Bug 907892. Disallow setting document.domain in sandboxed iframes. r=smaug

content/base/src/nsContentUtils.cpp

@@ -927,7 +927,8 @@ nsContentUtils::ParseSandboxAttributeToFlags(const nsAString& aSandboxAttrValue)
                  SANDBOXED_FORMS |
                  SANDBOXED_SCRIPTS |
                  SANDBOXED_AUTOMATIC_FEATURES |
-                 SANDBOXED_POINTER_LOCK;
+                 SANDBOXED_POINTER_LOCK |
+                 SANDBOXED_DOMAIN;
 
   if (!aSandboxAttrValue.IsEmpty()) {
     // The separator optional flag is used because the HTML5 spec says any

content/base/src/nsSandboxFlags.h

@@ -60,4 +60,9 @@ const unsigned long SANDBOXED_AUTOMATIC_FEATURES = 0x40;
  * This flag blocks the document from acquiring pointerlock.
  */
 const unsigned long SANDBOXED_POINTER_LOCK = 0x80;
+
+/**
+ * This flag blocks the document from changing document.domain.
+ */
+const unsigned long SANDBOXED_DOMAIN = 0x100;
 #endif

content/base/test/Makefile.in

@@ -664,6 +664,8 @@ MOCHITEST_FILES_C= \
 		file_CSP_bug802872.html^headers^ \
 		file_CSP_bug802872.js \
 		file_CSP_bug802872.sjs \
+		test_bug907892.html \
+		file_bug907892.html \
 		$(NULL)
 
 # OOP tests don't work on Windows (bug 763081) or native-fennec

content/base/test/file_bug907892.html

@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<script>
+  var threw;
+  try {
+    document.domain = "example.org";
+    threw = false;
+  } catch (e) {
+    threw = true;
+  }
+  var sandboxed = (location.search == "?sandboxed");
+  parent.postMessage({ threw: threw, sandboxed: sandboxed }, "*");
+</script>

content/base/test/test_bug907892.html

@@ -0,0 +1,49 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=907892
+-->
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 907892</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+  <script type="application/javascript">
+
+  /** Test for Bug 907892 **/
+  SimpleTest.waitForExplicitFinish();
+
+  var expectedMessages = 2;
+  window.onmessage = function (ev) {
+    if (ev.data.sandboxed) {
+      ok(ev.data.threw,
+         "Should have thrown when setting document.domain in sandboxed iframe");
+    } else {
+      ok(!ev.data.threw,
+         "Should not have thrown when setting document.domain in iframe");
+    }
+
+    --expectedMessages;
+    if (expectedMessages == 0) {
+      SimpleTest.finish();
+    }
+  };
+  </script>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=907892">Mozilla Bug 907892</a>
+<p id="display"></p>
+<div id="content" style="display: none">
+<!-- Set all the sandbox flags to "allow" to make sure we cover that case -->
+<iframe
+   sandbox="allow-same-origin allow-scripts allow-forms allow-top-navigation alllow-pointer-lock"
+   src="http://test1.example.org/tests/content/base/test/file_bug907892.html?sandboxed">
+</iframe>
+<iframe
+   src="http://test1.example.org/tests/content/base/test/file_bug907892.html?normal">
+</iframe>
+</div>
+<pre id="test">
+</pre>
+</body>
+</html>

content/html/document/src/nsHTMLDocument.cpp

@@ -1006,6 +1006,12 @@ nsHTMLDocument::SetDomain(const nsAString& aDomain)
 void
 nsHTMLDocument::SetDomain(const nsAString& aDomain, ErrorResult& rv)
 {
+  if (mSandboxFlags & SANDBOXED_DOMAIN) {
+    // We're sandboxed; disallow setting domain
+    rv.Throw(NS_ERROR_DOM_SECURITY_ERR);
+    return;
+  }
+
   if (aDomain.IsEmpty()) {
     rv.Throw(NS_ERROR_DOM_BAD_DOCUMENT_DOMAIN);
     return;