Bug 764718 - Part 1: Set the initial principal of in-process <iframe mozbrowser> correctly. r=bz

2024-11-29 07:42:04 +00:00 · 2012-06-21 21:17:52 -04:00 · 2012-06-21 21:17:52 -04:00 · 41afb9dce4
commit 41afb9dce4
parent b5919daf01
6 changed files with 95 additions and 5 deletions
--- a/content/base/src/nsFrameLoader.cpp
+++ b/content/base/src/nsFrameLoader.cpp
@ -444,10 +444,15 @@ nsFrameLoader::ReallyStartLoadingInternal()
  mDocShell->CreateLoadInfo(getter_AddRefs(loadInfo));
  NS_ENSURE_TRUE(loadInfo, NS_ERROR_FAILURE);

-  // We'll use our principal, not that of the document loaded inside us.  This
-  // is very important; needed to prevent XSS attacks on documents loaded in
-  // subframes!
-  loadInfo->SetOwner(mOwnerContent->NodePrincipal());
+  if (!OwnerIsBrowserFrame()) {
+    // We'll use our principal, not that of the document loaded inside us.
+    // This is very important; needed to prevent XSS attacks on documents
+    // loaded in subframes!
+    //
+    // (For <iframe mozbrowser>, don't set an owner; it's as though the iframe
+    // is a top-level window.)
+    loadInfo->SetOwner(mOwnerContent->NodePrincipal());
+  }

  nsCOMPtr<nsIURI> referrer;
  rv = mOwnerContent->NodePrincipal()->GetURI(getter_AddRefs(referrer));
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@ -8810,7 +8810,9 @@ nsDocShell::GetInheritedPrincipal(bool aConsiderCurrentDocument)
        inheritedFromCurrent = true;
    }

-    if (!document) {
+    // Browser frames don't inherit their principal from their parent.  This
+    // makes them more like top-level windows.
+    if (!document && !mIsBrowserFrame) {
        nsCOMPtr<nsIDocShellTreeItem> parentItem;
        GetSameTypeParent(getter_AddRefs(parentItem));
        if (parentItem) {
--- a/dom/browser-element/mochitest/Makefile.in
+++ b/dom/browser-element/mochitest/Makefile.in
@ -59,6 +59,8 @@ _TEST_FILES = \
 		test_browserElement_inproc_SecurityChange.html \
 		file_browserElement_SecurityChange.html \
 		browserElement_BackForward.js \
+		browserElement_Principal.js \
+		test_browserElement_inproc_Principal.html \
 		$(NULL)

 # OOP tests don't work on Windows (bug 763081).
@ -82,6 +84,7 @@ _TEST_FILES += \
 		test_browserElement_oop_OpenWindowRejected.html \
 		test_browserElement_oop_SecurityChange.html \
 		test_browserElement_oop_BackForward.html \
+		test_browserElement_oop_Principal.html \
 		$(NULL)
 endif

--- a/dom/browser-element/mochitest/browserElement_Principal.js
+++ b/dom/browser-element/mochitest/browserElement_Principal.js
@ -0,0 +1,44 @@
+/* Any copyright is dedicated to the public domain.
+   http://creativecommons.org/publicdomain/zero/1.0/ */
+
+// Bug 764718 - Test that <iframe mozbrowser>'s have a different principal than
+// their creator.
+"use strict";
+
+function runTest() {
+  browserElementTestHelpers.setEnabledPref(true);
+  browserElementTestHelpers.addToWhitelist();
+
+  var iframe = document.createElement('iframe');
+  iframe.mozbrowser = true;
+  document.body.appendChild(iframe);
+
+  if (!iframe.contentWindow) {
+    ok(true, "OOP, can't access contentWindow.");
+    return;
+  }
+
+  SimpleTest.waitForExplicitFinish();
+
+  // Try reading iframe.contentWindow.location now, and then from a timeout.
+  // They both should throw exceptions.
+  checkCantReadLocation(iframe);
+  SimpleTest.executeSoon(function() {
+    checkCantReadLocation(iframe);
+    SimpleTest.finish();
+  });
+}
+
+function checkCantReadLocation(iframe) {
+  try {
+    if (iframe.contentWindow.location == 'foo') {
+      ok(false, 'not reached');
+    }
+    ok(false, 'should have gotten exception');
+  }
+  catch(e) {
+    ok(true, 'got exception reading contentWindow.location');
+  }
+}
+
+runTest();
--- a/dom/browser-element/mochitest/test_browserElement_inproc_Principal.html
+++ b/dom/browser-element/mochitest/test_browserElement_inproc_Principal.html
@ -0,0 +1,18 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=757182
+-->
+<head>
+  <title>Test for Bug 757182</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="application/javascript" src="browserElementTestHelpers.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=757182">Mozilla Bug 757182</a>
+
+<script type="application/javascript;version=1.7" src="browserElement_Principal.js">
+</script>
+</body>
+</html>
--- a/dom/browser-element/mochitest/test_browserElement_oop_Principal.html
+++ b/dom/browser-element/mochitest/test_browserElement_oop_Principal.html
@ -0,0 +1,18 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=757182
+-->
+<head>
+  <title>Test for Bug 757182</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="application/javascript" src="browserElementTestHelpers.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=757182">Mozilla Bug 757182</a>
+
+<script type="application/javascript;version=1.7" src="browserElement_Principal.js">
+</script>
+</body>
+</html>