diff --git a/dom/base/nsContentUtils.cpp b/dom/base/nsContentUtils.cpp
index ed749844121b..ada63fb23430 100644
--- a/dom/base/nsContentUtils.cpp
+++ b/dom/base/nsContentUtils.cpp
@@ -10342,12 +10342,17 @@ nsContentUtils::UserInteractionObserver::Observe(nsISupports* aSubject,
 Atomic nsContentUtils::UserInteractionObserver::sUserActive(false);
 NS_IMPL_ISUPPORTS(nsContentUtils::UserInteractionObserver, nsIObserver)
 
+/* static */
+bool nsContentUtils::IsSpecialName(const nsAString& aName) {
+ return aName.LowerCaseEqualsLiteral("_blank") ||
+ aName.LowerCaseEqualsLiteral("_top") ||
+ aName.LowerCaseEqualsLiteral("_parent") ||
+ aName.LowerCaseEqualsLiteral("_self");
+}
+
 /* static */
 bool nsContentUtils::IsOverridingWindowName(const nsAString& aName) {
- return !aName.IsEmpty() && !aName.LowerCaseEqualsLiteral("_blank") &&
- !aName.LowerCaseEqualsLiteral("_top") &&
- !aName.LowerCaseEqualsLiteral("_parent") &&
- !aName.LowerCaseEqualsLiteral("_self");
+ return !aName.IsEmpty() && !IsSpecialName(aName);
 }
 
 // Unfortunately, we can't unwrap an IDL object using only a concrete type.
diff --git a/dom/base/nsContentUtils.h b/dom/base/nsContentUtils.h
index f77dcf34bea1..0067a72b3c38 100644
--- a/dom/base/nsContentUtils.h
+++ b/dom/base/nsContentUtils.h
@@ -3287,6 +3287,12 @@ class nsContentUtils {
 // bytecode out of the nsCacheInfoChannel.
 static nsCString& JSBytecodeMimeType() { return *sJSBytecodeMimeType; }
 
+ /**
+ * Checks if the passed-in name is one of the special names: "_blank", "_top",
+ * "_parent" or "_self".
+ */
+ static bool IsSpecialName(const nsAString& aName);
+
 /**
 * Checks if the passed-in name should override an existing name on the
 * window. Values which should not override include: "", "_blank", "_top",
diff --git a/dom/ipc/ContentChild.cpp b/dom/ipc/ContentChild.cpp
index b21d5d3b2a5b..d5700ef1781c 100644
--- a/dom/ipc/ContentChild.cpp
+++ b/dom/ipc/ContentChild.cpp
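Review bot: The doc comment added for `IsSpecialName` in nsContentUtils.h does not say that the match is case-insensitive or that the empty string is not treated as special, although both follow from the `LowerCaseEqualsLiteral` calls in the nsContentUtils.cpp hunk. The assertions added in ContentChild.cpp and ContentParent.cpp depend on the second property, because the child maps `_blank` to an empty name before asserting. I would extend the comment with `* The comparison is case-insensitive; the empty string is not a special name.` so callers do not have to read the implementation.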
@@ -897,6 +897,13 @@ nsresult ContentChild::ProvideWindowCommon(
 Maybe uriToLoad;
 SerializeURI(aURI, uriToLoad);
+
+ if (name.LowerCaseEqualsLiteral("_blank")) {
+ name = EmptyString();
+ }
+
+ MOZ_DIAGNOSTIC_ASSERT(!nsContentUtils::IsSpecialName(name));
+
 Unused << SendCreateWindowInDifferentProcess( aTabOpener, aChromeFlags, aCalledFromJS, aPositionSpecified, aSizeSpecified, uriToLoad, features, fullZoom, name,
diff --git a/dom/ipc/ContentParent.cpp b/dom/ipc/ContentParent.cpp
index 240316839793..6f82f8e8a38d 100644
--- a/dom/ipc/ContentParent.cpp
+++ b/dom/ipc/ContentParent.cpp
@@ -4988,6 +4988,8 @@ mozilla::ipc::IPCResult ContentParent::RecvCreateWindowInDifferentProcess(
 const nsCString& aFeatures, const float& aFullZoom, const nsString& aName, const IPC::Principal& aTriggeringPrincipal, nsIContentSecurityPolicy* aCsp, nsIReferrerInfo* aReferrerInfo) {
+ MOZ_DIAGNOSTIC_ASSERT(!nsContentUtils::IsSpecialName(aName));
+
 nsCOMPtr newRemoteTab;
 bool windowIsNew;
 nsCOMPtr uriToLoad = DeserializeURI(aURIToLoad);
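Review bot: Only `_blank` is normalised before the send in ProvideWindowCommon; `_top`, `_parent` and `_self` are covered solely by `MOZ_DIAGNOSTIC_ASSERT`, which is compiled out of release builds. If earlier code in this function (outside the hunk) already resolves those targets, a short comment would make the invariant checkable, e.g. `// _self/_parent/_top were resolved to an existing window above; only _blank can reach here.` If that is not guaranteed, the name should be rejected or cleared here rather than asserted, because the parent-side check added in ContentParent.cpp is also assert-only.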
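Review bot: `aName` in RecvCreateWindowInDifferentProcess arrives over IPC from a content process, so `MOZ_DIAGNOSTIC_ASSERT` is the wrong tool for this check. Where the assert is enabled a misbehaving child can crash the parent process, and in release builds the check is compiled out and the special name is accepted unvalidated. The parent should validate and fail the message instead, `if (nsContentUtils::IsSpecialName(aName)) { return IPC_FAIL(this, "unexpected special window name"); }`, keeping the assert only if a diagnostic crash is really wanted. The function body continues past the end of the hunk, so how `aName` is used afterwards is not visible here.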