Bug 1317641 - Some loadinfo security flags should not apply in case of a redirect. r=bz
authorDragana Damjanovic <dd.mozilla@gmail.com>
Wed, 23 Nov 2016 17:54:58 -0500
changeset 324139 9935254c39eef9d14de419dd6163ff453cc1ce16
parent 324138 b323faf96458c2fc32e6f60f5b49eca69727b8ea
child 324140 5e508878b3d81e2823246ebf85bb470762581a15
push id24
push usermaklebus@msu.edu
push dateTue, 20 Dec 2016 03:11:33 +0000
reviewersbz
bugs1317641
milestone53.0a1
Bug 1317641 - Some loadinfo security flags should not apply in case of a redirect. r=bz
caps/nsScriptSecurityManager.cpp
--- a/caps/nsScriptSecurityManager.cpp
+++ b/caps/nsScriptSecurityManager.cpp
@@ -321,19 +321,22 @@ nsScriptSecurityManager::GetChannelResul
             if (!principalToInherit) {
               principalToInherit = loadInfo->TriggeringPrincipal();
             }
             principalToInherit.forget(aPrincipal);
             return NS_OK;
         }
 
         nsSecurityFlags securityFlags = loadInfo->GetSecurityMode();
-        if (securityFlags == nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_DATA_INHERITS ||
-            securityFlags == nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_DATA_INHERITS ||
-            securityFlags == nsILoadInfo::SEC_REQUIRE_CORS_DATA_INHERITS) {
+        // The data: inheritance flags should only apply to the initial load,
+        // not to loads that it might have redirected to.
+        if (loadInfo->RedirectChain().IsEmpty() &&
+            (securityFlags == nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_DATA_INHERITS ||
+             securityFlags == nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_DATA_INHERITS ||
+             securityFlags == nsILoadInfo::SEC_REQUIRE_CORS_DATA_INHERITS)) {
 
             nsCOMPtr<nsIURI> uri;
             nsresult rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(uri));
             NS_ENSURE_SUCCESS(rv, rv); 
             nsCOMPtr<nsIPrincipal> principalToInherit = loadInfo->PrincipalToInherit();
             if (!principalToInherit) {
               principalToInherit = loadInfo->TriggeringPrincipal();
             }