Bug 1370630 - Untrusted submit event shouldn't trigger form submission; r=smaug

Differential Revision: https://phabricator.services.mozilla.com/D28070

dom/events/test/mochitest.ini

@@ -243,6 +243,7 @@ skip-if = toolkit == 'android' # Bug 1312791
 [test_slotted_mouse_event.html]
 [test_slotted_text_click.html]
 [test_unbound_before_in_active_chain.html]
+[test_submitevent_on_form.html]
 [test_wheel_zoom_on_form_controls.html]
 skip-if = verify
 [test_focus_blur_on_click_in_cross_origin_iframe.html]

dom/events/test/test_submitevent_on_form.html

@@ -0,0 +1,41 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Test submit event on form</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+  <form action="javascript:doDefault()" id="form">
+    <input type="submit" value="Do Default Action">
+  </form>
+  <pre id="test">
+  <script type="application/javascript">
+SimpleTest.waitForExplicitFinish();
+SimpleTest.waitForFocus(runTests);
+
+var doDefaultAction = false;
+
+function doDefault()
+{
+  doDefaultAction = true;
+}
+
+async function runTests()
+{
+  await SpecialPowers.pushPrefEnv({
+    set: [["dom.forms.submit.trusted_event_only", true]],
+  });
+
+  let form = document.getElementById("form");
+  form.dispatchEvent(new Event('submit'));
+  setTimeout(() => {
+    ok(!doDefaultAction, "untrusted submit event shouldn't trigger form default action");
+    SimpleTest.finish();
+  });
+}
+  </script>
+  </pre>
+</body>
+</html>

dom/html/HTMLFormElement.cpp

@@ -46,6 +46,7 @@
 #include "mozilla/dom/FormDataEvent.h"
 #include "mozilla/dom/SubmitEvent.h"
 #include "mozilla/Telemetry.h"
+#include "mozilla/StaticPrefs_dom.h"
 #include "mozilla/StaticPrefs_prompts.h"
 #include "nsIFormSubmitObserver.h"
 #include "nsIObserverService.h"
@@ -505,9 +506,19 @@ void HTMLFormElement::UnbindFromTree(bool aNullParent) {
   ForgetCurrentSubmission();
 }
 
+static bool CanSubmit(WidgetEvent& aEvent) {
+  // According to the UI events spec section "Trusted events", we shouldn't
+  // trigger UA default action with an untrusted event except click.
+  // However, there are still some sites depending on sending untrusted event
+  // to submit form, see Bug 1370630.
+  return !StaticPrefs::dom_forms_submit_trusted_event_only() ||
+         aEvent.IsTrusted();
+}
+
 void HTMLFormElement::GetEventTargetParent(EventChainPreVisitor& aVisitor) {
   aVisitor.mWantsWillHandleEvent = true;
-  if (aVisitor.mEvent->mOriginalTarget == static_cast<nsIContent*>(this)) {
+  if (aVisitor.mEvent->mOriginalTarget == static_cast<nsIContent*>(this) &&
+      CanSubmit(*aVisitor.mEvent)) {
     uint32_t msg = aVisitor.mEvent->mMessage;
     if (msg == eFormSubmit) {
       if (mGeneratingSubmit) {
@@ -544,7 +555,8 @@ void HTMLFormElement::WillHandleEvent(EventChainPostVisitor& aVisitor) {
 }
 
 nsresult HTMLFormElement::PostHandleEvent(EventChainPostVisitor& aVisitor) {
-  if (aVisitor.mEvent->mOriginalTarget == static_cast<nsIContent*>(this)) {
+  if (aVisitor.mEvent->mOriginalTarget == static_cast<nsIContent*>(this) &&
+      CanSubmit(*aVisitor.mEvent)) {
     EventMessage msg = aVisitor.mEvent->mMessage;
     if (msg == eFormSubmit) {
       // let the form know not to defer subsequent submissions

modules/libpref/init/StaticPrefList.yaml

@@ -1870,6 +1870,12 @@
   value: false
   mirror: always
 
+# Only trusted submit event could trigger form submission.
+- name: dom.forms.submit.trusted_event_only
+  type: bool
+  value: false
+  mirror: always
+
 # This pref just controls whether we format the number with grouping separator
 # characters when the internal value is set or updated. It does not stop the
 # user from typing in a number and using grouping separators.