authorjanekptacijarabaci <janekptacijarabaci@seznam.cz>2017-08-25 09:25:03 +0200
committerwolfbeast <mcwerewolf@gmail.com>2018-02-22 11:18:23 +0100
commit018a6599a12489a92c4e8b6b2a548276a98769ef (patch)
treed55ccf486d68b1dde83f56a95bb6e8121a7ba48f /docshell
parent4ee10e06a28f46681d0c794f4877dd6ca241b7bd (diff)
downloaduxp-018a6599a12489a92c4e8b6b2a548276a98769ef.tar.gz
CSP: Upgrade SO navigational requests per spec.
Diffstat (limited to 'docshell')
-rw-r--r--docshell/base/nsDocShell.cpp23
1 files changed, 23 insertions, 0 deletions
diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp
index ab119a016a..2e08e67207 100644
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@@ -11025,6 +11025,29 @@ nsDocShell::DoURILoad(nsIURI* aURI,
}
}
+ // Navigational requests that are same origin need to be upgraded in case
+ // upgrade-insecure-requests is present. Please note that in that case
+ // the triggeringPrincipal is holding the CSP that potentially
+ // holds upgrade-insecure-requests.
+ nsCOMPtr<nsIContentSecurityPolicy> csp;
+ aTriggeringPrincipal->GetCsp(getter_AddRefs(csp));
+ if (csp) {
+ bool upgradeInsecureRequests = false;
+ csp->GetUpgradeInsecureRequests(&upgradeInsecureRequests);
+ if (upgradeInsecureRequests) {
+ // only upgrade if the navigation is same origin
+ nsCOMPtr<nsIPrincipal> resultPrincipal;
+ rv = nsContentUtils::GetSecurityManager()->
+ GetChannelResultPrincipal(channel,
+ getter_AddRefs(resultPrincipal));
+ NS_ENSURE_SUCCESS(rv, rv);
+ if (resultPrincipal->Equals(aTriggeringPrincipal)) {
+ static_cast<mozilla::LoadInfo*>(loadInfo.get())->SetUpgradeInsecureRequests();
+ }
+ }
+ }
+
+
nsCOMPtr<nsIApplicationCacheChannel> appCacheChannel =
do_QueryInterface(channel);
if (appCacheChannel) {
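Review bot: `aTriggeringPrincipal->GetCsp(getter_AddRefs(csp));` dereferences `aTriggeringPrincipal` with no null check visible in this hunk. It also discards the nsresult, as does `csp->GetUpgradeInsecureRequests(&upgradeInsecureRequests);`, so a failed policy lookup leaves `csp` null or the flag false and the navigation silently goes out un-upgraded. DoURILoad begins outside the hunk, so an earlier guarantee of a non-null triggering principal may exist; if it does not, wrap the block in `if (aTriggeringPrincipal) {`. Consider `rv = aTriggeringPrincipal->GetCsp(getter_AddRefs(csp)); NS_ENSURE_SUCCESS(rv, rv);` if a failed CSP read should stop the load instead of falling back to an insecure request. The `static_cast<mozilla::LoadInfo*>(loadInfo.get())` likewise assumes `loadInfo` is non-null and is the concrete `mozilla::LoadInfo`; a short comment such as `// loadInfo was created above as a mozilla::LoadInfo, so the downcast is safe` would record where that holds.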