mozilla-central: changeset 122468:bd115faef0ee263a00dfd17dfc91c0acd17d8f57

author	Bobby Holley <bobbyholley@gmail.com>
	Wed, 20 Feb 2013 08:37:21 -0800
changeset 122468	bd115faef0ee263a00dfd17dfc91c0acd17d8f57
parent 122467	8ab6e6416d6772db2980191850c4274e6ebb0c32
child 122469	dcfa5af2b72ae61c9a443e7fb08b26698c6ce849
push id	24342
push user	ryanvm@gmail.com
push date	Thu, 21 Feb 2013 13:05:06 +0000
treeherder	mozilla-central@702d2814efbf [default view] [failures only]
perfherder	[talos] [build metrics] [platform microbench] (compared to previous push)
reviewers	bz
bugs	803870
milestone	22.0a1
first release with	nightly linux32 702d2814efbf / 22.0a1 / 20130221072044 / files nightly linux64 702d2814efbf / 22.0a1 / 20130221072044 / files nightly mac 702d2814efbf / 22.0a1 / 20130221072044 / files nightly win32 702d2814efbf / 22.0a1 / 20130221072044 / files nightly win64 702d2814efbf / 22.0a1 / 20130221072044 / files
last release without	nightly linux32 401b967b2dfc / 22.0a1 / 20130220031126 / files nightly linux64 401b967b2dfc / 22.0a1 / 20130220031126 / files nightly mac 401b967b2dfc / 22.0a1 / 20130220031126 / files nightly win32 401b967b2dfc / 22.0a1 / 20130220031126 / files nightly win64 401b967b2dfc / 22.0a1 / 20130220031126 / files

--- a/dom/base/nsHistory.cpp
+++ b/dom/base/nsHistory.cpp
@@ -59,16 +59,20 @@ NS_INTERFACE_MAP_END
 
 NS_IMPL_ADDREF(nsHistory)
 NS_IMPL_RELEASE(nsHistory)
 
 
 NS_IMETHODIMP
 nsHistory::GetLength(int32_t* aLength)
 {
+  nsCOMPtr<nsPIDOMWindow> win(do_QueryReferent(mInnerWindow));
+  if (!win || !nsContentUtils::CanCallerAccess(win->GetOuterWindow()))
+    return NS_ERROR_DOM_SECURITY_ERR;
+
   nsCOMPtr<nsISHistory>   sHistory;
 
   // Get session History from docshell
   GetSessionHistoryFromDocShell(GetDocShell(), getter_AddRefs(sHistory));
   NS_ENSURE_TRUE(sHistory, NS_ERROR_FAILURE);
   return sHistory->GetCount(aLength);
 }
 
@@ -166,48 +170,60 @@ nsHistory::GetNext(nsAString& aNext)
   CopyUTF8toUTF16(nextURL, aNext);
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsHistory::Back()
 {
+  nsCOMPtr<nsPIDOMWindow> win(do_QueryReferent(mInnerWindow));
+  if (!win || !nsContentUtils::CanCallerAccess(win->GetOuterWindow()))
+    return NS_ERROR_DOM_SECURITY_ERR;
+
   nsCOMPtr<nsISHistory>  sHistory;
 
   GetSessionHistoryFromDocShell(GetDocShell(), getter_AddRefs(sHistory));
   NS_ENSURE_TRUE(sHistory, NS_ERROR_FAILURE);
 
   //QI SHistory to WebNavigation
   nsCOMPtr<nsIWebNavigation> webNav(do_QueryInterface(sHistory));
   NS_ENSURE_TRUE(webNav, NS_ERROR_FAILURE);
   webNav->GoBack();
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsHistory::Forward()
 {
+  nsCOMPtr<nsPIDOMWindow> win(do_QueryReferent(mInnerWindow));
+  if (!win || !nsContentUtils::CanCallerAccess(win->GetOuterWindow()))
+    return NS_ERROR_DOM_SECURITY_ERR;
+
   nsCOMPtr<nsISHistory>  sHistory;
 
   GetSessionHistoryFromDocShell(GetDocShell(), getter_AddRefs(sHistory));
   NS_ENSURE_TRUE(sHistory, NS_ERROR_FAILURE);
 
   //QI SHistory to WebNavigation
   nsCOMPtr<nsIWebNavigation> webNav(do_QueryInterface(sHistory));
   NS_ENSURE_TRUE(webNav, NS_ERROR_FAILURE);
   webNav->GoForward();
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsHistory::Go(int32_t aDelta)
 {
+  nsCOMPtr<nsPIDOMWindow> win(do_QueryReferent(mInnerWindow));
+  if (!win || !nsContentUtils::CanCallerAccess(win->GetOuterWindow()))
+    return NS_ERROR_DOM_SECURITY_ERR;
+
   if (aDelta == 0) {
     nsCOMPtr<nsPIDOMWindow> window(do_GetInterface(GetDocShell()));
 
     if (window && window->IsHandlingResizeEvent()) {
       // history.go(0) (aka location.reload()) was called on a window
       // that is handling a resize event. Sites do this since Netscape
       // 4.x needed it, but we don't, and it's a horrible experience
       // for nothing.  In stead of reloading the page, just clear