authorPaul Rouget <me@paulrouget.com>2016-03-28 10:29:31 +0200
committerPaul Rouget <me@paulrouget.com>2016-03-28 10:29:31 +0200
commitdd08e904ebac7657b59ecc0a3c48a46e81bfd81a (patch)
tree2e924983b3a03a1700c0bb6edd78c3504ad46c59
parentb97ffffb48080a0b4769f8609a27a68145042945 (diff)
Disable cross origin check for mozbrowser-enabled top level pipelines
-rw-r--r--components/script/dom/xmlhttprequest.rs32
-rw-r--r--tests/wpt/mozilla/meta/MANIFEST.json6
-rw-r--r--tests/wpt/mozilla/tests/mozilla/mozbrowser/crossorigin_xhr.html22
3 files changed, 54 insertions, 6 deletions
diff --git a/components/script/dom/xmlhttprequest.rs b/components/script/dom/xmlhttprequest.rs
index 8d1456a73ae..20a729c70c0 100644
--- a/components/script/dom/xmlhttprequest.rs
+++ b/components/script/dom/xmlhttprequest.rs
@@ -62,6 +62,7 @@ use time;
use timers::{OneshotTimerCallback, OneshotTimerHandle};
use url::Url;
use url::percent_encoding::{utf8_percent_encode, USERNAME_ENCODE_SET, PASSWORD_ENCODE_SET};
+use util::prefs;
use util::str::DOMString;
pub type SendParam = BlobOrStringOrURLSearchParams;
@@ -866,14 +867,33 @@ impl XMLHttpRequest {
fn process_headers_available(&self, cors_request: Option<CORSRequest>,
gen_id: GenerationId, metadata: Metadata) -> Result<(), Error> {
- if let Some(ref req) = cors_request {
- match metadata.headers {
- Some(ref h) if allow_cross_origin_request(req, h) => {},
- _ => {
- self.process_partial_response(XHRProgress::Errored(gen_id, Error::Network));
- return Err(Error::Network);
+ let bypass_cross_origin_check = {
+ // We want to be able to do cross-origin requests in browser.html.
+ // If the XHR happens in a top level window and the mozbrowser
+ // preference is enabled, we allow bypassing the CORS check.
+ // This is a temporary measure until we figure out Servo privilege
+ // story. See https://github.com/servo/servo/issues/9582
+ if let GlobalRoot::Window(win) = self.global() {
+ let is_root_pipeline = win.parent_info().is_none();
+ let is_mozbrowser_enabled = prefs::get_pref("dom.mozbrowser.enabled").as_boolean().unwrap_or(false);
+ is_root_pipeline && is_mozbrowser_enabled
+ } else {
+ false
+ }
+ };
+
+ if !bypass_cross_origin_check {
+ if let Some(ref req) = cors_request {
+ match metadata.headers {
+ Some(ref h) if allow_cross_origin_request(req, h) => {},
+ _ => {
+ self.process_partial_response(XHRProgress::Errored(gen_id, Error::Network));
+ return Err(Error::Network);
+ }
}
}
+ } else {
+ debug!("Bypassing cross origin check");
}
*self.response_url.borrow_mut() = metadata.final_url.serialize_no_fragment();
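Review bot: The condition in `bypass_cross_origin_check` is met by every top-level document while `dom.mozbrowser.enabled` is set, not only by browser.html, because `win.parent_info().is_none()` tests the pipeline's position rather than the document's origin. With the pref on, any page loaded at top level would have its cross-origin responses accepted without `allow_cross_origin_request` being consulted, so the pref in effect switches off the response-side CORS check for that pipeline. Until the privilege model from the linked issue exists, the comment should state that trust assumption, e.g. `// SECURITY: applies to every root pipeline; untrusted content must never be loaded at top level while this pref is on`. The log line could also record the target so a bypass is auditable: `debug!("Bypassing cross origin check for {}", metadata.final_url);`. process_headers_available continues past the end of this hunk.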
diff --git a/tests/wpt/mozilla/meta/MANIFEST.json b/tests/wpt/mozilla/meta/MANIFEST.json
index 36534249492..947e3ae93a5 100644
--- a/tests/wpt/mozilla/meta/MANIFEST.json
+++ b/tests/wpt/mozilla/meta/MANIFEST.json
@@ -6060,6 +6060,12 @@
"url": "/_mozilla/mozilla/mime_sniffing_font_context.html"
}
],
+ "mozilla/mozbrowser/crossorigin_xhr.html": [
+ {
+ "path": "mozilla/mozbrowser/crossorigin_xhr.html",
+ "url": "/_mozilla/mozilla/mozbrowser/crossorigin_xhr.html"
+ }
+ ],
"mozilla/mozbrowser/iframe_goback.html": [
{
"path": "mozilla/mozbrowser/iframe_goback.html",
diff --git a/tests/wpt/mozilla/tests/mozilla/mozbrowser/crossorigin_xhr.html b/tests/wpt/mozilla/tests/mozilla/mozbrowser/crossorigin_xhr.html
new file mode 100644
index 00000000000..180f3a915b6
--- /dev/null
+++ b/tests/wpt/mozilla/tests/mozilla/mozbrowser/crossorigin_xhr.html
@@ -0,0 +1,22 @@
+<head>
+<title>cross origin xhr() with mozbrowser</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+<body>
+<script>
+
+async_test(function(t) {
+ var xhr = new XMLHttpRequest();
+ xhr.open("GET", "http://www2.web-platform.test:8000");
+ xhr.send();
+
+ xhr.onerror = this.unreached_func("Cross origin xhr() should not have failed");
+
+ xhr.onload = this.step_func_done(() => {
+ assert_equals(xhr.status, 200, "Cross origin xhr() is successful");
+ });
+});
+
+</script>
+</body>
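Review bot: Only the allowed path is exercised here, so nothing pins the boundary of the bypass: no case shows that the same request from a nested (non-root) document, or with `dom.mozbrowser.enabled` off, still fires `onerror`. Because the commit relaxes a same-origin check, a later change that widens it further would pass this test unnoticed. A second `async_test` issuing the XHR from an iframe, with `this.unreached_func` on `onload` and `step_func_done` on `onerror`, would cover that. The diffstat lists no metadata file enabling the pref for this test, so presumably an existing directory-level setting supplies it; that is worth confirming, since otherwise the test depends on the runner's defaults.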