Bug 1227462 - tabs.create and tabs.update should check URLs using checkLoadURL. r=kmag
authorLuca Greco <lgreco@mozilla.com>
Thu, 25 Feb 2016 18:13:59 +0100
changeset 322079 cc5fbcbece9418293f6dcbd8c4a20a76cb1799fc
parent 322078 47b157eeda54049a18218b9e64e768e56014d5b0
child 322080 5efb021d57d9b1dcd8a922eff2dbea4d886b8bb3
push id5913
push userjlund@mozilla.com
push dateMon, 25 Apr 2016 16:57:49 +0000
treeherdermozilla-beta@dcaf0a6fa115 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerskmag
bugs1227462
milestone47.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1227462 - tabs.create and tabs.update should check URLs using checkLoadURL. r=kmag MozReview-Commit-ID: EKFRpoSuXrF
browser/components/extensions/ext-tabs.js
toolkit/components/extensions/ExtensionUtils.jsm
--- a/browser/components/extensions/ext-tabs.js
+++ b/browser/components/extensions/ext-tabs.js
@@ -392,26 +392,30 @@ extensions.registerSchemaAPI("tabs", nul
           AllWindowEvents.removeListener("progress", progressListener);
           AllWindowEvents.removeListener("TabAttrModified", listener);
           AllWindowEvents.removeListener("TabPinned", listener);
           AllWindowEvents.removeListener("TabUnpinned", listener);
         };
       }).api(),
 
       create: function(createProperties) {
-        return new Promise(resolve => {
+        return new Promise((resolve, reject) => {
           function createInWindow(window) {
             let url;
+
             if (createProperties.url !== null) {
               url = context.uri.resolve(createProperties.url);
-            } else {
-              url = window.BROWSER_NEW_TAB_URL;
+
+              if (!context.checkLoadURL(url, {dontReportErrors: true})) {
+                reject({message: `URL not allowed: ${url}`});
+                return;
+              }
             }
 
-            let tab = window.gBrowser.addTab(url);
+            let tab = window.gBrowser.addTab(url || window.BROWSER_NEW_TAB_URL);
 
             let active = true;
             if (createProperties.active !== null) {
               active = createProperties.active;
             }
             if (active) {
               window.gBrowser.selectedTab = tab;
             }
@@ -455,20 +459,33 @@ extensions.registerSchemaAPI("tabs", nul
           tab.ownerDocument.defaultView.gBrowser.removeTab(tab);
         }
 
         return Promise.resolve();
       },
 
       update: function(tabId, updateProperties) {
         let tab = tabId !== null ? TabManager.getTab(tabId) : TabManager.activeTab;
+
+        if (!tab) {
+          return Promise.reject({message: `No tab found with tabId: ${tabId}`});
+        }
+
         let tabbrowser = tab.ownerDocument.defaultView.gBrowser;
+
         if (updateProperties.url !== null) {
-          tab.linkedBrowser.loadURI(updateProperties.url);
+          let url = context.uri.resolve(updateProperties.url);
+
+          if (!context.checkLoadURL(url, {dontReportErrors: true})) {
+            return Promise.reject({message: `URL not allowed: ${url}`});
+          }
+
+          tab.linkedBrowser.loadURI(url);
         }
+
         if (updateProperties.active !== null) {
           if (updateProperties.active) {
             tabbrowser.selectedTab = tab;
           } else {
             // Not sure what to do here? Which tab should we select?
           }
         }
         if (updateProperties.muted !== null) {
--- a/toolkit/components/extensions/ExtensionUtils.jsm
+++ b/toolkit/components/extensions/ExtensionUtils.jsm
@@ -145,16 +145,19 @@ class BaseContext {
 
     let flags = ssm.STANDARD;
     if (!options.allowScript) {
       flags |= ssm.DISALLOW_SCRIPT;
     }
     if (!options.allowInheritsPrincipal) {
       flags |= ssm.DISALLOW_INHERIT_PRINCIPAL;
     }
+    if (options.dontReportErrors) {
+      flags |= ssm.DONT_REPORT_ERRORS;
+    }
 
     try {
       ssm.checkLoadURIStrWithPrincipal(this.principal, url, flags);
     } catch (e) {
       return false;
     }
     return true;
   }