From 237296e6ae69c8412efa36d0e42efc34ac8cfb7c Mon Sep 17 00:00:00 2001 From: Gabor Krizsanits Date: Wed, 16 Jul 2014 14:31:59 +0200 Subject: [PATCH] Bug 1016875 - Part6: CORS and other security checks for imports. r=mrbkap --- content/base/src/ImportManager.cpp | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/content/base/src/ImportManager.cpp b/content/base/src/ImportManager.cpp index 2d24c44bc06..773d033fa48 100644 --- a/content/base/src/ImportManager.cpp +++ b/content/base/src/ImportManager.cpp @@ -10,6 +10,7 @@ #include "HTMLLinkElement.h" #include "nsContentPolicyUtils.h" #include "nsContentUtils.h" +#include "nsCrossSiteListenerProxy.h" #include "nsIChannel.h" #include "nsIChannelPolicy.h" #include "nsIContentPolicy.h" @@ -197,6 +198,7 @@ ImportLoader::Open() nsCOMPtr master = mImportParent->MasterDocument(); nsCOMPtr sop = do_QueryInterface(master); nsCOMPtr principal = sop->GetPrincipal(); + int16_t shouldLoad = nsIContentPolicy::ACCEPT; nsresult rv = NS_CheckContentLoadPolicy(nsIContentPolicy::TYPE_SCRIPT, mURI, @@ -212,6 +214,11 @@ ImportLoader::Open() return; } + nsIScriptSecurityManager* secMan = nsContentUtils::GetSecurityManager(); + rv = secMan->CheckLoadURIWithPrincipal(principal, mURI, + nsIScriptSecurityManager::STANDARD); + NS_ENSURE_SUCCESS_VOID(rv); + nsCOMPtr loadGroup = mImportParent->GetDocumentLoadGroup(); nsCOMPtr channelPolicy; nsCOMPtr csp; @@ -233,7 +240,14 @@ ImportLoader::Open() channelPolicy); NS_ENSURE_SUCCESS_VOID(rv); - rv = channel->AsyncOpen(this, nullptr); + // Init CORSListenerProxy and omit credentials. + nsRefPtr corsListener = + new nsCORSListenerProxy(this, principal, + /* aWithCredentials */ false); + rv = corsListener->Init(channel, true); + NS_ENSURE_SUCCESS_VOID(rv); + + rv = channel->AsyncOpen(corsListener, nullptr); NS_ENSURE_SUCCESS_VOID(rv); BlockScripts();