1473285 - Use resource: or other non-system principal for saving blobs of pretty-printed data from json viewer

Status: NEW

(DevTools :: JSON Viewer, enhancement, P3)

Description

[:Gijs (out for now; he/him)]

In bug 1469916 I landed a bit of a stopgap fix in the JSON viewer to using nsIWebBrowserPersist with the prettyprinted json that gets sent from the json viewer in the content process to the parent process.

It needs to send the data to the parent because you can't touch disk in the content process.

Unfortunately, the blob it creates gets a null principal because we change the json viewer's principal to be a null principal. But null principals don't travel between parent and child well, and as a result then the parent isn't allowed to save the blob URI, because the principal (new null principal) can't touch the blob URI (created from the old principal).

I worked around this by explicitly passing system principal as the triggering princpial for the blob load (as that's the only thing that can load a non-identical null principal), and added some manual checks on the data being passed in to avoid it being easily exploitable to make system principal load arbitrary URIs, but presumably we can do better here. Perhaps by adjusting how we create the blob so that it gets a resource: codebase principal or something, and then using that. Or perhaps we can somehow get the blob URI's principal? I'm not sure if we expose that somehow.

Comment 1

[Andrea Marchesini [:baku]]

> principal or something, and then using that. Or perhaps we can somehow get
> the blob URI's principal? I'm not sure if we expose that somehow.

We have nsIURIWithPrincipal, but don't use it, please. I'm removing it in 1228139.
We store the blob's principal inside BlobURLProtocolHandler in an internal hashtable and in bug 1228139 I wrote something that exposes the blobURL's principal from a nsIURI object. This can be used by any process.