Bug 1190641 part 2. Add the sandboxed modals flag to iframe sandboxing. r=ckerschb
☠☠ backed out by b7be22142cf4 ☠ ☠
authorBoris Zbarsky <bzbarsky@mit.edu>
Fri, 06 May 2016 13:56:36 -0400
changeset 296433 b037f264208284688c059587db7e45158596c256
parent 296432 733eacd2ed13b581e03868160b8a68f42dabf63b
child 296434 ef1d1a4334157c6e26a6006ae6e949222e4f6c89
push id76327
push userbzbarsky@mozilla.com
push dateFri, 06 May 2016 18:04:36 +0000
reviewersckerschb
bugs1190641
milestone49.0a1
Bug 1190641 part 2. Add the sandboxed modals flag to iframe sandboxing. r=ckerschb Automated testing for this seems rather difficult; I've done manual testing.
dom/base/IframeSandboxKeywordList.h
dom/base/nsContentUtils.cpp
dom/base/nsGkAtomList.h
dom/base/nsGlobalWindow.cpp
dom/base/nsSandboxFlags.h
layout/base/nsDocumentViewer.cpp
--- a/dom/base/IframeSandboxKeywordList.h
+++ b/dom/base/IframeSandboxKeywordList.h
@@ -17,9 +17,10 @@ SANDBOX_KEYWORD("allow-forms", allowform
 SANDBOX_KEYWORD("allow-scripts", allowscripts,
 		SANDBOXED_SCRIPTS | SANDBOXED_AUTOMATIC_FEATURES)
 SANDBOX_KEYWORD("allow-top-navigation", allowtopnavigation,
 		SANDBOXED_TOPLEVEL_NAVIGATION)
 SANDBOX_KEYWORD("allow-pointer-lock", allowpointerlock, SANDBOXED_POINTER_LOCK)
 SANDBOX_KEYWORD("allow-orientation-lock", alloworientationlock,
 		SANDBOXED_ORIENTATION_LOCK)
 SANDBOX_KEYWORD("allow-popups", allowpopups, SANDBOXED_AUXILIARY_NAVIGATION)
+SANDBOX_KEYWORD("allow-modals", allowmodals, SANDBOXED_MODALS)
 
--- a/dom/base/nsContentUtils.cpp
+++ b/dom/base/nsContentUtils.cpp
@@ -1355,27 +1355,17 @@ nsContentUtils::GetParserService()
  */
 uint32_t
 nsContentUtils::ParseSandboxAttributeToFlags(const nsAttrValue* sandboxAttr)
 {
   // No sandbox attribute, no sandbox flags.
   if (!sandboxAttr) { return 0; }
 
   //  Start off by setting all the restriction flags.
-  uint32_t out = SANDBOXED_NAVIGATION
-               | SANDBOXED_AUXILIARY_NAVIGATION
-               | SANDBOXED_TOPLEVEL_NAVIGATION
-               | SANDBOXED_PLUGINS
-               | SANDBOXED_ORIGIN
-               | SANDBOXED_FORMS
-               | SANDBOXED_SCRIPTS
-               | SANDBOXED_AUTOMATIC_FEATURES
-               | SANDBOXED_POINTER_LOCK
-               | SANDBOXED_ORIENTATION_LOCK
-               | SANDBOXED_DOMAIN;
+  uint32_t out = SANDBOX_ALL_FLAGS;
 
 // Macro for updating the flag according to the keywords
 #define SANDBOX_KEYWORD(string, atom, flags)                             \
   if (sandboxAttr->Contains(nsGkAtoms::atom, eIgnoreCase)) { out &= ~(flags); }
 
 #include "IframeSandboxKeywordList.h"
 
   return out;
--- a/dom/base/nsGkAtomList.h
+++ b/dom/base/nsGkAtomList.h
@@ -74,16 +74,17 @@ GK_ATOM(after_end, "after_end")
 GK_ATOM(after_start, "after_start")
 GK_ATOM(align, "align")
 GK_ATOM(alink, "alink")
 GK_ATOM(all, "all")
 GK_ATOM(allowevents, "allowevents")
 GK_ATOM(allownegativeassertions, "allownegativeassertions")
 GK_ATOM(allowforms,"allow-forms")
 GK_ATOM(allowfullscreen, "allowfullscreen")
+GK_ATOM(allowmodals, "allow-modals")
 GK_ATOM(alloworientationlock,"allow-orientation-lock")
 GK_ATOM(allowpointerlock,"allow-pointer-lock")
 GK_ATOM(allowpopups,"allow-popups")
 GK_ATOM(allowsameorigin,"allow-same-origin")
 GK_ATOM(allowscripts,"allow-scripts")
 GK_ATOM(allowtopnavigation,"allow-top-navigation")
 GK_ATOM(allowuntrusted, "allowuntrusted")
 GK_ATOM(alt, "alt")
--- a/dom/base/nsGlobalWindow.cpp
+++ b/dom/base/nsGlobalWindow.cpp
@@ -3415,16 +3415,26 @@ nsGlobalWindow::AreDialogsEnabled()
 
     bool isHidden;
     cv->GetIsHidden(&isHidden);
     if (isHidden) {
       return false;
     }
   }
 
+  // Dialogs are also blocked if the document is sandboxed with SANDBOXED_MODALS
+  // (or if we have no document, of course).  Which document?  Who knows; the
+  // spec is daft.  See <https://github.com/whatwg/html/issues/1206>.  For now
+  // just go ahead and check mDoc, since in everything except edge cases in
+  // which a frame is allow-same-origin but not allow-scripts and is being poked
+  // at by some other window this should be the right thing anyway.
+  if (!mDoc || (mDoc->GetSandboxFlags() & SANDBOXED_MODALS)) {
+    return false;
+  }
+
   return topWindow->mAreDialogsEnabled;
 }
 
 bool
 nsGlobalWindow::DialogsAreBeingAbused()
 {
   MOZ_ASSERT(IsInnerWindow());
   NS_ASSERTION(GetScriptableTopInternal() &&
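Review bot: The new check at `if (!mDoc || (mDoc->GetSandboxFlags() & SANDBOXED_MODALS))` consults only this window's own document, so a frame sandboxed with allow-same-origin plus allow-scripts but without allow-modals can, as far as I can tell, still put up a dialog by calling `parent.alert()` or `top.alert()` — `this` is then the unsandboxed ancestor whose mDoc carries no SANDBOXED_MODALS, and the sandboxed caller's flags are never examined. The comment names the opposite direction (an outer window poking a sandboxed frame) as the edge case but not this one, and this one is the direction hostile content controls. If the intent is the spec's "sandboxed modals flag of the relevant document", it would be worth also consulting the calling document's sandbox flags where the caller can be determined, or at least stating the limitation in the comment: `// NOTE: only this window's own document is checked; a sandboxed same-origin child calling into us is not blocked here.` AreDialogsEnabled begins before this hunk, and DialogsAreBeingAbused continues past it.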
--- a/dom/base/nsSandboxFlags.h
+++ b/dom/base/nsSandboxFlags.h
@@ -90,12 +90,21 @@ const unsigned long SANDBOXED_AUTOMATIC_
 // const unsigned long SANDBOXED_FULLSCREEN = 0x400;
 
 /**
  * This flag blocks the document from changing document.domain.
  */
 const unsigned long SANDBOXED_DOMAIN = 0x800;
 
 /**
+ * This flag prevents content from using window.alert(), window.confirm(),
+ * window.print(), window.prompt() and the beforeunload event from putting up
+ * dialogs.
+ */
+const unsigned long SANDBOXED_MODALS = 0x1000;
+
+/**
  * This flag prevents locking screen orientation.
  */
-const unsigned long SANDBOXED_ORIENTATION_LOCK = 0x1000;
+const unsigned long SANDBOXED_ORIENTATION_LOCK = 0x2000;
+
+const unsigned long SANDBOX_ALL_FLAGS = 0x3FFF;
 #endif
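Review bot: `SANDBOX_ALL_FLAGS = 0x3FFF` sets bit 0x400, which a few lines up is the commented-out `SANDBOXED_FULLSCREEN` with no live definition, so every sandboxed iframe now starts with a flag that nothing in this header names; the explicit OR-list that ParseSandboxAttributeToFlags used before this commit did not include it. A literal mask also has to be hand-edited each time a flag is added, which is exactly the drift the constant was introduced to avoid. Defining the mask as the OR of the named flags keeps the two in sync by construction and stops 0x400 from being set. Separately, moving SANDBOXED_ORIENTATION_LOCK from 0x1000 to 0x2000 is only safe if these values are never persisted or exchanged across version boundaries; appending SANDBOXED_MODALS as 0x2000 instead would avoid the renumbering if that assumption does not hold.
```cpp
// Keep this the OR of every SANDBOXED_* flag with a live definition above, so a
// new flag cannot be forgotten and an undefined bit (e.g. 0x400) is never set.
const unsigned long SANDBOX_ALL_FLAGS = SANDBOXED_NAVIGATION
                                      | SANDBOXED_AUXILIARY_NAVIGATION
                                      | SANDBOXED_TOPLEVEL_NAVIGATION
                                      | SANDBOXED_PLUGINS
                                      | SANDBOXED_ORIGIN
                                      | SANDBOXED_FORMS
                                      | SANDBOXED_SCRIPTS
                                      | SANDBOXED_AUTOMATIC_FEATURES
                                      | SANDBOXED_POINTER_LOCK
                                      | SANDBOXED_DOMAIN
                                      | SANDBOXED_MODALS
                                      | SANDBOXED_ORIENTATION_LOCK;
```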
--- a/layout/base/nsDocumentViewer.cpp
+++ b/layout/base/nsDocumentViewer.cpp
@@ -81,16 +81,18 @@
 #include "nsIScrollableFrame.h"
 #include "nsStyleSheetService.h"
 #include "nsRenderingContext.h"
 #include "nsILoadContext.h"
 
 #include "nsIPrompt.h"
 #include "imgIContainer.h" // image animation mode constants
 
+#include "nsSandboxFlags.h"
+
 #include "mozilla/DocLoadingTimelineMarker.h"
 
 //--------------------------
 // Printing Include
 //---------------------------
 #ifdef NS_PRINTING
 
 #include "nsIWebBrowserPrint.h"
@@ -1145,17 +1147,18 @@ nsDocumentViewer::PermitUnloadInternal(b
   }
 
   nsCOMPtr<nsIDocShell> docShell(mContainer);
   nsAutoString text;
   beforeUnload->GetReturnValue(text);
 
   // NB: we nullcheck mDocument because it might now be dead as a result of
   // the event being dispatched.
-  if (!sIsBeforeUnloadDisabled && *aShouldPrompt && dialogsAreEnabled && mDocument &&
+  if (!sIsBeforeUnloadDisabled && *aShouldPrompt && dialogsAreEnabled &&
+      mDocument && !(mDocument->GetSandboxFlags() & SANDBOXED_MODALS) &&
       (!sBeforeUnloadRequiresInteraction || mDocument->UserHasInteracted()) &&
       (event->WidgetEventPtr()->DefaultPrevented() || !text.IsEmpty())) {
     // Ask the user if it's ok to unload the current page
 
     nsCOMPtr<nsIPrompt> prompt = do_GetInterface(docShell);
 
     if (prompt) {
       nsCOMPtr<nsIWritablePropertyBag2> promptBag = do_QueryInterface(prompt);
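Review bot: The added `!(mDocument->GetSandboxFlags() & SANDBOXED_MODALS)` clause silently skips the prompt, and the path it falls into is outside the hunk, so a reader has to trust that the default result lets the unload proceed; a comment above the condition would make the intended outcome explicit: `// A document sandboxed without allow-modals gets no beforeunload prompt; the unload proceeds as if the user had confirmed.` Note that `dialogsAreEnabled` is computed before this hunk — if it comes from nsGlobalWindow::AreDialogsEnabled(), which this same commit teaches about SANDBOXED_MODALS, the new clause is redundant, though keeping it is harmless and guards against that value having been captured before the event was dispatched. PermitUnloadInternal starts before this hunk and continues past it.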