Bug 1825882 - Replace IsSystemLoad() with CanModify() in ChannelWrapper r=rpl

Differential Revision: https://phabricator.services.mozilla.com/D174508

toolkit/components/extensions/webrequest/ChannelWrapper.cpp

@@ -664,17 +664,17 @@ bool ChannelWrapper::Matches(
       return false;
     }
 
-    bool isProxy =
-        aOptions.mIsProxy && aExtension->HasPermission(nsGkAtoms::proxy);
-    // Proxies are allowed access to all urls, including restricted urls.
-    if (!aExtension->CanAccessURI(urlInfo, false, !isProxy, true)) {
+    // The third parameter (aCheckRestricted) is false because we already check
+    // restricted URLs below as part of CanModify().
+    if (!aExtension->CanAccessURI(urlInfo, false, false, true)) {
       return false;
     }
 
+    // Proxies are allowed access to all urls, including restricted urls.
     // If this isn't the proxy phase of the request, check that the extension
     // has origin permissions for origin that originated the request.
-    if (!isProxy) {
-      if (IsSystemLoad()) {
+    if (!aOptions.mIsProxy || !aExtension->HasPermission(nsGkAtoms::proxy)) {
+      if (!CanModify()) {
         return false;
       }
 
@@ -682,11 +682,14 @@ bool ChannelWrapper::Matches(
       // Extensions with the file:-permission may observe requests from file:
       // origins, because such documents can already be modified by content
       // scripts anyway.
-      if (origin && !aExtension->CanAccessURI(*origin, false, true, true)) {
+      if (origin && !aExtension->CanAccessURI(*origin, false, false, true)) {
         return false;
       }
     }
   }
+  // In theory, we could still be checking CanModify() even if !aExtension
+  // because the check is independent of extensions. However, we do not because
+  // there is no way for unprivileged code to end up with !aExtension.
 
   return true;
 }