Bug 1139849 - postMessage to incorrect target domain should print a console security error r=bz

James Burke 2016-01-29 13:32:01 -08:00
parent a6fdbeb4aa
commit 23f3449b1c
4 changed files with 29 additions and 0 deletions


@ -28,6 +28,7 @@ PostMessageEvent::PostMessageEvent(nsGlobalWindow* aSource,
const nsAString& aCallerOrigin,
nsGlobalWindow* aTargetWindow,
nsIPrincipal* aProvidedPrincipal,
nsIDocument* aSourceDocument,
bool aTrustedCaller)
: StructuredCloneHolder(CloningSupported, TransferringSupported,
SameProcessSameThread),
@ -35,6 +36,7 @@ PostMessageEvent::PostMessageEvent(nsGlobalWindow* aSource,
mCallerOrigin(aCallerOrigin),
mTargetWindow(aTargetWindow),
mProvidedPrincipal(aProvidedPrincipal),
mSourceDocument(aSourceDocument),
mTrustedCaller(aTrustedCaller)
{
MOZ_COUNT_CTOR(PostMessageEvent);
@ -57,6 +59,12 @@ PostMessageEvent::Run()
jsapi.Init();
JSContext* cx = jsapi.cx();
// The document is just used for the principal mismatch error message below.
// Use a stack variable so mSourceDocument is not held onto after this method
// finishes, regardless of the method outcome.
nsCOMPtr<nsIDocument> sourceDocument;
sourceDocument.swap(mSourceDocument);
// If we bailed before this point we're going to leak mMessage, but
// that's probably better than crashing.
@ -92,6 +100,20 @@ PostMessageEvent::Run()
// now. Long-term, we want HTML5 to address this so that we can
// be compliant while being safer.
if (!targetPrin->Equals(mProvidedPrincipal)) {
nsAutoString providedOrigin, targetOrigin;
nsresult rv = nsContentUtils::GetUTFOrigin(targetPrin, targetOrigin);
NS_ENSURE_SUCCESS(rv, rv);
rv = nsContentUtils::GetUTFOrigin(mProvidedPrincipal, providedOrigin);
NS_ENSURE_SUCCESS(rv, rv);
const char16_t* params[] = { providedOrigin.get(), targetOrigin.get() };
nsContentUtils::ReportToConsole(nsIScriptError::errorFlag,
NS_LITERAL_CSTRING("DOM Window"), sourceDocument,
nsContentUtils::eDOM_PROPERTIES,
"TargetPrincipalDoesNotMatch",
params, ArrayLength(params));
return NS_OK;
}
}
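Review bot: The two `NS_ENSURE_SUCCESS(rv, rv)` returns on the origin lookups let a failure to format the diagnostic change Run()'s result, turning what was a silent drop (`return NS_OK`) into a propagated error; the message is not delivered on either path, so the principal check is not weakened, but a diagnostic should not alter control flow. I would guard the report with `NS_SUCCEEDED(...)` on both lookups and fall through to the existing `return NS_OK` regardless, as sketched below. Note that `sourceDocument` can be null here (the caller passes nullptr when there is no caller inner window), so this relies on ReportToConsole tolerating a null document, which deserves a one-line comment. The console text discloses the recipient window's real origin to the sender's console, which is acceptable only because console output is not script-readable, so the report must stay inside the mismatch branch as it is now. Run() begins and ends outside the hunk.
```cpp
if (!targetPrin->Equals(mProvidedPrincipal)) {
  // Diagnostic only: a failure to format the origins must not change the
  // outcome, which is always to drop the message. sourceDocument may be null.
  nsAutoString providedOrigin, targetOrigin;
  if (NS_SUCCEEDED(nsContentUtils::GetUTFOrigin(targetPrin, targetOrigin)) &&
      NS_SUCCEEDED(nsContentUtils::GetUTFOrigin(mProvidedPrincipal, providedOrigin))) {
    const char16_t* params[] = { providedOrigin.get(), targetOrigin.get() };
    // … unchanged: ReportToConsole call …
  }
  return NS_OK;
}
```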


@ -34,6 +34,7 @@ public:
const nsAString& aCallerOrigin,
nsGlobalWindow* aTargetWindow,
nsIPrincipal* aProvidedPrincipal,
nsIDocument* aSourceDocument,
bool aTrustedCaller);
private:
@ -43,6 +44,7 @@ private:
nsString mCallerOrigin;
RefPtr<nsGlobalWindow> mTargetWindow;
nsCOMPtr<nsIPrincipal> mProvidedPrincipal;
nsCOMPtr<nsIDocument> mSourceDocument;
bool mTrustedCaller;
};
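Review bot: The new `mSourceDocument` member has no comment, although it is a strong reference with an unusual lifetime: it exists only to attribute the principal-mismatch console error in Run(), which swaps it out so the document is not kept alive after the event runs. I would document that at the declaration, e.g. `// Caller's document, used only to attribute the principal-mismatch console error; Run() releases it. May be null.`. The class declaration begins outside the hunk.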


@ -7969,6 +7969,9 @@ nsGlobalWindow::PostMessageMozOuter(JSContext* aCx, JS::Handle<JS::Value> aMessa
origin,
this,
providedPrincipal,
callerInnerWin
? callerInnerWin->GetDoc()
: nullptr,
nsContentUtils::IsCallerChrome());
JS::Rooted<JS::Value> message(aCx, aMessage);
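Review bot: The new argument gives no hint that it is optional and diagnostic-only; a null is passed when there is no caller inner window, and `callerInnerWin->GetDoc()` can presumably be null as well, so a reader may assume PostMessageEvent requires a document. A short comment on the argument would settle it: `// Best-effort source document, used only for the mismatch console error; may be null.`. PostMessageMozOuter begins and ends outside the hunk.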


@ -190,3 +190,5 @@ InterceptionRejectedResponseWithURL=Failed to load '%1$S'. A ServiceWorker passe
InterceptedNonResponseWithURL=Failed to load '%1$S'. A ServiceWorker passed a promise to FetchEvent.respondWith() that resolved with non-Response value '%2$S'.
ExecCommandCutCopyDeniedNotInputDriven=document.execCommand('cut'/'copy') was denied because it was not called from inside a short running user-generated event handler.
PatternAttributeCompileFailure=Unable to check <input pattern='%S'> because the pattern is not a valid regexp: %S
# LOCALIZATION NOTE: Do not translate "postMessage" or DOMWindow. %S values are origins, like https://domain.com:port
TargetPrincipalDoesNotMatch=Failed to execute 'postMessage' on 'DOMWindow': The target origin provided ('%S') does not match the recipient window's origin ('%S').