Bug 987003. Be more careful sandboxing javascript: URLs. r=bholley
author Boris Zbarsky <bzbarsky@mit.edu>
Wed, 26 Mar 2014 21:44:25 -0400
changeset 175586 ee9b3f32f16abda2e37e528582dd818ff31b0fee
parent 175585 e4eb3489b8ab0ce0fbb3b10fc23b226da69dd923
child 175587 475ee7cda2d116efd30a88aa21665a0c4bb980d2
push id 26494
push user cbook@mozilla.com
push date Thu, 27 Mar 2014 13:09:48 +0000
treeherder mozilla-central@d2ecc6d31622
reviewers bholley
bugs 987003
milestone 31.0a1
dom/src/jsurl/nsJSProtocolHandler.cpp
--- a/dom/src/jsurl/nsJSProtocolHandler.cpp
+++ b/dom/src/jsurl/nsJSProtocolHandler.cpp
@@ -275,17 +275,18 @@ nsresult nsJSThunk::EvaluateScript(nsICh
             // Treat this as returning undefined from the script.  That's what
             // nsJSContext does.
             return NS_ERROR_DOM_RETVAL_UNDEFINED;
         }
 
         nsIXPConnect *xpc = nsContentUtils::XPConnect();
 
         nsCOMPtr<nsIXPConnectJSObjectHolder> sandbox;
-        rv = xpc->CreateSandbox(cx, principal, getter_AddRefs(sandbox));
+        // Important: Use a null principal here
+        rv = xpc->CreateSandbox(cx, nullptr, getter_AddRefs(sandbox));
         NS_ENSURE_SUCCESS(rv, rv);
 
         // The nsXPConnect sandbox API gives us a wrapper to the sandbox for
         // our current compartment. Because our current context doesn't necessarily
         // subsume that of the sandbox, we want to unwrap and enter the sandbox's
         // compartment. It's a shame that the APIs here are so clunkly. :-(
         JS::Rooted<JSObject*> sandboxObj(cx, sandbox->GetJSObject());
         NS_ENSURE_STATE(sandboxObj);
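Review bot: The new comment above the CreateSandbox call says a null principal is important but not why, and the call expresses it as a bare `nullptr`, so a later reader could restore `principal` as an apparent cleanup. Suggest the comment name what the sandbox must not inherit from `principal` (with a pointer to bug 987003) and state that passing `nullptr` to CreateSandbox is what yields the null principal, or pass an explicitly constructed null principal so the intent is visible at the call site. A regression test showing that a javascript: URL evaluated on this path does not run with the caller's principal would also help; none appears in the diff shown here.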