Bug 1471496 part 1. Fix IsPlatformObjectSameOrigin to do the right thing when we're doing first-party isolation but turning off its effects on scripted property access. r=bholley

Differential Revision: https://phabricator.services.mozilla.com/D18029

--HG--
extra : moz-landing-system : lando
This commit is contained in:
Boris Zbarsky 2019-01-31 15:53:24 +00:00
parent 152f200326
commit 2323f895b0

View File

@ -41,7 +41,8 @@ bool MaybeCrossOriginObjectMixins::IsPlatformObjectSameOrigin(JSContext* cx,
BasePrincipal* subjectPrincipal =
BasePrincipal::Cast(nsContentUtils::SubjectPrincipal(cx));
nsIPrincipal* objectPrincipal = nsContentUtils::ObjectPrincipal(obj);
BasePrincipal* objectPrincipal =
BasePrincipal::Cast(nsContentUtils::ObjectPrincipal(obj));
// The spec effectively has an EqualsConsideringDomain check here,
// because the spec has no concept of asymmetric security
@ -53,11 +54,25 @@ bool MaybeCrossOriginObjectMixins::IsPlatformObjectSameOrigin(JSContext* cx,
// SubsumesConsideringDomain give the same results and use
// EqualsConsideringDomain for the check we actually do, since it's
// stricter and more closely matches the spec.
//
// That said, if the (not very well named)
// OriginAttributes::IsRestrictOpenerAccessForFPI() method returns
// false, we want to use FastSubsumesConsideringDomainIgnoringFPD
// instead of FastEqualsConsideringDomain, because in that case we
// still want to treat things which are in different first-party
// contexts as same-origin.
MOZ_ASSERT(
subjectPrincipal->FastEqualsConsideringDomain(objectPrincipal) ==
subjectPrincipal->FastSubsumesConsideringDomain(objectPrincipal),
"Why are we in an asymmetric case here?");
return subjectPrincipal->FastEqualsConsideringDomain(objectPrincipal);
if (OriginAttributes::IsRestrictOpenerAccessForFPI()) {
return subjectPrincipal->FastEqualsConsideringDomain(objectPrincipal);
}
return subjectPrincipal->FastSubsumesConsideringDomainIgnoringFPD(
objectPrincipal) &&
objectPrincipal->FastSubsumesConsideringDomainIgnoringFPD(
subjectPrincipal);
}
bool MaybeCrossOriginObjectMixins::CrossOriginGetOwnPropertyHelper(