This patch adds support for a "private" window flag which can be used to
open new chrome windows in private browsing mode. It also tests to make
sure that the flag is not accessible from content. A test in the next
part makes sure that the flag is accessible from chrome.
WouldReuseInnerWindow also returns true if the new window is same-origin with
the old one about:blank document.
This condition exists in order to handle some sloppiness with respect to the
principals on initial about:blank documents. Chrome callers sometimes parent
chrome windows (with XUL document) to content windows. But this parenting causes
us to push the cx of the content window during window creation, meaning that
the subsequent load of chrome://foo.xul blows away the old inner window and any
expandos on it. We can handle this case more precisely by skipping the cx push
for type="chrome" windows.
Furthermore, this was also necessary to prevent the inner window from being
blown away in the call to SetOpenerScriptPrincipal once nsWindowWatcher gets
the window back from the window creator (and after it's already told consumers
about the window via "domwindowcreated"). But we fixed this nastiness in the
previous patches.
So we can remove this case. By doing so, we can prevent inner windows from ever
changing origins, which is very important for compartment security invariants.
We can remove the fallback to the principal of aParent because we already push the
cx for aParent (callerContextGuard) whenever we're concerned about using its principal.
This doesn't change any functionality in the code. Note that the name is currently
a bit of a misnomer, but we change that in the next patch when we rip out the
arguments.
WouldReuseInnerWindow also returns true if the new window is same-origin with
the old one about:blank document.
This condition exists in order to handle some sloppiness with respect to the
principals on initial about:blank documents. Chrome callers sometimes parent
chrome windows (with XUL document) to content windows. But this parenting causes
us to push the cx of the content window during window creation, meaning that
the subsequent load of chrome://foo.xul blows away the old inner window and any
expandos on it. We can handle this case more precisely by skipping the cx push
for type="chrome" windows.
Furthermore, this was also necessary to prevent the inner window from being
blown away in the call to SetOpenerScriptPrincipal once nsWindowWatcher gets
the window back from the window creator (and after it's already told consumers
about the window via "domwindowcreated"). But we fixed this nastiness in the
previous patches.
So we can remove this case. By doing so, we can prevent inner windows from ever
changing origins, which is very important for compartment security invariants.
