As a follow up for > https://bugzilla.mozilla.org/show_bug.cgi?id=1291458#c15 we should slightly teak the documentation to incorporate when a loadingPrincipa/triggeringPrincipal should not be a SystemPrincipal.
Assignee: nobody → ckerschb
Status: NEW → ASSIGNED
Priority: -- → P1
Created attachment 8795704 [details] [diff] [review] bug_1305996_documentation_loadinfo.patch
Attachment #8795704 - Flags: review?(tanvi)
Comment on attachment 8795704 [details] [diff] [review] bug_1305996_documentation_loadinfo.patch Some replacements below. r+ with the changes. >diff --git a/netwerk/base/nsILoadInfo.idl b/netwerk/base/nsILoadInfo.idl >--- a/netwerk/base/nsILoadInfo.idl >+++ b/netwerk/base/nsILoadInfo.idl >@@ -203,45 +203,67 @@ interface nsILoadInfo : nsISupports > * So if document at http://a.com/page.html loads an image from > * http://b.com/pic.jpg, then loadingPrincipal will be > * http://a.com/page.html. > * > * For <iframe> and <frame> loads, the LoadingPrincipal is the > * principal of the parent document. For top-level loads, the > * LoadingPrincipal is null. For all loads except top-level loads > * the LoadingPrincipal is never null. >+ * >+ * If the loadingPrincipal is the system principal, no security checks >+ * will be done at all, not during the initial load, and not during will be done at all. There will be no security checks on the initial load or any subsequent redirects. >+ * redirects. This includes not doing any nsIContentPolicy checks or This means there will be no nsIContentPolicy checks or any CheckLoadURI checks. >+ * any CheckLoadURI checks. Because of this, never set the >+ * loadingPrincipal to the system principal when the URI to be loaded >+ * is controlled by a webpage. >+ * If the loadingPrincipal and triggeringPrincipal are both >+ * codebase-principals, then we will at least call into codebase-principals, then we will always call into nsIContentPolicies and CheckLoadURI. >+ * nsIContentPolicies. This happens even if the uri to be loaded is The call to nsIContentPolicies and CheckLoadURI happen even if the URI to be loaded is same-origin with the loadingPrincipal or triggeringPrincipal. [Note I changed it to or.] >+ * same-origin with the loadingPrincipal and triggeringPrincipal. > */ > readonly attribute nsIPrincipal loadingPrincipal; > And the same changes apply to the triggeringPrincipal section below.
Attachment #8795704 - Flags: review?(tanvi) → review+
Pushed by email@example.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/b001b0ed40e1 Tweak Documentation for nsILoadInfo. r=tanvi
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
status-firefox52: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
You need to log in before you can comment on or make changes to this bug.