Bug 1092388 - Check the entry window before using it. r=bz, a=2.0+
authorBobby Holley <bobbyholley@gmail.com>
Mon, 08 Dec 2014 09:12:02 -0500
changeset 204293 2d0860bd0225
parent 204292 e40fe21e37f1
child 204294 34f9d6d2a5ac
child 204680 45722ba5fbd5
push id530
push userryanvm@gmail.com
push dateMon, 08 Dec 2014 14:12:07 +0000
reviewersbz, 2
bugs1092388
milestone32.0
Bug 1092388 - Check the entry window before using it. r=bz, a=2.0+
dom/base/nsGlobalWindow.cpp
--- a/dom/base/nsGlobalWindow.cpp
+++ b/dom/base/nsGlobalWindow.cpp
@@ -12649,18 +12649,28 @@ nsGlobalWindow::GetScrollFrame()
 }
 
 nsresult
 nsGlobalWindow::SecurityCheckURL(const char *aURL)
 {
   nsCOMPtr<nsPIDOMWindow> sourceWindow;
   JSContext* topCx = nsContentUtils::GetCurrentJSContext();
   if (topCx) {
-    sourceWindow = do_QueryInterface(nsJSUtils::GetDynamicScriptGlobal(topCx));
-  }
+    nsCOMPtr<nsPIDOMWindow> entryWindow =
+      do_QueryInterface(nsJSUtils::GetDynamicScriptGlobal(topCx));
+    if (entryWindow) {
+      nsIPrincipal* entryPrin =
+        static_cast<nsGlobalWindow*>(entryWindow.get())->GetPrincipal();
+      nsIPrincipal* subjectPrin = nsContentUtils::SubjectPrincipal();
+      if (subjectPrin->SubsumesConsideringDomain(entryPrin)) {
+        sourceWindow = entryWindow;
+      }
+    }
+  }
+
   if (!sourceWindow) {
     sourceWindow = this;
   }
   AutoJSContext cx;
   nsGlobalWindow* sourceWin = static_cast<nsGlobalWindow*>(sourceWindow.get());
   JSAutoCompartment ac(cx, sourceWin->GetGlobalJSObject());
 
   // Resolve the baseURI, which could be relative to the calling window.
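Review bot: The result of `GetPrincipal()` on the entry window is passed to `subjectPrin->SubsumesConsideringDomain(entryPrin)` without a null check. If an entry window can lack a principal at this point (its implementation is not visible in this hunk), the check should fail closed, so that the code falls back to `this`: `if (entryPrin && subjectPrin->SubsumesConsideringDomain(entryPrin)) {`. The new block would also benefit from a short comment stating the rule it enforces, for example `// Only treat the entry window as the source if the subject principal subsumes it; otherwise fall back to this window.`, because the chosen window then determines the compartment entered and the base URI resolved below. The body of SecurityCheckURL continues past the end of the hunk, so how `sourceWin` is used later cannot be confirmed from here.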