mirror of
https://gitlab.winehq.org/wine/wine-gecko.git
synced 2024-09-13 09:24:08 -07:00
Bug 997987 - Remove usage of nsIScriptSecurityManager::GetSubjectPrincipal. r=Ms2ger
This commit is contained in:
Bobby Holley
parent
fb9b110bf9
commit
0a5fb33d0a
@ -340,26 +340,10 @@ NS_IMPL_ISUPPORTS(nsScriptSecurityManager,
|
||||
bool
|
||||
nsScriptSecurityManager::ContentSecurityPolicyPermitsJSAction(JSContext *cx)
|
||||
{
|
||||
// Get the security manager
|
||||
nsScriptSecurityManager *ssm =
|
||||
nsScriptSecurityManager::GetScriptSecurityManager();
|
||||
|
||||
NS_ASSERTION(ssm, "Failed to get security manager service");
|
||||
if (!ssm)
|
||||
return false;
|
||||
|
||||
nsresult rv;
|
||||
nsIPrincipal* subjectPrincipal = ssm->GetSubjectPrincipal(cx, &rv);
|
||||
|
||||
NS_ASSERTION(NS_SUCCEEDED(rv), "CSP: Failed to get nsIPrincipal from js context");
|
||||
if (NS_FAILED(rv))
|
||||
return false; // Not just absence of principal, but failure.
|
||||
|
||||
if (!subjectPrincipal)
|
||||
return true;
|
||||
|
||||
MOZ_ASSERT(cx == nsContentUtils::GetCurrentJSContext());
|
||||
nsCOMPtr<nsIPrincipal> subjectPrincipal = nsContentUtils::GetSubjectPrincipal();
|
||||
nsCOMPtr<nsIContentSecurityPolicy> csp;
|
||||
rv = subjectPrincipal->GetCsp(getter_AddRefs(csp));
|
||||
nsresult rv = subjectPrincipal->GetCsp(getter_AddRefs(csp));
|
||||
NS_ASSERTION(NS_SUCCEEDED(rv), "CSP: Failed to get CSP from principal.");
|
||||
|
||||
// don't do anything unless there's a CSP
|
||||
@ -410,27 +394,10 @@ NS_IMETHODIMP
|
||||
nsScriptSecurityManager::CheckSameOrigin(JSContext* cx,
|
||||
nsIURI* aTargetURI)
|
||||
{
|
||||
nsresult rv;
|
||||
|
||||
// Get a context if necessary
|
||||
if (!cx)
|
||||
{
|
||||
cx = GetCurrentJSContext();
|
||||
if (!cx)
|
||||
return NS_OK; // No JS context, so allow access
|
||||
}
|
||||
MOZ_ASSERT_IF(cx, cx == nsContentUtils::GetCurrentJSContext());
|
||||
|
||||
// Get a principal from the context
|
||||
nsIPrincipal* sourcePrincipal = GetSubjectPrincipal(cx, &rv);
|
||||
if (NS_FAILED(rv))
|
||||
return rv;
|
||||
|
||||
if (!sourcePrincipal)
|
||||
{
|
||||
NS_WARNING("CheckSameOrigin called on script w/o principals; should this happen?");
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
nsIPrincipal* sourcePrincipal = nsContentUtils::GetSubjectPrincipal();
|
||||
if (sourcePrincipal == mSystemPrincipal)
|
||||
{
|
||||
// This is a system (chrome) script, so allow access
|
||||
@ -506,17 +473,10 @@ NS_IMETHODIMP
|
||||
nsScriptSecurityManager::CheckLoadURIFromScript(JSContext *cx, nsIURI *aURI)
|
||||
{
|
||||
// Get principal of currently executing script.
|
||||
nsresult rv;
|
||||
nsIPrincipal* principal = GetSubjectPrincipal(cx, &rv);
|
||||
if (NS_FAILED(rv))
|
||||
return rv;
|
||||
|
||||
// Native code can load all URIs.
|
||||
if (!principal)
|
||||
return NS_OK;
|
||||
|
||||
rv = CheckLoadURIWithPrincipal(principal, aURI,
|
||||
nsIScriptSecurityManager::STANDARD);
|
||||
MOZ_ASSERT(cx == nsContentUtils::GetCurrentJSContext());
|
||||
nsIPrincipal* principal = nsContentUtils::GetSubjectPrincipal();
|
||||
nsresult rv = CheckLoadURIWithPrincipal(principal, aURI,
|
||||
nsIScriptSecurityManager::STANDARD);
|
||||
if (NS_SUCCEEDED(rv)) {
|
||||
// OK to load
|
||||
return NS_OK;
|
||||
@ -965,19 +925,7 @@ nsScriptSecurityManager::SubjectPrincipalIsSystem(bool* aIsSystem)
|
||||
if (!mSystemPrincipal)
|
||||
return NS_OK;
|
||||
|
||||
nsCOMPtr<nsIPrincipal> subject;
|
||||
nsresult rv = GetSubjectPrincipal(getter_AddRefs(subject));
|
||||
if (NS_FAILED(rv))
|
||||
return rv;
|
||||
|
||||
if(!subject)
|
||||
{
|
||||
// No subject principal means no JS is running;
|
||||
// this is the equivalent of system principal code
|
||||
*aIsSystem = true;
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
nsCOMPtr<nsIPrincipal> subject = nsContentUtils::GetSubjectPrincipal();
|
||||
return mSystemPrincipal->Equals(subject, aIsSystem);
|
||||
}
|
||||
|
||||
@ -1144,11 +1092,8 @@ nsScriptSecurityManager::CanCreateWrapper(JSContext *cx,
|
||||
//-- Access denied, report an error
|
||||
NS_ConvertUTF8toUTF16 strName("CreateWrapperDenied");
|
||||
nsAutoCString origin;
|
||||
nsresult rv2;
|
||||
nsIPrincipal* subjectPrincipal = doGetSubjectPrincipal(&rv2);
|
||||
if (NS_SUCCEEDED(rv2) && subjectPrincipal) {
|
||||
GetPrincipalDomainOrigin(subjectPrincipal, origin);
|
||||
}
|
||||
nsIPrincipal* subjectPrincipal = nsContentUtils::GetSubjectPrincipal();
|
||||
GetPrincipalDomainOrigin(subjectPrincipal, origin);
|
||||
NS_ConvertUTF8toUTF16 originUnicode(origin);
|
||||
NS_ConvertUTF8toUTF16 classInfoName(objClassInfo.GetName());
|
||||
const char16_t* formatStrings[] = {
|
||||
@ -1162,14 +1107,11 @@ nsScriptSecurityManager::CanCreateWrapper(JSContext *cx,
|
||||
strName.AppendLiteral("ForOrigin");
|
||||
}
|
||||
nsXPIDLString errorMsg;
|
||||
// We need to keep our existing failure rv and not override it
|
||||
// with a likely success code from the following string bundle
|
||||
// call in order to throw the correct security exception later.
|
||||
rv2 = sStrBundle->FormatStringFromName(strName.get(),
|
||||
formatStrings,
|
||||
length,
|
||||
getter_Copies(errorMsg));
|
||||
NS_ENSURE_SUCCESS(rv2, rv2);
|
||||
nsresult rv = sStrBundle->FormatStringFromName(strName.get(),
|
||||
formatStrings,
|
||||
length,
|
||||
getter_Copies(errorMsg));
|
||||
NS_ENSURE_SUCCESS(rv, rv);
|
||||
|
||||
SetPendingException(cx, errorMsg.get());
|
||||
return NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED;
|
||||
|
||||
@ -386,29 +386,10 @@ DOMParser::Constructor(const GlobalObject& aOwner,
|
||||
DOMParser::Constructor(const GlobalObject& aOwner,
|
||||
ErrorResult& rv)
|
||||
{
|
||||
nsCOMPtr<nsIPrincipal> prin;
|
||||
nsCOMPtr<nsIURI> documentURI;
|
||||
nsCOMPtr<nsIURI> baseURI;
|
||||
// No arguments; use the subject principal
|
||||
nsIScriptSecurityManager* secMan = nsContentUtils::GetSecurityManager();
|
||||
if (!secMan) {
|
||||
rv.Throw(NS_ERROR_UNEXPECTED);
|
||||
return nullptr;
|
||||
}
|
||||
|
||||
rv = secMan->GetSubjectPrincipal(getter_AddRefs(prin));
|
||||
if (rv.Failed()) {
|
||||
return nullptr;
|
||||
}
|
||||
|
||||
// We're called from JS; there better be a subject principal, really.
|
||||
if (!prin) {
|
||||
rv.Throw(NS_ERROR_UNEXPECTED);
|
||||
return nullptr;
|
||||
}
|
||||
|
||||
nsRefPtr<DOMParser> domParser = new DOMParser(aOwner.GetAsSupports());
|
||||
rv = domParser->InitInternal(aOwner.GetAsSupports(), prin, documentURI, baseURI);
|
||||
rv = domParser->InitInternal(aOwner.GetAsSupports(),
|
||||
nsContentUtils::GetSubjectPrincipal(),
|
||||
nullptr, nullptr);
|
||||
if (rv.Failed()) {
|
||||
return nullptr;
|
||||
}
|
||||
@ -464,24 +445,8 @@ DOMParser::Init(nsIPrincipal* aPrincipal, nsIURI* aDocumentURI,
|
||||
nsIScriptContext* scriptContext = GetScriptContextFromJSContext(cx);
|
||||
|
||||
nsCOMPtr<nsIPrincipal> principal = aPrincipal;
|
||||
|
||||
if (!principal && !aDocumentURI) {
|
||||
nsIScriptSecurityManager* secMan = nsContentUtils::GetSecurityManager();
|
||||
if (!secMan) {
|
||||
rv.Throw(NS_ERROR_UNEXPECTED);
|
||||
return;
|
||||
}
|
||||
|
||||
rv = secMan->GetSubjectPrincipal(getter_AddRefs(principal));
|
||||
if (rv.Failed()) {
|
||||
return;
|
||||
}
|
||||
|
||||
// We're called from JS; there better be a subject principal, really.
|
||||
if (!principal) {
|
||||
rv.Throw(NS_ERROR_UNEXPECTED);
|
||||
return;
|
||||
}
|
||||
principal = nsContentUtils::GetSubjectPrincipal();
|
||||
}
|
||||
|
||||
rv = Init(principal, aDocumentURI, aBaseURI,
|
||||
|
||||
@ -1578,45 +1578,19 @@ nsContentUtils::CanCallerAccess(nsIDOMNode *aNode)
|
||||
bool
|
||||
nsContentUtils::CanCallerAccess(nsINode* aNode)
|
||||
{
|
||||
// XXXbz why not check the IsCapabilityEnabled thing up front, and not bother
|
||||
// with the system principal games? But really, there should be a simpler
|
||||
// API here, dammit.
|
||||
nsCOMPtr<nsIPrincipal> subjectPrincipal;
|
||||
nsresult rv = sSecurityManager->GetSubjectPrincipal(getter_AddRefs(subjectPrincipal));
|
||||
NS_ENSURE_SUCCESS(rv, false);
|
||||
|
||||
if (!subjectPrincipal) {
|
||||
// we're running as system, grant access to the node.
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
return CanCallerAccess(subjectPrincipal, aNode->NodePrincipal());
|
||||
return CanCallerAccess(GetSubjectPrincipal(), aNode->NodePrincipal());
|
||||
}
|
||||
|
||||
// static
|
||||
bool
|
||||
nsContentUtils::CanCallerAccess(nsPIDOMWindow* aWindow)
|
||||
{
|
||||
// XXXbz why not check the IsCapabilityEnabled thing up front, and not bother
|
||||
// with the system principal games? But really, there should be a simpler
|
||||
// API here, dammit.
|
||||
nsCOMPtr<nsIPrincipal> subjectPrincipal;
|
||||
nsresult rv = sSecurityManager->GetSubjectPrincipal(getter_AddRefs(subjectPrincipal));
|
||||
NS_ENSURE_SUCCESS(rv, false);
|
||||
|
||||
if (!subjectPrincipal) {
|
||||
// we're running as system, grant access to the node.
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
nsCOMPtr<nsIScriptObjectPrincipal> scriptObject =
|
||||
do_QueryInterface(aWindow->IsOuterWindow() ?
|
||||
aWindow->GetCurrentInnerWindow() : aWindow);
|
||||
NS_ENSURE_TRUE(scriptObject, false);
|
||||
|
||||
return CanCallerAccess(subjectPrincipal, scriptObject->GetPrincipal());
|
||||
return CanCallerAccess(GetSubjectPrincipal(), scriptObject->GetPrincipal());
|
||||
}
|
||||
|
||||
//static
|
||||
|
||||
@ -6335,23 +6335,13 @@ nsIDocument::LoadBindingDocument(const nsAString& aURI, ErrorResult& rv)
|
||||
return;
|
||||
}
|
||||
|
||||
// Figure out the right principal to use
|
||||
nsCOMPtr<nsIPrincipal> subject;
|
||||
nsIScriptSecurityManager* secMan = nsContentUtils::GetSecurityManager();
|
||||
if (secMan) {
|
||||
rv = secMan->GetSubjectPrincipal(getter_AddRefs(subject));
|
||||
if (rv.Failed()) {
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
if (!subject) {
|
||||
// Fall back to our principal. Or should we fall back to the null
|
||||
// principal? The latter would just mean no binding loads....
|
||||
subject = NodePrincipal();
|
||||
}
|
||||
|
||||
BindingManager()->LoadBindingDocument(this, uri, subject);
|
||||
// Note - This computation of subjectPrincipal isn't necessarily sensical.
|
||||
// It's just designed to preserve the old semantics during a mass-conversion
|
||||
// patch.
|
||||
nsCOMPtr<nsIPrincipal> subjectPrincipal =
|
||||
nsContentUtils::GetCurrentJSContext() ? nsContentUtils::GetSubjectPrincipal()
|
||||
: NodePrincipal();
|
||||
BindingManager()->LoadBindingDocument(this, uri, subjectPrincipal);
|
||||
}
|
||||
|
||||
NS_IMETHODIMP
|
||||
|
||||
@ -2849,27 +2849,10 @@ nsHTMLDocument::SetDesignMode(const nsAString & aDesignMode)
|
||||
void
|
||||
nsHTMLDocument::SetDesignMode(const nsAString& aDesignMode, ErrorResult& rv)
|
||||
{
|
||||
if (!nsContentUtils::IsCallerChrome()) {
|
||||
nsCOMPtr<nsIPrincipal> subject;
|
||||
nsIScriptSecurityManager *secMan = nsContentUtils::GetSecurityManager();
|
||||
rv = secMan->GetSubjectPrincipal(getter_AddRefs(subject));
|
||||
if (rv.Failed()) {
|
||||
return;
|
||||
}
|
||||
if (subject) {
|
||||
bool subsumes;
|
||||
rv = subject->Subsumes(NodePrincipal(), &subsumes);
|
||||
if (rv.Failed()) {
|
||||
return;
|
||||
}
|
||||
|
||||
if (!subsumes) {
|
||||
rv.Throw(NS_ERROR_DOM_PROP_ACCESS_DENIED);
|
||||
return;
|
||||
}
|
||||
}
|
||||
if (!nsContentUtils::GetSubjectPrincipal()->Subsumes(NodePrincipal())) {
|
||||
rv.Throw(NS_ERROR_DOM_PROP_ACCESS_DENIED);
|
||||
return;
|
||||
}
|
||||
|
||||
bool editableMode = HasFlag(NODE_IS_EDITABLE);
|
||||
if (aDesignMode.LowerCaseEqualsASCII(editableMode ? "off" : "on")) {
|
||||
SetEditableFlag(!editableMode);
|
||||
|
||||
@ -8645,7 +8645,7 @@ nsDocShell::CheckLoadingPermissions()
|
||||
// frames in the new window through window.frames[] (which is
|
||||
// allAccess for historic reasons), so we still need to do this
|
||||
// check on load.
|
||||
nsresult rv = NS_OK, sameOrigin = NS_OK;
|
||||
nsresult rv = NS_OK;
|
||||
|
||||
if (!gValidateOrigin || !IsFrame()) {
|
||||
// Origin validation was turned off, or we're not a frame.
|
||||
@ -8654,16 +8654,10 @@ nsDocShell::CheckLoadingPermissions()
|
||||
return rv;
|
||||
}
|
||||
|
||||
nsCOMPtr<nsIScriptSecurityManager> securityManager =
|
||||
do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID, &rv);
|
||||
NS_ENSURE_SUCCESS(rv, rv);
|
||||
|
||||
// We're a frame. Check that the caller has write permission to
|
||||
// the parent before allowing it to load anything into this
|
||||
// docshell.
|
||||
nsCOMPtr<nsIPrincipal> subjPrincipal;
|
||||
rv = securityManager->GetSubjectPrincipal(getter_AddRefs(subjPrincipal));
|
||||
NS_ENSURE_TRUE(NS_SUCCEEDED(rv) && subjPrincipal, rv);
|
||||
// Note - The check for a current JSContext here isn't necessarily sensical.
|
||||
// It's just designed to preserve the old semantics during a mass-conversion
|
||||
// patch.
|
||||
NS_ENSURE_TRUE(nsContentUtils::GetCurrentJSContext(), NS_OK);
|
||||
|
||||
// Check if the caller is from the same origin as this docshell,
|
||||
// or any of its ancestors.
|
||||
@ -8677,17 +8671,9 @@ nsDocShell::CheckLoadingPermissions()
|
||||
return NS_ERROR_UNEXPECTED;
|
||||
}
|
||||
|
||||
// Compare origins
|
||||
bool subsumes;
|
||||
sameOrigin = subjPrincipal->Subsumes(p, &subsumes);
|
||||
if (NS_SUCCEEDED(sameOrigin)) {
|
||||
if (subsumes) {
|
||||
// Same origin, permit load
|
||||
|
||||
return sameOrigin;
|
||||
}
|
||||
|
||||
sameOrigin = NS_ERROR_DOM_PROP_ACCESS_DENIED;
|
||||
if (nsContentUtils::GetSubjectPrincipal()->Subsumes(p)) {
|
||||
// Same origin, permit load
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
nsCOMPtr<nsIDocShellTreeItem> tmp;
|
||||
@ -8695,7 +8681,7 @@ nsDocShell::CheckLoadingPermissions()
|
||||
item.swap(tmp);
|
||||
} while (item);
|
||||
|
||||
return sameOrigin;
|
||||
return NS_ERROR_DOM_PROP_ACCESS_DENIED;
|
||||
}
|
||||
|
||||
//*****************************************************************************
|
||||
|
||||
@ -2014,9 +2014,6 @@ nsGlobalWindow::SetInitialPrincipalToSubject()
|
||||
|
||||
// First, grab the subject principal.
|
||||
nsCOMPtr<nsIPrincipal> newWindowPrincipal = nsContentUtils::GetSubjectPrincipal();
|
||||
if (!newWindowPrincipal) {
|
||||
newWindowPrincipal = nsContentUtils::GetSystemPrincipal();
|
||||
}
|
||||
|
||||
// Now, if we're about to use the system principal or an nsExpandedPrincipal,
|
||||
// make sure we're not using it for a content docshell.
|
||||
@ -6055,53 +6052,42 @@ nsGlobalWindow::MakeScriptDialogTitle(nsAString &aOutTitle)
|
||||
// Try to get a host from the running principal -- this will do the
|
||||
// right thing for javascript: and data: documents.
|
||||
|
||||
nsresult rv = NS_OK;
|
||||
NS_ASSERTION(nsContentUtils::GetSecurityManager(),
|
||||
"Global Window has no security manager!");
|
||||
if (nsContentUtils::GetSecurityManager()) {
|
||||
nsCOMPtr<nsIPrincipal> principal;
|
||||
rv = nsContentUtils::GetSecurityManager()->
|
||||
GetSubjectPrincipal(getter_AddRefs(principal));
|
||||
nsCOMPtr<nsIPrincipal> principal = nsContentUtils::GetSubjectPrincipal();
|
||||
nsCOMPtr<nsIURI> uri;
|
||||
nsresult rv = principal->GetURI(getter_AddRefs(uri));
|
||||
// Note - The check for the current JSContext here isn't necessarily sensical.
|
||||
// It's just designed to preserve existing behavior during a mass-conversion
|
||||
// patch.
|
||||
if (NS_SUCCEEDED(rv) && uri && nsContentUtils::GetCurrentJSContext()) {
|
||||
// remove user:pass for privacy and spoof prevention
|
||||
|
||||
if (NS_SUCCEEDED(rv) && principal) {
|
||||
nsCOMPtr<nsIURI> uri;
|
||||
rv = principal->GetURI(getter_AddRefs(uri));
|
||||
nsCOMPtr<nsIURIFixup> fixup(do_GetService(NS_URIFIXUP_CONTRACTID));
|
||||
if (fixup) {
|
||||
nsCOMPtr<nsIURI> fixedURI;
|
||||
rv = fixup->CreateExposableURI(uri, getter_AddRefs(fixedURI));
|
||||
if (NS_SUCCEEDED(rv) && fixedURI) {
|
||||
nsAutoCString host;
|
||||
fixedURI->GetHost(host);
|
||||
|
||||
if (NS_SUCCEEDED(rv) && uri) {
|
||||
// remove user:pass for privacy and spoof prevention
|
||||
if (!host.IsEmpty()) {
|
||||
// if this URI has a host we'll show it. For other
|
||||
// schemes (e.g. file:) we fall back to the localized
|
||||
// generic string
|
||||
|
||||
nsCOMPtr<nsIURIFixup> fixup(do_GetService(NS_URIFIXUP_CONTRACTID));
|
||||
if (fixup) {
|
||||
nsCOMPtr<nsIURI> fixedURI;
|
||||
rv = fixup->CreateExposableURI(uri, getter_AddRefs(fixedURI));
|
||||
if (NS_SUCCEEDED(rv) && fixedURI) {
|
||||
nsAutoCString host;
|
||||
fixedURI->GetHost(host);
|
||||
nsAutoCString prepath;
|
||||
fixedURI->GetPrePath(prepath);
|
||||
|
||||
if (!host.IsEmpty()) {
|
||||
// if this URI has a host we'll show it. For other
|
||||
// schemes (e.g. file:) we fall back to the localized
|
||||
// generic string
|
||||
|
||||
nsAutoCString prepath;
|
||||
fixedURI->GetPrePath(prepath);
|
||||
|
||||
NS_ConvertUTF8toUTF16 ucsPrePath(prepath);
|
||||
const char16_t *formatStrings[] = { ucsPrePath.get() };
|
||||
nsXPIDLString tempString;
|
||||
nsContentUtils::FormatLocalizedString(nsContentUtils::eCOMMON_DIALOG_PROPERTIES,
|
||||
"ScriptDlgHeading",
|
||||
formatStrings,
|
||||
tempString);
|
||||
aOutTitle = tempString;
|
||||
}
|
||||
}
|
||||
NS_ConvertUTF8toUTF16 ucsPrePath(prepath);
|
||||
const char16_t *formatStrings[] = { ucsPrePath.get() };
|
||||
nsXPIDLString tempString;
|
||||
nsContentUtils::FormatLocalizedString(nsContentUtils::eCOMMON_DIALOG_PROPERTIES,
|
||||
"ScriptDlgHeading",
|
||||
formatStrings,
|
||||
tempString);
|
||||
aOutTitle = tempString;
|
||||
}
|
||||
}
|
||||
}
|
||||
else { // failed to get subject principal
|
||||
NS_WARNING("No script principal? Who is calling alert/confirm/prompt?!");
|
||||
}
|
||||
}
|
||||
|
||||
if (aOutTitle.IsEmpty()) {
|
||||
@ -11693,28 +11679,14 @@ nsGlobalWindow::SetTimeoutOrInterval(nsIScriptTimeoutHandler *aHandler,
|
||||
// If our principals subsume the subject principal then use the subject
|
||||
// principal. Otherwise, use our principal to avoid running script in
|
||||
// elevated principals.
|
||||
|
||||
nsCOMPtr<nsIPrincipal> subjectPrincipal;
|
||||
nsresult rv;
|
||||
rv = nsContentUtils::GetSecurityManager()->
|
||||
GetSubjectPrincipal(getter_AddRefs(subjectPrincipal));
|
||||
if (NS_FAILED(rv)) {
|
||||
return NS_ERROR_FAILURE;
|
||||
}
|
||||
|
||||
bool subsumes = false;
|
||||
nsCOMPtr<nsIPrincipal> ourPrincipal = GetPrincipal();
|
||||
|
||||
//
|
||||
// Note the direction of this test: We don't allow setTimeouts running with
|
||||
// chrome privileges on content windows, but we do allow setTimeouts running
|
||||
// with content privileges on chrome windows (where they can't do very much,
|
||||
// of course).
|
||||
rv = ourPrincipal->Subsumes(subjectPrincipal, &subsumes);
|
||||
if (NS_FAILED(rv)) {
|
||||
return NS_ERROR_FAILURE;
|
||||
}
|
||||
|
||||
if (subsumes) {
|
||||
nsCOMPtr<nsIPrincipal> subjectPrincipal = nsContentUtils::GetSubjectPrincipal();
|
||||
nsCOMPtr<nsIPrincipal> ourPrincipal = GetPrincipal();
|
||||
if (ourPrincipal->Subsumes(subjectPrincipal)) {
|
||||
timeout->mPrincipal = subjectPrincipal;
|
||||
} else {
|
||||
timeout->mPrincipal = ourPrincipal;
|
||||
@ -11730,6 +11702,7 @@ nsGlobalWindow::SetTimeoutOrInterval(nsIScriptTimeoutHandler *aHandler,
|
||||
|
||||
timeout->mWhen = TimeStamp::Now() + delta;
|
||||
|
||||
nsresult rv;
|
||||
timeout->mTimer = do_CreateInstance("@mozilla.org/timer;1", &rv);
|
||||
if (NS_FAILED(rv)) {
|
||||
return rv;
|
||||
|
||||
@ -594,9 +594,7 @@ DataTransfer::MozGetDataAt(const nsAString& aFormat, uint32_t aIndex,
|
||||
(mEventType != NS_DRAGDROP_DROP && mEventType != NS_DRAGDROP_DRAGDROP &&
|
||||
mEventType != NS_PASTE &&
|
||||
!nsContentUtils::IsCallerChrome())) {
|
||||
nsresult rv = NS_OK;
|
||||
principal = GetCurrentPrincipal(&rv);
|
||||
NS_ENSURE_SUCCESS(rv, rv);
|
||||
principal = nsContentUtils::GetSubjectPrincipal();
|
||||
}
|
||||
|
||||
uint32_t count = item.Length();
|
||||
@ -625,9 +623,9 @@ DataTransfer::MozGetDataAt(const nsAString& aFormat, uint32_t aIndex,
|
||||
MOZ_ASSERT(sp, "This cannot fail on the main thread.");
|
||||
nsIPrincipal* dataPrincipal = sp->GetPrincipal();
|
||||
NS_ENSURE_TRUE(dataPrincipal, NS_ERROR_DOM_SECURITY_ERR);
|
||||
NS_ENSURE_TRUE(principal || (principal = GetCurrentPrincipal(&rv)),
|
||||
NS_ERROR_DOM_SECURITY_ERR);
|
||||
NS_ENSURE_SUCCESS(rv, rv);
|
||||
if (!principal) {
|
||||
principal = nsContentUtils::GetSubjectPrincipal();
|
||||
}
|
||||
bool equals = false;
|
||||
NS_ENSURE_TRUE(NS_SUCCEEDED(principal->Equals(dataPrincipal, &equals)) && equals,
|
||||
NS_ERROR_DOM_SECURITY_ERR);
|
||||
@ -697,11 +695,8 @@ DataTransfer::MozSetDataAt(const nsAString& aFormat, nsIVariant* aData,
|
||||
return NS_ERROR_DOM_SECURITY_ERR;
|
||||
}
|
||||
|
||||
nsresult rv = NS_OK;
|
||||
nsIPrincipal* principal = GetCurrentPrincipal(&rv);
|
||||
NS_ENSURE_SUCCESS(rv, rv);
|
||||
|
||||
return SetDataWithPrincipal(aFormat, aData, aIndex, principal);
|
||||
return SetDataWithPrincipal(aFormat, aData, aIndex,
|
||||
nsContentUtils::GetSubjectPrincipal());
|
||||
}
|
||||
|
||||
void
|
||||
@ -754,12 +749,7 @@ DataTransfer::MozClearDataAtHelper(const nsAString& aFormat, uint32_t aIndex,
|
||||
nsAutoString format;
|
||||
GetRealFormat(aFormat, format);
|
||||
|
||||
nsresult rv = NS_OK;
|
||||
nsIPrincipal* principal = GetCurrentPrincipal(&rv);
|
||||
if (NS_FAILED(rv)) {
|
||||
aRv = rv;
|
||||
return;
|
||||
}
|
||||
nsIPrincipal* principal = nsContentUtils::GetSubjectPrincipal();
|
||||
|
||||
// if the format is empty, clear all formats
|
||||
bool clearall = format.IsEmpty();
|
||||
@ -1089,21 +1079,6 @@ DataTransfer::SetDataWithPrincipal(const nsAString& aFormat,
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
nsIPrincipal*
|
||||
DataTransfer::GetCurrentPrincipal(nsresult* rv)
|
||||
{
|
||||
nsIScriptSecurityManager* ssm = nsContentUtils::GetSecurityManager();
|
||||
|
||||
nsCOMPtr<nsIPrincipal> currentPrincipal;
|
||||
*rv = ssm->GetSubjectPrincipal(getter_AddRefs(currentPrincipal));
|
||||
NS_ENSURE_SUCCESS(*rv, nullptr);
|
||||
|
||||
if (!currentPrincipal)
|
||||
ssm->GetSystemPrincipal(getter_AddRefs(currentPrincipal));
|
||||
|
||||
return currentPrincipal.get();
|
||||
}
|
||||
|
||||
void
|
||||
DataTransfer::GetRealFormat(const nsAString& aInFormat, nsAString& aOutFormat)
|
||||
{
|
||||
|
||||
@ -219,9 +219,6 @@ public:
|
||||
|
||||
protected:
|
||||
|
||||
// returns a weak reference to the current principal
|
||||
nsIPrincipal* GetCurrentPrincipal(nsresult* rv);
|
||||
|
||||
// converts some formats used for compatibility in aInFormat into aOutFormat.
|
||||
// Text and text/unicode become text/plain, and URL becomes text/uri-list
|
||||
void GetRealFormat(const nsAString& aInFormat, nsAString& aOutFormat);
|
||||
|
||||
@ -241,18 +241,12 @@ DOMStorage::CanUseStorage(DOMStorage* aStorage)
|
||||
}
|
||||
|
||||
// chrome can always use aStorage regardless of permission preferences
|
||||
if (nsContentUtils::IsCallerChrome()) {
|
||||
nsCOMPtr<nsIPrincipal> subjectPrincipal =
|
||||
nsContentUtils::GetSubjectPrincipal();
|
||||
if (nsContentUtils::IsSystemPrincipal(subjectPrincipal)) {
|
||||
return true;
|
||||
}
|
||||
|
||||
nsCOMPtr<nsIPrincipal> subjectPrincipal;
|
||||
nsresult rv = nsContentUtils::GetSecurityManager()->
|
||||
GetSubjectPrincipal(getter_AddRefs(subjectPrincipal));
|
||||
NS_ENSURE_SUCCESS(rv, false);
|
||||
|
||||
// if subjectPrincipal were null we'd have returned after
|
||||
// IsCallerChrome().
|
||||
|
||||
nsCOMPtr<nsIPermissionManager> permissionManager =
|
||||
services::GetPermissionManager();
|
||||
if (!permissionManager) {
|
||||
|
||||
@ -1252,15 +1252,8 @@ NS_IMETHODIMP
|
||||
txMozillaXSLTProcessor::Initialize(nsISupports* aOwner, JSContext* cx,
|
||||
JSObject* obj, const JS::CallArgs& args)
|
||||
{
|
||||
nsCOMPtr<nsIPrincipal> prin;
|
||||
nsIScriptSecurityManager* secMan = nsContentUtils::GetSecurityManager();
|
||||
NS_ENSURE_TRUE(secMan, NS_ERROR_UNEXPECTED);
|
||||
|
||||
nsresult rv = secMan->GetSubjectPrincipal(getter_AddRefs(prin));
|
||||
NS_ENSURE_SUCCESS(rv, rv);
|
||||
NS_ENSURE_TRUE(prin, NS_ERROR_UNEXPECTED);
|
||||
|
||||
return Init(prin);
|
||||
MOZ_ASSERT(nsContentUtils::GetCurrentJSContext());
|
||||
return Init(nsContentUtils::GetSubjectPrincipal());
|
||||
}
|
||||
|
||||
NS_IMETHODIMP
|
||||
|
||||
@ -39,6 +39,7 @@
|
||||
#include "mozilla/Services.h"
|
||||
#include "mozilla/dom/Element.h"
|
||||
#include "nsISimpleEnumerator.h"
|
||||
#include "nsContentUtils.h"
|
||||
|
||||
#if DEBUG
|
||||
#include "nsIWebNavigation.h"
|
||||
@ -660,21 +661,8 @@ nsresult nsWebBrowserFind::SearchInFrame(nsIDOMWindow* aWindow,
|
||||
nsCOMPtr<nsIDocument> theDoc = do_QueryInterface(domDoc);
|
||||
if (!theDoc) return NS_ERROR_FAILURE;
|
||||
|
||||
nsCOMPtr<nsIScriptSecurityManager> secMan =
|
||||
do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID, &rv);
|
||||
NS_ENSURE_SUCCESS(rv, rv);
|
||||
|
||||
nsCOMPtr<nsIPrincipal> subject;
|
||||
rv = secMan->GetSubjectPrincipal(getter_AddRefs(subject));
|
||||
NS_ENSURE_SUCCESS(rv, rv);
|
||||
|
||||
if (subject) {
|
||||
bool subsumes;
|
||||
rv = subject->Subsumes(theDoc->NodePrincipal(), &subsumes);
|
||||
NS_ENSURE_SUCCESS(rv, rv);
|
||||
if (!subsumes) {
|
||||
return NS_ERROR_DOM_PROP_ACCESS_DENIED;
|
||||
}
|
||||
if (!nsContentUtils::GetSubjectPrincipal()->Subsumes(theDoc->NodePrincipal())) {
|
||||
return NS_ERROR_DOM_PROP_ACCESS_DENIED;
|
||||
}
|
||||
|
||||
nsCOMPtr<nsIFind> find = do_CreateInstance(NS_FIND_CONTRACTID, &rv);
|
||||
|
||||
@ -785,15 +785,14 @@ nsWindowWatcher::OpenWindowInternal(nsIDOMWindow *aParent,
|
||||
|
||||
// Now we have to set the right opener principal on the new window. Note
|
||||
// that we have to do this _before_ starting any URI loads, thanks to the
|
||||
// sync nature of javascript: loads. Since this is the only place where we
|
||||
// set said opener principal, we need to do it for all URIs, including
|
||||
// chrome ones. So to deal with the mess that is bug 79775, just press on in
|
||||
// a reasonable way even if GetSubjectPrincipal fails. In that case, just
|
||||
// use a null subjectPrincipal.
|
||||
nsCOMPtr<nsIPrincipal> subjectPrincipal;
|
||||
if (NS_FAILED(sm->GetSubjectPrincipal(getter_AddRefs(subjectPrincipal)))) {
|
||||
subjectPrincipal = nullptr;
|
||||
}
|
||||
// sync nature of javascript: loads.
|
||||
//
|
||||
// Note: The check for the current JSContext isn't necessarily sensical.
|
||||
// It's just designed to preserve old semantics during a mass-conversion
|
||||
// patch.
|
||||
nsCOMPtr<nsIPrincipal> subjectPrincipal =
|
||||
nsContentUtils::GetCurrentJSContext() ? nsContentUtils::GetSubjectPrincipal()
|
||||
: nullptr;
|
||||
|
||||
if (windowIsNew) {
|
||||
// Now set the opener principal on the new window. Note that we need to do
|
||||
|
||||
@ -1615,47 +1615,30 @@ nsCSSStyleSheet::DidDirty()
|
||||
nsresult
|
||||
nsCSSStyleSheet::SubjectSubsumesInnerPrincipal()
|
||||
{
|
||||
// Get the security manager and do the subsumes check
|
||||
nsIScriptSecurityManager *securityManager =
|
||||
nsContentUtils::GetSecurityManager();
|
||||
nsCOMPtr<nsIPrincipal> subjectPrincipal = nsContentUtils::GetSubjectPrincipal();
|
||||
if (subjectPrincipal->Subsumes(mInner->mPrincipal)) {
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
nsCOMPtr<nsIPrincipal> subjectPrincipal;
|
||||
nsresult rv = securityManager->GetSubjectPrincipal(getter_AddRefs(subjectPrincipal));
|
||||
NS_ENSURE_SUCCESS(rv, rv);
|
||||
|
||||
if (!subjectPrincipal) {
|
||||
// Allow access only if CORS mode is not NONE
|
||||
if (GetCORSMode() == CORS_NONE) {
|
||||
return NS_ERROR_DOM_SECURITY_ERR;
|
||||
}
|
||||
|
||||
bool subsumes;
|
||||
rv = subjectPrincipal->Subsumes(mInner->mPrincipal, &subsumes);
|
||||
NS_ENSURE_SUCCESS(rv, rv);
|
||||
|
||||
if (subsumes) {
|
||||
return NS_OK;
|
||||
// Now make sure we set the principal of our inner to the
|
||||
// subjectPrincipal. That means we need a unique inner, of
|
||||
// course. But we don't want to do that if we're not complete
|
||||
// yet. Luckily, all the callers of this method throw anyway if
|
||||
// not complete, so we can just do that here too.
|
||||
if (!mInner->mComplete) {
|
||||
return NS_ERROR_DOM_INVALID_ACCESS_ERR;
|
||||
}
|
||||
|
||||
if (!nsContentUtils::IsCallerChrome()) {
|
||||
// Allow access only if CORS mode is not NONE
|
||||
if (GetCORSMode() == CORS_NONE) {
|
||||
return NS_ERROR_DOM_SECURITY_ERR;
|
||||
}
|
||||
|
||||
// Now make sure we set the principal of our inner to the
|
||||
// subjectPrincipal. That means we need a unique inner, of
|
||||
// course. But we don't want to do that if we're not complete
|
||||
// yet. Luckily, all the callers of this method throw anyway if
|
||||
// not complete, so we can just do that here too.
|
||||
if (!mInner->mComplete) {
|
||||
return NS_ERROR_DOM_INVALID_ACCESS_ERR;
|
||||
}
|
||||
WillDirty();
|
||||
|
||||
WillDirty();
|
||||
mInner->mPrincipal = subjectPrincipal;
|
||||
|
||||
mInner->mPrincipal = subjectPrincipal;
|
||||
|
||||
DidDirty();
|
||||
}
|
||||
DidDirty();
|
||||
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
@ -172,7 +172,6 @@ public:
|
||||
nsCOMPtr<nsISupports> m_kungFuDeathGrip;
|
||||
JSContext *m_cx;
|
||||
JS::PersistentRooted<JSObject*> m_scope;
|
||||
nsCOMPtr<nsIPrincipal> m_principals;
|
||||
nsXPIDLCString m_jsCallback;
|
||||
NS_DECL_ISUPPORTS
|
||||
};
|
||||
@ -2037,24 +2036,7 @@ nsCrypto::GenerateCRMFRequest(JSContext* aContext,
|
||||
// when the request has been generated.
|
||||
//
|
||||
|
||||
nsCOMPtr<nsIScriptSecurityManager> secMan =
|
||||
do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID);
|
||||
if (MOZ_UNLIKELY(!secMan)) {
|
||||
aRv.Throw(NS_ERROR_UNEXPECTED);
|
||||
return nullptr;
|
||||
}
|
||||
|
||||
nsCOMPtr<nsIPrincipal> principals;
|
||||
nsresult rv = secMan->GetSubjectPrincipal(getter_AddRefs(principals));
|
||||
if (NS_FAILED(nrv)) {
|
||||
aRv.Throw(nrv);
|
||||
return nullptr;
|
||||
}
|
||||
if (MOZ_UNLIKELY(!principals)) {
|
||||
aRv.Throw(NS_ERROR_UNEXPECTED);
|
||||
return nullptr;
|
||||
}
|
||||
|
||||
MOZ_ASSERT(nsContentUtils::GetCurrentJSContext());
|
||||
nsCryptoRunArgs *args = new nsCryptoRunArgs(aContext);
|
||||
|
||||
args->m_kungFuDeathGrip = GetISupportsFromContext(aContext);
|
||||
@ -2062,11 +2044,10 @@ nsCrypto::GenerateCRMFRequest(JSContext* aContext,
|
||||
if (!aJsCallback.IsVoid()) {
|
||||
args->m_jsCallback = aJsCallback;
|
||||
}
|
||||
args->m_principals = principals;
|
||||
|
||||
nsCryptoRunnable *cryptoRunnable = new nsCryptoRunnable(args);
|
||||
|
||||
rv = NS_DispatchToMainThread(cryptoRunnable);
|
||||
nsresult rv = NS_DispatchToMainThread(cryptoRunnable);
|
||||
if (NS_FAILED(rv)) {
|
||||
aRv.Throw(rv);
|
||||
delete cryptoRunnable;
|
||||
|
||||
@ -19,6 +19,7 @@
|
||||
#include "nsIStringBundle.h"
|
||||
#include "nsReadableUtils.h"
|
||||
|
||||
#include "nsContentUtils.h"
|
||||
#include "nsEscape.h"
|
||||
#include "nsPIDOMWindow.h"
|
||||
#include "nsIWebNavigation.h"
|
||||
@ -208,15 +209,8 @@ nsresult nsWebShellWindow::Initialize(nsIXULWindow* aParent,
|
||||
// SetInitialPrincipalToSubject. This avoids creating the about:blank document
|
||||
// and then blowing it away with a second one, which can cause problems for the
|
||||
// top-level chrome window case. See bug 789773.
|
||||
nsCOMPtr<nsIScriptSecurityManager> ssm =
|
||||
do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID, &rv);
|
||||
if (ssm) { // Sometimes this happens really early See bug 793370.
|
||||
nsCOMPtr<nsIPrincipal> principal;
|
||||
ssm->GetSubjectPrincipal(getter_AddRefs(principal));
|
||||
if (!principal) {
|
||||
ssm->GetSystemPrincipal(getter_AddRefs(principal));
|
||||
}
|
||||
rv = mDocShell->CreateAboutBlankContentViewer(principal);
|
||||
if (nsContentUtils::IsInitialized()) { // Sometimes this happens really early See bug 793370.
|
||||
rv = mDocShell->CreateAboutBlankContentViewer(nsContentUtils::GetSubjectPrincipal());
|
||||
NS_ENSURE_SUCCESS(rv, rv);
|
||||
nsCOMPtr<nsIDocument> doc = do_GetInterface(mDocShell);
|
||||
NS_ENSURE_TRUE(!!doc, NS_ERROR_FAILURE);
|
||||
|
||||
Loading…
Reference in New Issue
Block a user