Bug 1262963 - Add env var for bypassing origin check of cssom. r=heycam
MozReview-Commit-ID: 2iMx3sz1QKS
--- a/dom/base/nsContentUtils.cpp
+++ b/dom/base/nsContentUtils.cpp
@@ -296,16 +296,19 @@ bool nsContentUtils::sIsCustomElementsEn
bool nsContentUtils::sSendPerformanceTimingNotifications = false;
bool nsContentUtils::sUseActivityCursor = false;
bool nsContentUtils::sAnimationsAPICoreEnabled = false;
bool nsContentUtils::sAnimationsAPIElementAnimateEnabled = false;
bool nsContentUtils::sGetBoxQuadsEnabled = false;
bool nsContentUtils::sSkipCursorMoveForSameValueSet = false;
bool nsContentUtils::sRequestIdleCallbackEnabled = false;
bool nsContentUtils::sLowerNetworkPriority = false;
+#ifndef RELEASE_OR_BETA
+bool nsContentUtils::sBypassCSSOMOriginCheck = false;
+#endif
int32_t nsContentUtils::sPrivacyMaxInnerWidth = 1000;
int32_t nsContentUtils::sPrivacyMaxInnerHeight = 1000;
nsContentUtils::UserInteractionObserver*
nsContentUtils::sUserInteractionObserver = nullptr;
uint32_t nsContentUtils::sHandlingInputTimeout = 1000;
@@ -710,16 +713,20 @@ nsContentUtils::Init()
Preferences::AddBoolVarCache(&sSkipCursorMoveForSameValueSet,
"dom.input.skip_cursor_move_for_same_value_set",
true);
Preferences::AddBoolVarCache(&sRequestIdleCallbackEnabled,
"dom.requestIdleCallback.enabled", false);
+#ifndef RELEASE_OR_BETA
+ sBypassCSSOMOriginCheck = getenv("MOZ_BYPASS_CSSOM_ORIGIN_CHECK");
+#endif
+
Preferences::AddBoolVarCache(&sLowerNetworkPriority,
"privacy.trackingprotection.lower_network_priority", false);
Element::InitCCCallbacks();
Unused << nsRFPService::GetOrCreate();
nsCOMPtr<nsIUUIDGenerator> uuidGenerator =
--- a/dom/base/nsContentUtils.h
+++ b/dom/base/nsContentUtils.h
@@ -2227,16 +2227,31 @@ public:
* Returns true if the requestIdleCallback API should be enabled.
*/
static bool RequestIdleCallbackEnabled()
{
return sRequestIdleCallbackEnabled;
}
/**
+ * Returns true if CSSOM origin check should be skipped for WebDriver
+ * based crawl to be able to collect data from cross-origin CSS style
+ * sheets. This can be enabled by setting environment variable
+ * MOZ_BYPASS_CSSOM_ORIGIN_CHECK.
+ */
+ static bool BypassCSSOMOriginCheck()
+ {
+#ifdef RELEASE_OR_BETA
+ return false;
+#else
+ return sBypassCSSOMOriginCheck;
+#endif
+ }
+
+ /**
* Return true if this doc is controlled by a ServiceWorker.
*/
static bool IsControlledByServiceWorker(nsIDocument* aDocument);
/**
* Fire mutation events for changes caused by parsing directly into a
* context node.
*
@@ -3092,16 +3107,19 @@ private:
static bool sSendPerformanceTimingNotifications;
static bool sUseActivityCursor;
static bool sAnimationsAPICoreEnabled;
static bool sAnimationsAPIElementAnimateEnabled;
static bool sGetBoxQuadsEnabled;
static bool sSkipCursorMoveForSameValueSet;
static bool sRequestIdleCallbackEnabled;
static bool sLowerNetworkPriority;
+#ifndef RELEASE_OR_BETA
+ static bool sBypassCSSOMOriginCheck;
+#endif
static uint32_t sCookiesLifetimePolicy;
static uint32_t sCookiesBehavior;
static int32_t sPrivacyMaxInnerWidth;
static int32_t sPrivacyMaxInnerHeight;
class UserInteractionObserver;
static UserInteractionObserver* sUserInteractionObserver;
--- a/layout/style/StyleSheet.cpp
+++ b/layout/style/StyleSheet.cpp
@@ -604,18 +604,20 @@ StyleSheet::SubjectSubsumesInnerPrincipa
ErrorResult& aRv)
{
StyleSheetInfo& info = SheetInfo();
if (aSubjectPrincipal.Subsumes(info.mPrincipal)) {
return;
}
- // Allow access only if CORS mode is not NONE
- if (GetCORSMode() == CORS_NONE) {
+ // Allow access only if CORS mode is not NONE and the security flag
+ // is not turned off.
+ if (GetCORSMode() == CORS_NONE &&
+ !nsContentUtils::BypassCSSOMOriginCheck()) {
aRv.Throw(NS_ERROR_DOM_SECURITY_ERR);
return;
}
// Now make sure we set the principal of our inner to the subjectPrincipal.
// We do this because we're in a situation where the caller would not normally
// be able to access the sheet, but the sheet has opted in to being read.
// Unfortunately, that means it's also opted in to being _edited_, and if the