Bug 248052 Add a contract ID for a global channeleventsink. Make the

scriptsecuritymanager register for that and implement nsIChannelEventSink. Veto redirects if CheckLoadURI fails. Remove the explicit usage of nsIScriptSecurityManager from nsHttpChannel.cpp. This eliminates js and xpconnect from REQUIRES, and brings us closer to remove caps. r=darin sr=bz
2005-11-08 20:47:16 +00:00 · 2005-11-08 20:47:16 +00:00 · d73e12f724
--- a/caps/include/nsScriptSecurityManager.h
+++ b/caps/include/nsScriptSecurityManager.h
@ -52,6 +52,7 @@
 #include "nsCOMPtr.h"
 #include "nsIPrefService.h"
 #include "nsISecurityPref.h"
+#include "nsIChannelEventSink.h"
 #include "nsIJSContextStack.h"
 #include "nsIObserver.h"
 #include "pldhash.h"
@ -346,6 +347,7 @@ private:

 class nsScriptSecurityManager : public nsIScriptSecurityManager,
                                public nsIPrefSecurityCheck,
+                                public nsIChannelEventSink,
                                public nsIObserver
 {
 public:
@ -357,6 +359,7 @@ public:
    NS_DECL_NSISCRIPTSECURITYMANAGER
    NS_DECL_NSIXPCSECURITYMANAGER
    NS_DECL_NSIPREFSECURITYCHECK
+    NS_DECL_NSICHANNELEVENTSINK
    NS_DECL_NSIOBSERVER

    static nsScriptSecurityManager*
--- a/caps/src/nsScriptSecurityManager.cpp
+++ b/caps/src/nsScriptSecurityManager.cpp
@ -428,10 +428,11 @@ DeleteDomainEntry(nsHashKey *aKey, void *aData, void* closure)
 ////////////////////////////////////
 // Methods implementing ISupports //
 ////////////////////////////////////
-NS_IMPL_ISUPPORTS4(nsScriptSecurityManager,
+NS_IMPL_ISUPPORTS5(nsScriptSecurityManager,
                   nsIScriptSecurityManager,
                   nsIXPCSecurityManager,
                   nsIPrefSecurityCheck,
+                   nsIChannelEventSink,
                   nsIObserver)

 ///////////////////////////////////////////////////
@ -2872,6 +2873,25 @@ nsScriptSecurityManager::CanAccessSecurityPreferences(PRBool* _retval)
    return IsCapabilityEnabled("CapabilityPreferencesAccess", _retval);  
 }

+/////////////////////////////////////////////
+// Method implementing nsIChannelEventSink //
+/////////////////////////////////////////////
+NS_IMETHODIMP
+nsScriptSecurityManager::OnChannelRedirect(nsIChannel* oldChannel, 
+                                           nsIChannel* newChannel,
+                                           PRUint32 redirFlags)
+{
+    nsCOMPtr<nsIURI> oldURI, newURI;
+    oldChannel->GetURI(getter_AddRefs(oldURI));
+    newChannel->GetURI(getter_AddRefs(newURI));
+
+    NS_ENSURE_STATE(oldURI && newURI);
+
+    const PRUint32 flags = nsIScriptSecurityManager::DISALLOW_FROM_MAIL |
+                           nsIScriptSecurityManager::DISALLOW_SCRIPT_OR_DATA;
+    return CheckLoadURI(oldURI, newURI, flags);
+}
+

 /////////////////////////////////////
 // Method implementing nsIObserver //
--- a/caps/src/nsSecurityManagerFactory.cpp
+++ b/caps/src/nsSecurityManagerFactory.cpp
@ -53,6 +53,7 @@
 #include "nsIServiceManager.h"
 #include "nsString.h"
 #include "nsPrefsCID.h"
+#include "nsNetCID.h"

 ///////////////////////
 // nsSecurityNameSet //
@ -422,6 +423,20 @@ static const nsModuleComponentInfo capsComponentInfo[] =
      nsIClassInfo::MAIN_THREAD_ONLY
    },

+    { NS_SCRIPTSECURITYMANAGER_CLASSNAME,
+      NS_SCRIPTSECURITYMANAGER_CID,
+      NS_GLOBAL_CHANNELEVENTSINK_CONTRACTID,
+      Construct_nsIScriptSecurityManager,
+      RegisterSecurityNameSet,
+      nsnull,
+      nsnull,
+      nsnull,
+      nsnull,
+      nsnull,
+      nsIClassInfo::MAIN_THREAD_ONLY
+    },
+
+

    { NS_PRINCIPAL_CLASSNAME, 
      NS_PRINCIPAL_CID, 
--- a/netwerk/build/nsNetCID.h
+++ b/netwerk/build/nsNetCID.h
@ -746,4 +746,16 @@
    {0xa1, 0x6c, 0x00, 0x50, 0x04, 0x1c, 0xaf, 0x44} \
 }

+/******************************************************************************
+ * Contracts that can be implemented by necko users.
+ */
+
+/**
+ * This contract ID will be gotten as a service and gets the opportunity to look
+ * at and veto all redirects that are processed by necko.
+ */
+#define NS_GLOBAL_CHANNELEVENTSINK_CONTRACTID \
+  "@mozilla.org/netwerk/global-channel-event-sink;1"
+
+
 #endif // nsNetCID_h__
--- a/netwerk/protocol/http/src/Makefile.in
+++ b/netwerk/protocol/http/src/Makefile.in
@ -54,8 +54,6 @@ REQUIRES	= xpcom \
 		  intl \
 		  unicharutil \
 		  caps \
-		  xpconnect \
-		  js \
 		  uconv \
 		  $(NULL)

--- a/netwerk/protocol/http/src/nsHttpChannel.cpp
+++ b/netwerk/protocol/http/src/nsHttpChannel.cpp
@ -52,7 +52,6 @@
 #include "nsXPCOM.h"
 #include "nsISupportsPrimitives.h"
 #include "nsIURL.h"
-#include "nsIScriptSecurityManager.h"
 #include "nsIIDNService.h"
 #include "nsIStreamListenerTee.h"
 #include "nsISeekableStream.h"
@ -2036,16 +2035,6 @@ nsHttpChannel::ProcessRedirection(PRUint32 redirectType)
                           getter_AddRefs(newURI));
    if (NS_FAILED(rv)) return rv;

-    // verify that this is a legal redirect
-    nsCOMPtr<nsIScriptSecurityManager> securityManager = 
-             do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID);
-    if (securityManager) {
-        rv = securityManager->CheckLoadURI(mURI, newURI,
-                                           nsIScriptSecurityManager::DISALLOW_FROM_MAIL |
-                                           nsIScriptSecurityManager::DISALLOW_SCRIPT_OR_DATA);
-        if (NS_FAILED(rv)) return rv;
-    }
-
    // Kill the current cache entry if we are redirecting
    // back to ourself.
    PRBool redirectingBackToSameURI = PR_FALSE;
@ -2083,6 +2072,20 @@ nsHttpChannel::ProcessRedirection(PRUint32 redirectType)
    rv = SetupReplacementChannel(newURI, newChannel, preserveMethod);
    if (NS_FAILED(rv)) return rv;

+    PRUint32 redirectFlags;
+    if (redirectType == 301) // Moved Permanently
+        redirectFlags = nsIChannelEventSink::REDIRECT_PERMANENT;
+    else
+        redirectFlags = nsIChannelEventSink::REDIRECT_TEMPORARY;
+
+    // verify that this is a legal redirect
+    nsCOMPtr<nsIChannelEventSink> globalObserver = 
+             do_GetService(NS_GLOBAL_CHANNELEVENTSINK_CONTRACTID);
+    if (globalObserver) {
+        rv = globalObserver->OnChannelRedirect(this, newChannel, redirectFlags);
+        if (NS_FAILED(rv)) return rv;
+    }
+
    // call out to the event sink to notify it of this redirection.
    nsCOMPtr<nsIHttpEventSink> httpEventSink;
    GetCallback(httpEventSink);
@ -2095,12 +2098,7 @@ nsHttpChannel::ProcessRedirection(PRUint32 redirectType)
    nsCOMPtr<nsIChannelEventSink> channelEventSink;
    GetCallback(channelEventSink);
    if (channelEventSink) {
-        PRUint32 flags;
-        if (redirectType == 301) // Moved Permanently
-            flags = nsIChannelEventSink::REDIRECT_PERMANENT;
-        else
-            flags = nsIChannelEventSink::REDIRECT_TEMPORARY;
-        rv = channelEventSink->OnChannelRedirect(this, newChannel, flags);
+        rv = channelEventSink->OnChannelRedirect(this, newChannel, redirectFlags);
        if (NS_FAILED(rv)) return rv;
    }
    // XXX we used to talk directly with the script security manager, but that