Disable cross origin check for mozbrowser-enabled top level pipelines

2025-07-23 07:13:52 +01:00 · 2016-03-28 10:29:31 +02:00 · 2016-03-28 10:29:31 +02:00 · dd08e904eb
commit dd08e904eb
parent b97ffffb48
3 changed files with 54 additions and 6 deletions
--- a/components/script/dom/xmlhttprequest.rs
+++ b/components/script/dom/xmlhttprequest.rs
@ -62,6 +62,7 @@ use time;
 use timers::{OneshotTimerCallback, OneshotTimerHandle};
 use url::Url;
 use url::percent_encoding::{utf8_percent_encode, USERNAME_ENCODE_SET, PASSWORD_ENCODE_SET};
+use util::prefs;
 use util::str::DOMString;

 pub type SendParam = BlobOrStringOrURLSearchParams;
@ -866,6 +867,22 @@ impl XMLHttpRequest {
    fn process_headers_available(&self, cors_request: Option<CORSRequest>,
                                 gen_id: GenerationId, metadata: Metadata) -> Result<(), Error> {

+        let bypass_cross_origin_check = {
+            // We want to be able to do cross-origin requests in browser.html.
+            // If the XHR happens in a top level window and the mozbrowser
+            // preference is enabled, we allow bypassing the CORS check.
+            // This is a temporary measure until we figure out Servo privilege
+            // story. See https://github.com/servo/servo/issues/9582
+            if let GlobalRoot::Window(win) = self.global() {
+                let is_root_pipeline = win.parent_info().is_none();
+                let is_mozbrowser_enabled = prefs::get_pref("dom.mozbrowser.enabled").as_boolean().unwrap_or(false);
+                is_root_pipeline && is_mozbrowser_enabled
+            } else {
+                false
+            }
+        };
+
+        if !bypass_cross_origin_check {
            if let Some(ref req) = cors_request {
                match metadata.headers {
                    Some(ref h) if allow_cross_origin_request(req, h) => {},
@ -875,6 +892,9 @@ impl XMLHttpRequest {
                    }
                }
            }
+        } else {
+            debug!("Bypassing cross origin check");
+        }

        *self.response_url.borrow_mut() = metadata.final_url.serialize_no_fragment();

--- a/tests/wpt/mozilla/meta/MANIFEST.json
+++ b/tests/wpt/mozilla/meta/MANIFEST.json
@ -6060,6 +6060,12 @@
            "url": "/_mozilla/mozilla/mime_sniffing_font_context.html"
          }
        ],
+        "mozilla/mozbrowser/crossorigin_xhr.html": [
+          {
+            "path": "mozilla/mozbrowser/crossorigin_xhr.html",
+            "url": "/_mozilla/mozilla/mozbrowser/crossorigin_xhr.html"
+          }
+        ],
        "mozilla/mozbrowser/iframe_goback.html": [
          {
            "path": "mozilla/mozbrowser/iframe_goback.html",
--- a/tests/wpt/mozilla/tests/mozilla/mozbrowser/crossorigin_xhr.html
+++ b/tests/wpt/mozilla/tests/mozilla/mozbrowser/crossorigin_xhr.html
@ -0,0 +1,22 @@
+<head>
+<title>cross origin xhr() with mozbrowser</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+<body>
+<script>
+
+async_test(function(t) {
+  var xhr = new XMLHttpRequest();
+  xhr.open("GET", "http://www2.web-platform.test:8000");
+  xhr.send();
+
+  xhr.onerror = this.unreached_func("Cross origin xhr() should not have failed");
+
+  xhr.onload = this.step_func_done(() => {
+    assert_equals(xhr.status, 200, "Cross origin xhr() is successful");
+  });
+});
+
+</script>
+</body>