Bug 1462077 - Part 2: Add a release assert in ClientHandle::Control() that enforces same-origin policy. r=asuth, a=RyanVM
authorBen Kelly <ben@wanderview.com>
Wed, 16 May 2018 14:18:36 -0700
changeset 470831 39f739efe104
parent 470830 d5c088330e6b
child 470832 0315d341f73f
push id9235
push userryanvm@gmail.com
push date2018-05-17 13:49 +0000
treeherdermozilla-beta@39f739efe104 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersasuth, RyanVM
bugs1462077
milestone61.0
Bug 1462077 - Part 2: Add a release assert in ClientHandle::Control() that enforces same-origin policy. r=asuth, a=RyanVM
dom/clients/manager/ClientHandle.cpp
--- a/dom/clients/manager/ClientHandle.cpp
+++ b/dom/clients/manager/ClientHandle.cpp
@@ -4,16 +4,17 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "ClientHandle.h"
 
 #include "ClientHandleChild.h"
 #include "ClientHandleOpChild.h"
 #include "ClientManager.h"
+#include "ClientPrincipalUtils.h"
 #include "ClientState.h"
 #include "mozilla/dom/PClientManagerChild.h"
 #include "mozilla/dom/ServiceWorkerDescriptor.h"
 #include "mozilla/dom/ipc/StructuredCloneData.h"
 
 namespace mozilla {
 namespace dom {
 
@@ -117,16 +118,21 @@ ClientHandle::Info() const
 }
 
 RefPtr<GenericPromise>
 ClientHandle::Control(const ServiceWorkerDescriptor& aServiceWorker)
 {
   RefPtr<GenericPromise::Private> outerPromise =
     new GenericPromise::Private(__func__);
 
+  // We should never have a cross-origin controller.  Since this would be
+  // same-origin policy violation we do a full release assertion here.
+  MOZ_RELEASE_ASSERT(ClientMatchPrincipalInfo(mClientInfo.PrincipalInfo(),
+                                              aServiceWorker.PrincipalInfo()));
+
   StartOp(ClientControlledArgs(aServiceWorker.ToIPC()),
     [outerPromise](const ClientOpResult& aResult) {
       outerPromise->Resolve(true, __func__);
     },
     [outerPromise](const ClientOpResult& aResult) {
       outerPromise->Reject(aResult.get_nsresult(), __func__);
     });