зеркало из https://github.com/mozilla/gecko-dev.git
Bug 1307730 - Disallow CORS fetches when we have an expanded principal; r=bzbarsky
It's not possible to construct a useful Origin header when we have an expanded principal and are about to perform a CORS fetch. Therefore, instead of sending a CORS fetch with an |Origin: null| header, we must fail the request.
This commit is contained in:
Родитель
929f35de3b
Коммит
7cbf03adb5
|
@ -630,6 +630,7 @@ skip-if = buildapp == 'b2g'
|
|||
[test_bug1274806.html]
|
||||
[test_bug1281963.html]
|
||||
[test_bug1295852.html]
|
||||
[test_bug1307730.html]
|
||||
[test_caretPositionFromPoint.html]
|
||||
[test_change_policy.html]
|
||||
skip-if = buildapp == 'b2g' #no ssl support
|
||||
|
|
|
@ -0,0 +1,44 @@
|
|||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<!--
|
||||
https://bugzilla.mozilla.org/show_bug.cgi?id=1307730
|
||||
-->
|
||||
<head>
|
||||
<title>Test for Bug 1307730</title>
|
||||
<script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
|
||||
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
|
||||
</head>
|
||||
<body>
|
||||
<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1307730">Mozilla Bug 1307730</a>
|
||||
<p id="display"></p>
|
||||
<div id="content" style="display: none">
|
||||
</div>
|
||||
<pre id="test">
|
||||
<script type="application/javascript">
|
||||
|
||||
const Cu = SpecialPowers.Cu;
|
||||
|
||||
function runTest() {
|
||||
var xhr = new XMLHttpRequest();
|
||||
xhr.open("GET", "https://example.com", false);
|
||||
try {
|
||||
xhr.send();
|
||||
} catch (e) {
|
||||
return e.name;
|
||||
}
|
||||
return 'XHR succeeded';
|
||||
}
|
||||
|
||||
function evalInSandbox(sandbox, func) {
|
||||
return SpecialPowers.unwrap(Cu.evalInSandbox(`(${func.toString()})()`, sandbox));
|
||||
}
|
||||
|
||||
let sandbox = Cu.Sandbox([window, "https://example.org"],
|
||||
{wantGlobalProperties: ['XMLHttpRequest']});
|
||||
is(evalInSandbox(sandbox, runTest), 'NetworkError',
|
||||
"Shouldn't be able to make a CORS request with an expanded principal");
|
||||
|
||||
</script>
|
||||
</pre>
|
||||
</body>
|
||||
</html>
|
|
@ -602,6 +602,7 @@ nsCORSListenerProxy::CheckRequestApproved(nsIRequest* aRequest)
|
|||
}
|
||||
|
||||
if (mWithCredentials || !allowedOriginHeader.EqualsLiteral("*")) {
|
||||
MOZ_ASSERT(!nsContentUtils::IsExpandedPrincipal(mOriginHeaderPrincipal));
|
||||
nsAutoCString origin;
|
||||
nsContentUtils::GetASCIIOrigin(mOriginHeaderPrincipal, origin);
|
||||
|
||||
|
@ -950,6 +951,12 @@ nsCORSListenerProxy::UpdateChannel(nsIChannel* aChannel,
|
|||
uri->GetUserPass(userpass);
|
||||
NS_ENSURE_TRUE(userpass.IsEmpty(), NS_ERROR_DOM_BAD_URI);
|
||||
|
||||
// If we have an expanded principal here, we'll reject the CORS request,
|
||||
// because we can't send a useful Origin header which is required for CORS.
|
||||
if (nsContentUtils::IsExpandedPrincipal(mOriginHeaderPrincipal)) {
|
||||
return NS_ERROR_DOM_BAD_URI;
|
||||
}
|
||||
|
||||
// Add the Origin header
|
||||
nsAutoCString origin;
|
||||
rv = nsContentUtils::GetASCIIOrigin(mOriginHeaderPrincipal, origin);
|
||||
|
|
Загрузка…
Ссылка в новой задаче