Bug 1462077 P2 Add a release assert in ClientHandle::Control() that enforces same-origin policy. r=asuth

dom/clients/manager/ClientHandle.cpp

@@ -9,6 +9,7 @@
 #include "ClientHandleChild.h"
 #include "ClientHandleOpChild.h"
 #include "ClientManager.h"
+#include "ClientPrincipalUtils.h"
 #include "ClientState.h"
 #include "mozilla/dom/PClientManagerChild.h"
 #include "mozilla/dom/ServiceWorkerDescriptor.h"
@@ -122,6 +123,11 @@ ClientHandle::Control(const ServiceWorkerDescriptor& aServiceWorker)
   RefPtr<GenericPromise::Private> outerPromise =
     new GenericPromise::Private(__func__);
 
+  // We should never have a cross-origin controller.  Since this would be
+  // same-origin policy violation we do a full release assertion here.
+  MOZ_RELEASE_ASSERT(ClientMatchPrincipalInfo(mClientInfo.PrincipalInfo(),
+                                              aServiceWorker.PrincipalInfo()));
+
   StartOp(ClientControlledArgs(aServiceWorker.ToIPC()),
     [outerPromise](const ClientOpResult& aResult) {
       outerPromise->Resolve(true, __func__);