Bug 870870 - Check message targets for about:healthreport. r=MattN
authorGeorg Fritzsche <georg.fritzsche@googlemail.com>
Fri, 04 Mar 2016 14:59:15 +0100
changeset 323243 99715b34b2da77b852af02c88582ead186ef6d24
parent 323242 7ea58667c988dd692454325361aea810a3792f00
child 323244 04a5b3cbda15f468ac1372c0f1e953a15fe1d88f
push id5913
push userjlund@mozilla.com
push dateMon, 25 Apr 2016 16:57:49 +0000
treeherdermozilla-beta@dcaf0a6fa115 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersMattN
bugs870870
milestone47.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 870870 - Check message targets for about:healthreport. r=MattN
browser/base/content/abouthealthreport/abouthealth.js
--- a/browser/base/content/abouthealthreport/abouthealth.js
+++ b/browser/base/content/abouthealthreport/abouthealth.js
@@ -105,16 +105,25 @@ var healthReportWrapper = {
       content: content
     }
 
     let iframe = document.getElementById("remote-report");
     iframe.contentWindow.postMessage(data, reportUrl);
   },
 
   handleRemoteCommand: function (evt) {
+    // Do an origin check to harden against the frame content being loaded from unexpected locations.
+    let allowedPrincipal = Services.scriptSecurityManager.getCodebasePrincipal(this._getReportURI());
+    let targetPrincipal = evt.target.nodePrincipal;
+    if (!allowedPrincipal.equals(targetPrincipal)) {
+      Cu.reportError(`Origin check failed for message "${evt.detail.command}": ` +
+                     `target origin is "${targetPrincipal.origin}", expected "${allowedPrincipal.origin}"`);
+      return;
+    }
+
     switch (evt.detail.command) {
       case "DisableDataSubmission":
         this.setDataSubmission(false);
         break;
       case "EnableDataSubmission":
         this.setDataSubmission(true);
         break;
       case "RequestCurrentPrefs":