Bug 1226437 - Speculative CSP should set speculative referrer policy instead of actual referrer policy. r=sicking

dom/base/nsDocument.cpp

@@ -2653,23 +2653,12 @@ nsDocument::ApplySettingsFromCSP(bool aSpeculative)
   }
 
   // 2) apply settings from speculative csp
-  nsCOMPtr<nsIContentSecurityPolicy> preloadCsp;
-  rv = NodePrincipal()->GetPreloadCsp(getter_AddRefs(preloadCsp));
-  if (preloadCsp) {
-    // Set up any Referrer Policy specified by CSP
-    bool hasReferrerPolicy = false;
-    uint32_t referrerPolicy = mozilla::net::RP_Default;
-    rv = preloadCsp->GetReferrerPolicy(&referrerPolicy, &hasReferrerPolicy);
+  if (!mUpgradeInsecurePreloads) {
+    nsCOMPtr<nsIContentSecurityPolicy> preloadCsp;
+    rv = NodePrincipal()->GetPreloadCsp(getter_AddRefs(preloadCsp));
     NS_ENSURE_SUCCESS_VOID(rv);
-    if (hasReferrerPolicy) {
-      // please note that referrer policy spec defines that the latest
-      // policy awlays wins, hence we can safely overwrite the policy here.
-      mReferrerPolicy = static_cast<ReferrerPolicy>(referrerPolicy);
-      mReferrerPolicySet = true;
-    }
-    if (!mUpgradeInsecurePreloads) {
-      rv = preloadCsp->GetUpgradeInsecureRequests(&mUpgradeInsecurePreloads);
-      NS_ENSURE_SUCCESS_VOID(rv);
+    if (preloadCsp) {
+      preloadCsp->GetUpgradeInsecureRequests(&mUpgradeInsecurePreloads);
     }
   }
 }

parser/html/nsHtml5TreeOpExecutor.cpp

@@ -1051,6 +1051,15 @@ nsHtml5TreeOpExecutor::AddSpeculationCSP(const nsAString& aCSP)
                                 true); // delivered through the meta tag
   NS_ENSURE_SUCCESS_VOID(rv);
 
+  // Record "speculated" referrer policy for preloads
+  bool hasReferrerPolicy = false;
+  uint32_t referrerPolicy = mozilla::net::RP_Default;
+  rv = preloadCsp->GetReferrerPolicy(&referrerPolicy, &hasReferrerPolicy);
+  NS_ENSURE_SUCCESS_VOID(rv);
+  if (hasReferrerPolicy) {
+    SetSpeculationReferrerPolicy(static_cast<ReferrerPolicy>(referrerPolicy));
+  }
+
   mDocument->ApplySettingsFromCSP(true);
 }