPrincipal& aSubjectPrincipal,
+                    bool aReplace, ErrorResult& aRv)
 {
   // Get the source of the caller
   nsCOMPtr<nsIURI> base = GetSourceBaseURL();
 
-  aRv = SetHrefWithBase(aHref, base, aReplace);
+  aRv = SetHrefWithBase(aHref, base, aSubjectPrincipal, aReplace);
 }
 
 nsresult
 Location::SetHrefWithBase(const nsAString& aHref, nsIURI* aBase,
+                          nsIPrincipal& aSubjectPrincipal,
                           bool aReplace)
 {
   nsresult result;
   nsCOMPtr<nsIURI> newUri;
 
   nsCOMPtr<nsIDocShell> docShell(do_QueryReferent(mDocShell));
 
   if (nsIDocument* doc = GetEntryDocument()) {
@@ -483,17 +475,17 @@ Location::SetHrefWithBase(const nsAStrin
         // since we only want to replace if the location is set by a
         // <script> tag in the same window.  See bug 178729.
         nsCOMPtr<nsIScriptGlobalObject> ourGlobal =
           docShell ? docShell->GetScriptGlobalObject() : nullptr;
         inScriptTag = (ourGlobal == scriptContext->GetGlobalObject());
       }
     }
 
-    return SetURI(newUri, aReplace || inScriptTag);
+    return SetURI(newUri, aSubjectPrincipal, aReplace || inScriptTag);
   }
   return result;
 }
 
 void
 Location::GetOrigin(nsAString& aOrigin,
                     nsIPrincipal& aSubjectPrincipal,
                     ErrorResult& aRv)
@@ -566,17 +558,17 @@ Location::SetPathname(const nsAString& a
 
   nsresult rv = NS_MutateURI(uri)
                   .SetFilePath(NS_ConvertUTF16toUTF8(aPathname))
                   .Finalize(uri);
   if (NS_FAILED(rv)) {
     return;
   }
 
-  aRv = SetURI(uri);
+  aRv = SetURI(uri, aSubjectPrincipal);
 }
 
 void
 Location::GetPort(nsAString& aPort,
                   nsIPrincipal& aSubjectPrincipal,
                   ErrorResult& aRv)
 {
   if (!CallerSubsumes(&aSubjectPrincipal)) {
@@ -635,17 +627,17 @@ Location::SetPort(const nsAString& aPort
 
   aRv = NS_MutateURI(uri)
           .SetPort(port)
           .Finalize(uri);
   if (NS_WARN_IF(aRv.Failed())) {
     return;
   }
 
-  aRv = SetURI(uri);
+  aRv = SetURI(uri, aSubjectPrincipal);
 }
 
 void
 Location::GetProtocol(nsAString& aProtocol,
                       nsIPrincipal& aSubjectPrincipal,
                       ErrorResult& aRv)
 {
   if (!CallerSubsumes(&aSubjectPrincipal)) {
@@ -732,17 +724,17 @@ Location::SetProtocol(const nsAString& a
     return;
   }
 
   if (!isHttp && !isHttps) {
     // No-op, per spec.
     return;
   }
 
-  aRv = SetURI(uri);
+  aRv = SetURI(uri, aSubjectPrincipal);
 }
 
 void
 Location::GetSearch(nsAString& aSearch,
                     nsIPrincipal& aSubjectPrincipal,
                     ErrorResult& aRv)
 {
   if (!CallerSubsumes(&aSubjectPrincipal)) {
@@ -797,17 +789,17 @@ Location::SetSearch(const nsAString& aSe
     aRv = NS_MutateURI(uri)
             .SetQuery(NS_ConvertUTF16toUTF8(aSearch))
             .Finalize(uri);
   }
   if (NS_WARN_IF(aRv.Failed())) {
     return;
   }
 
-  aRv = SetURI(uri);
+  aRv = SetURI(uri, aSubjectPrincipal);
 }
 
 nsresult
 Location::Reload(bool aForceget)
 {
   nsCOMPtr<nsIDocShell> docShell(do_QueryReferent(mDocShell));
   nsCOMPtr<nsIWebNavigation> webNav(do_QueryInterface(docShell));
   nsCOMPtr<nsPIDOMWindowOuter> window = docShell ? docShell->GetWindow()
@@ -853,30 +845,30 @@ Location::Reload(bool aForceget)
   return rv;
 }
 
 void
 Location::Replace(const nsAString& aUrl,
                   nsIPrincipal& aSubjectPrincipal,
                   ErrorResult& aRv)
 {
-  DoSetHref(aUrl, true, aRv);
+  DoSetHref(aUrl, aSubjectPrincipal, true, aRv);
 }
 
 void
 Location::Assign(const nsAString& aUrl,
                  nsIPrincipal& aSubjectPrincipal,
                  ErrorResult& aRv)
 {
   if (!CallerSubsumes(&aSubjectPrincipal)) {
     aRv.Throw(NS_ERROR_DOM_SECURITY_ERR);
     return;
   }
 
-  DoSetHref(aUrl, false, aRv);
+  DoSetHref(aUrl, aSubjectPrincipal, false, aRv);
 }
 
 already_AddRefed<nsIURI>
 Location::GetSourceBaseURL()
 {
   nsIDocument* doc = GetEntryDocument();
   // If there's no entry document, we either have no Script Entry Point or one
   // that isn't a DOM Window.  This doesn't generally happen with the DOM, but
--- a/dom/base/Location.h
+++ b/dom/base/Location.h
@@ -63,16 +63,17 @@ public:
       aError.Throw(NS_ERROR_DOM_SECURITY_ERR);
       return;
     }
 
     aError = GetHref(aHref);
   }
 
   void SetHref(const nsAString& aHref,
+               nsIPrincipal& aSubjectPrincipal,
                ErrorResult& aError);
 
   void GetOrigin(nsAString& aOrigin,
                  nsIPrincipal& aSubjectPrincipal,
                  ErrorResult& aError);
 
   void GetProtocol(nsAString& aProtocol,
                    nsIPrincipal& aSubjectPrincipal,
@@ -161,27 +162,35 @@ protected:
   virtual ~Location();
 
   // In the case of jar: uris, we sometimes want the place the jar was
   // fetched from as the URI instead of the jar: uri itself.  Pass in
   // true for aGetInnermostURI when that's the case.
   // Note, this method can return NS_OK with a null value for aURL. This happens
   // if the docShell is null.
   nsresult GetURI(nsIURI** aURL, bool aGetInnermostURI = false);
-  nsresult SetURI(nsIURI* aURL, bool aReplace = false);
+  nsresult SetURI(nsIURI* aURL, nsIPrincipal& aSubjectPrincipal, bool aReplace = false);
   nsresult SetHrefWithBase(const nsAString& aHref, nsIURI* aBase,
-                           bool aReplace);
+                           nsIPrincipal& aSubjectPrincipal, bool aReplace);
 
   // Helper for Assign/SetHref/Replace
-  void DoSetHref(const nsAString& aHref, bool aReplace, ErrorResult& aRv);
+  void DoSetHref(const nsAString& aHref, nsIPrincipal& aSubjectPrincipal,
+                 bool aReplace, ErrorResult& aRv);
 
   // Get the base URL we should be using for our relative URL
   // resolution for SetHref/Assign/Replace.
   already_AddRefed<nsIURI> GetSourceBaseURL();
-  nsresult CheckURL(nsIURI *url, nsDocShellLoadInfo** aLoadInfo);
+
+  // Check whether it's OK to load the given url with the given subject
+  // principal, and if so construct the right nsDocShellLoadInfo for the load
+  // and return it.
+  nsresult CheckURL(nsIURI *url,
+                    nsIPrincipal& aSubjectPrincipal,
+                    nsDocShellLoadInfo** aLoadInfo);
+
   bool CallerSubsumes(nsIPrincipal* aSubjectPrincipal);
 
   nsString mCachedHash;
   nsCOMPtr<nsPIDOMWindowInner> mInnerWindow;
   nsWeakPtr mDocShell;
 };
 
 } // dom namespace
--- a/dom/webidl/Location.webidl
+++ b/dom/webidl/Location.webidl
@@ -15,17 +15,17 @@
 interface Location {
   // Bug 824857: no support for stringifier attributes yet.
   //  stringifier attribute USVString href;
 
   // Bug 824857 should remove this.
   [Throws, NeedsSubjectPrincipal]
   stringifier;
 
-  [Throws, CrossOriginWritable, GetterNeedsSubjectPrincipal]
+  [Throws, CrossOriginWritable, NeedsSubjectPrincipal]
            attribute USVString href;
   [Throws, NeedsSubjectPrincipal]
   readonly attribute USVString origin;
   [Throws, NeedsSubjectPrincipal]
            attribute USVString protocol;
   [Throws, NeedsSubjectPrincipal]
            attribute USVString host;
   [Throws, NeedsSubjectPrincipal]