author | vinoth <cegvinoth@gmail.com> |
Thu, 18 Jan 2018 10:50:04 +0100 | |
changeset 722012 | d49cff6bd2a82c3c01c3ca3ee63ac5c85032d3ad |
parent 719657 | 1d79ae6437772ba7c18e99116d0fee16481921d5 |
child 746505 | 5cc58689b96d06a1814c4621d139cbad8906ed6f |
child 750467 | 6d924ba97913ac8a63e24a9c4d6678af41d4e4f9 |
push id | 96027 |
push user | bmo:cegvinoth@gmail.com |
push date | Thu, 18 Jan 2018 09:50:21 +0000 |
bugs | 1399990 |
milestone | 59.0a1 |
netwerk/protocol/http/nsHttpChannel.cpp | file | annotate | diff | comparison | revisions | |
toolkit/components/telemetry/Histograms.json | file | annotate | diff | comparison | revisions |
--- a/netwerk/protocol/http/nsHttpChannel.cpp
+++ b/netwerk/protocol/http/nsHttpChannel.cpp
@@ -1451,53 +1451,52 @@ EnsureMIMEOfScript(nsIURI* aURI, nsHttpR } if (aLoadInfo->GetExternalContentPolicyType() != nsIContentPolicy::TYPE_SCRIPT) { // if this is not a script load, then there is nothing to do return NS_OK; } nsAutoCString contentType; - nsCOMPtr<nsIURI> requestURI; - nsAutoCString requestURIString; - nsAutoCString responseURIString; - nsAutoCString corsOrigin; aResponseHead->ContentType(contentType); NS_ConvertUTF8toUTF16 typeString(contentType); if (nsContentUtils::IsJavascriptMIMEType(typeString)) { // script load has type script AccumulateCategorical(Telemetry::LABELS_SCRIPT_BLOCK_INCORRECT_MIME_2::javaScript); return NS_OK; } - if (aLoadInfo->LoadingPrincipal()) { - aLoadInfo->LoadingPrincipal()->GetURI(getter_AddRefs(requestURI)); - if (requestURI) { - requestURI->GetPrePath(requestURIString); - } - aURI->GetPrePath(responseURIString); - if (requestURIString.Equals(responseURIString)) { - //same origin - AccumulateCategorical(Telemetry::LABELS_SCRIPT_BLOCK_INCORRECT_MIME_2::same_origin); - } else { - bool cors = false; - nsresult rv = aResponseHead->GetHeader(nsHttp::ResolveAtom("Access-Control-Allow-Origin"), corsOrigin); - if (NS_SUCCEEDED(rv)) { - //cors origin - if (corsOrigin.Equals("*") || corsOrigin.Equals(requestURIString)) { - AccumulateCategorical(Telemetry::LABELS_SCRIPT_BLOCK_INCORRECT_MIME_2::CORS_same_origin); - cors = true; - } + nsCOMPtr<nsIURI> requestURI; + nsAutoCString requestURIString; + aLoadInfo->TriggeringPrincipal()->GetURI(getter_AddRefs(requestURI)); + if (requestURI) { + requestURI->GetPrePath(requestURIString); + } + + nsIScriptSecurityManager* ssm = nsContentUtils::GetSecurityManager(); + nsresult rv = ssm->CheckSameOriginURI(requestURI, aURI, false); + if (NS_SUCCEEDED(rv)) { + //same origin + AccumulateCategorical(Telemetry::LABELS_SCRIPT_BLOCK_INCORRECT_MIME_2::same_origin); + } else { + bool cors = false; + nsAutoCString corsOrigin; + rv = 
aResponseHead->GetHeader(nsHttp::ResolveAtom("Access-Control-Allow-Origin"), corsOrigin); + if (NS_SUCCEEDED(rv)) { + //cors origin + if (corsOrigin.Equals("*") || corsOrigin.Equals(requestURIString)) { + AccumulateCategorical(Telemetry::LABELS_SCRIPT_BLOCK_INCORRECT_MIME_2::CORS_origin); + cors = true; } - if (!cors) { - //cross origin - AccumulateCategorical(Telemetry::LABELS_SCRIPT_BLOCK_INCORRECT_MIME_2::cross_origin); - } + } + if (!cors) { + //cross origin + AccumulateCategorical(Telemetry::LABELS_SCRIPT_BLOCK_INCORRECT_MIME_2::cross_origin); } } bool block = false; if (StringBeginsWith(contentType, NS_LITERAL_CSTRING("image/"))) { // script load has type image AccumulateCategorical(Telemetry::LABELS_SCRIPT_BLOCK_INCORRECT_MIME_2::image); block = true;
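Review bot: The `CORS_origin` label is assigned from the response's `Access-Control-Allow-Origin` header alone (`corsOrigin.Equals("*") || corsOrigin.Equals(requestURIString)`) without checking that the request was actually issued in CORS mode, so a plain cross-origin `<script>` whose server happens to emit `ACAO: *` is counted as CORS rather than `cross_origin`, which skews exactly the bucket this telemetry exists to measure. Gating the branch on the load's security mode, e.g. `if (NS_SUCCEEDED(rv) && aLoadInfo->GetSecurityMode() == nsILoadInfo::SEC_REQUIRE_CORS_DATA_INHERITS) {` (or whichever accessor exposes the CORS flag on nsILoadInfo here), would keep the label honest. Separately, `TriggeringPrincipal()->GetURI()` yields a null `requestURI` for principals that carry no URI (system or null principals); the removed code guarded on `LoadingPrincipal()` while the new code only null-checks before `GetPrePath`, so those loads presumably fall through `CheckSameOriginURI` into the cross-origin/CORS buckets with an empty `requestURIString` — either a comment stating that this is intended, or an early `return NS_OK;` when `requestURI` is null, would make the choice explicit. EnsureMIMEOfScript begins before this hunk and continues after it.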
--- a/toolkit/components/telemetry/Histograms.json
+++ b/toolkit/components/telemetry/Histograms.json
@@ -7798,18 +7798,18 @@
     "description": "Whether the user is in safe mode (No, Yes, Forced)"
   },
   "SCRIPT_BLOCK_INCORRECT_MIME_2": {
     "record_in_processes": ["main", "content"],
     "alert_emails": ["ckerschbaumer@mozilla.com"],
     "bug_numbers": [1288361, 1299267, 1399990],
     "expires_in_version": "63",
     "kind": "categorical",
-    "labels": ["unknown","javaScript","image", "audio", "video","text_plain","text_csv","text_xml","app_octet_stream","app_xml","text_html","empty","worker_load","importSript_load","script_load","same_origin","CORS_same_origin","cross_origin"],
-    "description": "Whether the script load has a MIME type of ...? (unknown, javaScript, image, audio, video, text_plain, text_csv, text_xml, app_octet_stream, app_xml, text_html, empty). Whether the script load is from ...? (worker_load, importSript_load, script_load). Whether the script load is of ...? (same_origin, CORS_same_origin, cross_origin)"
+    "labels": ["unknown","javaScript","image", "audio", "video","text_plain","text_csv","text_xml","app_octet_stream","app_xml","text_html","empty","worker_load","importSript_load","script_load","same_origin","CORS_origin","cross_origin"],
+    "description": "Whether the script load has a MIME type of ...? (unknown, javaScript, image, audio, video, text_plain, text_csv, text_xml, app_octet_stream, app_xml, text_html, empty). Whether the script load is from ...? (worker_load, importSript_load, script_load). Whether the script load is of ...? (same_origin, CORS_origin, cross_origin)"
   },
   "XCTO_NOSNIFF_BLOCK_IMAGE": {
     "record_in_processes": ["main", "content"],
     "alert_emails": ["ckerschbaumer@mozilla.com"],
     "bug_numbers": [1302539],
     "expires_in_version": "56",
     "kind": "enumerated",
     "n_values": 3,