Bug 996069 - Part 3: Stop inheriting nsEP when window.open is called. r=bz, a=lsblakk
authorGabor Krizsanits <gkrizsanits@mozilla.com>
Wed, 16 Apr 2014 22:29:57 +0200
changeset 192994 78ec8ab4d775095197cb2053d8c41ec610491d7e
parent 192993 0a1aff2920b108d845c1f6358c2c27ef49ef0146
child 192995 a184fee9caad11cacd0df4280406f19411a7a05e
push id474
push userasasaki@mozilla.com
push dateMon, 02 Jun 2014 21:01:02 +0000
reviewersbz, lsblakk
bugs996069
milestone30.0a2
Bug 996069 - Part 3: Stop inheriting nsEP when window.open is called. r=bz, a=lsblakk
dom/base/nsGlobalWindow.cpp
js/xpconnect/tests/chrome/chrome.ini
js/xpconnect/tests/chrome/file_bug996069.html
js/xpconnect/tests/chrome/test_bug996069.xul
--- a/dom/base/nsGlobalWindow.cpp
+++ b/dom/base/nsGlobalWindow.cpp
@@ -1977,28 +1977,25 @@ nsGlobalWindow::WouldReuseInnerWindow(ns
   return false;
 }
 
 void
 nsGlobalWindow::SetInitialPrincipalToSubject()
 {
   FORWARD_TO_OUTER_VOID(SetInitialPrincipalToSubject, ());
 
-  // First, grab the subject principal. These methods never fail.
-  nsIScriptSecurityManager* ssm = nsContentUtils::GetSecurityManager();
-  nsCOMPtr<nsIPrincipal> newWindowPrincipal, systemPrincipal;
-  ssm->GetSubjectPrincipal(getter_AddRefs(newWindowPrincipal));
-  ssm->GetSystemPrincipal(getter_AddRefs(systemPrincipal));
+  // First, grab the subject principal.
+  nsCOMPtr<nsIPrincipal> newWindowPrincipal = nsContentUtils::GetSubjectPrincipal();
   if (!newWindowPrincipal) {
-    newWindowPrincipal = systemPrincipal;
-  }
-
-  // Now, if we're about to use the system principal, make sure we're not using
-  // it for a content docshell.
-  if (newWindowPrincipal == systemPrincipal &&
+    newWindowPrincipal = nsContentUtils::GetSystemPrincipal();
+  }
+
+  // Now, if we're about to use the system principal or an nsExpandedPrincipal,
+  // make sure we're not using it for a content docshell.
+  if (nsContentUtils::IsSystemOrExpandedPrincipal(newWindowPrincipal) &&
       GetDocShell()->ItemType() != nsIDocShellTreeItem::typeChrome) {
     newWindowPrincipal = nullptr;
   }
 
   // If there's an existing document, bail if it either:
   if (mDoc) {
     // (a) is not an initial about:blank document, or
     if (!mDoc->IsInitialDocument())
--- a/js/xpconnect/tests/chrome/chrome.ini
+++ b/js/xpconnect/tests/chrome/chrome.ini
@@ -1,12 +1,13 @@
 [DEFAULT]
 support-files =
   bug503926.xul
   file_bug618176.xul
+  file_bug996069.html
   file_evalInSandbox.html
   file_expandosharing.jsm
   outoflinexulscript.js
   subscript.js
   utf8_subscript.js
 
 [test_APIExposer.xul]
 [test_bug361111.xul]
@@ -46,16 +47,17 @@ support-files =
 [test_bug812415.xul]
 [test_bug853283.xul]
 [test_bug853571.xul]
 [test_bug858101.xul]
 [test_bug860494.xul]
 [test_bug866823.xul]
 [test_bug895340.xul]
 [test_bug932906.xul]
+[test_bug996069.xul]
 [test_xrayToJS.xul]
 [test_chrometoSource.xul]
 [test_cloneInto.xul]
 [test_cows.xul]
 [test_documentdomain.xul]
 [test_doublewrappedcompartments.xul]
 [test_evalInSandbox.xul]
 [test_evalInWindow.xul]
new file mode 100644
--- /dev/null
+++ b/js/xpconnect/tests/chrome/file_bug996069.html
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<head></head>
+<body>
+  <script>
+    if (window.opener && window.opener.finishTest) {
+      window.opener.finishTest();
+    }
+  </script>
+</body>
+</html>
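Review bot: The `window.opener && window.opener.finishTest` guard does non-obvious double duty: this file is loaded both as the `ifr` iframe in test_bug996069.xul, where there is no opener and the script is a no-op, and as the popup opened from the sandbox, where it reports back to the test. A one-line comment above the `if`, e.g. `// Loaded twice: as the test's content iframe (no opener) and as the popup; only the popup reports back.`, would save the next reader a trip to the xul file.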
new file mode 100644
--- /dev/null
+++ b/js/xpconnect/tests/chrome/test_bug996069.xul
@@ -0,0 +1,53 @@
+<?xml version="1.0"?>
+<?xml-stylesheet type="text/css" href="chrome://global/skin"?>
+<?xml-stylesheet type="text/css" href="chrome://mochikit/content/tests/SimpleTest/test.css"?>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=996069
+-->
+<window title="Mozilla Bug 996069"
+        xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
+  <script type="application/javascript" src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"/>
+
+  <!-- test results are displayed in the html:body -->
+  <body xmlns="http://www.w3.org/1999/xhtml">
+  <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=996069"
+     target="_blank">Mozilla Bug 996069</a>
+  </body>
+
+  <!-- test code goes here -->
+  <script type="application/javascript">
+  <![CDATA[
+  const Cu = Components.utils;
+  /** Test for Bug 996069 **/
+  SimpleTest.waitForExplicitFinish();
+
+  function loaded() {
+    var ifr = document.getElementById("ifr").contentWindow;
+    var sb = new Cu.Sandbox([ifr],
+                            { sandboxPrototype: ifr });
+
+    ifr.wrappedJSObject.finishTest = function() {
+      // If we got here we did not hit the NS_ReleaseAssert...
+      ok(true, "nsExpandedPrincipal should not be inherited by content windows");
+
+      // But let's be sure that the new window does not have nsEP
+      newWin.wrappedJSObject.obj = Cu.evalInSandbox("var obj = { foo: 'bar' }; obj", sb);
+      try {
+        newWin.eval("obj.foo");
+        ok(false, "newWin should not have access to object from a scope with nsExpandedPrincipal");
+      } catch (e) {
+        ok(/Permission denied/.exec(e.message), "newWin should not have access to object from a scope with nsExpandedPrincipal");
+      }
+      newWin.close();
+      SimpleTest.finish();
+    };
+
+    var newWin = Cu.evalInSandbox(
+      "window.open('http://example.org/chrome/js/xpconnect/tests/chrome/file_bug996069.html');",
+      sb);
+  }
+
+  ]]>
+  </script>
+  <iframe id="ifr" onload="loaded();" type="content" src="http://example.org/chrome/js/xpconnect/tests/chrome/file_bug996069.html" />
+</window>
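Review bot: In finishTest, `ok(/Permission denied/.exec(e.message), ...)` hands an array-or-null to ok() and relies on truthiness; `ok(/Permission denied/.test(e.message), ...)` states the intent directly. The `newWin.wrappedJSObject.obj = Cu.evalInSandbox(...)` assignment sits outside the try, so if it throws the test ends in a harness timeout rather than a named failure and `newWin.close()` / `SimpleTest.finish()` never run; a `try { ... } finally { newWin.close(); SimpleTest.finish(); }` around the body of finishTest, keeping the existing try/catch for the eval inside it, would keep the failure attributable and the popup cleaned up. The comment `// If we got here we did not hit the NS_ReleaseAssert...` would be more useful if it named which assertion (the one in the principal-setting path this patch touches), since that is what the test is actually guarding.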