Bug 803870 - Compare the subject with the outer window for History. r=bz, a=lsblakk
authorBobby Holley <bobbyholley@gmail.com>
Wed, 20 Feb 2013 08:37:21 -0800
changeset 127596 98579b64434a77fd7f131f39819e3a5821bc51b3
parent 127595 43474580e1da1414a64b0a36711af2d0a66f24f7
child 127597 d548d3afbaf5f8e7b460eac4afd1c47b0573ffd9
push id2185
push userryanvm@gmail.com
push dateMon, 25 Feb 2013 16:59:57 +0000
treeherdermozilla-beta@4e196e32e74d [default view] [failures only]
reviewersbz, lsblakk
bugs803870
milestone20.0
Bug 803870 - Compare the subject with the outer window for History. r=bz, a=lsblakk
dom/base/nsHistory.cpp
--- a/dom/base/nsHistory.cpp
+++ b/dom/base/nsHistory.cpp
@@ -60,16 +60,20 @@ NS_INTERFACE_MAP_END
 
 NS_IMPL_ADDREF(nsHistory)
 NS_IMPL_RELEASE(nsHistory)
 
 
 NS_IMETHODIMP
 nsHistory::GetLength(int32_t* aLength)
 {
+  nsCOMPtr<nsPIDOMWindow> win(do_QueryReferent(mInnerWindow));
+  if (!win || !nsContentUtils::CanCallerAccess(win->GetOuterWindow()))
+    return NS_ERROR_DOM_SECURITY_ERR;
+
   nsCOMPtr<nsISHistory>   sHistory;
 
   // Get session History from docshell
   GetSessionHistoryFromDocShell(GetDocShell(), getter_AddRefs(sHistory));
   NS_ENSURE_TRUE(sHistory, NS_ERROR_FAILURE);
   return sHistory->GetCount(aLength);
 }
 
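Review bot: The same three-line access guard is pasted into GetLength here and again into Back, Forward and Go in the next hunk, each time with an unbraced `if` and no comment saying why the outer window is the object being compared. For a security check, one private helper called from all four methods (for example `bool CallerCanAccessHistory()`, name illustrative) would keep the copies from drifting apart. It would also give the rationale a single home, e.g. `// Session history belongs to the outer window, so the caller must be able to access that, not just the inner window.` The guard relies on `CanCallerAccess` returning false when `GetOuterWindow()` is null; that is not visible on this page and is worth confirming so the check fails closed. Whether the other nsHistory entry points (GetNext and similar) carry an equivalent check cannot be seen from these hunks.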
@@ -167,48 +171,60 @@ nsHistory::GetNext(nsAString& aNext)
   CopyUTF8toUTF16(nextURL, aNext);
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsHistory::Back()
 {
+  nsCOMPtr<nsPIDOMWindow> win(do_QueryReferent(mInnerWindow));
+  if (!win || !nsContentUtils::CanCallerAccess(win->GetOuterWindow()))
+    return NS_ERROR_DOM_SECURITY_ERR;
+
   nsCOMPtr<nsISHistory>  sHistory;
 
   GetSessionHistoryFromDocShell(GetDocShell(), getter_AddRefs(sHistory));
   NS_ENSURE_TRUE(sHistory, NS_ERROR_FAILURE);
 
   //QI SHistory to WebNavigation
   nsCOMPtr<nsIWebNavigation> webNav(do_QueryInterface(sHistory));
   NS_ENSURE_TRUE(webNav, NS_ERROR_FAILURE);
   webNav->GoBack();
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsHistory::Forward()
 {
+  nsCOMPtr<nsPIDOMWindow> win(do_QueryReferent(mInnerWindow));
+  if (!win || !nsContentUtils::CanCallerAccess(win->GetOuterWindow()))
+    return NS_ERROR_DOM_SECURITY_ERR;
+
   nsCOMPtr<nsISHistory>  sHistory;
 
   GetSessionHistoryFromDocShell(GetDocShell(), getter_AddRefs(sHistory));
   NS_ENSURE_TRUE(sHistory, NS_ERROR_FAILURE);
 
   //QI SHistory to WebNavigation
   nsCOMPtr<nsIWebNavigation> webNav(do_QueryInterface(sHistory));
   NS_ENSURE_TRUE(webNav, NS_ERROR_FAILURE);
   webNav->GoForward();
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsHistory::Go(int32_t aDelta)
 {
+  nsCOMPtr<nsPIDOMWindow> win(do_QueryReferent(mInnerWindow));
+  if (!win || !nsContentUtils::CanCallerAccess(win->GetOuterWindow()))
+    return NS_ERROR_DOM_SECURITY_ERR;
+
   if (aDelta == 0) {
     nsCOMPtr<nsPIDOMWindow> window(do_GetInterface(GetDocShell()));
 
     if (window && window->IsHandlingResizeEvent()) {
       // history.go(0) (aka location.reload()) was called on a window
       // that is handling a resize event. Sites do this since Netscape
       // 4.x needed it, but we don't, and it's a horrible experience
       // for nothing.  In stead of reloading the page, just clear