Bug 515460 - enforce CSP during script redirects, r=jst, a=dholbert_sheriff

2024-09-13 09:24:08 -07:00 · 2010-04-23 12:49:48 -07:00 · 2010-04-23 12:49:48 -07:00 · a0d39d75e7
commit a0d39d75e7
parent cdca2eb7e4
1 changed files with 16 additions and 1 deletions
--- a/content/base/src/nsScriptLoader.cpp
+++ b/content/base/src/nsScriptLoader.cpp
@ -72,6 +72,8 @@
 #include "nsDocShellCID.h"
 #include "nsIContentSecurityPolicy.h"
 #include "prlog.h"
+#include "nsIChannelPolicy.h"
+#include "nsChannelPolicy.h"

 #ifdef PR_LOGGING
 static PRLogModuleInfo* gCspPRLog;
@ -285,10 +287,23 @@ nsScriptLoader::StartLoad(nsScriptLoadRequest *aRequest, const nsAString &aType)

  nsCOMPtr<nsIInterfaceRequestor> prompter(do_QueryInterface(docshell));

+  // check for a Content Security Policy to pass down to the channel
+  // that will be created to load the script
+  nsCOMPtr<nsIChannelPolicy> channelPolicy;
+  nsCOMPtr<nsIContentSecurityPolicy> csp;
+  rv = mDocument->NodePrincipal()->GetCsp(getter_AddRefs(csp));
+  NS_ENSURE_SUCCESS(rv, rv);
+  if (csp) {
+    channelPolicy = do_CreateInstance("@mozilla.org/nschannelpolicy;1");
+    channelPolicy->SetContentSecurityPolicy(csp);
+    channelPolicy->SetLoadType(nsIContentPolicy::TYPE_SCRIPT);
+  }
+
  nsCOMPtr<nsIChannel> channel;
  rv = NS_NewChannel(getter_AddRefs(channel),
                     aRequest->mURI, nsnull, loadGroup,
-                     prompter, nsIRequest::LOAD_NORMAL);
+                     prompter, nsIRequest::LOAD_NORMAL,
+                     channelPolicy);
  NS_ENSURE_SUCCESS(rv, rv);

  nsCOMPtr<nsIHttpChannel> httpChannel(do_QueryInterface(channel));