Closed
Bug 1305996
Opened 8 years ago
Closed 8 years ago
Tweak Documentation for nsILoadInfo
Categories
(Core :: DOM: Security, defect, P1)
Core
DOM: Security
Tracking
()
RESOLVED
FIXED
mozilla52
Tracking | Status | |
---|---|---|
firefox52 | --- | fixed |
People
(Reporter: ckerschb, Assigned: ckerschb)
References
Details
(Whiteboard: [domsecurity-active])
Attachments
(1 file)
3.85 KB,
patch
|
tanvi
:
review+
|
Details | Diff | Splinter Review |
As a follow up for
> https://bugzilla.mozilla.org/show_bug.cgi?id=1291458#c15
we should slightly teak the documentation to incorporate when a loadingPrincipa/triggeringPrincipal should not be a SystemPrincipal.
Assignee | ||
Updated•8 years ago
|
Assignee: nobody → ckerschb
Status: NEW → ASSIGNED
Priority: -- → P1
Whiteboard: [domsecurity-active]
Assignee | ||
Comment 1•8 years ago
|
||
Attachment #8795704 -
Flags: review?(tanvi)
Comment 2•8 years ago
|
||
Comment on attachment 8795704 [details] [diff] [review] bug_1305996_documentation_loadinfo.patch Some replacements below. r+ with the changes. >diff --git a/netwerk/base/nsILoadInfo.idl b/netwerk/base/nsILoadInfo.idl >--- a/netwerk/base/nsILoadInfo.idl >+++ b/netwerk/base/nsILoadInfo.idl >@@ -203,45 +203,67 @@ interface nsILoadInfo : nsISupports > * So if document at http://a.com/page.html loads an image from > * http://b.com/pic.jpg, then loadingPrincipal will be > * http://a.com/page.html. > * > * For <iframe> and <frame> loads, the LoadingPrincipal is the > * principal of the parent document. For top-level loads, the > * LoadingPrincipal is null. For all loads except top-level loads > * the LoadingPrincipal is never null. >+ * >+ * If the loadingPrincipal is the system principal, no security checks >+ * will be done at all, not during the initial load, and not during will be done at all. There will be no security checks on the initial load or any subsequent redirects. >+ * redirects. This includes not doing any nsIContentPolicy checks or This means there will be no nsIContentPolicy checks or any CheckLoadURI checks. >+ * any CheckLoadURI checks. Because of this, never set the >+ * loadingPrincipal to the system principal when the URI to be loaded >+ * is controlled by a webpage. >+ * If the loadingPrincipal and triggeringPrincipal are both >+ * codebase-principals, then we will at least call into codebase-principals, then we will always call into nsIContentPolicies and CheckLoadURI. >+ * nsIContentPolicies. This happens even if the uri to be loaded is The call to nsIContentPolicies and CheckLoadURI happen even if the URI to be loaded is same-origin with the loadingPrincipal or triggeringPrincipal. [Note I changed it to or.] >+ * same-origin with the loadingPrincipal and triggeringPrincipal. > */ > readonly attribute nsIPrincipal loadingPrincipal; > And the same changes apply to the triggeringPrincipal section below.
Attachment #8795704 -
Flags: review?(tanvi) → review+
Pushed by mozilla@christophkerschbaumer.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/b001b0ed40e1 Tweak Documentation for nsILoadInfo. r=tanvi
Comment 4•8 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/b001b0ed40e1
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
status-firefox52:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
You need to log in
before you can comment on or make changes to this bug.
Description
•