Bug 732209 part 6. Allow web pages to access cross-origin stylesheets if the CORS headers say so. r=dbaron,sicking

When gaining such access, the web page resets the stylesheet to its principal, because it can now edit the sheet.

layout/style/nsCSSStyleSheet.cpp

@@ -1589,7 +1589,7 @@ nsCSSStyleSheet::DidDirty()
 }
 
 nsresult
-nsCSSStyleSheet::SubjectSubsumesInnerPrincipal() const
+nsCSSStyleSheet::SubjectSubsumesInnerPrincipal()
 {
   // Get the security manager and do the subsumes check
   nsIScriptSecurityManager *securityManager =
@@ -1612,7 +1612,26 @@ nsCSSStyleSheet::SubjectSubsumesInnerPrincipal() const
   }
   
   if (!nsContentUtils::IsCallerTrustedForWrite()) {
-    return NS_ERROR_DOM_SECURITY_ERR;
+    // Allow access only if CORS mode is not NONE
+    if (GetCORSMode() == CORS_NONE) {
+      return NS_ERROR_DOM_SECURITY_ERR;
+    }
+
+    // Now make sure we set the principal of our inner to the
+    // subjectPrincipal.  That means we need a unique inner, of
+    // course.  But we don't want to do that if we're not complete
+    // yet.  Luckily, all the callers of this method throw anyway if
+    // not complete, so we can just do that here too.
+    if (!mInner->mComplete) {
+      return NS_ERROR_DOM_INVALID_ACCESS_ERR;
+    }
+
+    rv = WillDirty();
+    NS_ENSURE_SUCCESS(rv, rv);
+
+    mInner->mPrincipal = subjectPrincipal;
+
+    DidDirty();
   }
 
   return NS_OK;

layout/style/nsCSSStyleSheet.h

@@ -265,8 +265,9 @@ protected:
 
   // Return success if the subject principal subsumes the principal of our
   // inner, error otherwise.  This will also succeed if the subject has
-  // UniversalXPConnect.
-  nsresult SubjectSubsumesInnerPrincipal() const;
+  // UniversalXPConnect or if access is allowed by CORS.  In the latter case,
+  // it will set the principal of the inner to the subject principal.
+  nsresult SubjectSubsumesInnerPrincipal();
 
   // Add the namespace mapping from this @namespace rule to our namespace map
   nsresult RegisterNamespaceRule(mozilla::css::Rule* aRule);

layout/style/test/test_bug732209.html

@@ -27,7 +27,7 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=732209
         crossorigin="use-credentials">
   <link rel="stylesheet"
         href="http://example.com/tests/layout/style/test/bug732209-css.sjs?seven&cors-anonymous">
-  <link rel="stylesheet"
+  <link rel="stylesheet" id="cross-origin-sheet"
         href="http://example.com/tests/layout/style/test/bug732209-css.sjs?eight&cors-anonymous"
         crossorigin>
   <link rel="stylesheet"
@@ -71,6 +71,19 @@ addLoadEvent(function() {
     is(getComputedStyle(spans[i], "").color, "rgb(0, 128, 0)",
        "Span " + spans[i].id + " should be green");
   }
+
+  try {
+    var sheet = $("cross-origin-sheet").sheet;
+    dump('aaa');
+    is(sheet.cssRules.length, 2,
+       "Should be able to get length of list of rules");
+    is(sheet.cssRules[0].style.color, "green",
+       "Should be able to read individual rules");
+  } catch (e) {
+    ok(false,
+       "Should be allowed to access cross-origin sheet that opted in with CORS: " + e);
+  }
+
   SimpleTest.finish();
 });