From 1fead4cd75afc72192d451cc8a1c69e78a873542 Mon Sep 17 00:00:00 2001
From: Honza Bambas
Date: Thu, 13 Jul 2017 05:51:00 +0200
Subject: [PATCH] Bug 1256122 - Let nsContentSecurityManager check if a redirect may load against the target channel's final URI, r=bz
This allows protocol handlers that load data from a privileged URI (chrome/file/jar) to make the channel's principal as well as the redirect to look like (to) an unprivileged URI or a URI allowed to load to function correctly.
---
 dom/security/nsContentSecurityManager.cpp | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)
diff --git a/dom/security/nsContentSecurityManager.cpp b/dom/security/nsContentSecurityManager.cpp
index 2cbf787ce532..0872c3b0fdb5 100644
--- a/dom/security/nsContentSecurityManager.cpp
+++ b/dom/security/nsContentSecurityManager.cpp
@@ -509,21 +509,14 @@ nsContentSecurityManager::AsyncOnChannelRedirect(nsIChannel* aOldChannel,
 GetChannelResultPrincipal(aOldChannel, getter_AddRefs(oldPrincipal));
 nsCOMPtr newURI;
- aNewChannel->GetURI(getter_AddRefs(newURI));
- nsCOMPtr newOriginalURI;
- aNewChannel->GetOriginalURI(getter_AddRefs(newOriginalURI));
-
- NS_ENSURE_STATE(oldPrincipal && newURI && newOriginalURI);
+ Unused << NS_GetFinalChannelURI(aNewChannel, getter_AddRefs(newURI));
+ NS_ENSURE_STATE(oldPrincipal && newURI);
 const uint32_t flags = nsIScriptSecurityManager::LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT | nsIScriptSecurityManager::DISALLOW_SCRIPT;
 nsresult rv = nsContentUtils::GetSecurityManager()-> CheckLoadURIWithPrincipal(oldPrincipal, newURI, flags);
- if (NS_SUCCEEDED(rv) && newOriginalURI != newURI) {
- rv = nsContentUtils::GetSecurityManager()->
- CheckLoadURIWithPrincipal(oldPrincipal, newOriginalURI, flags);
- }
 NS_ENSURE_SUCCESS(rv, rv);
 aCb->OnRedirectVerifyCallback(NS_OK);
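Review bot: The one `CheckLoadURIWithPrincipal` call that remains now depends entirely on whatever `NS_GetFinalChannelURI` reports for `aNewChannel`, and nothing at the call site records why a single URI is enough where the old code checked both `GetURI` and `GetOriginalURI`. Going by the commit message, a handler may load from a chrome/file/jar URI while presenting an unprivileged final URI, so the redirect check is only as strong as the code allowed to set that final URI; a comment such as `// Only the final channel URI is checked: handlers that remap to a privileged URI are trusted to report the URI the load must be judged by.` would make that trust assumption visible to the next reader. Separately, `Unused <<` throws away the helper's nsresult, so a failure surfaces only as the generic error from `NS_ENSURE_STATE`; `nsresult rv = NS_GetFinalChannelURI(aNewChannel, getter_AddRefs(newURI)); NS_ENSURE_SUCCESS(rv, rv);` would keep the real code, with the later `nsresult rv =` becoming a plain assignment. AsyncOnChannelRedirect starts and ends outside the hunk, and the helper's definition is not shown here, so what it returns for a given channel should be confirmed against its implementation.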