Bug 1331295 - nsNullPrincipal should be created using OriginAttributes of the docShell in case the principal is null, r=smaug

docshell/base/crashtests/1331295.html

@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="UTF-8">
+<script>
+function boom() {
+  setTimeout(function(){
+    var o=document.getElementById('b');
+    document.getElementById('a').appendChild(o.parentNode.removeChild(o));
+  },0);
+  var o=document.getElementById('c');
+  var p=document.getElementById('b');
+  p.id=[o.id, o.id=p.id][0];
+  o=document.getElementById('b');
+  o.setAttribute('sandbox', 'disc');
+  window.location.reload(true);
+}
+</script>
+</head>
+<body onload="boom();">
+<header id='a'></header>
+<output id='b'></output>
+<iframe id='c' sandbox='allow-same-origin' src='http://a'></iframe>
+</body>
+</html>

docshell/base/crashtests/crashtests.list

@@ -13,3 +13,4 @@ load 614499-1.html
 load 678872-1.html
 skip-if(Android) pref(dom.disable_open_during_load,false) load 914521.html
 pref(browser.send_pings,true) load 1257730-1.html
+load 1331295.html

docshell/base/nsDocShell.cpp

@@ -8100,7 +8100,11 @@ nsDocShell::CreateAboutBlankContentViewer(nsIPrincipal* aPrincipal,
   if (docFactory) {
     nsCOMPtr<nsIPrincipal> principal;
     if (mSandboxFlags & SANDBOXED_ORIGIN) {
-      principal = nsNullPrincipal::CreateWithInheritedAttributes(aPrincipal);
+      if (aPrincipal) {
+        principal = nsNullPrincipal::CreateWithInheritedAttributes(aPrincipal);
+      } else {
+        principal = nsNullPrincipal::CreateWithInheritedAttributes(this);
+      }
     } else {
       principal = aPrincipal;
     }