Bug 1380263 - data: URI should inherit origin attributes. r=smaug

2017-07-18 17:53:14 +08:00 · 2017-07-18 17:53:14 +08:00 · abec4b9645
--- a/browser/components/originattributes/test/browser/browser_firstPartyIsolation_aboutPages.js
+++ b/browser/components/originattributes/test/browser/browser_firstPartyIsolation_aboutPages.js
@ -83,11 +83,8 @@ add_task(async function test_remote_window_open_data_uri() {
    Assert.ok(content.document.nodePrincipal.isNullPrincipal,
              "The principal of data: document should be a NullPrincipal.");

-    let str = content.document.nodePrincipal.originNoSuffix;
-    let expectDomain = str.substring("moz-nullprincipal:{".length, str.length - 1) + ".mozilla";
-    Assert.equal(content.document.nodePrincipal.originAttributes.firstPartyDomain,
-                 expectDomain,
-                 "data: URI should have firstPartyDomain set to " + expectDomain);
+    Assert.ok(content.document.nodePrincipal.originAttributes.firstPartyDomain != "",
+              "data: URI should have firstPartyDomain set.");
  });

  win.close();
@ -116,14 +113,11 @@ add_task(async function test_remote_window_open_data_uri2() {
    Assert.ok(content.document.nodePrincipal.isNullPrincipal,
              "The principal of data: document should be a NullPrincipal.");

-    let str = content.document.nodePrincipal.originNoSuffix;
-    let expectDomain = str.substring("moz-nullprincipal:{".length, str.length - 1) + ".mozilla";
-    Assert.equal(content.document.nodePrincipal.originAttributes.firstPartyDomain,
-                 expectDomain,
-                 "data: URI should have firstPartyDomain set to " + expectDomain);
+    Assert.ok(content.document.nodePrincipal.originAttributes.firstPartyDomain != "",
+              "data: URI should have firstPartyDomain set.");

    Assert.equal(iframe.contentDocument.nodePrincipal.originAttributes.firstPartyDomain,
-                 expectDomain,
+                 content.document.nodePrincipal.originAttributes.firstPartyDomain,
                 "iframe should inherit firstPartyDomain from parent document.");
    Assert.equal(iframe.contentDocument.cookie, "test2=foo", "iframe should have cookies");
  });
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@ -10959,21 +10959,25 @@ nsDocShell::DoURILoad(nsIURI* aURI,
  MOZ_ASSERT(aTriggeringPrincipal, "Need a valid triggeringPrincipal");

  bool isSandBoxed = mSandboxFlags & SANDBOXED_ORIGIN;
-  // only inherit if we have a aPrincipalToInherit
-  bool inherit = false;
+
+  // We want to inherit aPrincipalToInherit when:
+  // 1. ChannelShouldInheritPrincipal returns true.
+  // 2. aURI is not data: URI, or data: URI is not configured as unique opaque
+  //    origin.
+  bool inheritAttrs = false, inheritPrincipal = false;

  if (aPrincipalToInherit) {
+    inheritAttrs = nsContentUtils::ChannelShouldInheritPrincipal(
+      aPrincipalToInherit,
+      aURI,
+      true, // aInheritForAboutBlank
+      isSrcdoc);
+
    bool isData;
    bool isURIUniqueOrigin = nsIOService::IsDataURIUniqueOpaqueOrigin() &&
                             NS_SUCCEEDED(aURI->SchemeIs("data", &isData)) &&
                             isData;
-    // If aURI is data: URI and is treated as a unique opaque origin, we don't
-    // want to inherit principal.
-    inherit = nsContentUtils::ChannelShouldInheritPrincipal(
-      aPrincipalToInherit,
-      aURI,
-      true, // aInheritForAboutBlank
-      isSrcdoc) && !isURIUniqueOrigin ;
+    inheritPrincipal = inheritAttrs && !isURIUniqueOrigin;
  }

  nsLoadFlags loadFlags = mDefaultLoadFlags;
@ -10991,7 +10995,7 @@ nsDocShell::DoURILoad(nsIURI* aURI,
    securityFlags |= nsILoadInfo::SEC_LOAD_ERROR_PAGE;
  }

-  if (inherit) {
+  if (inheritPrincipal) {
    securityFlags |= nsILoadInfo::SEC_FORCE_INHERIT_PRINCIPAL;
  }
  if (isSandBoxed) {
@ -11040,14 +11044,9 @@ nsDocShell::DoURILoad(nsIURI* aURI,

  OriginAttributes attrs;

-  // If inherit is true, which means loadInfo will have SEC_FORCE_INHERIT_PRINCIPAL
-  // set, so later when we create principal of the document from
-  // nsScriptSecurityManager::GetChannelResultPrincipal, we will use
-  // principalToInherit of the loadInfo as the document principal.
-  // Therefore we use the origin attributes from aPrincipalToInherit.
-  //
+  // Inherit origin attributes from aPrincipalToInherit if inheritAttrs is true.
  // Otherwise we just use the origin attributes from docshell.
-  if (inherit) {
+  if (inheritAttrs) {
    MOZ_ASSERT(aPrincipalToInherit, "We should have aPrincipalToInherit here.");
    attrs = aPrincipalToInherit->OriginAttributesRef();
    // If firstPartyIsolation is not enabled, then PrincipalToInherit should