Bug 326501. Mark tree views as being suitable for untrusted code. r+sr=bzbarsky

content/base/src/nsContentUtils.cpp

@@ -1020,9 +1020,6 @@ nsContentUtils::IsCallerChrome()
 
 static PRBool IsCallerTrustedForCapability(const char* aCapability)
 {
-  if (nsContentUtils::IsCallerChrome())
-    return PR_TRUE;
-
   // The secman really should handle UniversalXPConnect case, since that
   // should include UniversalBrowserRead... doesn't right now, though.
   PRBool hasCap;

content/xul/templates/src/nsXULTreeBuilder.cpp

@@ -74,7 +74,7 @@
  */
 class nsXULTreeBuilder : public nsXULTemplateBuilder,
                          public nsIXULTreeBuilder,
-                         public nsITreeView
+                         public nsINativeTreeView
 {
 public:
     // nsISupports
@@ -85,6 +85,8 @@ public:
 
     // nsITreeView
     NS_DECL_NSITREEVIEW
+    // nsINativeTreeView: Untrusted code can use us
+    NS_IMETHOD EnsureNative() { return NS_OK; }
 
     virtual void DocumentWillBeDestroyed(nsIDocument *aDocument);
 

extensions/sql/base/src/mozSqlResult.h

@@ -293,7 +293,7 @@ class mozSqlResult : public mozISqlResult,
                      public mozISqlDataSource,
                      public nsIRDFDataSource,
                      public nsIRDFRemoteDataSource,
-                     public nsITreeView
+                     public nsINativeTreeView
 {
   public:
     mozSqlResult(mozISqlConnection* aConnection,
@@ -328,6 +328,8 @@ class mozSqlResult : public mozISqlResult,
     NS_DECL_NSIRDFREMOTEDATASOURCE
 
     NS_DECL_NSITREEVIEW
+    // nsINativeTreeView: Untrusted code can use us
+    NS_IMETHOD EnsureNative() { return NS_OK; }
 
     friend class mozSqlResultEnumerator;
     friend class mozSqlResultStream;

layout/xul/base/src/tree/public/nsITreeView.idl

@@ -225,3 +225,14 @@ interface nsITreeView : nsISupports
    */
   void performActionOnCell(in wstring action, in long row, in nsITreeColumn col);
 };
+
+/**
+ * The following interface is not scriptable and MUST NEVER BE MADE scriptable.
+ * Native treeviews implement it, and we use this to check whether a treeview
+ * is native (and therefore suitable for use by untrusted content).
+ */
+[uuid(38e0b44d-fa08-458c-83fb-3e10b12aeb45)]
+interface nsINativeTreeView : nsITreeView
+{
+  [noscript] void ensureNative();
+};

layout/xul/base/src/tree/src/nsTreeBoxObject.cpp

@@ -49,6 +49,8 @@
 #include "nsINodeInfo.h"
 #include "nsXULAtoms.h"
 #include "nsChildIterator.h"
+#include "nsContentUtils.h"
+#include "nsDOMError.h"
 
 class nsTreeBoxObject : public nsPITreeBoxObject, public nsBoxObject
 {
@@ -172,6 +174,14 @@ NS_IMETHODIMP nsTreeBoxObject::GetView(nsITreeView * *aView)
 
 NS_IMETHODIMP nsTreeBoxObject::SetView(nsITreeView * aView)
 {
+  // Untrusted content is only allowed to specify known-good views
+  if (!nsContentUtils::IsCallerTrustedForWrite()) {
+    nsCOMPtr<nsINativeTreeView> nativeTreeView = do_QueryInterface(aView);
+    if (!nativeTreeView || NS_FAILED(nativeTreeView->EnsureNative()))
+      // XXX ERRMSG need a good error here for developers
+      return NS_ERROR_DOM_SECURITY_ERR;
+  }
+
   nsITreeBoxObject* body = GetTreeBody();
   if (body) {
     body->SetView(aView);

layout/xul/base/src/tree/src/nsTreeContentView.h

@@ -50,7 +50,7 @@
 
 nsresult NS_NewTreeContentView(nsITreeContentView** aResult);
 
-class nsTreeContentView : public nsITreeView,
+class nsTreeContentView : public nsINativeTreeView,
                           public nsITreeContentView,
                           public nsStubDocumentObserver
 {
@@ -64,6 +64,8 @@ class nsTreeContentView : public nsITreeView,
     NS_DECL_ISUPPORTS
 
     NS_DECL_NSITREEVIEW
+    // nsINativeTreeView: Untrusted code can use us
+    NS_IMETHOD EnsureNative() { return NS_OK; }
 
     NS_DECL_NSITREECONTENTVIEW