Issue #2736 - Part 6: Re-work <script> src attribute.

Use subject principal as triggering principal in <script> "src" attribute.
This commit is contained in:
Moonchild
2025-04-29 09:47:42 +02:00
committed by roytam1
parent 2bdb9f3d85
commit 1f638b22ec
6 changed files with 47 additions and 17 deletions
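--- a/HTMLScriptElement.cpp
+++ b/HTMLScriptElement.cpp
@@ -166,9 +166,9 @@ HTMLScriptElement::Defer()
 }
 void
-HTMLScriptElement::SetSrc(const nsAString& aSrc, ErrorResult& rv)
+HTMLScriptElement::SetSrc(const nsAString& aSrc, nsIPrincipal& aTriggeringPrincipal, ErrorResult& rv)
 {
-rv = SetAttrHelper(nsGkAtoms::src, aSrc);
+SetHTMLAttr(nsGkAtoms::src, aSrc, aTriggeringPrincipal, rv);
 }
 void
@@ -230,16 +230,21 @@ HTMLScriptElement::SetNoModule(bool aValue, ErrorResult& aRv)
 }
 nsresult
-HTMLScriptElement::AfterSetAttr(int32_t aNamespaceID, nsIAtom* aName,
+HTMLScriptElement::AfterSetAttr(int32_t aNameSpaceID, nsIAtom* aName,
 const nsAttrValue* aValue,
 const nsAttrValue* aOldValue,
 nsIPrincipal* aMaybeScriptedPrincipal,
 bool aNotify)
 {
-if (nsGkAtoms::async == aName && kNameSpaceID_None == aNamespaceID) {
+if (aName == nsGkAtoms::async && aNameSpaceID == kNameSpaceID_None) {
 mForceAsync = false;
 }
-return nsGenericHTMLElement::AfterSetAttr(aNamespaceID, aName,
+if (aName == nsGkAtoms::src && aNameSpaceID == kNameSpaceID_None) {
+mSrcTriggeringPrincipal = nsContentUtils::GetAttrTriggeringPrincipal(
+this, aValue ? aValue->GetStringValue() : EmptyString(),
+aMaybeScriptedPrincipal);
+}
+return nsGenericHTMLElement::AfterSetAttr(aNameSpaceID, aName,
 aValue, aOldValue,
 aMaybeScriptedPrincipal,
 aNotify);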
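Review bot: The new src branch in AfterSetAttr records which principal set the attribute but carries no comment saying why, and nothing here tells the next maintainer that ScriptLoader reads it back as the fetch's triggering principal; add `// Remember the principal that set src: ScriptLoader uses it as the triggering principal for the external fetch.` above the `if (aName == nsGkAtoms::src ...)` line. Note the branch also runs on attribute removal (aValue null), so mSrcTriggeringPrincipal is recomputed from an empty string rather than reset; what GetAttrTriggeringPrincipal returns for an empty value is not visible here, so if it can hand back a non-null principal consider assigning `nullptr` explicitly in that case. AfterSetAttr's body continues past the end of the hunk.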
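--- a/HTMLScriptElement.h
+++ b/HTMLScriptElement.h
@@ -67,7 +67,11 @@ public:
 void SetCharset(const nsAString& aCharset, ErrorResult& rv);
 void SetDefer(bool aDefer, ErrorResult& rv);
 bool Defer();
-void SetSrc(const nsAString& aSrc, ErrorResult& rv);
+void GetSrc(nsString& aSrc, nsIPrincipal&)
+{
+GetSrc(aSrc);
+};
+void SetSrc(const nsAString& aSrc, nsIPrincipal& aTriggeringPrincipal, ErrorResult& rv);
 void SetType(const nsAString& aType, ErrorResult& rv);
 void SetHtmlFor(const nsAString& aHtmlFor, ErrorResult& rv);
 void SetEvent(const nsAString& aEvent, ErrorResult& rv);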
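Review bot: The new GetSrc overload silently ignores its nsIPrincipal& argument and has a stray `;` after the inline body, and a reader will wonder whether the getter was meant to check the principal; add `// Getter does not depend on the subject principal; this overload only exists because the [NeedsSubjectPrincipal] binding passes one.` above it and drop the trailing semicolon so the body reads `{ GetSrc(aSrc); }`. That the binding passes a principal to the getter as well as the setter is inferred from the webidl change, not visible in this header, so confirm before wording the comment that way.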
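--- a/ScriptLoader.cpp
+++ b/ScriptLoader.cpp
@@ -869,6 +869,8 @@ ScriptLoader::StartFetchingModuleAndDependencies(ModuleLoadRequest* aParent,
 RefPtr<ModuleLoadRequest> childRequest =
 ModuleLoadRequest::CreateStaticImport(aURI, aParent);
+childRequest->mTriggeringPrincipal = aParent->mTriggeringPrincipal;
 aParent->mImports.AppendElement(childRequest);
 RefPtr<GenericPromise> ready = childRequest->mReady.Ensure(__func__);
@@ -1329,15 +1331,16 @@ ScriptLoader::StartLoad(ScriptLoadRequest *aRequest, const nsAString &aType,
 securityFlags |= nsILoadInfo::SEC_ALLOW_CHROME;
 nsCOMPtr<nsIChannel> channel;
-nsresult rv = NS_NewChannel(getter_AddRefs(channel),
-aRequest->mURI,
-context,
-securityFlags,
-contentPolicyType,
-loadGroup,
-prompter,
-nsIRequest::LOAD_NORMAL |
-nsIChannel::LOAD_CLASSIFY_URI);
+nsresult rv = NS_NewChannelWithTriggeringPrincipal(
+getter_AddRefs(channel),
+aRequest->mURI,
+context,
+aRequest->mTriggeringPrincipal,
+securityFlags,
+contentPolicyType,
+loadGroup,
+prompter,
+nsIRequest::LOAD_NORMAL);
 NS_ENSURE_SUCCESS(rv, rv);
@@ -1638,10 +1641,14 @@ ScriptLoader::ProcessScriptElement(nsIScriptElement *aElement)
 }
 }
-nsCOMPtr<nsIPrincipal> principal = scriptContent->NodePrincipal();
+nsCOMPtr<nsIPrincipal> principal = aElement->GetScriptURITriggeringPrincipal();
+if (!principal) {
+principal = scriptContent->NodePrincipal();
+}
 request = CreateLoadRequest(scriptKind, scriptURI, aElement, principal,
 ourCORSMode, sriMetadata, referrerPolicy);
+request->mTriggeringPrincipal = Move(principal);
 request->mIsInline = false;
 request->SetScriptMode(aElement->GetScriptDeferred(),
 aElement->GetScriptAsync());
@@ -1764,6 +1771,7 @@ ScriptLoader::ProcessScriptElement(nsIScriptElement *aElement)
 SRIMetadata(), // SRI doesn't apply
 referrerPolicy);
 request->mIsInline = true;
+request->mTriggeringPrincipal = mDocument->NodePrincipal();
 request->mLineNo = aElement->GetScriptLineNumber();
 // Only the 'async' attribute is heeded on an inline module script and
@@ -3077,6 +3085,7 @@ ScriptLoader::PreloadURI(nsIURI *aURI,
 mDocument->NodePrincipal(),
 Element::StringToCORSMode(aCrossOrigin), sriMetadata,
 aReferrerPolicy);
+request->mTriggeringPrincipal = mDocument->NodePrincipal();
 request->mIsInline = false;
 request->SetScriptMode(aDefer, aAsync);
 request->SetIsPreloadRequest();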
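Review bot: The StartLoad hunk drops `nsIChannel::LOAD_CLASSIFY_URI` from the load flags while switching to NS_NewChannelWithTriggeringPrincipal — the removed lines pass `nsIRequest::LOAD_NORMAL | nsIChannel::LOAD_CLASSIFY_URI` and the new call passes only `nsIRequest::LOAD_NORMAL);` — and neither the commit message nor the new code explains it, so unless URL classification of script loads now happens elsewhere, external scripts would no longer be run through the classifier. Keep the flag: `nsIRequest::LOAD_NORMAL | nsIChannel::LOAD_CLASSIFY_URI);`. Separately, mTriggeringPrincipal is assigned by hand after construction at four call sites here, and any request-creation path this commit does not touch would reach StartLoad with a null triggering principal; initializing it inside CreateLoadRequest (or the request constructor) from the principal already passed there would close that gap. StartLoad, ProcessScriptElement and PreloadURI all begin and end outside these hunks.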
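--- a/ScriptLoadRequest.h
+++ b/ScriptLoadRequest.h
@@ -248,6 +248,7 @@ public:
 char16_t* mScriptTextBuf; // Holds script text for non-inline scripts. Don't
 size_t mScriptTextLength; // use nsString so we can give ownership to jsapi.
 const nsCOMPtr<nsIURI> mURI;
+nsCOMPtr<nsIPrincipal> mTriggeringPrincipal;
 nsCOMPtr<nsIPrincipal> mOriginPrincipal;
 nsAutoCString mURL; // Keep the URI's filename alive during off thread parsing.
 int32_t mLineNo;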
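Review bot: The new mTriggeringPrincipal member has no comment distinguishing it from the adjacent mOriginPrincipal, and since it is a public field that creators must fill in after construction (it defaults to null), that contract deserves stating; add `// Principal that triggered this load (the subject principal that set src, or the document principal); set by the creator after construction and passed to the channel as the triggering principal.` on the line above it. Unlike mURI it is not const, so whether it is meant to change after the request is created is worth saying too.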
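--- a/nsIScriptElement.h
+++ b/nsIScriptElement.h
@@ -68,6 +68,12 @@ public:
 return mUri;
 }
+nsIPrincipal* GetScriptURITriggeringPrincipal()
+{
+NS_PRECONDITION(mFrozen, "Not ready for this call yet!");
+return mSrcTriggeringPrincipal;
+}
 /**
 * Script source text for inline script elements.
 */
@@ -363,6 +369,11 @@ protected:
 */
 nsCOMPtr<nsIURI> mUri;
+/**
+* The triggering principal for the src URL.
+*/
+nsCOMPtr<nsIPrincipal> mSrcTriggeringPrincipal;
 /**
 * The creator parser of a non-defer, non-async parser-inserted script.
 */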
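Review bot: GetScriptURITriggeringPrincipal asserts mFrozen, but mSrcTriggeringPrincipal is rewritten on every src change (see the HTMLScriptElement::AfterSetAttr change in this commit) rather than captured where mUri is frozen, so a src assignment after freezing could leave the getter returning a principal for a URL that is no longer mUri; if callers do not always read it immediately after freezing, capture it alongside mUri in the freeze path (not shown here) or document the ordering requirement. The member comment should also state the null contract that ScriptLoader relies on: `/** Principal that set the src attribute, used as the triggering principal for the fetch; null when none was recorded, in which case callers fall back to the node principal. */`. The class runs past both hunks.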
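--- a/HTMLScriptElement.webidl
+++ b/HTMLScriptElement.webidl
@@ -10,7 +10,7 @@
 [HTMLConstructor]
 interface HTMLScriptElement : HTMLElement {
-[CEReactions, SetterThrows]
+[CEReactions, NeedsSubjectPrincipal, SetterThrows]
 attribute DOMString src;
 [CEReactions, SetterThrows]
 attribute DOMString type;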