Closed Bug 1586926 Opened 5 years ago Closed 5 years ago

Add caller access checks for cross-process Location-based navigation

Categories

(Core :: DOM: Navigation, defect, P2)

Tracking

RESOLVED FIXED
mozilla71
Fission Milestone M4
Tracking Status
firefox71 --- fixed

People

(Reporter: kmag, Assigned: kmag)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

We attempt to enforce the same (approximate) access checks to Location-based navigation that we use for loads that use named targeting (e.g., via window.open), so that a frame that can't be navigated via, e.g., window.open, also can't be navigated via, e.g., window.parent[1].location = url. For the in-process case, this is handled by a somewhat hidden call to CheckLoadingPermissions() in nsDocShell::InternalLoad, where the former checks whether the principal of whatever JS context happens to be on the stack subsumes the principal of the target DocShell or any of its ancestors, and blocks the load if it doesn't.

Since there is no JS context on the stack when we call into the DocShell loading code in the cross-process case, the check is simply ignored.

So we need to instead do the check in BrowsingContext::LoadURI, where we already have an explicit accessor, and can simply use the standard access checks that we use elsewhere.
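The access rule described in comment 0, and why the cross-process path silently skipped it, as an added example that is not part of this bug or of Gecko's code. It is a toy model in JavaScript: Principal, BrowsingContext, the origins, the frame tree and the two loadURI variants are all constructed here for illustration, and the model deliberately covers only the "caller subsumes the target or one of its ancestors" rule the comment names, not every allowance in Gecko's real navigation policy.

```javascript
// Toy model (not Gecko code) of the access check discussed in this bug.
// Principal, BrowsingContext, the origins and both loadURI variants are
// constructed for the example.

// A principal is modelled by its origin; the system principal subsumes all.
class Principal {
  constructor(origin) { this.origin = origin; }
  subsumes(other) {
    return this.origin === "system" || this.origin === other.origin;
  }
}

// A browsing context knows its own principal and its parent (null at top).
class BrowsingContext {
  constructor(name, principal, parent = null) {
    this.name = name;
    this.principal = principal;
    this.parent = parent;
    this.children = [];
    if (parent) parent.children.push(this);
  }
  // Walk the target and its ancestors; allow if the caller subsumes any of
  // them. This is the rule comment 0 says CheckLoadingPermissions() applies.
  static callerMayNavigate(callerPrincipal, target) {
    for (let bc = target; bc !== null; bc = bc.parent) {
      if (callerPrincipal.subsumes(bc.principal)) return true;
    }
    return false;
  }
}

// "Before": the caller principal is whatever JS context is on the stack.
// Cross-process there is none, so the check never runs and the load goes
// through. This models the defect, not a recommended design.
function loadURIFromStack(jsStackPrincipal, target, url) {
  if (jsStackPrincipal !== null &&
      !BrowsingContext.callerMayNavigate(jsStackPrincipal, target)) {
    return { loaded: false, reason: "blocked by CheckLoadingPermissions" };
  }
  return { loaded: true, url };
}

// "After": the caller is an explicit parameter (as BrowsingContext::LoadURI
// has an explicit accessor), so the same check applies in every process.
function loadURIExplicit(callerPrincipal, target, url) {
  if (!BrowsingContext.callerMayNavigate(callerPrincipal, target)) {
    return { loaded: false, reason: "caller does not subsume target or ancestor" };
  }
  return { loaded: true, url };
}

// Constructed frame tree: top (a.example) hosts two cross-origin children,
// attacker (evil.example) and victim (b.example). From the attacker frame,
// victim is reachable as window.parent[1].
function buildTree() {
  const top = new BrowsingContext("top", new Principal("https://a.example"));
  const attacker = new BrowsingContext("attacker", new Principal("https://evil.example"), top);
  const victim = new BrowsingContext("victim", new Principal("https://b.example"), top);
  return { top, attacker, victim };
}

// Runs the four cases a reviewer would want to see side by side.
function demonstrate() {
  const { top, attacker, victim } = buildTree();
  const url = "https://evil.example/phish"; // constructed URL
  return {
    // Same process: attacker's principal is on the JS stack, check fires.
    inProcess: loadURIFromStack(attacker.principal, victim, url).loaded,
    // Cross process: no JS context on the stack, check silently skipped.
    crossProcessBug: loadURIFromStack(null, victim, url).loaded,
    // Fixed: caller passed explicitly, so the check applies either way.
    crossProcessFixed: loadURIExplicit(attacker.principal, victim, url).loaded,
    // Ancestor rule: top is an ancestor of victim, so top may navigate it.
    ancestorAllowed: loadURIExplicit(top.principal, victim, url).loaded,
  };
}

console.log(demonstrate());
```

The point of the two variants is the shape of the API, not the subsumes test itself: deriving the caller from ambient state (the JS stack) turns "no caller found" into "no check", whereas taking the caller as an explicit argument makes the check unconditional and lets the cross-process path supply the remote caller's principal.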

Status: NEW → ASSIGNED
Fission Milestone: --- → M4
Priority: -- → P2
Pushed by maglione.k@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/a3d7e24bd090
Add necessary caller access checks for cross-process Location navigations. r=nika
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla71