From f3ab6311bcbd12f665d2d42444ecd8ec5994878d Mon Sep 17 00:00:00 2001
From: Jonas Sicking
Date: Wed, 20 May 2009 16:07:18 -0700
Subject: [PATCH] Add prefs to disable CORS, as well as fix compliance issue in Access-Control-Request-Headers header. r/sr/a=jst
---
 content/base/src/nsCrossSiteListenerProxy.cpp | 24 ++++++++++++++++---
 content/base/src/nsCrossSiteListenerProxy.h | 3 +++
 content/base/test/test_CrossSiteXHR.html | 8 +++----
 layout/build/nsLayoutStatics.cpp | 3 +++
 4 files changed, 31 insertions(+), 7 deletions(-)
diff --git a/content/base/src/nsCrossSiteListenerProxy.cpp b/content/base/src/nsCrossSiteListenerProxy.cpp
index c87357be9f0..7da7f1896d4 100644
--- a/content/base/src/nsCrossSiteListenerProxy.cpp
+++ b/content/base/src/nsCrossSiteListenerProxy.cpp
@@ -55,7 +55,8 @@
 #include "nsCommaSeparatedTokenizer.h"
 #include "nsXMLHttpRequest.h"
-static NS_DEFINE_CID(kCParserCID, NS_PARSER_CID);
+static PRBool gDisableCORS = PR_FALSE;
+static PRBool gDisableCORSPrivateData = PR_FALSE;
 class nsChannelCanceller
 {
@@ -84,6 +85,14 @@ NS_IMPL_ISUPPORTS4(nsCrossSiteListenerProxy, nsIStreamListener,
 nsIRequestObserver, nsIChannelEventSink, nsIInterfaceRequestor)
+/* static */
+void
+nsCrossSiteListenerProxy::Startup()
+{
+ nsContentUtils::AddBoolPrefVarCache("content.cors.disable", &gDisableCORS);
+ nsContentUtils::AddBoolPrefVarCache("content.cors.no_private_data", &gDisableCORSPrivateData);
+}
+
 nsCrossSiteListenerProxy::nsCrossSiteListenerProxy(nsIStreamListener* aOuter,
 nsIPrincipal* aRequestingPrincipal,
 nsIChannel* aChannel,
@@ -91,7 +100,7 @@ nsCrossSiteListenerProxy::nsCrossSiteListenerProxy(nsIStreamListener* aOuter,
 nsresult* aResult)
 : mOuterListener(aOuter),
 mRequestingPrincipal(aRequestingPrincipal),
- mWithCredentials(aWithCredentials),
+ mWithCredentials(aWithCredentials && !gDisableCORSPrivateData),
 mRequestApproved(PR_FALSE),
 mHasBeenCrossSite(PR_FALSE),
 mIsPreflight(PR_FALSE)
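Review bot: In the `@@ -84,6 +85,14 @@` hunk, `Startup()` registers two security kill switches with no visible default, documentation or test. The diffstat lists no prefs file, and the only test change in this patch concerns header ordering, not `content.cors.disable` or `content.cors.no_private_data`. Both globals start as `PR_FALSE` and are only bound to the prefs here, so an embedding that never reaches `Startup()` would leave CORS fully enabled whatever the prefs say. I would add a comment above the function, e.g. `// Security kill switches: content.cors.disable makes CheckRequestApproved fail; content.cors.no_private_data forces mWithCredentials to false.`, and a test that flips each pref.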
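Review bot: `mWithCredentials(aWithCredentials && !gDisableCORSPrivateData)` in the `@@ -91,7 +100,7 @@` hunk, and the identical initializer in the preflight constructor at `@@ -117,13 +126,18 @@`, silently downgrades a credentialed request instead of rejecting it. Only the proxy's own member learns about the downgrade. Whether cookies and HTTP auth are actually withheld depends on how `mWithCredentials` is consumed in `UpdateChannel`, and on whether the caller keeps its own copy of the flag; neither is visible in this diff, so both need confirming. The pref is also read once per proxy, so a proxy constructed before the pref flips would presumably keep its old setting for the rest of the load. A comment on the initializer such as `// no_private_data pref: treat the request as uncredentialed; sampled once per proxy` would record the intent; the constructor body lies outside this hunk.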
@@ -117,13 +126,18 @@ nsCrossSiteListenerProxy::nsCrossSiteListenerProxy(nsIStreamListener* aOuter,
 nsresult* aResult)
 : mOuterListener(aOuter),
 mRequestingPrincipal(aRequestingPrincipal),
- mWithCredentials(aWithCredentials),
+ mWithCredentials(aWithCredentials && !gDisableCORSPrivateData),
 mRequestApproved(PR_FALSE),
 mHasBeenCrossSite(PR_FALSE),
 mIsPreflight(PR_TRUE),
 mPreflightMethod(aPreflightMethod),
 mPreflightHeaders(aPreflightHeaders)
 {
+ for (PRUint32 i = 0; i < mPreflightHeaders.Length(); ++i) {
+ ToLowerCase(mPreflightHeaders[i]);
+ }
+ mPreflightHeaders.Sort();
+
 aChannel->GetNotificationCallbacks(getter_AddRefs(mOuterNotificationCallbacks));
 aChannel->SetNotificationCallbacks(this);
@@ -211,6 +225,10 @@ nsCrossSiteListenerProxy::CheckRequestApproved(nsIRequest* aRequest,
 return NS_OK;
 }
+ if (gDisableCORS) {
+ return NS_ERROR_DOM_BAD_URI;
+ }
+
 // Check if the request failed
 nsresult status;
 nsresult rv = aRequest->GetStatus(&status);
diff --git a/content/base/src/nsCrossSiteListenerProxy.h b/content/base/src/nsCrossSiteListenerProxy.h
index ffb12807319..e4c2dd1a389 100644
--- a/content/base/src/nsCrossSiteListenerProxy.h
+++ b/content/base/src/nsCrossSiteListenerProxy.h
@@ -78,6 +78,9 @@ public:
 NS_DECL_NSIINTERFACEREQUESTOR
 NS_DECL_NSICHANNELEVENTSINK
+ // Must be called at startup.
+ static void Startup();
+
 private:
 nsresult UpdateChannel(nsIChannel* aChannel);
 nsresult CheckRequestApproved(nsIRequest* aRequest, PRBool aIsRedirect);
diff --git a/content/base/test/test_CrossSiteXHR.html b/content/base/test/test_CrossSiteXHR.html
index d8ec483ef87..b799cccdcaa 100644
--- a/content/base/test/test_CrossSiteXHR.html
+++ b/content/base/test/test_CrossSiteXHR.html
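Review bot: The new loop in the preflight constructor (`@@ -117,13 +126,18 @@`) rewrites `mPreflightHeaders` in place with no comment saying why, and the normalised list becomes the only copy this object holds. Going by the commit subject this is for the `Access-Control-Request-Headers` value, so state it: `// Access-Control-Request-Headers is sent lowercased and sorted for spec compliance`. Any later comparison of these names against the server's allowed-header list, or against state built from the caller's original casing, must then be case-insensitive. That code is outside this hunk, so I could not confirm it; the constructor body also continues past the end of the hunk.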
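Review bot: The `gDisableCORS` check in the `@@ -211,6 +225,10 @@` hunk sits in `CheckRequestApproved`, just before `aRequest->GetStatus(&status)`, so it appears to run only once a response or redirect is being evaluated. By then the cross-site request has already gone to the server, with credentials unless `content.cors.no_private_data` is also set. As a kill switch this stops the page from reading the response but not the request or its server-side effects, which differs from refusing the load up front. At minimum document it with `// NOTE: evaluated when the response arrives; the request itself has already been sent.`, and consider also failing where the load is first known to be cross-site, before the channel is opened. That code and the rest of this function are outside the hunk.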
@@ -460,10 +460,10 @@ function runTest() {
 if ("headers" in test) {
 req.url += "&headers=" + escape(test.headers.toSource());
 reqHeaders =
- escape([name for (name in test.headers)].filter(function(name)
- name != "Content-Type" &&
- name != "Accept" &&
- name != "Accept-Language").join(","));
+ escape([name for (name in test.headers)].map(String.toLowerCase).filter(function(name)
+ name != "content-type" &&
+ name != "accept" &&
+ name != "accept-language").sort().join(","));
 req.url += reqHeaders ? "&requestHeaders=" + reqHeaders : "";
 }
 if ("allowHeaders" in test)
diff --git a/layout/build/nsLayoutStatics.cpp b/layout/build/nsLayoutStatics.cpp
index 5dbfe58a200..743d6090328 100644
--- a/layout/build/nsLayoutStatics.cpp
+++ b/layout/build/nsLayoutStatics.cpp
@@ -83,6 +83,7 @@
 #include "nsIFocusEventSuppressor.h"
 #include "nsDOMThreadService.h"
 #include "nsHTMLDNSPrefetch.h"
+#include "nsCrossSiteListenerProxy.h"
 #ifdef MOZ_XUL
 #include "nsXULPopupManager.h"
@@ -267,6 +268,8 @@ nsLayoutStatics::Initialize()
 nsAudioStream::InitLibrary();
 #endif
+ nsCrossSiteListenerProxy::Startup();
+
 return NS_OK;
 }