Bug 1190641 part 3. Add the sandbox propagates to auxiliary browsing contexts flag to iframe sandboxing. r=ckerschb

2024-10-20 16:55:40 +00:00 · 2016-05-06 13:56:36 -04:00 · 2016-05-06 13:56:36 -04:00 · 278db1b97e
commit 278db1b97e
parent f3092cff84
8 changed files with 86 additions and 6 deletions
--- a/dom/base/IframeSandboxKeywordList.h
+++ b/dom/base/IframeSandboxKeywordList.h
@ -23,4 +23,5 @@ SANDBOX_KEYWORD("allow-orientation-lock", alloworientationlock,
 		SANDBOXED_ORIENTATION_LOCK)
 SANDBOX_KEYWORD("allow-popups", allowpopups, SANDBOXED_AUXILIARY_NAVIGATION)
 SANDBOX_KEYWORD("allow-modals", allowmodals, SANDBOXED_MODALS)
-
+SANDBOX_KEYWORD("allow-popups-to-escape-sandbox", allowpopupstoescapesandbox,
+                SANDBOX_PROPAGATES_TO_AUXILIARY_BROWSING_CONTEXTS)
--- a/dom/base/nsGkAtomList.h
+++ b/dom/base/nsGkAtomList.h
@ -82,6 +82,7 @@ GK_ATOM(allowfullscreen, "allowfullscreen")
 GK_ATOM(allowmodals, "allow-modals")
 GK_ATOM(alloworientationlock,"allow-orientation-lock")
 GK_ATOM(allowpointerlock,"allow-pointer-lock")
+GK_ATOM(allowpopupstoescapesandbox,"allow-popups-to-escape-sandbox")
 GK_ATOM(allowpopups,"allow-popups")
 GK_ATOM(allowsameorigin,"allow-same-origin")
 GK_ATOM(allowscripts,"allow-scripts")
--- a/dom/base/nsSandboxFlags.h
+++ b/dom/base/nsSandboxFlags.h
@ -101,10 +101,17 @@ const unsigned long SANDBOXED_DOMAIN = 0x800;
 */
 const unsigned long SANDBOXED_MODALS = 0x1000;

+/**
+ * This flag prevents content from escaping the sandbox by ensuring that any
+ * auxiliary browsing context it creates inherits the content's active
+ * sandboxing flag set.
+ */
+const unsigned long SANDBOX_PROPAGATES_TO_AUXILIARY_BROWSING_CONTEXTS = 0x2000;
+
 /**
 * This flag prevents locking screen orientation.
 */
-const unsigned long SANDBOXED_ORIENTATION_LOCK = 0x2000;
+const unsigned long SANDBOXED_ORIENTATION_LOCK = 0x4000;

-const unsigned long SANDBOX_ALL_FLAGS = 0x3FFF;
+const unsigned long SANDBOX_ALL_FLAGS = 0x7FFF;
 #endif
--- a/embedding/components/windowwatcher/nsWindowWatcher.cpp
+++ b/embedding/components/windowwatcher/nsWindowWatcher.cpp
@ -872,9 +872,11 @@ nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy* aParent,
  nsCOMPtr<nsIDocShell> newDocShell(do_QueryInterface(newDocShellItem));
  NS_ENSURE_TRUE(newDocShell, NS_ERROR_UNEXPECTED);

-  // Set up sandboxing attributes if the window is new.
-  // The flags can only be non-zero for new windows.
-  if (activeDocsSandboxFlags != 0) {
+  // Copy sandbox flags to the new window if activeDocsSandboxFlags says to do
+  // so.  Note that it's only nonzero if the window is new, so clobbering
+  // sandbox flags on the window makes sense in that case.
+  if (activeDocsSandboxFlags &
+        SANDBOX_PROPAGATES_TO_AUXILIARY_BROWSING_CONTEXTS) {
    newDocShell->SetSandboxFlags(activeDocsSandboxFlags);
    if (parentWindow) {
      newDocShell->SetOnePermittedSandboxedNavigator(
--- a/testing/web-platform/meta/MANIFEST.json
+++ b/testing/web-platform/meta/MANIFEST.json
@ -40794,6 +40794,18 @@
            "url": "/html/semantics/embedded-content/the-iframe-element/iframe-load-event.html"
          }
        ],
+        "html/semantics/embedded-content/the-iframe-element/iframe_sandbox_popups_escaping.html": [
+          {
+            "path": "html/semantics/embedded-content/the-iframe-element/iframe_sandbox_popups_escaping.html",
+            "url": "/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_popups_escaping.html"
+          }
+        ],
+        "html/semantics/embedded-content/the-iframe-element/iframe_sandbox_popups_nonescaping.html": [
+          {
+            "path": "html/semantics/embedded-content/the-iframe-element/iframe_sandbox_popups_nonescaping.html",
+            "url": "/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_popups_nonescaping.html"
+          }
+        ],
        "html/syntax/serializing-html-fragments/serializing.html": [
          {
            "path": "html/syntax/serializing-html-fragments/serializing.html",
--- a/testing/web-platform/tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_popups_escaping.html
+++ b/testing/web-platform/tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_popups_escaping.html
@ -0,0 +1,25 @@
+<!doctype html>
+<meta charset=utf-8>
+<title>Check that popups from a sandboxed iframe escape the sandbox if
+       allow-popups-to-escape-sandbox is used</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<iframe sandbox="allow-scripts allow-popups allow-popups-to-escape-sandbox">
+</iframe>
+<script>
+  var t = async_test();
+  var ourOrigin;
+  onmessage = t.step_func(function(e) {
+    assert_equals(e.data, "hello", "This is our origin getter message");
+    ourOrigin = e.origin;
+
+    onmessage = t.step_func_done(function(e) {
+      assert_equals(e.origin, "null", "It came from a sandboxed iframe");
+      assert_equals(e.data.data, undefined, "Should have the right message");
+      assert_equals(e.data.origin, ourOrigin, "Should have escaped the sandbox");
+    });
+
+    document.querySelector("iframe").src = "iframe_sandbox_popups_helper.html";
+  });
+  postMessage("hello", "*");
+</script>
--- a/testing/web-platform/tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_popups_helper.html
+++ b/testing/web-platform/tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_popups_helper.html
@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<script>
+  var popupWin;
+  if (opener) {
+    // We're the popup.  Send back our state.  What we really want to send is
+    // our origin, but that will come automatically.
+    opener.postMessage(undefined, "*");
+    self.close();
+  } else {
+    // We're the child.  Start listening for messages and open ourselves as the
+    // popup.
+    onmessage = function (e) {
+      parent.postMessage({ data: e.data, origin: e.origin }, "*");
+    };
+    popupWin = window.open(location.href);
+  }
+</script>
--- a/testing/web-platform/tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_popups_nonescaping.html
+++ b/testing/web-platform/tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_popups_nonescaping.html
@ -0,0 +1,15 @@
+<!doctype html>
+<meta charset=utf-8>
+<title>Check that popups from a sandboxed iframe do not escape the sandbox</title>
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script>
+  var t = async_test();
+  onmessage = t.step_func_done(function(e) {
+    assert_equals(e.origin, "null", "It came from a sandboxed iframe");
+    assert_equals(e.data.data, undefined, "Should have the right message");
+    assert_equals(e.data.origin, "null", "Should not have escaped the sandbox");
+  });
+</script>
+<iframe sandbox="allow-scripts allow-popups"
+        src="iframe_sandbox_popups_helper.html"></iframe>