Without this change, StreamBlobImpl will copy the underlying nsIInputStream using NS_CloneInputStream when it is first requested, which can cause us to create a new nsPipe and NS_AsyncCopy the old stream into it. This unfortunately requires us to replace the stored stream with a cloned input stream from the pipe, which could theoretically lead to a race, as there's no synchronization on the mInputStream member.

I've marked this bug as a security bug out of an abundance of caution, however I don't know how common or exploitable this situation is. It appears we hit the codepath only 3 times in tests based on ccov (https://searchfox.org/mozilla-central/rev/072f9e6b7f10a00e12d0a02ac713431d0a7ee368/dom/file/StreamBlobImpl.cpp#85). Doing this would require us to create a StreamBlobImpl from an input stream which is not cloneable, meaning we either deserialize a non-cloneable input stream (which currently is fairly uncommon, but is more common after bug 1754004 where I found this), or we construct one in XMLHttpRequestWorker::SendInternal (https://searchfox.org/mozilla-central/rev/072f9e6b7f10a00e12d0a02ac713431d0a7ee368/dom/xhr/XMLHttpRequestWorker.cpp#1634), which I think is probably fairly difficult to exploit, as the blob is created and then used only once.

I have a proposed patch to move the logic to ensure the stream is cloneable to occur during the StreamBlobImpl constructor, which also allows us to customize properties of the nsPipe used to clone the stream, such as setting the capacity precisely to avoid wasted allocations, and using a larger buffer size for large messages to reduce allocations.

I'll mark this as sec-other because you don't think it would be exploitable. It can be adjusted if you want.

P2 assuming that Nika is already working on this.

This patch moves the logic to ensure the stream is cloneable to during
StreamBlobImpl's constructor, allowing it to customize the properties of
the nsPipe used for non-cloneable streams, and ensuring that the blob is
storing a complete copy of the streamed data without requiring it to be
consumed.

This codepath is currently fairly infrequently used, but will be used
more frequently once DataPipe is used for IPC streams.

Depends on D141032

Make the provided stream cloneable eagerly in StreamBlobImpl, r=asuth
https://hg.mozilla.org/integration/autoland/rev/297bda3439b29163f959cd746502c42852a4d42e
https://hg.mozilla.org/mozilla-central/rev/297bda3439b2

Part 2: Fix hybrid build breakage. CLOSED TREE
https://hg.mozilla.org/integration/autoland/rev/5253da2a17270aa5efa10e513f0609454c086d7f
https://hg.mozilla.org/mozilla-central/rev/5253da2a1727