Bug 1543694 - Prevent content from adding place flavors to a DataTransfer. r=NeilDeakin a=pascalc
authorMarco Bonardo <mbonardo@mozilla.com>
Thu, 11 Apr 2019 17:12:06 +0000
changeset 526171 3c781347296418c3bf05f3aef1946bad319026e2
parent 526170 a6f8f9268f44f2cf8bce93ed2b5719f09a0cb7df
child 526172 3445cafb3544d9415a9151f1e0234f547f23ccb4
push id2032
push userffxbld-merge
push dateMon, 13 May 2019 09:36:57 +0000
treeherdermozilla-release@455c1065dcbe [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersNeilDeakin, pascalc
bugs1543694
milestone67.0
Bug 1543694 - Prevent content from adding place flavors to a DataTransfer. r=NeilDeakin a=pascalc Differential Revision: https://phabricator.services.mozilla.com/D27121
dom/events/DataTransfer.cpp
dom/tests/mochitest/general/test_clipboard_disallowed.html
--- a/dom/events/DataTransfer.cpp
+++ b/dom/events/DataTransfer.cpp
@@ -34,16 +34,17 @@
 #include "mozilla/dom/DataTransferItemList.h"
 #include "mozilla/dom/Directory.h"
 #include "mozilla/dom/Element.h"
 #include "mozilla/dom/FileList.h"
 #include "mozilla/dom/BindingUtils.h"
 #include "mozilla/dom/OSFileSystem.h"
 #include "mozilla/dom/Promise.h"
 #include "nsNetUtil.h"
+#include "nsReadableUtils.h"
 
 #define MOZ_CALLS_ENABLED_PREF "dom.datatransfer.mozAtAPIs"
 
 namespace mozilla {
 namespace dom {
 
 NS_IMPL_CYCLE_COLLECTION_CLASS(DataTransfer)
 
@@ -615,17 +616,28 @@ bool DataTransfer::PrincipalMaySetData(c
     }
 
     if (aType.EqualsASCII(kFileMime) || aType.EqualsASCII(kFilePromiseMime)) {
       NS_WARNING(
           "Disallowing adding x-moz-file or x-moz-file-promize types to "
           "DataTransfer");
       return false;
     }
+
+    // Disallow content from creating x-moz-place flavors, so that it cannot
+    // create fake Places smart queries exposing user data, but give a free
+    // pass to WebExtensions.
+    auto principal = BasePrincipal::Cast(aPrincipal);
+    if (!principal->AddonPolicy() &&
+        StringBeginsWith(aType, NS_LITERAL_STRING("text/x-moz-place"))) {
+      NS_WARNING("Disallowing adding moz-place types to DataTransfer");
+      return false;
+    }
   }
+
   return true;
 }
 
 void DataTransfer::TypesListMayHaveChanged() {
   DataTransfer_Binding::ClearCachedTypesValue(this);
 }
 
 already_AddRefed<DataTransfer> DataTransfer::MozCloneForEvent(
--- a/dom/tests/mochitest/general/test_clipboard_disallowed.html
+++ b/dom/tests/mochitest/general/test_clipboard_disallowed.html
@@ -35,16 +35,31 @@ function checkAllowed(event)
     clipboardData.setData("application/x-moz-file-promise", "Test");
   } catch(ex) {
     exception = ex;
   }
   is(String(exception).indexOf("SecurityError"), 0, "Cannot set file promise");
 
   exception = null;
   try {
+    clipboardData.setData("text/x-moz-place", "Test");
+  } catch(ex) {
+    exception = ex;
+  }
+  is(String(exception).indexOf("SecurityError"), 0, "Cannot set place");
+  exception = null;
+  try {
+    clipboardData.setData("text/x-moz-place-container", "Test");
+  } catch(ex) {
+    exception = ex;
+  }
+  is(String(exception).indexOf("SecurityError"), 0, "Cannot set place container");
+
+  exception = null;
+  try {
     clipboardData.setData("application/something", "This is data");
   } catch(ex) {
     exception = ex;
   }
   is(exception, null, "Can set custom data to a string");
   SimpleTest.finish();
 }