From 2b0a5105b9f5a2520e96a23cbf2297ba7d3ad7d7 Mon Sep 17 00:00:00 2001
From: Ehsan Akhgari <ehsan@mozilla.com>
Date: Wed, 24 Feb 2016 13:46:38 -0500
Subject: [PATCH] Bug 1250985 - Part 2: Prevent copy constructing a Request
 object with navigate mode if a RequestInit member is present; r=bzbarsky

---
 dom/fetch/Request.cpp                         |  3 ++-
 .../test/serviceworkers/fetch/index.html      |  9 +++++++
 .../test/serviceworkers/fetch_event_worker.js | 25 +++++++++++++++++++
 3 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/dom/fetch/Request.cpp b/dom/fetch/Request.cpp
index 79a3fc96e86..df842770324 100644
--- a/dom/fetch/Request.cpp
+++ b/dom/fetch/Request.cpp
@@ -284,7 +284,8 @@ Request::Constructor(const GlobalObject& aGlobal,
     aInit.mCredentials.WasPassed() ? aInit.mCredentials.Value()
                                    : fallbackCredentials;
 
-  if (mode == RequestMode::Navigate) {
+  if (mode == RequestMode::Navigate ||
+      (aInit.IsAnyMemberPresent() && request->Mode() == RequestMode::Navigate)) {
     aRv.ThrowTypeError<MSG_INVALID_REQUEST_MODE>(NS_LITERAL_STRING("navigate"));
     return nullptr;
   }
diff --git a/dom/workers/test/serviceworkers/fetch/index.html b/dom/workers/test/serviceworkers/fetch/index.html
index 0e7ab740947..4db0fb1399b 100644
--- a/dom/workers/test/serviceworkers/fetch/index.html
+++ b/dom/workers/test/serviceworkers/fetch/index.html
@@ -117,6 +117,15 @@
     my_ok(this.test_result, "iframe load should be intercepted");
   });
 
+  test_onload(function() {
+    var elem = document.createElement('iframe');
+    elem.id = 'intercepted-iframe-2';
+    elem.src = "navigate.html";
+    return elem;
+  }, function() {
+    my_ok(this.test_result, "iframe should successfully load");
+  });
+
   gExpected++;
   var xmlDoc = document.implementation.createDocument(null, null, null);
   xmlDoc.load('load_cross_origin_xml_document_synthetic.xml');
diff --git a/dom/workers/test/serviceworkers/fetch_event_worker.js b/dom/workers/test/serviceworkers/fetch_event_worker.js
index a4ba2ae9f5f..1caef71e891 100644
--- a/dom/workers/test/serviceworkers/fetch_event_worker.js
+++ b/dom/workers/test/serviceworkers/fetch_event_worker.js
@@ -147,6 +147,31 @@ onfetch = function(ev) {
     ));
   }
 
+  else if (ev.request.url.includes("navigate.html")) {
+    var navigateModeCorrectlyChecked = false;
+    var requests = [ // should not throw
+      new Request(ev.request),
+      new Request(ev.request, undefined),
+      new Request(ev.request, null),
+      new Request(ev.request, {}),
+      new Request(ev.request, {someUnrelatedProperty: 42}),
+    ];
+    try {
+      var request3 = new Request(ev.request, {method: "GET"}); // should throw
+    } catch(e) {
+      navigateModeCorrectlyChecked = requests[0].mode == "navigate";
+    }
+    if (navigateModeCorrectlyChecked) {
+      ev.respondWith(Promise.resolve(
+        new Response("<script>window.frameElement.test_result = true;</script>", {
+          headers : {
+            "Content-Type": "text/html"
+          }
+        })
+      ));
+    }
+  }
+
   else if (ev.request.url.includes("nonexistent_worker_script.js")) {
     ev.respondWith(Promise.resolve(
       new Response("postMessage('worker-intercept-success')", {})