commit 464f9221b09b70e05950a44ebb4f3c1f0bfde179 Author: Arthur Edelstein arthuredelstein@gmail.com Date: Thu May 19 22:58:18 2016 -0700
fixup! Bug #15502. Isolate blob, mediasource & mediastream URLs to first party --- dom/base/nsXMLHttpRequest.cpp | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/dom/base/nsXMLHttpRequest.cpp b/dom/base/nsXMLHttpRequest.cpp index 2c68e65..9d1ead5 100644 --- a/dom/base/nsXMLHttpRequest.cpp +++ b/dom/base/nsXMLHttpRequest.cpp @@ -1697,8 +1697,13 @@ nsXMLHttpRequest::Open(const nsACString& inMethod, const nsACString& url,
// If we have the document, use it. Unfortunately, for dedicated workers // 'doc' ends up being the parent document, which is not the document - // that we want to use. So make sure to avoid using 'doc' in that situation. - if (doc && doc->NodePrincipal() == mPrincipal) { + // that we want to use because it has the wrong Content Security Policy. + // So make sure to avoid using 'doc' in that situation. + // However, for blob urls, we don't care about CSP but we do need to + // pass on the parent document to get the correct first party. + bool isBlob = false; + if (doc && (doc->NodePrincipal() == mPrincipal || + (NS_SUCCEEDED(uri->SchemeIs("blob", &isBlob)) && isBlob))) { rv = NS_NewChannel(getter_AddRefs(mChannel), uri, doc,