Bug 515460 - enforce CSP during XHR redirects, r=jst, a=dholbert_sheriff

2024-09-13 09:24:08 -07:00 · 2010-04-23 12:54:09 -07:00 · 2010-04-23 12:54:09 -07:00 · 24e0358531
commit 24e0358531
parent 40ead69f99
1 changed files with 19 additions and 2 deletions
--- a/content/base/src/nsXMLHttpRequest.cpp
+++ b/content/base/src/nsXMLHttpRequest.cpp
@ -96,6 +96,9 @@
 #include "nsIWindowWatcher.h"
 #include "nsCommaSeparatedTokenizer.h"
 #include "nsIConsoleService.h"
+#include "nsIChannelPolicy.h"
+#include "nsChannelPolicy.h"
+#include "nsIContentSecurityPolicy.h"

 #define LOAD_STR "load"
 #define ERROR_STR "error"
@ -1751,8 +1754,22 @@ nsXMLHttpRequest::OpenRequest(const nsACString& method,
  } else {
    loadFlags = nsIRequest::LOAD_BACKGROUND;
  }
-  rv = NS_NewChannel(getter_AddRefs(mChannel), uri, nsnull, loadGroup, nsnull,
-                     loadFlags);
+  // get Content Security Policy from principal to pass into channel
+  nsCOMPtr<nsIChannelPolicy> channelPolicy;
+  nsCOMPtr<nsIContentSecurityPolicy> csp;
+  mPrincipal->GetCsp(getter_AddRefs(csp));
+  if (csp) {
+    channelPolicy = do_CreateInstance("@mozilla.org/nschannelpolicy;1");
+    channelPolicy->SetContentSecurityPolicy(csp);
+    channelPolicy->SetLoadType(nsIContentPolicy::TYPE_XMLHTTPREQUEST);
+  }
+  rv = NS_NewChannel(getter_AddRefs(mChannel),
+                     uri,
+                     nsnull,                    // ioService
+                     loadGroup,
+                     nsnull,                    // callbacks
+                     loadFlags,
+                     channelPolicy);
  if (NS_FAILED(rv)) return rv;

  // Check if we're doing a cross-origin request.