Verified Commit f9a896f2 authored by Daniel Holbert's avatar Daniel Holbert Committed by ma1
Browse files

Bug 1970490: Use loading principal (rather than triggering principal) for CORS...

Bug 1970490: Use loading principal (rather than triggering principal) for CORS checks, by default. a=RyanVM

This is essentially a backout of bug 1496505, putting its change behind a new
off-by-default about:config pref[1] for now, in case there are use cases that
require it.

[1] content.cors.use_triggering_principal

Original Revision: https://phabricator.services.mozilla.com/D252611

Differential Revision: https://phabricator.services.mozilla.com/D263611
parent 56fdd37e
Loading
Loading
Loading
Loading
+12 −4
Original line number Diff line number Diff line
@@ -45,6 +45,7 @@
#include "mozilla/Logging.h"
#include "mozilla/Maybe.h"
#include "mozilla/Preferences.h"
#include "mozilla/StaticPrefs_content.h"
#include "mozilla/StaticPrefs_dom.h"
#include "mozilla/StaticPrefs_security.h"
#include "mozilla/Telemetry.h"
@@ -364,10 +365,17 @@ static nsresult DoCORSChecks(nsIChannel* aChannel, nsILoadInfo* aLoadInfo,
    return NS_OK;
  }

  // We use the triggering principal here, rather than the loading principal
  // to ensure that anonymous CORS content in the browser resources and in
  // WebExtensions is allowed to load.
  nsIPrincipal* principal = aLoadInfo->TriggeringPrincipal();
  nsIPrincipal* principal = aLoadInfo->GetLoadingPrincipal();
  if (StaticPrefs::content_cors_use_triggering_principal()) {
    // We use the triggering principal here, rather than the loading principal,
    // to ensure that WebExtensions can reuse their own resources from content
    // that they inject into a page.
    //
    // TODO(dholbert): Is there actually a legitimate reason that WebExtensions
    // might need this (as opposed to exposing their resources for use in
    // web-content via the 'web_accessible_resources' manifest field)?
    principal = aLoadInfo->TriggeringPrincipal();
  }
  RefPtr<nsCORSListenerProxy> corsListener = new nsCORSListenerProxy(
      aInAndOutListener, principal,
      aLoadInfo->GetCookiePolicy() == nsILoadInfo::SEC_COOKIES_INCLUDE);
+8 −0
Original line number Diff line number Diff line
@@ -1907,6 +1907,14 @@
  value: false
  mirror: always

# If true, we'll use the triggering principal rather than the loading principal
# when doing CORS checks.  This might be needed for WebExtensions to load their
# own resources from content that they inject into sites.
- name: content.cors.use_triggering_principal
  type: bool
  value: false
  mirror: always

# Back off timer notification after count.
# -1 means never.
- name: content.notify.backoffcount