Bug 1492607 - Part 1: Making postMessage to be aware of OAs when the targetOrigin is "*." r=arthuredelstein,baku

This patch adds a MOZ_DIAGNOSTIC_ASSERT for assuring the OAs
are matching when the targetOrigin is "*" for the postMessage().
But it ignores the FPD in OA since the FPDs are possible to be
different.

We also add a new pref 'privacy.firstparty.isolate.block_post_message'
for allowing blocking postMessage across different FPDs.

Differential Revision: https://phabricator.services.mozilla.com/D8521

--HG--
extra : moz-landing-system : lando

caps/OriginAttributes.cpp

@@ -19,6 +19,7 @@ using dom::URLParams;
 
 bool OriginAttributes::sFirstPartyIsolation = false;
 bool OriginAttributes::sRestrictedOpenerAccess = false;
+bool OriginAttributes::sBlockPostMessageForFPI = false;
 
 void
 OriginAttributes::InitPrefs()
@@ -31,6 +32,8 @@ OriginAttributes::InitPrefs()
                                  "privacy.firstparty.isolate");
     Preferences::AddBoolVarCache(&sRestrictedOpenerAccess,
                                  "privacy.firstparty.isolate.restrict_opener_access");
+    Preferences::AddBoolVarCache(&sBlockPostMessageForFPI,
+                                 "privacy.firstparty.isolate.block_post_message");
   }
 }
 

caps/OriginAttributes.h

@@ -61,6 +61,14 @@ public:
     return !(*this == aOther);
   }
 
+  MOZ_MUST_USE bool EqualsIgnoringFPD(const OriginAttributes& aOther) const
+  {
+    return mAppId == aOther.mAppId &&
+           mInIsolatedMozBrowser == aOther.mInIsolatedMozBrowser &&
+           mUserContextId == aOther.mUserContextId &&
+           mPrivateBrowsingId == aOther.mPrivateBrowsingId;
+  }
+
   // Serializes/Deserializes non-default values into the suffix format, i.e.
   // |!key1=value1&key2=value2|. If there are no non-default attributes, this
   // returns an empty string.
@@ -96,6 +104,13 @@ public:
     return !sFirstPartyIsolation || sRestrictedOpenerAccess;
   }
 
+  // Check whether we block the postMessage across different FPDs when the
+  // targetOrigin is '*'.
+  static inline MOZ_MUST_USE bool IsBlockPostMessageForFPI()
+  {
+    return sFirstPartyIsolation && sBlockPostMessageForFPI;
+  }
+
   // returns true if the originAttributes suffix has mPrivateBrowsingId value
   // different than 0.
   static bool IsPrivateBrowsing(const nsACString& aOrigin);
@@ -105,6 +120,7 @@ public:
 private:
   static bool sFirstPartyIsolation;
   static bool sRestrictedOpenerAccess;
+  static bool sBlockPostMessageForFPI;
 };
 
 class OriginAttributesPattern : public dom::OriginAttributesPatternDictionary

dom/base/nsGlobalWindowOuter.cpp

@@ -5784,6 +5784,22 @@ nsGlobalWindowOuter::PostMessageMozOuter(JSContext* aCx, JS::Handle<JS::Value> a
     if (NS_WARN_IF(!providedPrincipal)) {
       return;
     }
+  } else {
+    // We still need to check the originAttributes if the target origin is '*'.
+    // But we will ingore the FPD here since the FPDs are possible to be different.
+    auto principal = BasePrincipal::Cast(GetPrincipal());
+    NS_ENSURE_TRUE_VOID(principal);
+
+    OriginAttributes targetAttrs = principal->OriginAttributesRef();
+    OriginAttributes sourceAttrs = aSubjectPrincipal.OriginAttributesRef();
+    MOZ_DIAGNOSTIC_ASSERT(sourceAttrs.EqualsIgnoringFPD(targetAttrs));
+
+    // If 'privacy.firstparty.isolate.block_post_message' is true, we will block
+    // postMessage across different first party domains.
+    if (OriginAttributes::IsBlockPostMessageForFPI() &&
+        sourceAttrs.mFirstPartyDomain != targetAttrs.mFirstPartyDomain) {
+      return;
+    }
   }
 
   // Create and asynchronously dispatch a runnable which will handle actual DOM