Bug 702439 - allow subframes of CSP documents to run javascript: URLs, r=bz

content/base/src/nsCSPService.cpp

@@ -55,6 +55,8 @@
 #include "nsIAsyncVerifyRedirectCallback.h"
 #include "nsAsyncRedirectVerifyHelper.h"
 #include "mozilla/Preferences.h"
+#include "nsIScriptError.h"
+#include "nsContentUtils.h"
 
 using namespace mozilla;
 
@@ -284,10 +286,28 @@ CSPService::AsyncOnChannelRedirect(nsIChannel *oldChannel,
   // the redirect is permitted, so propagate the Content Security Policy
   // and load type to the redirecting channel
   nsresult rv;
-  nsCOMPtr<nsIWritablePropertyBag2> props2 = do_QueryInterface(newChannel, &rv);
-  if (props2)
-    props2->SetPropertyAsInterface(NS_CHANNEL_PROP_CHANNEL_POLICY,
-                                   channelPolicy);
+  nsCOMPtr<nsIWritablePropertyBag2> props2 = do_QueryInterface(newChannel);
+  if (props2) {
+    rv = props2->SetPropertyAsInterface(NS_CHANNEL_PROP_CHANNEL_POLICY,
+                                        channelPolicy);
+    if (NS_SUCCEEDED(rv)) {
+      return NS_OK;
+    }
+  }
 
-  return NS_OK;
+  // The redirecting channel isn't a writable property bag, we won't be able
+  // to enforce the load policy if it redirects again, so we stop it now.
+  nsXPIDLString message;
+  nsCAutoString newUriSpec;
+  newUri->GetSpec(newUriSpec);
+  const PRUnichar *formatParams[] = { NS_ConvertUTF8toUTF16(newUriSpec).get() };
+  if (NS_SUCCEEDED(rv)) {
+    nsContentUtils::ReportToConsole(nsContentUtils::eDOM_PROPERTIES,
+                                   "InvalidRedirectChannelWarning",
+                                    formatParams, 1, nsnull, EmptyString(),
+                                    0, 0, nsIScriptError::warningFlag,
+                                    "Redirect Error");
+  }
+
+  return NS_BINDING_FAILED;
 }

content/base/test/Makefile.in

@@ -528,6 +528,9 @@ _TEST_FILES2 = \
 		test_bug693875.html \
 		test_nodelist_holes.html \
 		test_xhr_abort_after_load.html \
+		test_bug702439.html \
+		test_bug702439.html^headers^ \
+		file_bug702439.html \
 		$(NULL)
 
 _CHROME_FILES =	\

dom/locales/en-US/chrome/dom/dom.properties

@@ -115,7 +115,7 @@ nsIJSONEncodeDeprecatedWarning=nsIJSON.encode is deprecated.  Please use JSON.st
 nsIDOMWindowInternalWarning=Use of nsIDOMWindowInternal is deprecated. Use nsIDOMWindow instead.
 InputEncodingWarning=Use of inputEncoding is deprecated.
 GlobalStorageWarning=Use of globalStorage is deprecated. Please use localStorage instead.
-FullScreenDeniedDisabled=Request for full-screen was denied because full-screen API is disabled by user preference.
+InvalidRedirectChannelWarning=Unable to redirect to %S because the channel doesn't implement nsIWritablePropertyBag2.FullScreenDeniedDisabled=Request for full-screen was denied because full-screen API is disabled by user preference.
 FullScreenDeniedPlugins=Request for full-screen was denied because a document on this page contains a windowed plugin.
 FullScreenDeniedHidden=Request for full-screen was denied because the document is no longer visible.
 FullScreenDeniedIframeDisallowed=Request for full-screen was denied because at least one of the document's containing iframes does not have a "mozallowfullscreen" attribute.

netwerk/base/public/nsNetUtil.h

@@ -232,7 +232,7 @@ NS_NewChannel(nsIChannel           **result,
             if (loadFlags != nsIRequest::LOAD_NORMAL)
                 rv |= chan->SetLoadFlags(loadFlags);
             if (channelPolicy) {
-                nsCOMPtr<nsIWritablePropertyBag2> props = do_QueryInterface(chan, &rv);
+                nsCOMPtr<nsIWritablePropertyBag2> props = do_QueryInterface(chan);
                 if (props) {
                     props->SetPropertyAsInterface(NS_CHANNEL_PROP_CHANNEL_POLICY,
                                                   channelPolicy);