diff options
| author | Moonchild <mcwerewolf@gmail.com> | 2018-05-01 09:53:46 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2018-05-01 09:53:46 +0200 |
| commit | ae45e61da06ba989fcbb856183d9578d4d4f51ed (patch) | |
| tree | 5c7dea17ce684c1cce57011ef487370c22d0e677 /dom/plugins/base | |
| parent | fefce8f7ccbc476cfc46e61b01eff069346d3c73 (diff) | |
| parent | cc4036a9cd56d504667c07fe215e61b22ab0e1f4 (diff) | |
| download | UXP-ae45e61da06ba989fcbb856183d9578d4d4f51ed.tar UXP-ae45e61da06ba989fcbb856183d9578d4d4f51ed.tar.gz UXP-ae45e61da06ba989fcbb856183d9578d4d4f51ed.tar.lz UXP-ae45e61da06ba989fcbb856183d9578d4d4f51ed.tar.xz UXP-ae45e61da06ba989fcbb856183d9578d4d4f51ed.zip | |
Merge pull request #311 from janekptacijarabaci/security_blocking_data_2
Use asyncOpen2() for docshell loads
Diffstat (limited to 'dom/plugins/base')
| -rw-r--r-- | dom/plugins/base/nsPluginInstanceOwner.cpp | 25 |
1 files changed, 14 insertions, 11 deletions
diff --git a/dom/plugins/base/nsPluginInstanceOwner.cpp b/dom/plugins/base/nsPluginInstanceOwner.cpp index 291ae576d..d5b1eb9ea 100644 --- a/dom/plugins/base/nsPluginInstanceOwner.cpp +++ b/dom/plugins/base/nsPluginInstanceOwner.cpp @@ -535,16 +535,6 @@ NS_IMETHODIMP nsPluginInstanceOwner::GetURL(const char *aURL, nsresult rv = NS_NewURI(getter_AddRefs(uri), aURL, baseURI); NS_ENSURE_SUCCESS(rv, NS_ERROR_FAILURE); - if (aDoCheckLoadURIChecks) { - nsCOMPtr<nsIScriptSecurityManager> secMan( - do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID, &rv)); - NS_ENSURE_TRUE(secMan, NS_ERROR_FAILURE); - - rv = secMan->CheckLoadURIWithPrincipal(content->NodePrincipal(), uri, - nsIScriptSecurityManager::STANDARD); - NS_ENSURE_SUCCESS(rv, rv); - } - nsCOMPtr<nsIInputStream> headersDataStream; if (aPostStream && aHeadersData) { if (!aHeadersDataLen) @@ -563,8 +553,21 @@ NS_IMETHODIMP nsPluginInstanceOwner::GetURL(const char *aURL, Preferences::GetInt("privacy.popups.disable_from_plugins"); nsAutoPopupStatePusher popupStatePusher((PopupControlState)blockPopups); + + // if security checks (in particular CheckLoadURIWithPrincipal) needs + // to be skipped we are creating a codebasePrincipal to make sure + // that security check succeeds. Please note that we do not want to + // fall back to using the systemPrincipal, because that would also + // bypass ContentPolicy checks which should still be enforced. + nsCOMPtr<nsIPrincipal> triggeringPrincipal; + if (!aDoCheckLoadURIChecks) { + mozilla::PrincipalOriginAttributes attrs = + BasePrincipal::Cast(content->NodePrincipal())->OriginAttributesRef(); + triggeringPrincipal = BasePrincipal::CreateCodebasePrincipal(uri, attrs); + } + rv = lh->OnLinkClick(content, uri, unitarget.get(), NullString(), - aPostStream, headersDataStream, true); + aPostStream, headersDataStream, true, triggeringPrincipal); return rv; } |