Bug 1174950 - Nuke wrappers from compartments with expanded principals to non-system windows. r=bholley

This extends the hueyfix to the case where a sandbox with expanded principals is leaked, for instance by an addon, and ends up entraining a content window. This fix prevents the leak of the content window, but not the sandbox.
2024-09-13 09:24:08 -07:00 · 2015-07-13 12:59:00 +02:00 · 2015-07-13 12:59:00 +02:00 · d7875d32d5
commit d7875d32d5
parent 9386518350
1 changed files with 13 additions and 1 deletions
--- a/dom/base/nsGlobalWindow.cpp
+++ b/dom/base/nsGlobalWindow.cpp
@ -8790,6 +8790,18 @@ nsGlobalWindow::NotifyDOMWindowDestroyed(nsGlobalWindow* aWindow) {
  }
 }

+// Try to match compartments that are not web content by matching compartments
+// with principals that are either the system principal or an expanded principal.
+// This may not return true for all non-web-content compartments.
+struct BrowserCompartmentMatcher : public js::CompartmentFilter {
+  virtual bool match(JSCompartment* c) const override
+  {
+    nsCOMPtr<nsIPrincipal> pc = nsJSPrincipals::get(JS_GetCompartmentPrincipals(c));
+    return nsContentUtils::IsSystemOrExpandedPrincipal(pc);
+  }
+};
+
+
 class WindowDestroyedEvent : public nsRunnable
 {
 public:
@ -8835,7 +8847,7 @@ public:
      // We only want to nuke wrappers for the chrome->content case
      if (obj && !js::IsSystemCompartment(js::GetObjectCompartment(obj))) {
        js::NukeCrossCompartmentWrappers(cx,
-                                         js::ChromeCompartmentsOnly(),
+                                         BrowserCompartmentMatcher(),
                                         js::SingleCompartment(js::GetObjectCompartment(obj)),
                                         window->IsInnerWindow() ? js::DontNukeWindowReferences :
                                                                   js::NukeWindowReferences);