Bug 1019417 - When enumerating the window, make sure to not enumerate frame names that we wouldn't actually expose. r=bholley, a=sledru
authorBoris Zbarsky <bzbarsky@mit.edu>
Tue, 10 Jun 2014 22:50:21 -0400
changeset 208029 04c3fc11907f6a609698d5180ad9bc1f486ab755
parent 208028 6af0d2cc3773873fcb38277575a35219b031a401
child 208030 1d4e44c323837f93f2d03664e5de27a9f1a1fd35
push id494
push userraliiev@mozilla.com
push dateMon, 25 Aug 2014 18:42:16 +0000
reviewersbholley, sledru
bugs1019417
milestone32.0a2
Bug 1019417 - When enumerating the window, make sure to not enumerate frame names that we wouldn't actually expose. r=bholley, a=sledru
dom/base/WindowNamedPropertiesHandler.cpp
dom/base/test/file_setname.html
dom/base/test/mochitest.ini
dom/base/test/test_window_named_frame_enumeration.html
--- a/dom/base/WindowNamedPropertiesHandler.cpp
+++ b/dom/base/WindowNamedPropertiesHandler.cpp
@@ -171,16 +171,25 @@ WindowNamedPropertiesHandler::ownPropNam
                                            JS::Handle<JSObject*> aProxy,
                                            unsigned flags,
                                            JS::AutoIdVector& aProps)
 {
   // Grab the DOM window.
   nsGlobalWindow* win = GetWindowFromGlobal(JS_GetGlobalForObject(aCx, aProxy));
   nsTArray<nsString> names;
   win->GetSupportedNames(names);
+  // Filter out the ones we wouldn't expose from getOwnPropertyDescriptor.
+  // We iterate backwards so we can remove things from the list easily.
+  for (size_t i = names.Length(); i > 0; ) {
+    --i; // Now we're pointing at the next name we want to look at
+    nsIDOMWindow* childWin = win->GetChildWindow(names[i]);
+    if (!childWin || !ShouldExposeChildWindow(names[i], childWin)) {
+      names.RemoveElementAt(i);
+    }
+  }
   if (!AppendNamedPropertyIds(aCx, aProxy, names, false, aProps)) {
     return false;
   }
 
   names.Clear();
   nsCOMPtr<nsIHTMLDocument> htmlDoc = do_QueryInterface(win->GetExtantDoc());
   if (!htmlDoc) {
     return true;
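Review bot: The filter loop added at lines 33-39 re-derives the exposure rule inline (`!childWin || !ShouldExposeChildWindow(names[i], childWin)`) rather than sharing it with the getOwnPropertyDescriptor path the comment refers to, so a later change to that path's rule that is not mirrored here reopens exactly the gap this commit closes — enumeration disclosing a frame name the descriptor path refuses. Consider hoisting the lookup-plus-check into one helper both paths call, or at minimum anchoring the two with `// Keep in sync with the child-window exposure check in getOwnPropertyDescriptor.` so the coupling is visible to the next editor. Binding `const nsString& name = names[i];` once at the top of the loop body would also avoid the repeated index on the two following lines. ownPropNames' signature begins before the hunk and its body continues past it.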
new file mode 100644
--- /dev/null
+++ b/dom/base/test/file_setname.html
@@ -0,0 +1,8 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <script>
+      window.name = location.search.substring(1);
+    </script>
+  </head>
+</html>
--- a/dom/base/test/mochitest.ini
+++ b/dom/base/test/mochitest.ini
@@ -2,16 +2,17 @@
 support-files =
   audio.ogg
   iframe_messageChannel_cloning.html
   iframe_messageChannel_chrome.html
   iframe_messageChannel_pingpong.html
   iframe_messageChannel_post.html
   file_empty.html
   iframe_postMessage_solidus.html
+  file_setname.html
 
 [test_Image_constructor.html]
 [test_appname_override.html]
 [test_audioWindowUtils.html]
 [test_audioNotification.html]
 [test_bug793311.html]
 [test_bug913761.html]
 [test_bug978522.html]
@@ -64,9 +65,10 @@ skip-if = (buildapp == 'b2g' && toolkit 
 [test_urlExceptions.html]
 [test_urlSearchParams.html]
 [test_urlutils_stringify.html]
 [test_window_constructor.html]
 [test_window_cross_origin_props.html]
 [test_window_enumeration.html]
 [test_window_extensible.html]
 [test_window_indexing.html]
+[test_window_named_frame_enumeration.html]
 [test_writable-replaceable.html]
new file mode 100644
--- /dev/null
+++ b/dom/base/test/test_window_named_frame_enumeration.html
@@ -0,0 +1,96 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=1019417
+-->
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 1019417</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+  <script type="application/javascript">
+
+  /** Test for Bug 1019417 **/
+  SimpleTest.waitForExplicitFinish();
+  addLoadEvent(function() {
+    var names1 = Object.getOwnPropertyNames(window);
+    var names2 = [];
+    var gsp = Object.getPrototypeOf(Window.prototype);
+    var names3 = Object.getOwnPropertyNames(gsp);
+    for (var i in window) {
+      names2.push(i);
+    }
+
+    is(names1.indexOf(""), -1,
+       "Frame with no name or empty name should not be in our own prop list");
+    is(names2.indexOf(""), -1,
+       "Frame with no name or empty name should not be in our enumeration list");
+    is(names3.indexOf(""), -1,
+       "Frame with no name or empty name should not be in GSP own prop list");
+    is(names1.indexOf("x"), -1,
+       "Frame with about:blank loaded should not be in our own prop list");
+    isnot(names2.indexOf("x"), -1,
+          "Frame with about:blank loaded should be in our enumeration list");
+    isnot(names3.indexOf("x"), -1,
+          "Frame with about:blank loaded should be in GSP own prop list");
+    is(names1.indexOf("y"), -1,
+       "Frame with same-origin loaded should not be in our own prop list");
+    isnot(names2.indexOf("y"), -1,
+          "Frame with same-origin loaded should be in our enumeration list");
+    isnot(names3.indexOf("y"), -1,
+          "Frame with same-origin loaded should be in GSP own prop list");
+    is(names1.indexOf("z"), -1,
+       "Frame with cross-origin loaded should not be in our own prop list");
+    isnot(names2.indexOf("z"), -1,
+          "Frame with cross-origin loaded should be in our enumeration list");
+    isnot(names3.indexOf("z"), -1,
+          "Frame with cross-origin loaded should be in GSPown prop list");
+    is(names1.indexOf("sameorigin"), -1,
+          "Frame with same-origin changed name should not be in our own prop list");
+    isnot(names2.indexOf("sameorigin"), -1,
+          "Frame with same-origin changed name should be in our enumeration list");
+    isnot(names3.indexOf("sameorigin"), -1,
+          "Frame with same-origin changed name should be in GSP own prop list");
+    is(names1.indexOf("crossorigin"), -1,
+       "Frame with cross-origin changed name should not be in our own prop list");
+    is(names2.indexOf("crossorigin"), -1,
+       "Frame with cross-origin changed name should not be in our enumeration list");
+    is(names3.indexOf("crossorigin"), -1,
+       "Frame with cross-origin changed name should not be in GSP own prop list");
+
+    ise(Object.getOwnPropertyDescriptor(gsp, ""), undefined,
+        "Should not have empty string as a named frame");
+    isnot(Object.getOwnPropertyDescriptor(gsp, "x"), undefined,
+        "Should have about:blank subframe as a named frame");
+    isnot(Object.getOwnPropertyDescriptor(gsp, "y"), undefined,
+        "Should have same-origin subframe as a named frame");
+    isnot(Object.getOwnPropertyDescriptor(gsp, "z"), undefined,
+        "Should have cross-origin subframe as a named frame");
+    isnot(Object.getOwnPropertyDescriptor(gsp, "sameorigin"), undefined,
+          "Should have same-origin changed name as a named frame");
+    ise(Object.getOwnPropertyDescriptor(gsp, "crossorigin"), undefined,
+        "Should not have cross-origin-origin changed name as a named frame");
+    SimpleTest.finish();
+  });
+  </script>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1019417">Mozilla Bug 1019417</a>
+<p id="display"></p>
+<div id="content" style="display: none">
+<iframe></iframe>
+<iframe name=""></iframe>
+<iframe name="x"></iframe>
+<iframe name="y"
+        src="http://mochi.test:8888/tests/dom/base/test/file_empty.html"></iframe>
+<iframe name="z"
+        src="http://example.com/tests/dom/base/test/file_empty.html"></iframe>
+<iframe name="v"
+        src="http://mochi.test:8888/tests/dom/base/test/file_setname.html?sameorigin"></iframe>
+<iframe name="w"
+        src="http://example.com/tests/dom/base/test/file_setname.html?crossorigin"></iframe>
+</div>
+<pre id="test">
+</pre>
+</body>
+</html>
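Review bot: Two assertion messages in the new test carry typos that will show up verbatim in failure logs: line 141 reads `"... should be in GSPown prop list"` (missing space) and line 166 reads `"Should not have cross-origin-origin changed name ..."` (doubled "-origin"); the surrounding messages give the intended wording. Everything else in the new test reads consistently with the three-way own-props / enumeration / GSP-own-props structure.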