Bug 1570243 - Make WindowContext CanSet functions check if the WindowContext is owned by the setting process, not the BrowsingContext. r=nika

Differential Revision: https://phabricator.services.mozilla.com/D73997
2024-10-21 17:25:36 +00:00 · 2020-05-08 01:38:02 +00:00 · 2020-05-08 01:38:02 +00:00 · ab7bcd098f
commit ab7bcd098f
parent 3799bf96ea
4 changed files with 42 additions and 23 deletions
--- a/docshell/base/WindowContext.cpp
+++ b/docshell/base/WindowContext.cpp
@ -108,22 +108,41 @@ void WindowContext::SendCommitTransaction(ContentChild* aChild,
  aChild->SendCommitWindowContextTransaction(this, aTxn, aEpoch);
 }

+bool WindowContext::CheckOnlyOwningProcessCanSet(ContentParent* aSource) {
+  if (mInProcess) {
+    return true;
+  }
+
+  if (XRE_IsParentProcess() && aSource) {
+    return Canonical()->GetContentParent() == aSource;
+  }
+
+  return false;
+}
+
 bool WindowContext::CanSet(FieldIndex<IDX_AllowMixedContent>,
                           const bool& aAllowMixedContent,
                           ContentParent* aSource) {
-  return mBrowsingContext->CheckOnlyOwningProcessCanSet(aSource);
+  return CheckOnlyOwningProcessCanSet(aSource);
+}
+
+bool WindowContext::CanSet(
+    FieldIndex<IDX_CookieJarSettings>,
+    const Maybe<mozilla::net::CookieJarSettingsArgs>& aValue,
+    ContentParent* aSource) {
+  return CheckOnlyOwningProcessCanSet(aSource);
 }

 bool WindowContext::CanSet(FieldIndex<IDX_IsThirdPartyWindow>,
                           const bool& IsThirdPartyWindow,
                           ContentParent* aSource) {
-  return mBrowsingContext->CheckOnlyOwningProcessCanSet(aSource);
+  return CheckOnlyOwningProcessCanSet(aSource);
 }

 bool WindowContext::CanSet(FieldIndex<IDX_IsThirdPartyTrackingResourceWindow>,
                           const bool& aIsThirdPartyTrackingResourceWindow,
                           ContentParent* aSource) {
-  return mBrowsingContext->CheckOnlyOwningProcessCanSet(aSource);
+  return CheckOnlyOwningProcessCanSet(aSource);
 }

 already_AddRefed<WindowContext> WindowContext::Create(
@ -133,8 +152,9 @@ already_AddRefed<WindowContext> WindowContext::Create(

  FieldTuple init;
  mozilla::Get<IDX_OuterWindowId>(init) = aWindow->OuterWindowId();
-  RefPtr<WindowContext> context = new WindowContext(
-      aWindow->BrowsingContext(), aWindow->InnerWindowId(), std::move(init));
+  RefPtr<WindowContext> context =
+      new WindowContext(aWindow->BrowsingContext(), aWindow->InnerWindowId(),
+                        /* aInProcess */ true, std::move(init));
  context->Init();
  return context.forget();
 }
@ -154,7 +174,8 @@ void WindowContext::CreateFromIPC(IPCInitializer&& aInit) {
  }

  RefPtr<WindowContext> context =
-      new WindowContext(bc, aInit.mInnerWindowId, std::move(aInit.mFields));
+      new WindowContext(bc, aInit.mInnerWindowId, /* aInProcess */ false,
+                        std::move(aInit.mFields));
  context->Init();
 }

@ -192,10 +213,12 @@ void WindowContext::Discard() {
 }

 WindowContext::WindowContext(BrowsingContext* aBrowsingContext,
-                             uint64_t aInnerWindowId, FieldTuple&& aFields)
+                             uint64_t aInnerWindowId, bool aInProcess,
+                             FieldTuple&& aFields)
    : mFields(std::move(aFields)),
      mInnerWindowId(aInnerWindowId),
-      mBrowsingContext(aBrowsingContext) {
+      mBrowsingContext(aBrowsingContext),
+      mInProcess(aInProcess) {
  MOZ_ASSERT(mBrowsingContext);
  MOZ_ASSERT(mInnerWindowId);
 }
--- a/docshell/base/WindowContext.h
+++ b/docshell/base/WindowContext.h
@ -49,6 +49,8 @@ class WindowContext : public nsISupports, public nsWrapperCache {

  bool IsCached() const;

+  bool IsInProcess() { return mInProcess; }
+
  // Get the parent WindowContext of this WindowContext, taking the BFCache into
  // account. This will not cross chrome/content <browser> boundaries.
  WindowContext* GetParentWindowContext();
@ -86,7 +88,7 @@ class WindowContext : public nsISupports, public nsWrapperCache {

 protected:
  WindowContext(BrowsingContext* aBrowsingContext, uint64_t aInnerWindowId,
-                FieldTuple&& aFields);
+                bool aInProcess, FieldTuple&& aFields);
  virtual ~WindowContext();

  void Init();
@ -103,6 +105,8 @@ class WindowContext : public nsISupports, public nsWrapperCache {
  void SendCommitTransaction(ContentChild* aChild, const BaseTransaction& aTxn,
                             uint64_t aEpoch);

+  bool CheckOnlyOwningProcessCanSet(ContentParent* aSource);
+
  // Overload `CanSet` to get notifications for a particular field being set.
  bool CanSet(FieldIndex<IDX_OuterWindowId>, const uint64_t& aValue,
              ContentParent* aSource) {
@ -114,10 +118,7 @@ class WindowContext : public nsISupports, public nsWrapperCache {

  bool CanSet(FieldIndex<IDX_CookieJarSettings>,
              const Maybe<mozilla::net::CookieJarSettingsArgs>& aValue,
-              ContentParent* aSource) {
-    return true;
-  }
-
+              ContentParent* aSource);
  bool CanSet(FieldIndex<IDX_IsThirdPartyWindow>,
              const bool& IsThirdPartyWindow, ContentParent* aSource);
  bool CanSet(FieldIndex<IDX_IsThirdPartyTrackingResourceWindow>,
@ -142,6 +143,7 @@ class WindowContext : public nsISupports, public nsWrapperCache {
  nsTArray<RefPtr<BrowsingContext>> mChildren;

  bool mIsDiscarded = false;
+  bool mInProcess = false;
 };

 using WindowContextTransaction = WindowContext::BaseTransaction;
--- a/dom/ipc/WindowGlobalParent.cpp
+++ b/dom/ipc/WindowGlobalParent.cpp
@ -54,10 +54,9 @@ namespace dom {
 WindowGlobalParent::WindowGlobalParent(const WindowGlobalInit& aInit,
                                       bool aInProcess)
    : WindowContext(aInit.browsingContext().GetMaybeDiscarded(),
-                    aInit.innerWindowId(), {}),
+                    aInit.innerWindowId(), aInProcess, {}),
      mDocumentPrincipal(aInit.principal()),
      mDocumentURI(aInit.documentURI()),
-      mInProcess(aInProcess),
      mIsInitialDocument(false),
      mHasBeforeUnload(false),
      mSandboxFlags(0),
@ -85,7 +84,7 @@ void WindowGlobalParent::Init(const WindowGlobalInit& aInit) {
  // Determine which content process the window global is coming from.
  dom::ContentParentId processId(0);
  ContentParent* cp = nullptr;
-  if (!mInProcess) {
+  if (!IsInProcess()) {
    cp = static_cast<ContentParent*>(Manager()->Manager());
    processId = cp->ChildID();

@ -644,7 +643,7 @@ void WindowGlobalParent::ActorDestroy(ActorDestroyReason aWhy) {
  WindowContext::Discard();

  ContentParent* cp = nullptr;
-  if (!mInProcess) {
+  if (!IsInProcess()) {
    cp = static_cast<ContentParent*>(Manager()->Manager());
  }

@ -661,7 +660,7 @@ void WindowGlobalParent::ActorDestroy(ActorDestroyReason aWhy) {
  // There shouldn't have any content blocking log when a documnet is loaded in
  // the parent process(See NotifyContentBlockingeEvent), so we could skip
  // reporting log when it is in-process.
-  if (!mInProcess) {
+  if (!IsInProcess()) {
    RefPtr<BrowserParent> browserParent =
        static_cast<BrowserParent*>(Manager());
    if (browserParent) {
--- a/dom/ipc/WindowGlobalParent.h
+++ b/dom/ipc/WindowGlobalParent.h
@ -79,10 +79,6 @@ class WindowGlobalParent final : public WindowContext,
  // Has this actor been shut down
  bool IsClosed() { return !CanSend(); }

-  // Check if this actor is managed by PInProcess, as-in the document is loaded
-  // in-process.
-  bool IsInProcess() { return mInProcess; }
-
  // Get the other side of this actor if it is an in-process actor. Returns
  // |nullptr| if the actor has been torn down, or is not in-process.
  already_AddRefed<WindowGlobalChild> GetChildActor();
@ -248,7 +244,6 @@ class WindowGlobalParent final : public WindowContext,
  nsString mDocumentTitle;

  nsRefPtrHashtable<nsCStringHashKey, JSWindowActorParent> mWindowActors;
-  bool mInProcess;
  bool mIsInitialDocument;

  // True if this window has a "beforeunload" event listener.