Bug 870870 - Check message targets for about:healthreport. r=MattN, a=lizzard
authorGeorg Fritzsche <georg.fritzsche@googlemail.com>
Fri, 04 Mar 2016 14:59:15 +0100
changeset 337979 0ab8ea0c78f0aa6ba5277161e000368ed44f7afe
parent 337978 3ac92b42152fc8e895fe8e62d1b86471a6966dc3
child 337980 d1a286ad2ae64c2de6a77d4a7ee5be7cd04bcd4c
push id12404
push userjlund@mozilla.com
push dateTue, 08 Mar 2016 02:54:16 +0000
reviewersMattN, lizzard
bugs870870
milestone46.0a2
Bug 870870 - Check message targets for about:healthreport. r=MattN, a=lizzard
browser/base/content/abouthealthreport/abouthealth.js
--- a/browser/base/content/abouthealthreport/abouthealth.js
+++ b/browser/base/content/abouthealthreport/abouthealth.js
@@ -111,16 +111,25 @@ var healthReportWrapper = {
       content: content
     }
 
     let iframe = document.getElementById("remote-report");
     iframe.contentWindow.postMessage(data, reportUrl);
   },
 
   handleRemoteCommand: function (evt) {
+    // Do an origin check to harden against the frame content being loaded from unexpected locations.
+    let allowedPrincipal = Services.scriptSecurityManager.getCodebasePrincipal(this._getReportURI());
+    let targetPrincipal = evt.target.nodePrincipal;
+    if (!allowedPrincipal.equals(targetPrincipal)) {
+      Cu.reportError(`Origin check failed for message "${evt.detail.command}": ` +
+                     `target origin is "${targetPrincipal.origin}", expected "${allowedPrincipal.origin}"`);
+      return;
+    }
+
     switch (evt.detail.command) {
       case "DisableDataSubmission":
         this.setDataSubmission(false);
         break;
       case "EnableDataSubmission":
         this.setDataSubmission(true);
         break;
       case "RequestCurrentPrefs":