From cc4036a9cd56d504667c07fe215e61b22ab0e1f4 Mon Sep 17 00:00:00 2001
From: janekptacijarabaci <janekptacijarabaci@seznam.cz>
Date: Tue, 1 May 2018 00:22:01 +0200
Subject: Bug 1344706 - Do not reuse originPrincipal as triggeringPrincipal
 within utilityOverlay.js

---
 browser/base/content/browser.js        |  8 ++++++--
 browser/base/content/content.js        |  1 +
 browser/base/content/nsContextMenu.js  |  3 ++-
 browser/base/content/utilityOverlay.js | 23 +++++++++++++++--------
 browser/modules/ContentClick.jsm       |  1 +
 5 files changed, 25 insertions(+), 11 deletions(-)

(limited to 'browser')

diff --git a/browser/base/content/browser.js b/browser/base/content/browser.js
index 0349ce401..2380f5d21 100755
--- a/browser/base/content/browser.js
+++ b/browser/base/content/browser.js
@@ -1172,6 +1172,7 @@ var gBrowserInit = {
       //                 [5]: referrerPolicy (int)
       //                 [6]: userContextId (int)
       //                 [7]: originPrincipal (nsIPrincipal)
+      //                 [8]: triggeringPrincipal (nsIPrincipal)
       else if (window.arguments.length >= 3) {
         let referrerURI = window.arguments[2];
         if (typeof(referrerURI) == "string") {
@@ -1189,7 +1190,7 @@ var gBrowserInit = {
                 window.arguments[4] || false, referrerPolicy, userContextId,
                 // pass the origin principal (if any) and force its use to create
                 // an initial about:blank viewer if present:
-                window.arguments[7], !!window.arguments[7]);
+                window.arguments[7], !!window.arguments[7], window.arguments[8]);
         window.focus();
       }
       // Note: loadOneOrMoreURIs *must not* be called if window.arguments.length >= 3.
@@ -2075,7 +2076,8 @@ function BrowserTryToCloseWindow()
 }
 
 function loadURI(uri, referrer, postData, allowThirdPartyFixup, referrerPolicy,
-                 userContextId, originPrincipal, forceAboutBlankViewerInCurrent) {
+                 userContextId, originPrincipal, forceAboutBlankViewerInCurrent,
+                 triggeringPrincipal) {
   try {
     openLinkIn(uri, "current",
                { referrerURI: referrer,
@@ -2084,6 +2086,7 @@ function loadURI(uri, referrer, postData, allowThirdPartyFixup, referrerPolicy,
                  allowThirdPartyFixup: allowThirdPartyFixup,
                  userContextId: userContextId,
                  originPrincipal,
+                 triggeringPrincipal,
                  forceAboutBlankViewerInCurrent,
                });
   } catch (e) {}
@@ -5551,6 +5554,7 @@ function handleLinkClick(event, href, linkNode) {
     referrerPolicy: referrerPolicy,
     noReferrer: BrowserUtils.linkHasNoReferrer(linkNode),
     originPrincipal: doc.nodePrincipal,
+    triggeringPrincipal: doc.nodePrincipal,
   };
 
   // The new tab/window must use the same userContextId
diff --git a/browser/base/content/content.js b/browser/base/content/content.js
index 2298d29c7..46e9b45d6 100644
--- a/browser/base/content/content.js
+++ b/browser/base/content/content.js
@@ -522,6 +522,7 @@ var ClickEventHandler = {
         } catch (e) {}
       }
       json.originPrincipal = ownerDoc.nodePrincipal;
+      json.triggeringPrincipal = ownerDoc.nodePrincipal;
 
       sendAsyncMessage("Content:Click", json);
       return;
diff --git a/browser/base/content/nsContextMenu.js b/browser/base/content/nsContextMenu.js
index cd93a803c..955184f64 100644
--- a/browser/base/content/nsContextMenu.js
+++ b/browser/base/content/nsContextMenu.js
@@ -968,6 +968,7 @@ nsContextMenu.prototype = {
   _openLinkInParameters : function (extra) {
     let params = { charset: gContextMenuContentData.charSet,
                    originPrincipal: this.principal,
+                   triggeringPrincipal: this.principal,
                    referrerURI: gContextMenuContentData.documentURIObject,
                    referrerPolicy: gContextMenuContentData.referrerPolicy,
                    noReferrer: this.linkHasNoReferrer };
@@ -1152,7 +1153,7 @@ nsContextMenu.prototype = {
       this._canvasToBlobURL(this.target).then(function(blobURL) {
         openUILink(blobURL, e, { disallowInheritPrincipal: true,
                                  referrerURI: referrerURI,
-                                 originPrincipal: systemPrincipal});
+                                 triggeringPrincipal: systemPrincipal});
       }, Cu.reportError);
     }
     else {
diff --git a/browser/base/content/utilityOverlay.js b/browser/base/content/utilityOverlay.js
index 4b6f78bf3..b041915a7 100644
--- a/browser/base/content/utilityOverlay.js
+++ b/browser/base/content/utilityOverlay.js
@@ -225,6 +225,7 @@ function openLinkIn(url, where, params) {
   var aUserContextId        = params.userContextId;
   var aIndicateErrorPageLoad = params.indicateErrorPageLoad;
   var aPrincipal            = params.originPrincipal;
+  var aTriggeringPrincipal  = params.triggeringPrincipal;
   var aForceAboutBlankViewerInCurrent =
       params.forceAboutBlankViewerInCurrent;
 
@@ -264,13 +265,18 @@ function openLinkIn(url, where, params) {
   // Please note we do not have to do that for SystemPrincipals and we
   // can not do it for NullPrincipals since NullPrincipals are only
   // identical if they actually are the same object (See Bug: 1346759)
-  if (aPrincipal && aPrincipal.isCodebasePrincipal) {
-    let attrs = {
-      userContextId: aUserContextId,
-      privateBrowsingId: aIsPrivate || (w && PrivateBrowsingUtils.isWindowPrivate(w)),
-    };
-    aPrincipal = Services.scriptSecurityManager.createCodebasePrincipal(aPrincipal.URI, attrs);
+  function useOAForPrincipal(principal) {
+    if (principal && principal.isCodebasePrincipal) {
+      let attrs = {
+        userContextId: aUserContextId,
+        privateBrowsingId: aIsPrivate || (w && PrivateBrowsingUtils.isWindowPrivate(w)),
+      };
+      return Services.scriptSecurityManager.createCodebasePrincipal(principal.URI, attrs);
+    }
+    return principal;
   }
+  aPrincipal = useOAForPrincipal(aPrincipal);
+  aTriggeringPrincipal = useOAForPrincipal(aTriggeringPrincipal);
 
   if (!w || where == "window") {
     // Strip referrer data when opening a new private window, to prevent
@@ -321,6 +327,7 @@ function openLinkIn(url, where, params) {
     sa.appendElement(referrerPolicySupports, /* weak =*/ false);
     sa.appendElement(userContextIdSupports, /* weak =*/ false);
     sa.appendElement(aPrincipal, /* weak =*/ false);
+    sa.appendElement(aTriggeringPrincipal, /* weak =*/ false);
 
     let features = "chrome,dialog=no,all";
     if (aIsPrivate) {
@@ -407,7 +414,7 @@ function openLinkIn(url, where, params) {
     }
 
     aCurrentBrowser.loadURIWithFlags(url, {
-      triggeringPrincipal: aPrincipal,
+      triggeringPrincipal: aTriggeringPrincipal,
       flags: flags,
       referrerURI: aNoReferrer ? null : aReferrerURI,
       referrerPolicy: aReferrerPolicy,
@@ -433,7 +440,7 @@ function openLinkIn(url, where, params) {
       noReferrer: aNoReferrer,
       userContextId: aUserContextId,
       originPrincipal: aPrincipal,
-      triggeringPrincipal: aPrincipal,
+      triggeringPrincipal: aTriggeringPrincipal,
     });
     browserUsedForLoad = tabUsedForLoad.linkedBrowser;
     break;
diff --git a/browser/modules/ContentClick.jsm b/browser/modules/ContentClick.jsm
index 8abc32525..40101d5d3 100644
--- a/browser/modules/ContentClick.jsm
+++ b/browser/modules/ContentClick.jsm
@@ -85,6 +85,7 @@ var ContentClick = {
       allowMixedContent: json.allowMixedContent,
       isContentWindowPrivate: json.isContentWindowPrivate,
       originPrincipal: json.originPrincipal,
+      triggeringPrincipal: json.triggeringPrincipal,
     };
 
     // The new tab/window must use the same userContextId.
-- 
cgit v1.2.3