Bug 1234651 - Check view targets for possible unsafe content. r=IanN
authorFrank-Rainer Grahl <frgrahl@gmx.net>
Thu, 13 Jun 2019 21:42:05 +0200
changeset 35856 276536b6d831f5b580a71dfe6d146fafcf509545
parent 35855 eaeb15a4f6831405de12a16581fa22fb30160681
child 35857 c7602463fd80d2f00e012bcbb3c172b3754e0724
push id392
push userclokep@gmail.com
push dateMon, 02 Sep 2019 20:17:19 +0000
reviewersIanN
bugs1234651
Bug 1234651 - Check view targets for possible unsafe content. r=IanN imported patch 1234651-medianoscripts.patch
suite/base/content/nsContextMenu.js
--- a/suite/base/content/nsContextMenu.js
+++ b/suite/base/content/nsContextMenu.js
@@ -919,38 +919,44 @@ nsContextMenu.prototype = {
   },
 
   toggleImageSize: function() {
     content.document.toggleImageSize();
   },
 
   // Reload image
   reloadImage: function() {
-    urlSecurityCheck(this.mediaURL, this.target.nodePrincipal,
-                     Ci.nsIScriptSecurityManager.ALLOW_CHROME);
+    urlSecurityCheck(this.mediaURL,
+                     this.target.nodePrincipal,
+                     Ci.nsIScriptSecurityManager.DISALLOW_SCRIPT);
     if (this.target instanceof Ci.nsIImageLoadingContent)
       this.target.forceReload();
   },
 
   // Change current window to the URL of the image, video, or audio.
-  viewMedia: function(aEvent) {
-    var viewURL;
-    if (this.onCanvas)
-      viewURL = this.target.toDataURL();
-    else {
-      viewURL = this.mediaURL;
-      urlSecurityCheck(viewURL, this.target.nodePrincipal,
-                       Ci.nsIScriptSecurityManager.ALLOW_CHROME);
+  viewMedia(e) {
+    let doc = this.target.ownerDocument;
+    let where = whereToOpenLink(e);
+    if (this.onCanvas) {
+      let blobUrl = URL.createObjectURL(this.target);
+      let systemPrincipal = Services.scriptSecurityManager
+                                    .getSystemPrincipal();
+      openUILinkIn(blobUrl, where,
+                   { referrerURI: doc.documentURIObject,
+                     triggeringPrincipal: systemPrincipal,
+                   });
+    } else {
+      urlSecurityCheck(this.mediaURL,
+                       this.target.nodePrincipal,
+                       Ci.nsIScriptSecurityManager.DISALLOW_SCRIPT);
+      openUILinkIn(this.mediaURL, where,
+                   { referrerURI: doc.documentURIObject,
+                     triggeringPrincipal: this.target.nodePrincipal,
+                   });
     }
-    var doc = this.target.ownerDocument;
-    var where = whereToOpenLink(aEvent);
-    if (where == "current")
-      openTopWin(viewURL, doc.defaultView);
-    else
-      openUILinkIn(viewURL, where, null, null, doc.documentURIObject);
   },
 
   saveVideoFrameAsImage: function () {
     urlSecurityCheck(this.mediaURL, this.browser.contentPrincipal,
                      Ci.nsIScriptSecurityManager.DISALLOW_SCRIPT);
     var name = "snapshot.jpg";
     try {
       let uri = makeURI(this.mediaURL);
@@ -976,25 +982,27 @@ nsContextMenu.prototype = {
     var isPaused = this.target.paused && this.target.currentTime > 0;
     this.target.pause();
 
     openDialog("chrome://communicator/content/fullscreen-video.xhtml",
                "", "chrome,centerscreen,dialog=no", this.target, isPaused);
   },
 
   // Change current window to the URL of the background image.
-  viewBGImage: function(aEvent) {
-    urlSecurityCheck(this.bgImageURL, this.target.nodePrincipal,
-                     Ci.nsIScriptSecurityManager.ALLOW_CHROME);
-    var doc = this.target.ownerDocument;
-    var where = whereToOpenLink(aEvent);
-    if (where == "current")
-      openTopWin(this.bgImageURL, doc.defaultView);
-    else
-      openUILinkIn(this.bgImageURL, where, null, null, doc.documentURIObject);
+  viewBGImage(e) {
+    urlSecurityCheck(this.bgImageURL,
+                     this.target.nodePrincipal,
+                     Ci.nsIScriptSecurityManager.DISALLOW_SCRIPT);
+
+    let doc = this.target.ownerDocument;
+    let where = whereToOpenLink(e);
+    openUILinkIn(this.bgImageURL, where,
+                 { referrerURI: doc.documentURIObject,
+                   triggeringPrincipal: this.target.nodePrincipal,
+                 });
   },
 
   setDesktopBackground: function() {
     let url = (new URL(this.target.ownerDocument.location.href)).pathname;
     let imageName = url.substr(url.lastIndexOf("/") + 1);
     openDialog("chrome://communicator/content/setDesktopBackground.xul",
                "_blank", "chrome,modal,titlebar,centerscreen", this.target,
                imageName);