Verified Commit f9a896f2 authored by Daniel Holbert's avatar Daniel Holbert Committed by ma1
Browse files

Bug 1970490: Use loading principal (rather than triggering principal) for CORS... 

Bug 1970490: Use loading principal (rather than triggering principal) for CORS checks, by default. a=RyanVM

This is essentially a backout of bug 1496505, putting its change behind a new
off-by-default about:config pref[1] for now, in case there are use cases that
require it.

[1] content.cors.use_triggering_principal

Original Revision: https://phabricator.services.mozilla.com/D252611

Differential Revision: https://phabricator.services.mozilla.com/D263611
parent 56fdd37e

dom/security/nsContentSecurityManager.cpp

+12 −4
Original line number Diff line number Diff line
@@ -45,6 +45,7 @@ 
#include "mozilla/Logging.h"

#include "mozilla/Maybe.h"

#include "mozilla/Preferences.h"

#include "mozilla/StaticPrefs_content.h"

#include "mozilla/StaticPrefs_dom.h"

#include "mozilla/StaticPrefs_security.h"

#include "mozilla/Telemetry.h"
@@ -364,10 +365,17 @@ static nsresult DoCORSChecks(nsIChannel* aChannel, nsILoadInfo* aLoadInfo, 
    return NS_OK;

  }



  // We use the triggering principal here, rather than the loading principal

  // to ensure that anonymous CORS content in the browser resources and in

  // WebExtensions is allowed to load.

  nsIPrincipal* principal = aLoadInfo->TriggeringPrincipal();

  nsIPrincipal* principal = aLoadInfo->GetLoadingPrincipal();

  if (StaticPrefs::content_cors_use_triggering_principal()) {

    // We use the triggering principal here, rather than the loading principal,

    // to ensure that WebExtensions can reuse their own resources from content

    // that they inject into a page.

    //

    // TODO(dholbert): Is there actually a legitimate reason that WebExtensions

    // might need this (as opposed to exposing their resources for use in

    // web-content via the 'web_accessible_resources' manifest field)?

    principal = aLoadInfo->TriggeringPrincipal();

  }

  RefPtr<nsCORSListenerProxy> corsListener = new nsCORSListenerProxy(

      aInAndOutListener, principal,

      aLoadInfo->GetCookiePolicy() == nsILoadInfo::SEC_COOKIES_INCLUDE);

modules/libpref/init/StaticPrefList.yaml

+8 −0
Original line number Diff line number Diff line
@@ -1907,6 +1907,14 @@ 
  value: false

  mirror: always



# If true, we'll use the triggering principal rather than the loading principal

# when doing CORS checks.  This might be needed for WebExtensions to load their

# own resources from content that they inject into sites.

- name: content.cors.use_triggering_principal

  type: bool

  value: false

  mirror: always



# Back off timer notification after count.

# -1 means never.

- name: content.notify.backoffcount