Bug 803870 - Compare the subject with the outer window for History. r=bz
authorBobby Holley <bobbyholley@gmail.com>
Wed, 20 Feb 2013 08:37:21 -0800
changeset 122447 bd115faef0ee263a00dfd17dfc91c0acd17d8f57
parent 122446 8ab6e6416d6772db2980191850c4274e6ebb0c32
child 122448 dcfa5af2b72ae61c9a443e7fb08b26698c6ce849
push id23303
push userbobbyholley@gmail.com
push dateWed, 20 Feb 2013 16:37:35 +0000
reviewersbz
bugs803870
milestone22.0a1
Bug 803870 - Compare the subject with the outer window for History. r=bz
dom/base/nsHistory.cpp
--- a/dom/base/nsHistory.cpp
+++ b/dom/base/nsHistory.cpp
@@ -59,16 +59,20 @@ NS_INTERFACE_MAP_END
 
 NS_IMPL_ADDREF(nsHistory)
 NS_IMPL_RELEASE(nsHistory)
 
 
 NS_IMETHODIMP
 nsHistory::GetLength(int32_t* aLength)
 {
+  nsCOMPtr<nsPIDOMWindow> win(do_QueryReferent(mInnerWindow));
+  if (!win || !nsContentUtils::CanCallerAccess(win->GetOuterWindow()))
+    return NS_ERROR_DOM_SECURITY_ERR;
+
   nsCOMPtr<nsISHistory>   sHistory;
 
   // Get session History from docshell
   GetSessionHistoryFromDocShell(GetDocShell(), getter_AddRefs(sHistory));
   NS_ENSURE_TRUE(sHistory, NS_ERROR_FAILURE);
   return sHistory->GetCount(aLength);
 }
 
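Review bot: The guard added at the top of GetLength passes the result of `win->GetOuterWindow()` straight to `nsContentUtils::CanCallerAccess`, so denying access when the inner window has no outer window depends on how that callee treats a null argument, which this diff does not show. Spelling out the fail-closed case keeps the check correct whatever the callee does: `if (!win || !win->GetOuterWindow() || !nsContentUtils::CanCallerAccess(win->GetOuterWindow())) {` with the `return NS_ERROR_DOM_SECURITY_ERR;` braced. The same applies to the identical guards added to Back, Forward and Go in the next hunk. A comment such as `// Session history belongs to the docshell: check the caller against the outer window, not the inner window this object was created for.` would record why the outer window is used; that rationale is inferred from the commit title.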
@@ -166,48 +170,60 @@ nsHistory::GetNext(nsAString& aNext)
   CopyUTF8toUTF16(nextURL, aNext);
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsHistory::Back()
 {
+  nsCOMPtr<nsPIDOMWindow> win(do_QueryReferent(mInnerWindow));
+  if (!win || !nsContentUtils::CanCallerAccess(win->GetOuterWindow()))
+    return NS_ERROR_DOM_SECURITY_ERR;
+
   nsCOMPtr<nsISHistory>  sHistory;
 
   GetSessionHistoryFromDocShell(GetDocShell(), getter_AddRefs(sHistory));
   NS_ENSURE_TRUE(sHistory, NS_ERROR_FAILURE);
 
   //QI SHistory to WebNavigation
   nsCOMPtr<nsIWebNavigation> webNav(do_QueryInterface(sHistory));
   NS_ENSURE_TRUE(webNav, NS_ERROR_FAILURE);
   webNav->GoBack();
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsHistory::Forward()
 {
+  nsCOMPtr<nsPIDOMWindow> win(do_QueryReferent(mInnerWindow));
+  if (!win || !nsContentUtils::CanCallerAccess(win->GetOuterWindow()))
+    return NS_ERROR_DOM_SECURITY_ERR;
+
   nsCOMPtr<nsISHistory>  sHistory;
 
   GetSessionHistoryFromDocShell(GetDocShell(), getter_AddRefs(sHistory));
   NS_ENSURE_TRUE(sHistory, NS_ERROR_FAILURE);
 
   //QI SHistory to WebNavigation
   nsCOMPtr<nsIWebNavigation> webNav(do_QueryInterface(sHistory));
   NS_ENSURE_TRUE(webNav, NS_ERROR_FAILURE);
   webNav->GoForward();
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsHistory::Go(int32_t aDelta)
 {
+  nsCOMPtr<nsPIDOMWindow> win(do_QueryReferent(mInnerWindow));
+  if (!win || !nsContentUtils::CanCallerAccess(win->GetOuterWindow()))
+    return NS_ERROR_DOM_SECURITY_ERR;
+
   if (aDelta == 0) {
     nsCOMPtr<nsPIDOMWindow> window(do_GetInterface(GetDocShell()));
 
     if (window && window->IsHandlingResizeEvent()) {
       // history.go(0) (aka location.reload()) was called on a window
       // that is handling a resize event. Sites do this since Netscape
       // 4.x needed it, but we don't, and it's a horrible experience
       // for nothing.  In stead of reloading the page, just clear
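Review bot: The same three-line access guard is pasted into Back, Forward and Go here (and into GetLength in the previous hunk), so any nsHistory entry point that does not receive its own copy is left unguarded without any visible sign. GetNext, whose tail is the context at the top of this hunk, shows no such guard in the visible lines; its body starts outside the hunk, so it may be checking the caller some other way, but that is worth confirming for every scriptable method on this class. Moving the guard into one private helper and calling it as `if (!CallerCanAccessHistory()) { return NS_ERROR_DOM_SECURITY_ERR; }` (helper name is a suggestion) would make a missing check easier to spot in review. Go's body continues past the end of this hunk.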