Bug 1082734 - Disable location.searchParams for cross-origin insecure data access. r=bz, a=lmandel
authorAndrea Marchesini <amarchesini@mozilla.com>
Wed, 05 Nov 2014 17:10:59 -0500
changeset 225954 d8080081d33a
parent 225953 decaff6b28c7
child 225955 c8d99c0a36d9
push id4082
push userryanvm@gmail.com
push date2014-11-05 22:11 +0000
treeherdermozilla-beta@d8080081d33a [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersbz, lmandel
bugs1082734
milestone34.0
Bug 1082734 - Disable location.searchParams for cross-origin insecure data access. r=bz, a=lmandel
dom/base/test/mochitest.ini
dom/base/test/test_location_searchParams.html
dom/webidl/HTMLAnchorElement.webidl
dom/webidl/HTMLAreaElement.webidl
dom/webidl/Location.webidl
dom/webidl/URL.webidl
dom/webidl/URLUtils.webidl
--- a/dom/base/test/mochitest.ini
+++ b/dom/base/test/mochitest.ini
@@ -45,17 +45,16 @@ skip-if = buildapp == 'mulet' || buildap
 [test_gsp-standards.html]
 [test_getFeature_with_perm.html]
 [test_getFeature_without_perm.html]
 [test_hasFeature.html]
 [test_history_document_open.html]
 [test_history_state_null.html]
 [test_Image_constructor.html]
 [test_innersize_scrollport.html]
-[test_location_searchParams.html]
 [test_messageChannel.html]
 [test_messageChannel_cloning.html]
 [test_messageChannel_pingpong.html]
 [test_messageChannel_post.html]
 [test_messageChannel_pref.html]
 [test_messageChannel_start.html]
 [test_messagemanager_targetchain.html]
 [test_messageChannel_transferable.html]
deleted file mode 100644
--- a/dom/base/test/test_location_searchParams.html
+++ /dev/null
@@ -1,89 +0,0 @@
-
-<!DOCTYPE HTML>
-<html>
-<!--
-https://bugzilla.mozilla.org/show_bug.cgi?id=1037715
--->
-<head>
-  <meta charset="utf-8">
-  <title>Test for Bug 1037715</title>
-  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
-</head>
-<body>
-  <a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1037715">Mozilla Bug 1037715</a>
-  <iframe id="a"></iframe>
-  <script type="application/javascript">
-
-var l;
-
-var iframe = document.getElementById('a');
-function onload0() {
-  iframe.removeEventListener('load', onload0);
-
-  l = iframe.contentWindow.location;
-  is(l.searchParams.get('a'), 'test0', 'l.searchParams value is ok');
-
-  info('changing location from JS...');
-  iframe.addEventListener('load', onload1);
-  iframe.contentWindow.location.href = 'file_empty.html?a=test1';
-}
-
-function onload1() {
-  iframe.removeEventListener('load', onload1);
-
-  var ll = iframe.contentWindow.location;
-  is(ll.searchParams.get('a'), 'test1', 'location.searchParams value is ok');
-  is(l.searchParams.get('a'), 'test1', 'l.searchParams value is ok');
-  isnot(ll.searchParams, l.searchParams, '2 different objects.');
-
-  info('changing location using l.searchParams...');
-  iframe.addEventListener('load', onload2);
-  l.searchParams.set('a', 'test2');
-}
-
-function onload2() {
-  iframe.removeEventListener('load', onload2);
-
-  var ll = iframe.contentWindow.location;
-  is(ll.searchParams.get('a'), 'test2', 'location.searchParams value is ok');
-  is(l.searchParams.get('a'), 'test2', 'l.searchParams value is ok');
-  isnot(ll.searchParams, l.searchParams, '2 different objects.');
-
-  info('changing iframe.src...');
-  iframe.addEventListener('load', onload3);
-  l.search = 'a=test3';
-}
-
-function onload3() {
-  iframe.removeEventListener('load', onload3);
-
-  var ll = iframe.contentWindow.location;
-  is(ll.searchParams.get('a'), 'test3', 'location.searchParams value is ok');
-  is(l.searchParams.get('a'), 'test3', 'l.searchParams value is ok');
-  isnot(ll.searchParams, l.searchParams, '2 different objects.');
-
-  info('changing iframe.src...');
-  iframe.addEventListener('load', onload4);
-  iframe.src = 'file_empty.html?a=test4';
-}
-
-function onload4() {
-  iframe.removeEventListener('load', onload4);
-
-  var ll = iframe.contentWindow.location;
-  is(ll.searchParams.get('a'), 'test4', 'location.searchParams value is ok');
-  is(l.searchParams.get('a'), 'test4', 'l.searchParams value is ok');
-  isnot(ll.searchParams, l.searchParams, '2 different objects.');
-
-  SimpleTest.finish();
-}
-
-iframe.addEventListener('load', onload0);
-iframe.src = "file_empty.html?a=test0";
-SimpleTest.waitForExplicitFinish();
-
-  </script>
-
-</body>
-</html>
--- a/dom/webidl/HTMLAnchorElement.webidl
+++ b/dom/webidl/HTMLAnchorElement.webidl
@@ -26,16 +26,17 @@ interface HTMLAnchorElement : HTMLElemen
            attribute DOMString hreflang;
            [SetterThrows]
            attribute DOMString type;
 
            [SetterThrows]
            attribute DOMString text;
 };
 HTMLAnchorElement implements URLUtils;
+HTMLAnchorElement implements URLUtilsSearchParams;
 
 // http://www.whatwg.org/specs/web-apps/current-work/#other-elements,-attributes-and-apis
 partial interface HTMLAnchorElement {
            [SetterThrows]
            attribute DOMString coords;
            [SetterThrows]
            attribute DOMString charset;
            [SetterThrows]
--- a/dom/webidl/HTMLAreaElement.webidl
+++ b/dom/webidl/HTMLAreaElement.webidl
@@ -33,14 +33,15 @@ interface HTMLAreaElement : HTMLElement 
   // not implemented.
   //
   //       [SetterThrows]
   //       attribute DOMString hreflang;
   //       [SetterThrows]
   //       attribute DOMString type;
 };
 HTMLAreaElement implements URLUtils;
+HTMLAreaElement implements URLUtilsSearchParams;
 
 // http://www.whatwg.org/specs/web-apps/current-work/#other-elements,-attributes-and-apis
 partial interface HTMLAreaElement {
            [SetterThrows]
            attribute boolean noHref;
 };
--- a/dom/webidl/Location.webidl
+++ b/dom/webidl/Location.webidl
@@ -16,10 +16,11 @@ interface Location {
   [Throws]
   void assign(DOMString url);
   [Throws, CrossOriginCallable]
   void replace(DOMString url);
   // XXXbz there is no forceget argument in the spec!  See bug 1037721.
   [Throws]
   void reload(optional boolean forceget = false);
 };
-// No support for .searchParams on Location yet.  See bug 1037715.
+// No support for .searchParams on Location yet.  See bug 1082734.
+
 Location implements URLUtils;
--- a/dom/webidl/URL.webidl
+++ b/dom/webidl/URL.webidl
@@ -14,16 +14,17 @@
 
 // [Constructor(DOMString url, optional (URL or DOMString) base = "about:blank")]
 [Constructor(DOMString url, URL base),
  Constructor(DOMString url, optional DOMString base = "about:blank"),
  Exposed=(Window,Worker)]
 interface URL {
 };
 URL implements URLUtils;
+URL implements URLUtilsSearchParams;
 
 partial interface URL {
   [Throws]
   static DOMString? createObjectURL(Blob blob, optional objectURLOptions options);
   [Throws]
   static DOMString? createObjectURL(MediaStream stream, optional objectURLOptions options);
   static void revokeObjectURL(DOMString url);
 };
--- a/dom/webidl/URLUtils.webidl
+++ b/dom/webidl/URLUtils.webidl
@@ -35,17 +35,21 @@ interface URLUtils {
            attribute DOMString hostname;
   [Throws]
            attribute DOMString port;
   [Throws]
            attribute DOMString pathname;
   [Throws]
            attribute DOMString search;
 
-           attribute URLSearchParams searchParams;
-
   [Throws]
            attribute DOMString hash;
 
   // Bug 824857 should remove this.
   [Throws]
   stringifier;
 };
+
+[NoInterfaceObject,
+ Exposed=(Window, Worker)]
+interface URLUtilsSearchParams {
+           attribute URLSearchParams searchParams;
+};