Bug 1517368 - Allow just the first external protocol URL in <iframe>, r=smaug
authorAndrea Marchesini <amarchesini@mozilla.com>
Fri, 04 Jan 2019 16:16:58 +0100
changeset 452590 ebee49cf02703325eaec9f769c60bd74bc6894ae
parent 452589 a925aa11dd43eeddf065ec9f795ef4ab17050ea4
child 452591 9dfb6ebdf897d8bab0ddefb460ece64786cbe8f6
push id35316
push usershindli@mozilla.com
push dateSat, 05 Jan 2019 04:03:40 +0000
reviewerssmaug
bugs1517368
milestone66.0a1
Bug 1517368 - Allow just the first external protocol URL in <iframe>, r=smaug
docshell/base/nsDocShell.cpp
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@@ -9747,17 +9747,34 @@ nsresult nsDocShell::DoURILoad(nsDocShel
                "DoURILoad thinks this is a frame and InternalLoad does not");
 
     // Only allow URLs able to return data in iframes.
     bool doesNotReturnData = false;
     NS_URIChainHasFlags(aLoadState->URI(),
                         nsIProtocolHandler::URI_DOES_NOT_RETURN_DATA,
                         &doesNotReturnData);
     if (doesNotReturnData) {
-      return NS_ERROR_UNKNOWN_PROTOCOL;
+      bool popupBlocked = true;
+
+      // Let's consider external protocols as popups and let's check if the page
+      // is allowed to open them without abuse regardless of allowed events
+      if (PopupBlocker::GetPopupControlState() <= PopupBlocker::openBlocked) {
+        popupBlocked = !PopupBlocker::TryUsePopupOpeningToken();
+      } else {
+        nsCOMPtr<nsINode> loadingNode =
+            mScriptGlobal->AsOuter()->GetFrameElementInternal();
+        if (loadingNode) {
+          popupBlocked = !PopupBlocker::CanShowPopupByPermission(
+              loadingNode->NodePrincipal());
+        }
+      }
+
+      if (popupBlocked) {
+        return NS_ERROR_UNKNOWN_PROTOCOL;
+      }
     }
 
     // Only allow view-source scheme in top-level docshells. view-source is
     // the only scheme to which this applies at the moment due to potential
     // timing attacks to read data from cross-origin iframes. If this widens
     // we should add a protocol flag for whether the scheme is allowed in
     // frames and use something like nsNetUtil::NS_URIChainHasFlags.
     nsCOMPtr<nsIURI> tempURI = aLoadState->URI();
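Review bot: In the new `else` branch, `mScriptGlobal->AsOuter()->GetFrameElementInternal()` dereferences `mScriptGlobal` with no null check, and nothing visible in the hunk guarantees it is set at this point in DoURILoad. Wrapping the lookup in `if (mScriptGlobal) {` would keep the fail-closed default, because `popupBlocked` starts out `true`. The permission lookup also uses `loadingNode->NodePrincipal()`, which appears to be the principal of the document that owns the frame element rather than of whoever triggered the load. If that choice is deliberate, it deserves a comment such as `// Permission is checked against the embedding document, not the framed content.` so a later reader does not take it for the triggering principal. DoURILoad's body starts and ends outside the hunk, so an earlier guard may already cover the null case.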