Bug 1467852 Align LoadInfo::mServiceWorkerTaintingSynthesized handling with other service worker fields. r=valentin

2018-06-10 18:44:38 -07:00 · 2018-06-10 18:44:38 -07:00 · 6301585f22
--- a/netwerk/base/LoadInfo.cpp
+++ b/netwerk/base/LoadInfo.cpp
@ -396,7 +396,8 @@ LoadInfo::LoadInfo(const LoadInfo& rhs)
  , mForcePreflight(rhs.mForcePreflight)
  , mIsPreflight(rhs.mIsPreflight)
  , mLoadTriggeredFromExternal(rhs.mLoadTriggeredFromExternal)
-  , mServiceWorkerTaintingSynthesized(rhs.mServiceWorkerTaintingSynthesized)
+  // mServiceWorkerTaintingSynthesized must be handled specially during redirect
+  , mServiceWorkerTaintingSynthesized(false)
 {
 }

--- a/netwerk/base/LoadInfo.h
+++ b/netwerk/base/LoadInfo.h
@ -83,14 +83,6 @@ public:
  // when a separate request is made with the same security properties.
  already_AddRefed<nsILoadInfo> CloneForNewRequest() const;

-  // The service worker and fetch specifications require returning the
-  // exact tainting level of the Response passed to FetchEvent.respondWith().
-  // This method allows us to override the tainting level in that case.
-  //
-  // NOTE: This should not be used outside of service worker code! Use
-  //       nsILoadInfo::MaybeIncreaseTainting() instead.
-  void SynthesizeServiceWorkerTainting(LoadTainting aTainting);
-
  void SetIsPreflight();
  void SetUpgradeInsecureRequests();
  void SetBrowserUpgradeInsecureRequests();
--- a/netwerk/base/nsILoadInfo.idl
+++ b/netwerk/base/nsILoadInfo.idl
@ -44,6 +44,7 @@ native OriginAttributes(mozilla::OriginAttributes);
 [ref] native const_ServiceWorkerDescriptorRef(const mozilla::dom::ServiceWorkerDescriptor);
 [ref] native const_MaybeServiceWorkerDescriptorRef(const mozilla::Maybe<mozilla::dom::ServiceWorkerDescriptor>);
 [ptr] native PerformanceStoragePtr(mozilla::dom::PerformanceStorage);
+      native LoadTainting(mozilla::LoadTainting);

 typedef unsigned long nsSecurityFlags;

@ -991,4 +992,14 @@ interface nsILoadInfo : nsISupports
   */
  [noscript, nostdcall, notxpcom]
  PerformanceStoragePtr GetPerformanceStorage();
+
+  /* The service worker and fetch specifications require returning the
+   * exact tainting level of the Response passed to FetchEvent.respondWith().
+   * This method allows us to override the tainting level in that case.
+   *
+   * NOTE: This should not be used outside of service worker code! Use
+   *       nsILoadInfo::MaybeIncreaseTainting() instead.
+   */
+  [noscript, nostdcall, notxpcom]
+  void SynthesizeServiceWorkerTainting(in LoadTainting aTainting);
 };
--- a/netwerk/protocol/http/HttpChannelChild.cpp
+++ b/netwerk/protocol/http/HttpChannelChild.cpp
@ -1808,6 +1808,10 @@ HttpChannelChild::BeginNonIPCRedirect(nsIURI* responseURI,
 {
  LOG(("HttpChannelChild::BeginNonIPCRedirect [this=%p]\n", this));

+  // This method is only used by child-side service workers.  It should not be
+  // used by new code.  We want to remove it in the future.
+  MOZ_DIAGNOSTIC_ASSERT(mSynthesizedResponse);
+
  // If the response has been redirected, propagate all the URLs to content.
  // Thus, the exact value of the redirect flag does not matter as long as it's
  // not REDIRECT_INTERNAL.
@ -1833,6 +1837,20 @@ HttpChannelChild::BeginNonIPCRedirect(nsIURI* responseURI,
      httpChannelChild->OverrideSecurityInfoForNonIPCRedirect(mSecurityInfo);
    }

+    // Normally we don't propagate the LoadInfo's service worker tainting
+    // synthesis flag on redirect.  A real redirect normally will want to allow
+    // normal tainting to proceed from its starting taint.  For this particular
+    // redirect, though, we are performing a redirect to communicate the URL of
+    // the service worker synthetic response itself.  This redirect still represents
+    // the synthetic response, so we must preserve the flag.
+    if (mLoadInfo && mLoadInfo->GetServiceWorkerTaintingSynthesized()) {
+      nsCOMPtr<nsILoadInfo> newChannelLoadInfo;
+      Unused << newChannel->GetLoadInfo(getter_AddRefs(newChannelLoadInfo));
+      if (newChannelLoadInfo) {
+        newChannelLoadInfo->SynthesizeServiceWorkerTainting(mLoadInfo->GetTainting());
+      }
+    }
+
    nsCOMPtr<nsIEventTarget> target = GetNeckoTarget();
    MOZ_ASSERT(target);

--- a/netwerk/protocol/http/InterceptedHttpChannel.cpp
+++ b/netwerk/protocol/http/InterceptedHttpChannel.cpp
@ -272,6 +272,17 @@ InterceptedHttpChannel::RedirectForResponseURL(nsIURI* aResponseURI,
  newChannel->SetLoadInfo(redirectLoadInfo);
  NS_ENSURE_SUCCESS(rv, rv);

+  // Normally we don't propagate the LoadInfo's service worker tainting
+  // synthesis flag on redirect.  A real redirect normally will want to allow
+  // normal tainting to proceed from its starting taint.  For this particular
+  // redirect, though, we are performing a redirect to communicate the URL of
+  // the service worker synthetic response itself.  This redirect still represents
+  // the synthetic response, so we must preserve the flag.
+  if (redirectLoadInfo && mLoadInfo &&
+      mLoadInfo->GetServiceWorkerTaintingSynthesized()) {
+    redirectLoadInfo->SynthesizeServiceWorkerTainting(mLoadInfo->GetTainting());
+  }
+
  rv = SetupReplacementChannel(aResponseURI, newChannel, true, flags);
  NS_ENSURE_SUCCESS(rv, rv);