1544534 - Add carveout for NullPrincipal when asserting if explicit CSP and CSP on Principal are equal

Status: RESOLVED FIXED

(Core :: DOM: Security, defect, P1)

Description

[Christoph Kerschbaumer [:ckerschb]]

Using a clean profile do:

• Navigate to data:application/json,["visit%20http://mozilla.org"]
• It should open the JSON Viewer, with a mozilla.org link, click on it

Assertion in nsDocshell fires exhibiting that the explicit CSP and the CSP on the triggeringPrincipal are not equal.

Comment 1

[Christoph Kerschbaumer [:ckerschb]]

Attachment: bug_1544534_fix_csp_problem.patch

Jonathan, Gijs, I found the problem why the assertion in nsDoShell is firing, but I am not sure if it's worth landing my patch given that we are so close to land Bug 965637 (which is ready for review today). Probably we might open a can of worms.

In detail:
We have not been serializing the CSP within the Principal for NullPrincipals. Please note that we have never been doing that and the problem disappears after Bug 965637, which would remove all the code we would add within this patch.

I think it might be the better solution to add a carveout to the assertion within nsDocshell and just do not assert for NullPrincipals so the update within Bug 1540069 can land.

What do you think?

Comment 2

[:Gijs (he/him)]

Assuming bug 965637 lands soon that wfm.

Comment 3

[Christoph Kerschbaumer [:ckerschb]]

Attachment: Bug 1544534: Add carveout for NullPrincipal when asserting if explicit CSP and CSP on Principal are equal. r=gijs

Comment 4

[Pulsebot]

Pushed by mozilla@christophkerschbaumer.com:
https://hg.mozilla.org/integration/autoland/rev/7a36097057bd
Add carveout for NullPrincipal when asserting if explicit CSP and CSP on Principal are equal. r=Gijs

Comment 5

[Noemi Erli[:noemi_erli]]

https://hg.mozilla.org/mozilla-central/rev/7a36097057bd

Comment 6

[Jonathan Kingston [:jkt] he/him]

Clearing ni. We agreed over slack.