Bug 1609635 - Whitelist about:newtab/home from content sanitization r=ckerschb

Differential Revision: https://phabricator.services.mozilla.com/D60701 --HG-- extra : moz-landing-system : lando
2024-10-20 08:45:46 +00:00 · 2020-02-04 08:37:57 +00:00 · 2020-02-04 08:37:57 +00:00 · 67476c54d8
commit 67476c54d8
parent fcd2fa44a5
5 changed files with 51 additions and 4 deletions
--- a/browser/components/about/AboutRedirector.cpp
+++ b/browser/components/about/AboutRedirector.cpp
@ -25,7 +25,8 @@ static const uint32_t ACTIVITY_STREAM_FLAGS =
    nsIAboutModule::ALLOW_SCRIPT | nsIAboutModule::ENABLE_INDEXED_DB |
    nsIAboutModule::URI_MUST_LOAD_IN_CHILD |
    nsIAboutModule::URI_CAN_LOAD_IN_PRIVILEGEDABOUT_PROCESS |
-    nsIAboutModule::URI_SAFE_FOR_UNTRUSTED_CONTENT;
+    nsIAboutModule::URI_SAFE_FOR_UNTRUSTED_CONTENT |
+    nsIAboutModule::ALLOW_UNSANITIZED_CONTENT;

 struct RedirEntry {
  const char* id;
--- a/browser/components/newtab/test/browser/browser_asrouter_snippets.js
+++ b/browser/components/newtab/test/browser/browser_asrouter_snippets.js
@ -46,8 +46,10 @@ test_newtab({
      type: "SET_MESSAGE",
      data,
    });
+
+    return data;
  },
-  test: async function test_simple_snippet() {
+  test: async function test_simple_snippet(msg) {
    // Verify the simple_snippet renders in the footer and the container below
    // searchbox is not rendered.
    await ContentTaskUtils.waitForCondition(
@ -57,6 +59,22 @@ test_newtab({
        ),
      "Should find the snippet inside the footer container"
    );
+    await ContentTaskUtils.waitForCondition(
+      () =>
+        content.document.querySelector(
+          "#footer-asrouter-container .SimpleSnippet .icon"
+        ),
+      "Should render an icon"
+    );
+    await ContentTaskUtils.waitForCondition(
+      () =>
+        content.document.querySelector(
+          `#footer-asrouter-container .SimpleSnippet a[href='${
+            msg.content.links.syncLink.url
+          }']`
+        ),
+      "Should render an anchor with the correct href"
+    );

    ok(
      !content.document.querySelector(".below-search-snippet"),
--- a/dom/base/nsContentUtils.cpp
+++ b/dom/base/nsContentUtils.cpp
@ -4822,6 +4822,17 @@ uint32_t computeSanitizationFlags(nsIPrincipal* aPrincipal, int32_t aFlags) {
  return sanitizationFlags;
 }

+/* static */
+bool AllowsUnsanitizedContentForAboutNewTab(nsIPrincipal* aPrincipal) {
+  if (StaticPrefs::dom_about_newtab_sanitization_enabled() ||
+      !aPrincipal->SchemeIs("about")) {
+    return false;
+  }
+  uint32_t aboutModuleFlags = 0;
+  aPrincipal->GetAboutModuleFlags(&aboutModuleFlags);
+  return aboutModuleFlags & nsIAboutModule::ALLOW_UNSANITIZED_CONTENT;
+}
+
 /* static */
 nsresult nsContentUtils::ParseFragmentHTML(
    const nsAString& aSourceBuffer, nsIContent* aTargetNode,
@ -4864,8 +4875,11 @@ nsresult nsContentUtils::ParseFragmentHTML(
  bool shouldSanitize = nodePrincipal->IsSystemPrincipal() ||
                        nodePrincipal->SchemeIs("about") || aFlags >= 0;
  if (shouldSanitize) {
-    fragment = new DocumentFragment(aTargetNode->OwnerDoc()->NodeInfoManager());
-    target = fragment;
+    if (!AllowsUnsanitizedContentForAboutNewTab(nodePrincipal)) {
+      fragment =
+          new DocumentFragment(aTargetNode->OwnerDoc()->NodeInfoManager());
+      target = fragment;
+    }
  }

  nsresult rv = sHTMLFragmentParser->ParseFragment(
--- a/modules/libpref/init/StaticPrefList.yaml
+++ b/modules/libpref/init/StaticPrefList.yaml
@ -2950,6 +2950,14 @@
  value: true
  mirror: always

+# about:home and about:newtab include remote snippets that contain arbitrarily
+# placed anchor tags in their content; we want sanitization to be turned off
+# in order to render them correctly
+- name: dom.about_newtab_sanitization.enabled
+  type: bool
+  value: false
+  mirror: always
+
 #---------------------------------------------------------------------------
 # Prefs starting with "editor"
 #---------------------------------------------------------------------------
--- a/netwerk/protocol/about/nsIAboutModule.idl
+++ b/netwerk/protocol/about/nsIAboutModule.idl
@ -86,6 +86,12 @@ interface nsIAboutModule : nsISupports
     */
    const unsigned long URI_MUST_LOAD_IN_EXTENSION_PROCESS = (1 << 9);

+    /**
+     * A flag that indicates that this about: URI needs to allow unsanitized content.
+     * Only to be used by about:home and about:newtab.
+     */
+    const unsigned long ALLOW_UNSANITIZED_CONTENT = (1 << 10);
+
    /**
     * A method to get the flags that apply to a given about: URI.  The URI
     * passed in is guaranteed to be one of the URIs that this module