Add caller access checks for cross-process Location-based navigation
Categories: Core :: DOM: Navigation, defect, P2

Tracking

| Tracking | Status |
|---|---|
| firefox71 | fixed |

People: Reporter: kmag, Assigned: kmag
References: Blocks 1 open bug
Attachments: 1 file
We attempt to enforce the same (approximate) access checks to Location-based navigation that we use for loads that use named targeting (e.g., via window.open), so that a frame that can't be navigated via, e.g., window.open, also can't be navigated via, e.g., window.parent[1].location = url. For the in-process case, this is handled by a somewhat hidden call to CheckLoadingPermissions() in nsDocShell::InternalLoad, where the former checks whether the principal of whatever JS context happens to be on the stack subsumes the principal of the target DocShell or any of its ancestors, and blocks the load if it doesn't.

Since there is no JS context on the stack when we call into the DocShell loading code in the cross-process case, the check is simply ignored.

So we need to instead do the check in BrowsingContext::LoadURI, where we already have an explicit accessor, and can simply use the standard access checks that we use elsewhere.
Comment 1 • 5 years ago
Updated • 5 years ago
Pushed by maglione.k@gmail.com: https://hg.mozilla.org/integration/autoland/rev/a3d7e24bd090 Add necessary caller access checks for cross-process Location navigations. r=nika
Comment 3 • 5 years ago
bugherder