Bug 1378552 - Reduce the liklihood of inadvertently misusing NullPrincipal::Create(). r=ckerschb

NullPrincipal::Create() (will null OA) may cause an OriginAttributes bypass. We change Create() so OriginAttributes is no longer optional, and rename Create() with no arguments to make it more explicit about what the caller is doing. MozReview-Commit-ID: 7DQGlgh1tgJ
2018-03-22 13:36:20 -05:00 · 2018-03-22 13:36:20 -05:00 · 449237fc51
--- a/caps/NullPrincipal.cpp
+++ b/caps/NullPrincipal.cpp
@ -66,6 +66,12 @@ NullPrincipal::Create(const OriginAttributes& aOriginAttributes, nsIURI* aURI)
  return nullPrin.forget();
 }

+/* static */ already_AddRefed<NullPrincipal>
+NullPrincipal::CreateWithoutOriginAttributes()
+{
+  return NullPrincipal::Create(mozilla::OriginAttributes(), nullptr);
+}
+
 nsresult
 NullPrincipal::Init(const OriginAttributes& aOriginAttributes, nsIURI* aURI)
 {
--- a/caps/NullPrincipal.h
+++ b/caps/NullPrincipal.h
@ -64,9 +64,12 @@ public:
  CreateWithInheritedAttributes(nsIDocShell* aDocShell, bool aIsFirstParty = false);

  static already_AddRefed<NullPrincipal>
-  Create(const mozilla::OriginAttributes& aOriginAttributes = mozilla::OriginAttributes(),
+  Create(const mozilla::OriginAttributes& aOriginAttributes,
         nsIURI* aURI = nullptr);

+  static already_AddRefed<NullPrincipal>
+  CreateWithoutOriginAttributes();
+
  nsresult Init(const mozilla::OriginAttributes& aOriginAttributes = mozilla::OriginAttributes(),
                nsIURI* aURI = nullptr);

--- a/dom/base/DOMParser.cpp
+++ b/dom/base/DOMParser.cpp
@ -346,7 +346,7 @@ DOMParser::Init(nsIPrincipal* principal, nsIURI* documentURI,
      // Don't give DOMParsers the system principal.  Use a null
      // principal instead.
      mOriginalPrincipalWasSystem = true;
-      mPrincipal = NullPrincipal::Create();
+      mPrincipal = NullPrincipal::CreateWithoutOriginAttributes();

      if (!mDocumentURI) {
        rv = mPrincipal->GetURI(getter_AddRefs(mDocumentURI));
@ -457,7 +457,7 @@ DOMParser::SetUpDocument(DocumentFlavor aFlavor, nsIDOMDocument** aResult)
    NS_ENSURE_TRUE(!mAttemptedInit, NS_ERROR_NOT_INITIALIZED);
    AttemptedInitMarker marker(&mAttemptedInit);

-    nsCOMPtr<nsIPrincipal> prin = NullPrincipal::Create();
+    nsCOMPtr<nsIPrincipal> prin = NullPrincipal::CreateWithoutOriginAttributes();
    rv = Init(prin, nullptr, nullptr, scriptHandlingObject);
    NS_ENSURE_SUCCESS(rv, rv);
  }
--- a/dom/base/nsContentUtils.cpp
+++ b/dom/base/nsContentUtils.cpp
@ -590,7 +590,7 @@ nsContentUtils::Init()
  sSecurityManager->GetSystemPrincipal(&sSystemPrincipal);
  MOZ_ASSERT(sSystemPrincipal);

-  RefPtr<NullPrincipal> nullPrincipal = NullPrincipal::Create();
+  RefPtr<NullPrincipal> nullPrincipal = NullPrincipal::CreateWithoutOriginAttributes();
  if (!nullPrincipal) {
    return NS_ERROR_FAILURE;
  }
@ -5220,7 +5220,7 @@ nsContentUtils::ConvertToPlainText(const nsAString& aSourceBuffer,
 {
  nsCOMPtr<nsIURI> uri;
  NS_NewURI(getter_AddRefs(uri), "about:blank");
-  nsCOMPtr<nsIPrincipal> principal = NullPrincipal::Create();
+  nsCOMPtr<nsIPrincipal> principal = NullPrincipal::CreateWithoutOriginAttributes();
  nsCOMPtr<nsIDOMDocument> domDocument;
  nsresult rv = NS_NewDOMDocument(getter_AddRefs(domDocument),
                                  EmptyString(),
--- a/dom/base/nsNodeInfoManager.cpp
+++ b/dom/base/nsNodeInfoManager.cpp
@ -110,7 +110,7 @@ nsNodeInfoManager::Init(nsIDocument *aDocument)
  NS_PRECONDITION(!mPrincipal,
                  "Being inited when we already have a principal?");

-  mPrincipal = NullPrincipal::Create();
+  mPrincipal = NullPrincipal::CreateWithoutOriginAttributes();

  if (aDocument) {
    mBindingManager = new nsBindingManager(aDocument);
--- a/dom/base/nsTreeSanitizer.cpp
+++ b/dom/base/nsTreeSanitizer.cpp
@ -1586,7 +1586,7 @@ nsTreeSanitizer::InitializeStatics()
    sAttributesMathML->PutEntry(*kAttributesMathML[i]);
  }

-  nsCOMPtr<nsIPrincipal> principal = NullPrincipal::Create();
+  nsCOMPtr<nsIPrincipal> principal = NullPrincipal::CreateWithoutOriginAttributes();
  principal.forget(&sNullPrincipal);
 }

--- a/dom/bindings/SimpleGlobalObject.cpp
+++ b/dom/bindings/SimpleGlobalObject.cpp
@ -118,7 +118,7 @@ SimpleGlobalObject::Create(GlobalType globalType, JS::Handle<JS::Value> proto)
           .setSystemZone();

    if (NS_IsMainThread()) {
-      nsCOMPtr<nsIPrincipal> principal = NullPrincipal::Create();
+      nsCOMPtr<nsIPrincipal> principal = NullPrincipal::CreateWithoutOriginAttributes();
      options.creationOptions().setTrace(xpc::TraceXPCGlobal);
      global = xpc::CreateGlobalObject(cx, js::Jsvalify(&SimpleGlobalClass),
                                       nsJSPrincipals::get(principal),
--- a/dom/console/ConsoleUtils.cpp
+++ b/dom/console/ConsoleUtils.cpp
@ -150,7 +150,7 @@ ConsoleUtils::GetOrCreateSandbox(JSContext* aCx)
    nsIXPConnect* xpc = nsContentUtils::XPConnect();
    MOZ_ASSERT(xpc, "This should never be null!");

-    RefPtr<NullPrincipal> nullPrincipal = NullPrincipal::Create();
+    RefPtr<NullPrincipal> nullPrincipal = NullPrincipal::CreateWithoutOriginAttributes();

    JS::Rooted<JSObject*> sandbox(aCx);
    nsresult rv = xpc->CreateSandbox(aCx, nullPrincipal, sandbox.address());
--- a/dom/indexedDB/IDBObjectStore.cpp
+++ b/dom/indexedDB/IDBObjectStore.cpp
@ -1379,7 +1379,7 @@ private:
      MOZ_ASSERT(xpc, "This should never be null!");

      // Let's use a null principal.
-      nsCOMPtr<nsIPrincipal> principal = NullPrincipal::Create();
+      nsCOMPtr<nsIPrincipal> principal = NullPrincipal::CreateWithoutOriginAttributes();

      JS::Rooted<JSObject*> sandbox(aCx);
      nsresult rv = xpc->CreateSandbox(aCx, principal, sandbox.address());
--- a/dom/ipc/ContentChild.cpp
+++ b/dom/ipc/ContentChild.cpp
@ -773,7 +773,7 @@ GetCreateWindowParams(mozIDOMWindowProxy* aParent,
  *aFullZoom = 1.0f;
  auto* opener = nsPIDOMWindowOuter::From(aParent);
  if (!opener) {
-    nsCOMPtr<nsIPrincipal> nullPrincipal = NullPrincipal::Create();
+    nsCOMPtr<nsIPrincipal> nullPrincipal = NullPrincipal::CreateWithoutOriginAttributes();
    NS_ADDREF(*aTriggeringPrincipal = nullPrincipal);
    return NS_OK;
  }
--- a/dom/ipc/TabParent.cpp
+++ b/dom/ipc/TabParent.cpp
@ -563,7 +563,7 @@ TabParent::RecvDropLinks(nsTArray<nsString>&& aLinks)
    if (loadUsingSystemPrincipal) {
      triggeringPrincipal = nsContentUtils::GetSystemPrincipal();
    } else {
-      triggeringPrincipal = NullPrincipal::Create();
+      triggeringPrincipal = NullPrincipal::CreateWithoutOriginAttributes();
    }
    browser->DropLinks(aLinks.Length(), links.get(), triggeringPrincipal);
  }
--- a/gfx/thebes/gfxSVGGlyphs.cpp
+++ b/gfx/thebes/gfxSVGGlyphs.cpp
@ -357,7 +357,7 @@ gfxSVGGlyphsDocument::ParseDocument(const uint8_t *aBuffer, uint32_t aBufLen)
    rv = NS_NewURI(getter_AddRefs(uri), mSVGGlyphsDocumentURI);
    NS_ENSURE_SUCCESS(rv, rv);

-    nsCOMPtr<nsIPrincipal> principal = NullPrincipal::Create();
+    nsCOMPtr<nsIPrincipal> principal = NullPrincipal::CreateWithoutOriginAttributes();

    nsCOMPtr<nsIDOMDocument> domDoc;
    rv = NS_NewDOMDocument(getter_AddRefs(domDoc),
--- a/image/decoders/icon/android/nsIconChannel.cpp
+++ b/image/decoders/icon/android/nsIconChannel.cpp
@ -115,7 +115,7 @@ moz_icon_to_channel(nsIURI* aURI, const nsACString& aFileExt,
  // nsIconProtocolHandler::NewChannel2 will provide the correct loadInfo for
  // this iconChannel. Use the most restrictive security settings for the
  // temporary loadInfo to make sure the channel can not be openend.
-  nsCOMPtr<nsIPrincipal> nullPrincipal = NullPrincipal::Create();
+  nsCOMPtr<nsIPrincipal> nullPrincipal = NullPrincipal::CreateWithoutOriginAttributes();
  return NS_NewInputStreamChannel(aChannel,
                                  aURI,
                                  stream.forget(),
--- a/image/decoders/icon/gtk/nsIconChannel.cpp
+++ b/image/decoders/icon/gtk/nsIconChannel.cpp
@ -106,7 +106,7 @@ moz_gdk_pixbuf_to_channel(GdkPixbuf* aPixbuf, nsIURI* aURI,
  // nsIconProtocolHandler::NewChannel2 will provide the correct loadInfo for
  // this iconChannel. Use the most restrictive security settings for the
  // temporary loadInfo to make sure the channel can not be openend.
-  nsCOMPtr<nsIPrincipal> nullPrincipal = NullPrincipal::Create();
+  nsCOMPtr<nsIPrincipal> nullPrincipal = NullPrincipal::CreateWithoutOriginAttributes();
  return NS_NewInputStreamChannel(aChannel,
                                  aURI,
                                  stream.forget(),
--- a/js/xpconnect/src/Sandbox.cpp
+++ b/js/xpconnect/src/Sandbox.cpp
@ -979,7 +979,7 @@ xpc::CreateSandboxObject(JSContext* cx, MutableHandleValue vp, nsISupports* prin
        if (sop) {
            principal = sop->GetPrincipal();
        } else {
-            RefPtr<NullPrincipal> nullPrin = NullPrincipal::Create();
+            RefPtr<NullPrincipal> nullPrin = NullPrincipal::CreateWithoutOriginAttributes();
            principal = nullPrin;
        }
    }
--- a/layout/style/StyleSheet.cpp
+++ b/layout/style/StyleSheet.cpp
@ -240,7 +240,7 @@ StyleSheet::SetEnabled(bool aEnabled)
 StyleSheetInfo::StyleSheetInfo(CORSMode aCORSMode,
                               ReferrerPolicy aReferrerPolicy,
                               const dom::SRIMetadata& aIntegrity)
-  : mPrincipal(NullPrincipal::Create())
+  : mPrincipal(NullPrincipal::CreateWithoutOriginAttributes())
  , mCORSMode(aCORSMode)
  , mReferrerPolicy(aReferrerPolicy)
  , mIntegrity(aIntegrity)
--- a/layout/style/URLExtraData.cpp
+++ b/layout/style/URLExtraData.cpp
@ -22,7 +22,7 @@ URLExtraData::InitDummy()
  RefPtr<nsIURI> referrer = baseURI;
  sDummy = new URLExtraData(baseURI.forget(),
                            referrer.forget(),
-                            NullPrincipal::Create());
+                            NullPrincipal::CreateWithoutOriginAttributes());
 }

 /* static */ void
--- a/layout/style/test/gtest/StyloParsingBench.cpp
+++ b/layout/style/test/gtest/StyloParsingBench.cpp
@ -28,7 +28,7 @@ static void ServoParsingBench() {
  ASSERT_EQ(Encoding::UTF8ValidUpTo(css), css.Length());

  RefPtr<URLExtraData> data = new URLExtraData(
-    NullPrincipalURI::Create(), nullptr, NullPrincipal::Create());
+    NullPrincipalURI::Create(), nullptr, NullPrincipal::CreateWithoutOriginAttributes());
  for (int i = 0; i < PARSING_REPETITIONS; i++) {
    RefPtr<RawServoStyleSheetContents> stylesheet =
      Servo_StyleSheet_FromUTF8Bytes(nullptr,
@ -55,7 +55,7 @@ MOZ_GTEST_BENCH(Stylo, Servo_StyleSheet_FromUTF8Bytes_Bench, ServoParsingBench);
 static void ServoSetPropertyByIdBench(const nsACString& css) {
  RefPtr<RawServoDeclarationBlock> block = Servo_DeclarationBlock_CreateEmpty().Consume();
  RefPtr<URLExtraData> data = new URLExtraData(
-    NullPrincipalURI::Create(), nullptr, NullPrincipal::Create());
+    NullPrincipalURI::Create(), nullptr, NullPrincipal::CreateWithoutOriginAttributes());

  ASSERT_TRUE(IsUTF8(css));

@ -84,7 +84,7 @@ MOZ_GTEST_BENCH(Stylo, Servo_DeclarationBlock_SetPropertyById_WithInitialSpace_B
 static void ServoGetPropertyValueById() {
  RefPtr<RawServoDeclarationBlock> block = Servo_DeclarationBlock_CreateEmpty().Consume();
  RefPtr<URLExtraData> data = new URLExtraData(
-    NullPrincipalURI::Create(), nullptr, NullPrincipal::Create());
+    NullPrincipalURI::Create(), nullptr, NullPrincipal::CreateWithoutOriginAttributes());
  NS_NAMED_LITERAL_CSTRING(css_, "10px");
  const nsACString& css = css_;
  Servo_DeclarationBlock_SetPropertyById(
--- a/netwerk/protocol/http/HttpBaseChannel.cpp
+++ b/netwerk/protocol/http/HttpBaseChannel.cpp
@ -3224,7 +3224,7 @@ HttpBaseChannel::CloneLoadInfoForRedirect(nsIURI * newURI, uint32_t redirectFlag
  nsContentPolicyType contentPolicyType = mLoadInfo->GetExternalContentPolicyType();
  if (contentPolicyType == nsIContentPolicy::TYPE_DOCUMENT ||
      contentPolicyType == nsIContentPolicy::TYPE_SUBDOCUMENT) {
-    nsCOMPtr<nsIPrincipal> nullPrincipalToInherit = NullPrincipal::Create();
+    nsCOMPtr<nsIPrincipal> nullPrincipalToInherit = NullPrincipal::CreateWithoutOriginAttributes();
    newLoadInfo->SetPrincipalToInherit(nullPrincipalToInherit);
  }

--- a/netwerk/protocol/viewsource/nsViewSourceChannel.cpp
+++ b/netwerk/protocol/viewsource/nsViewSourceChannel.cpp
@ -67,7 +67,7 @@ nsViewSourceChannel::Init(nsIURI* uri)
    // Until then we follow the principal of least privilege and use
    // nullPrincipal as the loadingPrincipal and the least permissive
    // securityflag.
-    nsCOMPtr<nsIPrincipal> nullPrincipal = NullPrincipal::Create();
+    nsCOMPtr<nsIPrincipal> nullPrincipal = NullPrincipal::CreateWithoutOriginAttributes();

    rv = pService->NewChannel2(path,
                               nullptr, // aOriginCharset
--- a/parser/html/nsParserUtils.cpp
+++ b/parser/html/nsParserUtils.cpp
@ -70,7 +70,7 @@ nsParserUtils::Sanitize(const nsAString& aFromStr,
 {
  nsCOMPtr<nsIURI> uri;
  NS_NewURI(getter_AddRefs(uri), "about:blank");
-  nsCOMPtr<nsIPrincipal> principal = NullPrincipal::Create();
+  nsCOMPtr<nsIPrincipal> principal = NullPrincipal::CreateWithoutOriginAttributes();
  nsCOMPtr<nsIDOMDocument> domDocument;
  nsresult rv = NS_NewDOMDocument(getter_AddRefs(domDocument),
                                  EmptyString(),
--- a/parser/htmlparser/nsExpatDriver.cpp
+++ b/parser/htmlparser/nsExpatDriver.cpp
@ -679,7 +679,7 @@ nsExpatDriver::OpenInputStreamFromExternalDTD(const char16_t* aFPIStr,
      }
    }
    if (!loadingPrincipal) {
-      loadingPrincipal = NullPrincipal::Create();
+      loadingPrincipal = NullPrincipal::CreateWithoutOriginAttributes();
    }
    rv = NS_NewChannel(getter_AddRefs(channel),
                       uri,
--- a/rdf/base/nsRDFXMLParser.cpp
+++ b/rdf/base/nsRDFXMLParser.cpp
@ -114,7 +114,7 @@ nsRDFXMLParser::ParseString(nsIRDFDataSource* aSink, nsIURI* aBaseURI, const nsA
    rv = NS_NewCStringInputStream(getter_AddRefs(stream), aString);
    if (NS_FAILED(rv)) return rv;

-    nsCOMPtr<nsIPrincipal> nullPrincipal = NullPrincipal::Create();
+    nsCOMPtr<nsIPrincipal> nullPrincipal = NullPrincipal::CreateWithoutOriginAttributes();

    // The following channel is never openend, so it does not matter what
    // securityFlags we pass; let's follow the principle of least privilege.
--- a/toolkit/components/places/nsFaviconService.cpp
+++ b/toolkit/components/places/nsFaviconService.cpp
@ -352,7 +352,7 @@ nsFaviconService::SetAndFetchFaviconForPage(nsIURI* aPageURI,
                                    nsContentUtils::eNECKO_PROPERTIES,
                                    "APIDeprecationWarning",
                                    params, ArrayLength(params));
-    loadingPrincipal = NullPrincipal::Create();
+    loadingPrincipal = NullPrincipal::CreateWithoutOriginAttributes();
  }
  NS_ENSURE_TRUE(loadingPrincipal, NS_ERROR_FAILURE);

@ -545,7 +545,7 @@ nsFaviconService::ReplaceFaviconDataFromDataURL(nsIURI* aFaviconURI,
                                    "APIDeprecationWarning",
                                    params, ArrayLength(params));

-    loadingPrincipal = NullPrincipal::Create();
+    loadingPrincipal = NullPrincipal::CreateWithoutOriginAttributes();
  }
  NS_ENSURE_TRUE(loadingPrincipal, NS_ERROR_FAILURE);

--- a/toolkit/content/tests/unit/test_contentAreaUtils.js
+++ b/toolkit/content/tests/unit/test_contentAreaUtils.js
@ -11,8 +11,7 @@ function loadUtilsScript() {
 }

 function test_urlSecurityCheck() {
-  var nullPrincipal = Cc["@mozilla.org/nullprincipal;1"].
-                      createInstance(Ci.nsIPrincipal);
+  var nullPrincipal = Services.scriptSecurityManager.createNullPrincipal({});

  const HTTP_URI = "http://www.mozilla.org/";
  const CHROME_URI = "chrome://browser/content/browser.xul";
--- a/xpfe/appshell/nsContentTreeOwner.cpp
+++ b/xpfe/appshell/nsContentTreeOwner.cpp
@ -911,7 +911,7 @@ nsContentTreeOwner::ProvideWindow(mozIDOMWindowProxy* aParent,
    //
    // This method handles setting the opener for us, so we don't need to set it
    // ourselves.
-    RefPtr<NullPrincipal> nullPrincipal = NullPrincipal::Create();
+    RefPtr<NullPrincipal> nullPrincipal = NullPrincipal::CreateWithoutOriginAttributes();
    return browserDOMWin->CreateContentWindow(aURI, aParent, openLocation,
                                              flags, nullPrincipal, aReturn);
  }