[tbb-commits] [tor-browser/tor-browser-45.1.0esr-6.0-1] fixup! Bug #15502. Isolate blob, mediasource & mediastream URLs to first party

gk at torproject.org gk at torproject.org
Tue May 24 17:59:42 UTC 2016


commit 464f9221b09b70e05950a44ebb4f3c1f0bfde179
Author: Arthur Edelstein <arthuredelstein at gmail.com>
Date:   Thu May 19 22:58:18 2016 -0700

    fixup! Bug #15502. Isolate blob, mediasource & mediastream URLs to first party
---
 dom/base/nsXMLHttpRequest.cpp | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/dom/base/nsXMLHttpRequest.cpp b/dom/base/nsXMLHttpRequest.cpp
index 2c68e65..9d1ead5 100644
--- a/dom/base/nsXMLHttpRequest.cpp
+++ b/dom/base/nsXMLHttpRequest.cpp
@@ -1697,8 +1697,13 @@ nsXMLHttpRequest::Open(const nsACString& inMethod, const nsACString& url,
 
   // If we have the document, use it. Unfortunately, for dedicated workers
   // 'doc' ends up being the parent document, which is not the document
-  // that we want to use. So make sure to avoid using 'doc' in that situation.
-  if (doc && doc->NodePrincipal() == mPrincipal) {
+  // that we want to use because it has the wrong Content Security Policy.
+  // So make sure to avoid using 'doc' in that situation.
+  // However, for blob urls, we don't care about CSP but we do need to
+  // pass on the parent document to get the correct first party.
+  bool isBlob = false;
+  if (doc && (doc->NodePrincipal() == mPrincipal ||
+              (NS_SUCCEEDED(uri->SchemeIs("blob", &isBlob)) && isBlob))) {
     rv = NS_NewChannel(getter_AddRefs(mChannel),
                        uri,
                        doc,



More information about the tbb-commits mailing list