Bug 708176 - Part 2: Add {i,}frame.queryInnerState(), which allows privileged pages to peer into an iframe's state. r=smaug

--HG--
extra : rebase_source : dfd89eb7d451bac9ae4e4eb05d090c767f42ab8e

content/base/src/nsGkAtomList.h

@@ -168,6 +168,7 @@ GK_ATOM(broadcast, "broadcast")
 GK_ATOM(broadcaster, "broadcaster")
 GK_ATOM(broadcasterset, "broadcasterset")
 GK_ATOM(browser, "browser")
+GK_ATOM(mozbrowser, "mozbrowser")
 GK_ATOM(bulletinboard, "bulletinboard")
 GK_ATOM(button, "button")
 GK_ATOM(callTemplate, "call-template")

content/html/content/src/nsGenericHTMLElement.cpp

@@ -2559,6 +2559,7 @@ nsGenericHTMLElement::GetContextMenu(nsIDOMHTMLMenuElement** aContextMenu)
 //----------------------------------------------------------------------
 
 NS_IMPL_INT_ATTR(nsGenericHTMLFrameElement, TabIndex, tabindex)
+NS_IMPL_BOOL_ATTR(nsGenericHTMLFrameElement, MozBrowser, mozbrowser)
 
 nsGenericHTMLFormElement::nsGenericHTMLFormElement(already_AddRefed<nsINodeInfo> aNodeInfo)
   : nsGenericHTMLElement(aNodeInfo)
@@ -3227,8 +3228,9 @@ NS_IMPL_CYCLE_COLLECTION_TRAVERSE_BEGIN_INHERITED(nsGenericHTMLFrameElement,
 NS_IMPL_CYCLE_COLLECTION_TRAVERSE_END
 
 NS_INTERFACE_TABLE_HEAD(nsGenericHTMLFrameElement)
-  NS_INTERFACE_TABLE_INHERITED1(nsGenericHTMLFrameElement,
+  NS_INTERFACE_TABLE_INHERITED2(nsGenericHTMLFrameElement,
-                                nsIFrameLoaderOwner)
+                                nsIFrameLoaderOwner,
+                                nsIDOMMozBrowserFrameElement)
   NS_INTERFACE_TABLE_TO_MAP_SEGUE_CYCLE_COLLECTION(nsGenericHTMLFrameElement)
 NS_INTERFACE_MAP_END_INHERITING(nsGenericHTMLElement)
 
@@ -3435,6 +3437,108 @@ nsGenericHTMLFrameElement::SizeOf() const
   return size;
 }
 
+namespace {
+
+// GetContentStateCallbackRunnable is used by MozGetContentState to fire its callback
+// asynchronously.
+class GetContentStateCallbackRunnable : public nsRunnable
+{
+public:
+  GetContentStateCallbackRunnable(nsIDOMMozGetContentStateCallback *aCallback,
+                             nsIDOMEventTarget *aEventTarget,
+                             const nsAString &aResult)
+    : mCallback(aCallback)
+    , mEventTarget(aEventTarget)
+    , mResult(aResult)
+  {
+  }
+
+  NS_IMETHOD Run()
+  {
+    FireCallback();
+
+    // Break cycles.
+    mCallback = NULL;
+    mEventTarget = NULL;
+    return NS_OK;
+  }
+
+private:
+  void FireCallback()
+  {
+    nsCxPusher pusher;
+    if (!pusher.Push(mEventTarget)) {
+      return;
+    }
+
+    mCallback->Callback(mResult);
+  }
+
+  nsCOMPtr<nsIDOMMozGetContentStateCallback> mCallback;
+  nsCOMPtr<nsIDOMEventTarget> mEventTarget;
+  const nsString mResult;
+};
+
+} // anonymous namespace
+
+nsresult
+nsGenericHTMLFrameElement::BrowserFrameSecurityCheck()
+{
+  if (!Preferences::GetBool("dom.mozBrowserFramesEnabled")) {
+    return NS_ERROR_FAILURE;
+  }
+
+  bool browser;
+  GetMozBrowser(&browser);
+  if (!browser) {
+    return NS_ERROR_FAILURE;
+  }
+
+  nsIPrincipal *principal = NodePrincipal();
+  nsCOMPtr<nsIURI> principalURI;
+  principal->GetURI(getter_AddRefs(principalURI));
+  if (!nsContentUtils::URIIsChromeOrInPref(principalURI,
+                                           "dom.mozBrowserFramesWhitelist")) {
+    return NS_ERROR_DOM_SECURITY_ERR;
+  }
+
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+nsGenericHTMLFrameElement::MozGetContentState(const nsAString &aProperty,
+                                              nsIDOMMozGetContentStateCallback *aCallback)
+{
+  nsresult rv = BrowserFrameSecurityCheck();
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  if (!aProperty.EqualsLiteral("location")) {
+    return NS_ERROR_FAILURE;
+  }
+
+  nsCOMPtr<nsIDOMWindow> contentWindow;
+  GetContentWindow(getter_AddRefs(contentWindow));
+  NS_ENSURE_TRUE(contentWindow, NS_ERROR_FAILURE);
+
+  nsCOMPtr<nsIDOMLocation> location;
+  rv = contentWindow->GetLocation(getter_AddRefs(location));
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  nsAutoString href;
+  rv = location->ToString(href);
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  nsCOMPtr<nsIDOMEventTarget> eventTarget =
+    do_QueryInterface(nsContentUtils::GetWindowFromCaller());
+  NS_ENSURE_TRUE(eventTarget, NS_ERROR_FAILURE);
+
+  // Asynchronously fire the callback.
+  nsRefPtr<GetContentStateCallbackRunnable> runnable =
+    new GetContentStateCallbackRunnable(aCallback, eventTarget, href);
+  NS_DispatchToMainThread(runnable);
+  return NS_OK;
+}
+
 //----------------------------------------------------------------------
 
 nsresult

content/html/content/src/nsGenericHTMLElement.h

@@ -47,6 +47,7 @@
 #include "nsGkAtoms.h"
 #include "nsContentCreatorFunctions.h"
 #include "nsDOMMemoryReporter.h"
+#include "nsIDOMMozBrowserFrameElement.h"
 
 class nsIDOMAttr;
 class nsIDOMEventListener;
@@ -1019,7 +1020,8 @@ PR_STATIC_ASSERT(ELEMENT_TYPE_SPECIFIC_BITS_OFFSET + 1 < 32);
  */
 
 class nsGenericHTMLFrameElement : public nsGenericHTMLElement,
-                                  public nsIFrameLoaderOwner
+                                  public nsIFrameLoaderOwner,
+                                  public nsIDOMMozBrowserFrameElement
 {
 public:
   nsGenericHTMLFrameElement(already_AddRefed<nsINodeInfo> aNodeInfo,
@@ -1064,6 +1066,9 @@ public:
   NS_DECL_CYCLE_COLLECTION_CLASS_INHERITED_NO_UNLINK(nsGenericHTMLFrameElement,
                                                      nsGenericHTMLElement)
 
+  // nsIDOMMozBrowserFrameElement
+  NS_DECL_NSIDOMMOZBROWSERFRAMEELEMENT
+
 protected:
   // This doesn't really ensure a frame loade in all cases, only when
   // it makes sense.
@@ -1072,6 +1077,8 @@ protected:
   nsresult GetContentDocument(nsIDOMDocument** aContentDocument);
   nsresult GetContentWindow(nsIDOMWindow** aContentWindow);
 
+  nsresult BrowserFrameSecurityCheck();
+
   nsRefPtr<nsFrameLoader> mFrameLoader;
   // True when the element is created by the parser
   // using NS_FROM_PARSER_NETWORK flag.

dom/base/nsDOMClassInfo.cpp

@@ -140,6 +140,7 @@
 #include "nsIDOMDOMStringList.h"
 #include "nsIDOMDOMTokenList.h"
 #include "nsIDOMDOMSettableTokenList.h"
+#include "nsIDOMMozBrowserFrameElement.h"
 
 #include "nsDOMStringMap.h"
 
@@ -2671,6 +2672,7 @@ nsDOMClassInfo::Init()
 
   DOM_CLASSINFO_MAP_BEGIN(HTMLFrameElement, nsIDOMHTMLFrameElement)
     DOM_CLASSINFO_MAP_ENTRY(nsIDOMHTMLFrameElement)
+    DOM_CLASSINFO_MAP_ENTRY(nsIDOMMozBrowserFrameElement)
     DOM_CLASSINFO_GENERIC_HTML_MAP_ENTRIES
   DOM_CLASSINFO_MAP_END
 
@@ -2702,6 +2704,7 @@ nsDOMClassInfo::Init()
   DOM_CLASSINFO_MAP_BEGIN(HTMLIFrameElement, nsIDOMHTMLIFrameElement)
     DOM_CLASSINFO_MAP_ENTRY(nsIDOMHTMLIFrameElement)
     DOM_CLASSINFO_MAP_ENTRY(nsIDOMGetSVGDocument)
+    DOM_CLASSINFO_MAP_ENTRY(nsIDOMMozBrowserFrameElement)
     DOM_CLASSINFO_GENERIC_HTML_MAP_ENTRIES
   DOM_CLASSINFO_MAP_END
 

dom/interfaces/html/Makefile.in

@@ -116,6 +116,7 @@ SDK_XPIDLSRCS =					\
 	nsIDOMHTMLAudioElement.idl		\
 	nsIDOMValidityState.idl		\
 	nsIDOMDOMStringMap.idl		\
+	nsIDOMMozBrowserFrameElement.idl	\
 	$(NULL)
 
 XPIDLSRCS = 					\

dom/interfaces/html/nsIDOMMozBrowserFrameElement.idl

@@ -0,0 +1,68 @@
+/* -*- Mode: IDL; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is Mozilla code.
+ *
+ * The Initial Developer of the Original Code is the Mozilla Foundation.
+ *
+ * Portions created by the Initial Developer are Copyright (C) 2011
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Justin Lebar <justin.lebar@gmail.com>
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either of the GNU General Public License Version 2 or later (the "GPL"),
+ * or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "nsISupports.idl"
+
+[scriptable, function, uuid(37687881-1801-489f-ad03-7af651a93448)]
+interface nsIDOMMozGetContentStateCallback : nsISupports
+{
+  void callback(in DOMString value);
+};
+
+[scriptable, uuid(2ff0f421-64e4-4186-b0dd-619629f46048)]
+interface nsIDOMMozBrowserFrameElement : nsISupports
+{
+  /**
+   * If true, a privileged page can call mozGetContentState on this element.
+   * If false, mozGetContentState will fail.
+   */
+  attribute boolean mozBrowser;
+
+  /**
+   * Get a piece of state from this element's content window, returning its
+   * value via |callback|.
+   *
+   * At the moment, the only valid property is "location", which returns the
+   * content window's location.  Passing any other property causes an error.
+   *
+   * If the iframe's mozBrowser is false, or if the calling window is not
+   * privileged, this function fails.
+   */
+  void mozGetContentState(in DOMString property,
+                          in nsIDOMMozGetContentStateCallback callback);
+};

dom/tests/mochitest/general/Makefile.in

@@ -74,6 +74,7 @@ _TEST_FILES = \
 		test_focusrings.xul \
 		file_moving_xhr.html \
 		test_vibrator.html \
+		test_getContentState.html \
 		$(NULL)
 
 _CHROME_FILES = \

dom/tests/mochitest/general/test_getContentState.html

@@ -0,0 +1,144 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=708963
+-->
+<head>
+  <title>Test for Bug 708963</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=708963">Mozilla Bug 708963</a>
+
+<script type="application/javascript;version=1.7">
+"use strict";
+
+function getEnabledPref() {
+  try {
+    return SpecialPowers.getBoolPref('dom.mozBrowserFramesEnabled');
+  }
+  catch(e) {
+    return undefined;
+  }
+}
+
+function getWhitelistPref() {
+  try {
+    return SpecialPowers.getCharPref('dom.mozBrowserFramesWhitelist');
+  }
+  catch(e) {
+    return undefined;
+  }
+}
+
+function setPrefs(enabled, whitelist) {
+  if (enabled !== undefined) {
+    SpecialPowers.setBoolPref('dom.mozBrowserFramesEnabled', enabled);
+  }
+  else {
+    SpecialPowers.clearUserPref('dom.mozBrowserFramesEnabled');
+  }
+
+  if (whitelist !== undefined) {
+    SpecialPowers.setCharPref('dom.mozBrowserFramesWhitelist', whitelist);
+  }
+  else {
+    SpecialPowers.clearUserPref('dom.mozBrowserFramesWhitelist');
+  }
+}
+
+function getPrePath() {
+  return 'http://' + window.location.host;
+}
+
+function checkCannotQueryIframe(id) {
+  let iframe = document.getElementById(id);
+  try {
+    iframe.mozGetContentState('location', function() {
+      ok(false, 'Got callback, but should have failed.');
+    });
+    ok(false, 'Should have thrown exception.');
+  }
+  catch(e) {
+    ok(true, 'Got expected exception.');
+  }
+}
+
+function checkCannotQuery() {
+  checkCannotQueryIframe('queryable');
+  checkCannotQueryIframe('not-queryable');
+}
+
+let numCallbacksExpected = 0;
+let numCallbacksSeen = 0;
+function checkCanQuery() {
+  checkCannotQueryIframe('not-queryable');
+
+  let iframe = document.getElementById('queryable');
+  iframe.mozGetContentState('location', function(href) {
+    ok(true, 'Got callback, as expected.');
+    is(href, 'http://example.com/', "Callback value.");
+    numCallbacksSeen++;
+  });
+  numCallbacksExpected++;
+}
+
+const oldEnabled = getEnabledPref();
+const oldWhitelist = getWhitelistPref();
+
+function runTest() {
+  setPrefs(false, getPrePath());
+  checkCannotQuery();
+
+  setPrefs(true, '');
+  checkCannotQuery();
+
+  setPrefs(true, getPrePath());
+  checkCanQuery();
+
+  setPrefs(true, 'http://example.com  , ' +
+                 getPrePath().toUpperCase() + ',  ');
+  checkCanQuery();
+
+  // Spin if we haven't seen all the expected callbacks.
+  waitForAllExpectedCallbacks();
+}
+
+function waitForAllExpectedCallbacks() {
+  if (numCallbacksSeen < numCallbacksExpected) {
+    SimpleTest.executeSoon(waitForAllExpectedCallbacks);
+    return;
+  }
+
+  // Spin the event loop a few times to let any remaining pending callbacks
+  // fire.  (If we get any callbacks here, the test should fail.)
+  SimpleTest.executeSoon(function() {
+    SimpleTest.executeSoon(function() {
+      SimpleTest.executeSoon(function() {
+        setPrefs(oldEnabled, oldWhitelist);
+        SimpleTest.finish();
+      });
+    });
+  });
+}
+
+SimpleTest.waitForExplicitFinish();
+
+var numLoaded = 0;
+function iframeLoaded() {
+  numLoaded++;
+  if (numLoaded == 2) {
+    runTest();
+  }
+}
+
+</script>
+
+<iframe onload='iframeLoaded()' id='not-queryable' src='http://example.net'></iframe>
+<iframe onload='iframeLoaded()' mozbrowser id='queryable' src='http://example.com'></iframe>
+
+</body>
+</html>
+
+