Closed Bug 553448 Opened 14 years ago Closed 14 years ago

nsScriptSecurityManager::ContentSecurityPolicyPermitsJSAction should return JS_TRUE when no subjectPrincipal exists

Categories

(Core :: Security: CAPS, defect)

Product:
Core
Component:
Security: CAPS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: mozilla+ben, Assigned: mozilla+ben)

References

Details

Attachments

(1 file)

Patch emending CSP behavior.
2.01 KB, patch
mrbkap
: review+
dveditz
: superreview+
Details | Diff | Splinter Review 
In the xpcshell we don't have any notion of subject principals (in fact, we don't even have a document).  Failing to find a subjectPrincipal in such an environment should not cause CSP to forbid access.
Added an NS_ASSERTION to be sure that no principals could be found at all when subjectPrincipal is null.
Attachment #433451 - Flags: superreview?(dveditz)
Attachment #433451 - Flags: review?(mrbkap)
Comment on attachment 433451 [details] [diff] [review]
Patch emending CSP behavior.

Add a comment near the assertion about why we are asserting that there's no findObjectPrincipals hook and r=me.
Attachment #433451 - Flags: review?(mrbkap) → review+
Comment on attachment 433451 [details] [diff] [review]
Patch emending CSP behavior.

>-    if (callbacks) {
>-        return callbacks->contentSecurityPolicyAllows &&
>-               callbacks->contentSecurityPolicyAllows(cx);
>-    }
>+    if (callbacks && callbacks->contentSecurityPolicyAllows)
>+        return callbacks->contentSecurityPolicyAllows(cx);
> 
>     return JS_TRUE;

For posterity's sake, this change deserves explanation.  Simply, we should allow clients to set callbacks without setting a contendSecurityPolicyAllows callback.

In the situation that inspired this bug, the callbacks->contentSecurityPolicyAllows function pointer was none other than nsScriptSecurityManager::ContentSecurityPolicyPermitsJSAction, by the way.
(In reply to comment #2)
> (From update of attachment 433451 [details] [diff] [review])
> Add a comment near the assertion about why we are asserting that there's no
> findObjectPrincipals hook and r=me.

Added a comment pointing to this bug.
Comment on attachment 433451 [details] [diff] [review]
Patch emending CSP behavior.

sr=dveditz
Attachment #433451 - Flags: superreview?(dveditz) → superreview+
Thanks for your help tracking this down, dveditz and mrbkap.

Pushed to projects/electrolysis:
http://hg.mozilla.org/projects/electrolysis/rev/b45221bb1371

Should I also land on mozilla-central, or just wait for e10s to be merged with m-c?
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: