Bug 1082734 - Disable location.searchParams for cross-origin insecure data access, r=bz
authorAndrea Marchesini <amarchesini@mozilla.com>
Mon, 03 Nov 2014 08:18:22 +0000
changeset 213656 4545e522f4d62d9073da93cf52190fefa716d28d
parent 213655 3b775cfbd87a512885d31519972f8e7d62821a50
child 213657 7d0240d750ee656a560b25119aea16ec49bf7479
push id27758
push userryanvm@gmail.com
push dateMon, 03 Nov 2014 21:18:21 +0000
treeherdermozilla-central@9b03757d6c99 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersbz
bugs1082734
milestone36.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1082734 - Disable location.searchParams for cross-origin insecure data access, r=bz
dom/base/test/mochitest.ini
dom/base/test/test_location_searchParams.html
dom/webidl/HTMLAnchorElement.webidl
dom/webidl/HTMLAreaElement.webidl
dom/webidl/Location.webidl
dom/webidl/URL.webidl
dom/webidl/URLUtils.webidl
--- a/dom/base/test/mochitest.ini
+++ b/dom/base/test/mochitest.ini
@@ -276,17 +276,16 @@ skip-if = buildapp == 'mulet' || buildap
 [test_gsp-standards.html]
 [test_getFeature_with_perm.html]
 [test_getFeature_without_perm.html]
 [test_hasFeature.html]
 [test_history_document_open.html]
 [test_history_state_null.html]
 [test_Image_constructor.html]
 [test_innersize_scrollport.html]
-[test_location_searchParams.html]
 [test_messageChannel.html]
 [test_messageChannel_cloning.html]
 [test_messageChannel_pingpong.html]
 [test_messageChannel_post.html]
 [test_messageChannel_pref.html]
 [test_messageChannel_start.html]
 [test_messagemanager_targetchain.html]
 [test_messageChannel_transferable.html]
deleted file mode 100644
--- a/dom/base/test/test_location_searchParams.html
+++ /dev/null
@@ -1,89 +0,0 @@
-
-<!DOCTYPE HTML>
-<html>
-<!--
-https://bugzilla.mozilla.org/show_bug.cgi?id=1037715
--->
-<head>
-  <meta charset="utf-8">
-  <title>Test for Bug 1037715</title>
-  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
-</head>
-<body>
-  <a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1037715">Mozilla Bug 1037715</a>
-  <iframe id="a"></iframe>
-  <script type="application/javascript">
-
-var l;
-
-var iframe = document.getElementById('a');
-function onload0() {
-  iframe.removeEventListener('load', onload0);
-
-  l = iframe.contentWindow.location;
-  is(l.searchParams.get('a'), 'test0', 'l.searchParams value is ok');
-
-  info('changing location from JS...');
-  iframe.addEventListener('load', onload1);
-  iframe.contentWindow.location.href = 'file_empty.html?a=test1';
-}
-
-function onload1() {
-  iframe.removeEventListener('load', onload1);
-
-  var ll = iframe.contentWindow.location;
-  is(ll.searchParams.get('a'), 'test1', 'location.searchParams value is ok');
-  is(l.searchParams.get('a'), 'test1', 'l.searchParams value is ok');
-  isnot(ll.searchParams, l.searchParams, '2 different objects.');
-
-  info('changing location using l.searchParams...');
-  iframe.addEventListener('load', onload2);
-  l.searchParams.set('a', 'test2');
-}
-
-function onload2() {
-  iframe.removeEventListener('load', onload2);
-
-  var ll = iframe.contentWindow.location;
-  is(ll.searchParams.get('a'), 'test2', 'location.searchParams value is ok');
-  is(l.searchParams.get('a'), 'test2', 'l.searchParams value is ok');
-  isnot(ll.searchParams, l.searchParams, '2 different objects.');
-
-  info('changing iframe.src...');
-  iframe.addEventListener('load', onload3);
-  l.search = 'a=test3';
-}
-
-function onload3() {
-  iframe.removeEventListener('load', onload3);
-
-  var ll = iframe.contentWindow.location;
-  is(ll.searchParams.get('a'), 'test3', 'location.searchParams value is ok');
-  is(l.searchParams.get('a'), 'test3', 'l.searchParams value is ok');
-  isnot(ll.searchParams, l.searchParams, '2 different objects.');
-
-  info('changing iframe.src...');
-  iframe.addEventListener('load', onload4);
-  iframe.src = 'file_empty.html?a=test4';
-}
-
-function onload4() {
-  iframe.removeEventListener('load', onload4);
-
-  var ll = iframe.contentWindow.location;
-  is(ll.searchParams.get('a'), 'test4', 'location.searchParams value is ok');
-  is(l.searchParams.get('a'), 'test4', 'l.searchParams value is ok');
-  isnot(ll.searchParams, l.searchParams, '2 different objects.');
-
-  SimpleTest.finish();
-}
-
-iframe.addEventListener('load', onload0);
-iframe.src = "file_empty.html?a=test0";
-SimpleTest.waitForExplicitFinish();
-
-  </script>
-
-</body>
-</html>
--- a/dom/webidl/HTMLAnchorElement.webidl
+++ b/dom/webidl/HTMLAnchorElement.webidl
@@ -26,16 +26,17 @@ interface HTMLAnchorElement : HTMLElemen
            attribute DOMString hreflang;
            [SetterThrows]
            attribute DOMString type;
 
            [SetterThrows]
            attribute DOMString text;
 };
 HTMLAnchorElement implements URLUtils;
+HTMLAnchorElement implements URLUtilsSearchParams;
 
 // http://www.whatwg.org/specs/web-apps/current-work/#other-elements,-attributes-and-apis
 partial interface HTMLAnchorElement {
            [SetterThrows]
            attribute DOMString coords;
            [SetterThrows]
            attribute DOMString charset;
            [SetterThrows]
--- a/dom/webidl/HTMLAreaElement.webidl
+++ b/dom/webidl/HTMLAreaElement.webidl
@@ -33,14 +33,15 @@ interface HTMLAreaElement : HTMLElement 
   // not implemented.
   //
   //       [SetterThrows]
   //       attribute DOMString hreflang;
   //       [SetterThrows]
   //       attribute DOMString type;
 };
 HTMLAreaElement implements URLUtils;
+HTMLAreaElement implements URLUtilsSearchParams;
 
 // http://www.whatwg.org/specs/web-apps/current-work/#other-elements,-attributes-and-apis
 partial interface HTMLAreaElement {
            [SetterThrows]
            attribute boolean noHref;
 };
--- a/dom/webidl/Location.webidl
+++ b/dom/webidl/Location.webidl
@@ -16,10 +16,11 @@ interface Location {
   [Throws]
   void assign(DOMString url);
   [Throws, CrossOriginCallable]
   void replace(DOMString url);
   // XXXbz there is no forceget argument in the spec!  See bug 1037721.
   [Throws]
   void reload(optional boolean forceget = false);
 };
-// No support for .searchParams on Location yet.  See bug 1037715.
+// No support for .searchParams on Location yet.  See bug 1082734.
+
 Location implements URLUtils;
--- a/dom/webidl/URL.webidl
+++ b/dom/webidl/URL.webidl
@@ -14,16 +14,17 @@
 
 // [Constructor(DOMString url, optional (URL or DOMString) base = "about:blank")]
 [Constructor(DOMString url, URL base),
  Constructor(DOMString url, optional DOMString base = "about:blank"),
  Exposed=(Window,Worker)]
 interface URL {
 };
 URL implements URLUtils;
+URL implements URLUtilsSearchParams;
 
 partial interface URL {
   [Throws]
   static DOMString? createObjectURL(Blob blob, optional objectURLOptions options);
   [Throws]
   static DOMString? createObjectURL(MediaStream stream, optional objectURLOptions options);
   static void revokeObjectURL(DOMString url);
 };
--- a/dom/webidl/URLUtils.webidl
+++ b/dom/webidl/URLUtils.webidl
@@ -35,17 +35,21 @@ interface URLUtils {
            attribute ScalarValueString hostname;
   [Throws]
            attribute ScalarValueString port;
   [Throws]
            attribute ScalarValueString pathname;
   [Throws]
            attribute ScalarValueString search;
 
-           attribute URLSearchParams searchParams;
-
   [Throws]
            attribute ScalarValueString hash;
 
   // Bug 824857 should remove this.
   [Throws]
   stringifier;
 };
+
+[NoInterfaceObject,
+ Exposed=(Window, Worker)]
+interface URLUtilsSearchParams {
+           attribute URLSearchParams searchParams;
+};