Bug 1238180 - Avoid unsafe CPOWs when opening Page / Frame / Image Info from the context menu. r=florian, a=sledru
authorMike Conley <mconley@mozilla.com>
Mon, 18 Jan 2016 11:24:47 -0500
changeset 310914 0ce166f4fec610dd1b3a99f348f19811c571b51b
parent 310913 b468f7200bc2978f7ed947de8d7c07bc03af015c
child 310915 b9bbb79d26520cc4bb632b34703fa025a42365ae
push id5513
push userraliiev@mozilla.com
push dateMon, 25 Jan 2016 13:55:34 +0000
treeherdermozilla-beta@5ee97dd05b5c [default view] [failures only]
reviewersflorian, sledru
bugs1238180
milestone45.0a2
Bug 1238180 - Avoid unsafe CPOWs when opening Page / Frame / Image Info from the context menu. r=florian, a=sledru
browser/base/content/browser.js
browser/base/content/nsContextMenu.js
browser/base/content/test/general/browser_bug460146.js
browser/base/content/test/general/browser_bug517902.js
--- a/browser/base/content/browser.js
+++ b/browser/base/content/browser.js
@@ -2317,26 +2317,32 @@ function BrowserViewSourceOfDocument(aAr
 function BrowserViewSource(browser) {
   BrowserViewSourceOfDocument({
     browser: browser,
     outerWindowID: browser.outerWindowID,
     URL: browser.currentURI.spec,
   });
 }
 
-// doc - document to use for source, or null for this window's document
+// documentURL - URL of the document to view, or null for this window's document
 // initialTab - name of the initial tab to display, or null for the first tab
 // imageElement - image to load in the Media Tab of the Page Info window; can be null/omitted
 // frameOuterWindowID - the id of the frame that the context menu opened in; can be null/omitted
-function BrowserPageInfo(doc, initialTab, imageElement, frameOuterWindowID) {
-  var args = {doc: doc, initialTab: initialTab, imageElement: imageElement,
-              frameOuterWindowID: frameOuterWindowID};
+function BrowserPageInfo(documentURL, initialTab, imageElement, frameOuterWindowID) {
+  if (documentURL instanceof HTMLDocument) {
+    Deprecated.warning("Please pass the location URL instead of the document " +
+                       "to BrowserPageInfo() as the first argument.",
+                       "https://bugzilla.mozilla.org/show_bug.cgi?id=1238180");
+    documentURL = documentURL.location;
+  }
+
+  let args = { initialTab, imageElement, frameOuterWindowID };
   var windows = Services.wm.getEnumerator("Browser:page-info");
 
-  var documentURL = doc ? doc.location : window.gBrowser.selectedBrowser.currentURI.spec;
+  documentURL = documentURL || window.gBrowser.selectedBrowser.currentURI.spec;
 
   // Check for windows matching the url
   while (windows.hasMoreElements()) {
     var currentWindow = windows.getNext();
     if (currentWindow.closed) {
       continue;
     }
     if (currentWindow.document.documentElement.getAttribute("relatedUrl") == documentURL) {
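Review bot: The compatibility branch in BrowserPageInfo assigns `documentURL.location`, a Location object, to a parameter that the updated comment documents as a URL, so the `relatedUrl` comparison at the end of the hunk only matches through `==` string coercion. That branch also still reads a property off the passed-in document, which is presumably the cross-process access this commit removes from its callers whenever the document is a CPOW. I would store a string instead, `documentURL = documentURL.location.href;`, and extend the comment above the function with `// Passing a document is deprecated (bug 1238180); pass its URL string instead.` The function body continues past the end of the hunk, so how `args` and `documentURL` are used afterwards is not visible here.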
--- a/browser/base/content/nsContextMenu.js
+++ b/browser/base/content/nsContextMenu.js
@@ -1079,34 +1079,33 @@ nsContextMenu.prototype = {
     BrowserViewSourceOfDocument({
       browser: this.browser,
       URL: gContextMenuContentData.docLocation,
       outerWindowID: this.frameOuterWindowID,
     });
   },
 
   viewInfo: function() {
-    BrowserPageInfo(this.target.ownerDocument.defaultView.top.document);
+    BrowserPageInfo();
   },
 
   viewImageInfo: function() {
-    BrowserPageInfo(this.target.ownerDocument.defaultView.top.document,
-                    "mediaTab", this.target);
+    BrowserPageInfo(null, "mediaTab", this.target);
   },
 
   viewImageDesc: function(e) {
     urlSecurityCheck(this.imageDescURL,
                      this.browser.contentPrincipal,
                      Ci.nsIScriptSecurityManager.DISALLOW_SCRIPT);
     openUILink(this.imageDescURL, e, { disallowInheritPrincipal: true,
                                        referrerURI: gContextMenuContentData.documentURIObject });
   },
 
   viewFrameInfo: function() {
-    BrowserPageInfo(this.target.ownerDocument, null, null,
+    BrowserPageInfo(gContextMenuContentData.docLocation, null, null,
                     this.frameOuterWindowID);
   },
 
   reloadImage: function() {
     urlSecurityCheck(this.mediaURL,
                      this.browser.contentPrincipal,
                      Ci.nsIScriptSecurityManager.DISALLOW_SCRIPT);
 
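Review bot: `viewImageInfo` still hands `this.target` to BrowserPageInfo as `imageElement`, so a content node keeps flowing into the Page Info window even though the document argument is gone. If that node is a CPOW in multi-process windows, any property the window reads from it is the same kind of unsafe access; the consumer is not visible on this page, so this needs confirming. The updated test in browser_bug517902.js passes `testImg` the same way. Consider passing plain data about the image rather than the element, or at least add `// imageElement may be a CPOW; Page Info must not read it synchronously` at the call. Separately, `viewInfo` now depends on the fallback to `window.gBrowser.selectedBrowser`, whereas `BrowserPageInfo(this.browser.currentURI.spec);` would tie the lookup to the browser the menu was opened on.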
--- a/browser/base/content/test/general/browser_bug460146.js
+++ b/browser/base/content/test/general/browser_bug460146.js
@@ -4,17 +4,18 @@ function test() {
   waitForExplicitFinish();
 
   gBrowser.selectedTab = gBrowser.addTab();
   
   gBrowser.selectedBrowser.addEventListener("load", function () {
     gBrowser.selectedBrowser.removeEventListener("load", arguments.callee, true);
 
     var doc = gBrowser.contentDocument;
-    var pageInfo = BrowserPageInfo(doc, "mediaTab");
+    var pageInfo = BrowserPageInfo(gBrowser.selectedBrowser.currentURI.spec,
+                                   "mediaTab");
 
     pageInfo.addEventListener("load", function () {
       pageInfo.removeEventListener("load", arguments.callee, true);
       pageInfo.onFinished.push(function () {
         executeSoon(function () {
           var imageTree = pageInfo.document.getElementById("imagetree");
           var imageRowsNum = imageTree.view.rowCount;
 
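Review bot: `var doc = gBrowser.contentDocument;` is no longer used by the BrowserPageInfo call after this change, and reading `contentDocument` from the chrome-side test is itself the kind of content access the commit is moving away from. If nothing later in the test uses `doc` (the function continues outside this hunk), the line should be dropped. Neither updated test exercises the deprecated HTMLDocument branch added in browser.js, so as far as this page shows that shim is untested.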
--- a/browser/base/content/test/general/browser_bug517902.js
+++ b/browser/base/content/test/general/browser_bug517902.js
@@ -5,17 +5,18 @@ function test() {
 
   gBrowser.selectedTab = gBrowser.addTab();
   
   gBrowser.selectedBrowser.addEventListener("load", function () {
     gBrowser.selectedBrowser.removeEventListener("load", arguments.callee, true);
 
     var doc = gBrowser.contentDocument;
     var testImg = doc.getElementById("test-image");
-    var pageInfo = BrowserPageInfo(doc, "mediaTab", testImg);
+    var pageInfo = BrowserPageInfo(gBrowser.selectedBrowser.currentURI.spec,
+                                   "mediaTab", testImg);
 
     pageInfo.addEventListener("load", function () {
       pageInfo.removeEventListener("load", arguments.callee, true);
       pageInfo.onFinished.push(function () {
         executeSoon(function () {
           var pageInfoImg = pageInfo.document.getElementById("thepreviewimage");
 
           is(pageInfoImg.src, testImg.src, "selected image has the correct source");