Bug 1638711 - Do document security checks in parent process. r=ckerschb

Differential Revision: https://phabricator.services.mozilla.com/D75720

dom/security/nsCSPService.cpp

@@ -20,6 +20,7 @@
 #include "nsContentPolicyUtils.h"
 #include "nsNetUtil.h"
 #include "mozilla/net/DocumentLoadListener.h"
+#include "mozilla/net/DocumentChannel.h"
 
 using namespace mozilla;
 
@@ -251,6 +252,16 @@ CSPService::AsyncOnChannelRedirect(nsIChannel* oldChannel,
     }
   }
 
+  // Don't do these checks if we're switching from DocumentChannel
+  // to a real channel. In that case, we should already have done
+  // the checks in the parent process. AsyncOnChannelRedirect
+  // isn't called in the content process if we switch process,
+  // so checking here would just hide bugs in the process switch
+  // cases.
+  if (RefPtr<net::DocumentChannel> docChannel = do_QueryObject(oldChannel)) {
+    return NS_OK;
+  }
+
   nsCOMPtr<nsIURI> newUri;
   nsresult rv = newChannel->GetURI(getter_AddRefs(newUri));
   NS_ENSURE_SUCCESS(rv, rv);

dom/security/nsMixedContentBlocker.cpp

@@ -46,6 +46,7 @@
 #include "mozilla/ipc/URIUtils.h"
 #include "mozilla/net/DNS.h"
 #include "mozilla/net/DocumentLoadListener.h"
+#include "mozilla/net/DocumentChannel.h"
 
 using namespace mozilla;
 using namespace mozilla::dom;
@@ -143,6 +144,16 @@ nsMixedContentBlocker::AsyncOnChannelRedirect(
     return NS_OK;
   }
 
+  // Don't do these checks if we're switching from DocumentChannel
+  // to a real channel. In that case, we should already have done
+  // the checks in the parent process. AsyncOnChannelRedirect
+  // isn't called in the content process if we switch process,
+  // so checking here would just hide bugs in the process switch
+  // cases.
+  if (RefPtr<net::DocumentChannel> docChannel = do_QueryObject(aOldChannel)) {
+    return NS_OK;
+  }
+
   nsresult rv;
   nsCOMPtr<nsIURI> oldUri;
   rv = aOldChannel->GetURI(getter_AddRefs(oldUri));

netwerk/base/LoadInfo.cpp

@@ -570,10 +570,7 @@ LoadInfo::LoadInfo(dom::CanonicalBrowsingContext* aBrowsingContext,
       mFrameOuterWindowID(aFrameOuterWindowID),
       mBrowsingContextID(0),
       mFrameBrowsingContextID(0),
-      // annyG: we are mimicking the old LoadInfo since it has gone through
-      // security checks in the content and we wouldn't reach this point
-      // if the load got blocked earlier.
-      mInitialSecurityCheckDone(true),
+      mInitialSecurityCheckDone(false),
       mIsThirdPartyContext(false),
       mIsThirdPartyContextToTopWindow(true),
       mIsFormSubmission(false),

netwerk/ipc/DocumentChannelChild.cpp

@@ -46,8 +46,6 @@ DocumentChannelChild::AsyncOpen(nsIStreamListener* aListener) {
   nsresult rv = NS_OK;
 
   nsCOMPtr<nsIStreamListener> listener = aListener;
-  rv = nsContentSecurityManager::doContentSecurityCheck(this, listener);
-  NS_ENSURE_SUCCESS(rv, rv);
 
   NS_ENSURE_TRUE(gNeckoChild, NS_ERROR_FAILURE);
   NS_ENSURE_ARG_POINTER(listener);