Bug 1297156: Always use the content security policy from the triggering principal for favicon loads.
Normally we use the CSP defined by the principal of the node loading something.
In the case of a xul:image element loading a favicon we need to use the
triggering principal.
MozReview-Commit-ID: EYVMGWzw03k
--- a/dom/security/nsCSPService.cpp
+++ b/dom/security/nsCSPService.cpp
@@ -157,18 +157,18 @@ CSPService::ShouldLoad(nsIURI *aContentL
}
// Find a principal to retrieve the CSP from. If we don't have a context node
// (because, for instance, the load originates in a service worker), or the
// requesting principal's CSP overrides our document CSP, use the request
// principal. Otherwise, use the document principal.
nsCOMPtr<nsINode> node(do_QueryInterface(aRequestContext));
nsCOMPtr<nsIPrincipal> principal;
- if (!node || (aRequestPrincipal &&
- BasePrincipal::Cast(aRequestPrincipal)->OverridesCSP(node->NodePrincipal()))) {
+ if (!node || aContentType == nsIContentPolicy::TYPE_INTERNAL_IMAGE_FAVICON ||
+ (aRequestPrincipal && BasePrincipal::Cast(aRequestPrincipal)->OverridesCSP(node->NodePrincipal()))) {
principal = aRequestPrincipal;
} else {
principal = node->NodePrincipal();
}
if (!principal) {
// if we can't query a principal, then there is nothing to do.
return NS_OK;
}
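Review bot: The new `aContentType == nsIContentPolicy::TYPE_INTERNAL_IMAGE_FAVICON` arm selects `aRequestPrincipal` without a null check, so a favicon load that has a context node but no request principal now reaches `if (!principal) return NS_OK;` and, as far as this hunk shows, returns without any CSP being consulted; the old condition fell back to `node->NodePrincipal()` in that case. Whether callers always supply a triggering principal for favicon loads is not visible here, so I would keep the fallback by folding the type test under the existing null guard: `if (!node || (aRequestPrincipal && (aContentType == nsIContentPolicy::TYPE_INTERNAL_IMAGE_FAVICON || BasePrincipal::Cast(aRequestPrincipal)->OverridesCSP(node->NodePrincipal()))))`. The comment above the condition still describes only the no-node and OverridesCSP cases, so it should gain a line such as `// Favicon loads always use the request (triggering) principal's CSP.` ShouldLoad's body starts and ends outside the hunk.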