Bug 1635020 - Check whether browsing context is discarded after returning from an IPC call r=timhuang

We keep a reference to the BrowsingContext across an IPC call. But the
BrowsingContext may be discarded when returning from the IPC call.

This crash happens when:
A first-party window calls window.open(a 3rd-party url), which triggers
the storage access heuristic, and then the window is closed
immediately.

This patch fixes this issue by checking IsDiscard() when returning from
the IPC call.

Differential Revision: https://phabricator.services.mozilla.com/D73810
Dimi Lee 2020-05-05 18:59:26 +00:00
parent ea6c5ac8d9
commit 25a3aeba91


@ -362,7 +362,8 @@ ContentBlocking::AllowAccessFor(
// we don't call OnAllowAccessFor in the parent when this is
// triggered by the opener heuristic, so we have to do it here.
// See storePermission below for the reason.
if (aReason == ContentBlockingNotifier::eOpener) {
if (aReason == ContentBlockingNotifier::eOpener &&
!bc->IsDiscarded()) {
MOZ_ASSERT(bc->IsInProcess());
ContentBlocking::OnAllowAccessFor(bc, trackingOrigin,
behavior, aReason);
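Review bot: the new `!bc->IsDiscarded()` condition in the `if` deserves its own comment, since the existing comment above it explains only why OnAllowAccessFor is called in the content process here and says nothing about `bc` possibly being gone by the time the IPC call returns; a reader who later finds the condition has no indication in the code of the scenario the commit message describes (the opened window is closed immediately). Suggest something like `// bc may have been discarded while the IPC call was outstanding (e.g. the opened window was closed); skip in that case.` It is also worth confirming that nothing else in this callback dereferences `bc` after the shown branch, because the guard as written only protects the eOpener path and the MOZ_ASSERT(bc->IsInProcess()) beneath it.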