Bug 413071: Fix bug in cross site XHR. r/sr=jst

content/base/src/nsCrossSiteListenerProxy.cpp

@@ -81,6 +81,7 @@ nsCrossSiteListenerProxy::ForwardRequest(PRBool aFromStop)
   }
 
   if (mAcceptState != eAccept) {
+    mAcceptState = eDeny;
     mOuterRequest->Cancel(NS_ERROR_DOM_BAD_URI);
     mOuter->OnStartRequest(mOuterRequest, mOuterContext);
 
@@ -91,6 +92,9 @@ nsCrossSiteListenerProxy::ForwardRequest(PRBool aFromStop)
       mOuter->OnStopRequest(mOuterRequest, mOuterContext, NS_ERROR_DOM_BAD_URI);
     }
 
+    // Clear this data just in case since it should never be forwarded.
+    mStoredData.Truncate();
+
     return NS_ERROR_DOM_BAD_URI;
   }
 
@@ -274,6 +278,9 @@ nsCrossSiteListenerProxy::OnDataAvailable(nsIRequest* aRequest,
                                           PRUint32 aCount)
 {
   if (mHasForwardedRequest) {
+    if (mAcceptState != eAccept) {
+      return NS_ERROR_DOM_BAD_URI;
+    }
     return mOuter->OnDataAvailable(aRequest, aContext, aInputStream, aOffset,
                                    aCount);
   }
@@ -300,7 +307,7 @@ nsCrossSiteListenerProxy::OnDataAvailable(nsIRequest* aRequest,
   // result in an error bubbling up to here. We want to ignore the error
   // in that case.
   if (mHasForwardedRequest) {
-    rv = NS_OK;
+    rv = mAcceptState == eAccept ? NS_OK : NS_ERROR_DOM_BAD_URI;
   }
   return rv;
 }

content/base/src/nsXMLHttpRequest.cpp

@@ -1161,6 +1161,17 @@ nsXMLHttpRequest::GetResponseHeader(const nsACString& header,
 
   // Check for dangerous headers
   if (mState & XML_HTTP_REQUEST_USE_XSITE_AC) {
+    
+    // Make sure we don't leak header information from denied cross-site
+    // requests.
+    if (mChannel) {
+      nsresult status;
+      mChannel->GetStatus(&status);
+      if (NS_FAILED(status)) {
+        return NS_OK;
+      }
+    }
+
     const char *kCrossOriginSafeHeaders[] = {
       "cache-control", "content-language", "content-type", "expires",
       "last-modified", "pragma"