Bug 622088 - Make XHRs' referrers reflect changes to document's URI from history.push/replaceState. r=sicking, a=bz

2024-09-13 09:24:08 -07:00 · 2011-01-30 13:46:34 -08:00 · 2011-01-30 13:46:34 -08:00 · 099591cc66
commit 099591cc66
parent 89c81d0188
5 changed files with 179 additions and 3 deletions
--- a/content/base/src/nsXMLHttpRequest.cpp
+++ b/content/base/src/nsXMLHttpRequest.cpp
@ -2395,10 +2395,45 @@ nsXMLHttpRequest::Send(nsIVariant *aBody)
    httpChannel->GetRequestMethod(method); // If GET, method name will be uppercase

    if (!nsContentUtils::IsSystemPrincipal(mPrincipal)) {
-      nsCOMPtr<nsIURI> codebase;
-      mPrincipal->GetURI(getter_AddRefs(codebase));
+      // Get the referrer for the request.
+      //
+      // If it weren't for history.push/replaceState, we could just use the
+      // principal's URI here.  But since we want changes to the URI effected
+      // by push/replaceState to be reflected in the XHR referrer, we have to
+      // be more clever.
+      //
+      // If the document's original URI (before any push/replaceStates) matches
+      // our principal, then we use the document's current URI (after
+      // push/replaceStates).  Otherwise (if the document is, say, a data:
+      // URI), we just use the principal's URI.

-      httpChannel->SetReferrer(codebase);
+      nsCOMPtr<nsIURI> principalURI;
+      mPrincipal->GetURI(getter_AddRefs(principalURI));
+
+      nsCOMPtr<nsIDocument> doc =
+        nsContentUtils::GetDocumentFromScriptContext(mScriptContext);
+
+      nsCOMPtr<nsIURI> docCurURI;
+      nsCOMPtr<nsIURI> docOrigURI;
+      if (doc) {
+        docCurURI = doc->GetDocumentURI();
+        docOrigURI = doc->GetOriginalURI();
+      }
+
+      nsCOMPtr<nsIURI> referrerURI;
+
+      if (principalURI && docCurURI && docOrigURI) {
+        PRBool equal = PR_FALSE;
+        principalURI->Equals(docOrigURI, &equal);
+        if (equal) {
+          referrerURI = docCurURI;
+        }
+      }
+
+      if (!referrerURI)
+        referrerURI = principalURI;
+
+      httpChannel->SetReferrer(referrerURI);
    }

    // Some extensions override the http protocol handler and provide their own
--- a/content/base/test/Makefile.in
+++ b/content/base/test/Makefile.in
@ -422,6 +422,9 @@ _TEST_FILES2 = \
 		file_x-frame-options_main.html \
 		file_x-frame-options_page.sjs \
 		test_createHTMLDocument.html \
+		test_bug622088.html \
+		file_bug622088_inner.html \
+		file_bug622088.sjs \
 		test_bug564047.html \
 		test_bug567350.html \
 		test_bug574596.html \
--- a/content/base/test/file_bug622088.sjs
+++ b/content/base/test/file_bug622088.sjs
@ -0,0 +1,6 @@
+function handleRequest(request, response)
+{
+  // Echos the referrer back to the requester.
+  response.setHeader('Content-Type', 'text/plain', false);
+  response.write(request.getHeader('Referer'));
+}
--- a/content/base/test/file_bug622088_inner.html
+++ b/content/base/test/file_bug622088_inner.html
@ -0,0 +1,38 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+<script>
+function load() {
+  (window.opener || window.parent).innerLoaded(window);
+}
+
+function doXHR(req) {
+  // Do a sync XHR and return the XHR's referrer.
+  if (!req) {
+    req = new XMLHttpRequest();
+  }
+
+  // file_bug622088.sjs echos its referrer back to us.  We need to refer to it
+  // using an absolute URI because we sometimes pass in |req| from a window
+  // which has a data: URI.  In that case, a relative path would not get
+  // resolved properly!
+  //
+  // Resolve our relative URI to an absolute one by creating an anchor element
+  // and reading its href property.
+  var anchor = document.createElement('a');
+  anchor.href = 'file_bug622088.sjs';
+
+  dump('anchor.href=' + anchor.href + '\n');
+
+  req.open('GET', anchor.href, false);
+  req.send(null);
+  return req.responseText;
+}
+</script>
+</head>
+
+<body onload='load()'>
+<!--Inner frame target for test_bug622088_2.html. -->
+</body>
+
+</html>
--- a/content/base/test/test_bug622088.html
+++ b/content/base/test/test_bug622088.html
@ -0,0 +1,94 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug 622088 - Test that XHR gives the referrer corresponding to the dynamic script context.</title>
+  <script type="text/javascript" src="/MochiKit/packed.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=622088">Mozilla Bug 622088</a>
+<pre id="test">
+
+<iframe id='iframe' src='file_bug622088_inner.html'></iframe>
+
+<iframe id='dataWindow' src="data:text/html,<html><head>
+<script>function getXHRObject() { return new XMLHttpRequest(); }</script>
+</head><body onload='parent.dataWindowLoaded()'>Hello!!</body></html>"></iframe>
+
+<script class="testbody" type="application/javascript;version=1.8">
+
+// Bug 622088 - Test that XHR gives the referrer corresponding to the
+// dynamic script context.
+
+SimpleTest.waitForExplicitFinish();
+
+var innerFinishedLoading = false;
+function innerLoaded(inner) {
+  // Here, we're being called through inner's onload handler, so our referrer
+  // should be inner's URL.
+  var referrer = inner.doXHR();
+  is (referrer, inner.document.location, 'Expected inner frame location');
+
+  // Now change the location of the inner frame.  This should be reflected in
+  // the XHR's referrer.
+  inner.history.pushState('', '', Math.random());
+  referrer = inner.doXHR();
+  is (referrer, inner.document.location, 'Expected inner frame location after pushstate');
+
+  innerFinishedLoading = true;
+}
+
+var dataWindowFinishedLoading = false;
+function dataWindowLoaded() {
+  dataWindowFinishedLoading = true;
+}
+
+function callXHR() {
+  if (innerFinishedLoading && dataWindowFinishedLoading) {
+    var inner = document.getElementById('iframe').contentWindow;
+    var referrer = inner.doXHR();
+    is (referrer, inner.document.location,
+        'Expected inner frame location when called from outer frame.');
+
+    var referrer = inner.doXHR(new XMLHttpRequest());
+    is (referrer, document.location,
+        "Expected outer frame location when called with outer's XHR object.");
+
+    // Now do a request within the inner window using an XMLHttpRequest
+    // retrieved from a data: URI.  The referrer should be this window, not the
+    // data: URI.
+    var dataWindow = document.getElementById('dataWindow').contentWindow;
+    var referrer = inner.doXHR(dataWindow.getXHRObject());
+    is (referrer, document.location,
+        "Expected outer frame location when called with data's XHR object.");
+
+    // Now do that test again, but after having changed the outer window's URI.
+    // This currently fails, due to basically bug 631949.  It's not even clear
+    // what the right behavior is.  So marking as a todo for now.
+    history.replaceState('', '', Math.random());
+
+    var referrer = inner.doXHR(dataWindow.getXHRObject());
+    todo_is (referrer, document.location,
+             "Expected outer frame location when called with data's XHR object " +
+             "after replaceState.");
+
+    // In case you're temped, you probably don't want to do history.pushState
+    // here and test again with the outer frame.  Calling pushState on the
+    // outer frame messes up Mochitest in subtle ways.
+
+    SimpleTest.finish();
+  }
+  else {
+    // ugh.
+    setTimeout(callXHR, 0);
+  }
+}
+
+callXHR();
+
+</script>
+</pre>
+</body>
+</html>