Bug 870870 - Check message targets for about:healthreport. r=MattN

Georg Fritzsche 2016-03-04 14:59:15 +01:00
parent cf23a40c78
commit 4433b7f3d7


@ -110,6 +110,15 @@ var healthReportWrapper = {
},
handleRemoteCommand: function (evt) {
// Do an origin check to harden against the frame content being loaded from unexpected locations.
let allowedPrincipal = Services.scriptSecurityManager.getCodebasePrincipal(this._getReportURI());
let targetPrincipal = evt.target.nodePrincipal;
if (!allowedPrincipal.equals(targetPrincipal)) {
Cu.reportError(`Origin check failed for message "${evt.detail.command}": ` +
`target origin is "${targetPrincipal.origin}", expected "${allowedPrincipal.origin}"`);
return;
}
switch (evt.detail.command) {
case "DisableDataSubmission":
this.setDataSubmission(false);
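Review bot: The rejection branch builds its log message from `evt.detail.command`, which is data supplied by the same sender that has just failed the origin check. If `evt.detail` is absent, the template literal throws before `Cu.reportError` runs and the mismatch is never recorded (the handler still aborts); otherwise text from an untrusted frame is written to the error console verbatim. Dropping the `"${evt.detail.command}"` interpolation and logging only `targetPrincipal.origin` and `allowedPrincipal.origin` keeps the diagnostic without reading the payload. The allowed principal is derived from `this._getReportURI()`, which is defined outside this hunk; if that URI is preference-driven, a comment such as `// The expected origin follows the report URI setting, so this check is only as strict as that value.` would help readers judge the guarantee. The body of `handleRemoteCommand` continues past the end of the hunk.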