From 15c3ab7c9ce0b7332ebf6610dc8f69087d754d22 Mon Sep 17 00:00:00 2001
From: Tim Huang
Date: Thu, 25 Oct 2018 06:47:08 +0000
Subject: [PATCH] Bug 1492607 - Part 1: Making postMessage to be aware of OAs when the targetOrigin is "*." r=arthuredelstein,baku

This patch adds a MOZ_DIAGNOSTIC_ASSERT for assuring the OAs are matching when the targetOrigin is "*" for the postMessage(). But it ignores the FPD in OA since the FPDs are possible to be different. We also add a new pref 'privacy.firstparty.isolate.block_post_message' for allowing blocking postMessage across different FPDs.

Differential Revision: https://phabricator.services.mozilla.com/D8521

--HG--
extra : moz-landing-system : lando
---
 caps/OriginAttributes.cpp | 3 +++
 caps/OriginAttributes.h | 16 ++++++++++++++++
 dom/base/nsGlobalWindowOuter.cpp | 16 ++++++++++++++++
 3 files changed, 35 insertions(+)

diff --git a/caps/OriginAttributes.cpp b/caps/OriginAttributes.cpp
index 7ec9bc66b925..8590b407d2f7 100644
--- a/caps/OriginAttributes.cpp
+++ b/caps/OriginAttributes.cpp
@@ -19,6 +19,7 @@ using dom::URLParams;
 bool OriginAttributes::sFirstPartyIsolation = false;
 bool OriginAttributes::sRestrictedOpenerAccess = false;
+bool OriginAttributes::sBlockPostMessageForFPI = false;
 void
 OriginAttributes::InitPrefs()
@@ -31,6 +32,8 @@ OriginAttributes::InitPrefs()
 "privacy.firstparty.isolate");
 Preferences::AddBoolVarCache(&sRestrictedOpenerAccess,
 "privacy.firstparty.isolate.restrict_opener_access");
+ Preferences::AddBoolVarCache(&sBlockPostMessageForFPI,
+ "privacy.firstparty.isolate.block_post_message");
 }
 }
diff --git a/caps/OriginAttributes.h b/caps/OriginAttributes.h
index b0ca8bf2fa19..be257cf919e9 100644
--- a/caps/OriginAttributes.h
+++ b/caps/OriginAttributes.h
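Review bot: The new pref `privacy.firstparty.isolate.block_post_message` is only wired into the var cache in the second hunk; the diffstat shows no default-prefs registration for it, so unless a later part of the series declares it, the pref is absent from about:config and the cache silently takes AddBoolVarCache's implicit default (false). Consider declaring it alongside the sibling `privacy.firstparty.isolate.restrict_opener_access` pref with an explicit `false` default so the off-by-default behavior is visible and discoverable rather than implied. A one-line comment on the new static in the first hunk, `// Gated on sFirstPartyIsolation; see IsBlockPostMessageForFPI().`, would also tell readers of the .cpp that the flag alone does not enable blocking. InitPrefs()'s body begins outside the second hunk.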
@@ -61,6 +61,14 @@ public:
 return !(*this == aOther);
 }
+ MOZ_MUST_USE bool EqualsIgnoringFPD(const OriginAttributes& aOther) const
+ {
+ return mAppId == aOther.mAppId &&
+ mInIsolatedMozBrowser == aOther.mInIsolatedMozBrowser &&
+ mUserContextId == aOther.mUserContextId &&
+ mPrivateBrowsingId == aOther.mPrivateBrowsingId;
+ }
+
 // Serializes/Deserializes non-default values into the suffix format, i.e.
 // |!key1=value1&key2=value2|. If there are no non-default attributes, this
 // returns an empty string.
@@ -96,6 +104,13 @@ public:
 return !sFirstPartyIsolation || sRestrictedOpenerAccess;
 }
+ // Check whether we block the postMessage across different FPDs when the
+ // targetOrigin is '*'.
+ static inline MOZ_MUST_USE bool IsBlockPostMessageForFPI()
+ {
+ return sFirstPartyIsolation && sBlockPostMessageForFPI;
+ }
+
 // returns true if the originAttributes suffix has mPrivateBrowsingId value
 // different than 0.
 static bool IsPrivateBrowsing(const nsACString& aOrigin);
@@ -105,6 +120,7 @@ public:
 private:
 static bool sFirstPartyIsolation;
 static bool sRestrictedOpenerAccess;
+ static bool sBlockPostMessageForFPI;
 };
 class OriginAttributesPattern : public dom::OriginAttributesPatternDictionary
diff --git a/dom/base/nsGlobalWindowOuter.cpp b/dom/base/nsGlobalWindowOuter.cpp
index 1f11a7930153..4ec1349b1d8b 100644
--- a/dom/base/nsGlobalWindowOuter.cpp
+++ b/dom/base/nsGlobalWindowOuter.cpp
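Review bot: EqualsIgnoringFPD in the first hunk hard-codes the four attributes it compares, whereas the `operator!=` just above it defers to `operator==`; when a new attribute is added to OriginAttributes the full comparison picks it up automatically but this method keeps ignoring it, which quietly weakens the postMessage check it was introduced for. At minimum add a comment above the method, `// Must compare every attribute that operator== compares, except mFirstPartyDomain; keep in sync when adding attributes.`, and document what callers rely on (that two principals differing only in first-party domain compare equal). A single-source-of-truth alternative is to copy both values, clear mFirstPartyDomain on each and return their `==`, at the cost of two string copies per call. The method is complete within the hunk; the enclosing class is not.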
@@ -5784,6 +5784,22 @@ nsGlobalWindowOuter::PostMessageMozOuter(JSContext* aCx, JS::Handle a
 if (NS_WARN_IF(!providedPrincipal)) {
 return;
 }
+ } else {
+ // We still need to check the originAttributes if the target origin is '*'.
+ // But we will ingore the FPD here since the FPDs are possible to be different.
+ auto principal = BasePrincipal::Cast(GetPrincipal());
+ NS_ENSURE_TRUE_VOID(principal);
+
+ OriginAttributes targetAttrs = principal->OriginAttributesRef();
+ OriginAttributes sourceAttrs = aSubjectPrincipal.OriginAttributesRef();
+ MOZ_DIAGNOSTIC_ASSERT(sourceAttrs.EqualsIgnoringFPD(targetAttrs));
+
+ // If 'privacy.firstparty.isolate.block_post_message' is true, we will block
+ // postMessage across different first party domains.
+ if (OriginAttributes::IsBlockPostMessageForFPI() &&
+ sourceAttrs.mFirstPartyDomain != targetAttrs.mFirstPartyDomain) {
+ return;
+ }
 }
 // Create and asynchronously dispatch a runnable which will handle actual DOM
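Review bot: The origin-attribute comparison on the `'*'` path is enforced only by `MOZ_DIAGNOSTIC_ASSERT`, which is compiled out in non-diagnostic release builds, so a source/target mismatch in user context or private-browsing id that ever becomes reachable there is still delivered, while the FPD case a few lines below is a real runtime block; if the invariant holds by construction, state that in the comment, otherwise add `if (!sourceAttrs.EqualsIgnoringFPD(targetAttrs)) { return; }` after the assert as defence in depth. `OriginAttributesRef()` appears to return a reference, so `const OriginAttributes& targetAttrs = principal->OriginAttributesRef();` (and likewise for sourceAttrs) avoids copying two attribute sets on every postMessage. The blocked case returns silently, consistent with the existing mismatched-origin path, but a web-console warning naming the pref would make the drop diagnosable for page authors. The comment has a typo, `ingore` → `ignore`. PostMessageMozOuter's body begins and ends outside the hunk.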