Check if OverridesCSP check from Bug 1529877 can be moved to frame->GetSrcTriggeringPrincipal()
Categories
(Core :: DOM: Security, enhancement, P2)
Tracking
()
Tracking | Status | |
---|---|---|
firefox67 | --- | fixed |
People
(Reporter: ckerschb, Assigned: ckerschb)
References
(Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-active])
Attachments
(1 file)
As a follow up to Bug 1529877 we should check if we can move the OverrideCSP() check from nsFrameLoader.cpp into frame->GetSrcTriggeringPrincipal() and just not store the triggeringPrincipal in that case at all, so that we always fall back to using the node->NodePrincipal.
Assignee | ||
Updated•6 years ago
|
Comment 1•6 years ago
|
||
I think we really want to just do this check before we store the triggering principal at all, from GetAttrTriggeringPrincipal
1.
Assignee | ||
Comment 2•6 years ago
|
||
Assignee | ||
Comment 3•6 years ago
|
||
Assignee | ||
Comment 4•6 years ago
|
||
Assignee | ||
Comment 5•6 years ago
|
||
I did 'Preview Landing' in Lando and it showed me 'Landing Queued' but the patch never landed - until I figure out what the problem was I am requesting 'checkin-needed' for this one.
Updated•6 years ago
|
Pushed by mozilla@christophkerschbaumer.com:
https://hg.mozilla.org/integration/autoland/rev/f101c9664b87
Do not query the CSP from the principal within LoadFrame, but rather do not even set the Principal if it does not override the CSP within nsContentUtils::GetAttrTriggeringPrincipal. r=bzbarsky
Comment 7•6 years ago
|
||
bugherder |
Description
•