Bug 1677899 - Trust the process where where focus() is called for focusability. r=nika

Differential Revision: https://phabricator.services.mozilla.com/D104393

browser/base/content/test/fullscreen/browser.ini

@@ -16,8 +16,6 @@ skip-if = (os == 'mac') || (os == 'linux') #Bug 1648649
 skip-if = debug && os == 'mac' # Bug 1568570
 [browser_fullscreen_window_focus.js]
 skip-if =
-  os == 'linux' && fission # Bug 1677899
   os == 'mac' # Bug 1568570
-  os == 'win' && fission # Bug 1677899
 [browser_fullscreen_api_fission.js]
 support-files = fullscreen.html FullscreenFrame.jsm

dom/base/nsGlobalWindowInner.cpp

@@ -3723,9 +3723,10 @@ void nsGlobalWindowInner::Prompt(const nsAString& aMessage,
 }
 
 void nsGlobalWindowInner::Focus(CallerType aCallerType, ErrorResult& aError) {
-  FORWARD_TO_OUTER_OR_THROW(
-      FocusOuter, (aCallerType, nsFocusManager::GenerateFocusActionId()),
-      aError, );
+  FORWARD_TO_OUTER_OR_THROW(FocusOuter,
+                            (aCallerType, /* aFromOtherProcess */ false,
+                             nsFocusManager::GenerateFocusActionId()),
+                            aError, );
 }
 
 nsresult nsGlobalWindowInner::Focus(CallerType aCallerType) {

dom/base/nsGlobalWindowOuter.cpp

@@ -5040,6 +5040,7 @@ void nsGlobalWindowOuter::PromptOuter(const nsAString& aMessage,
 }
 
 void nsGlobalWindowOuter::FocusOuter(CallerType aCallerType,
+                                     bool aFromOtherProcess,
                                      uint64_t aActionId) {
   nsFocusManager* fm = nsFocusManager::GetFocusManager();
   if (!fm) {
@@ -5047,6 +5048,16 @@ void nsGlobalWindowOuter::FocusOuter(CallerType aCallerType,
   }
 
   auto [canFocus, isActive] = GetBrowsingContext()->CanFocusCheck(aCallerType);
+  if (aFromOtherProcess) {
+    // We trust that the check passed in a process that's, in principle,
+    // untrusted, because we don't have the required caller context available
+    // here. Also, the worst that the other process can do in this case is to
+    // raise a window it's not supposed to be allowed to raise.
+    // https://bugzilla.mozilla.org/show_bug.cgi?id=1677899
+    MOZ_ASSERT(XRE_IsContentProcess(),
+               "Parent should not trust other processes.");
+    canFocus = true;
+  }
 
   nsCOMPtr<nsIBaseWindow> treeOwnerAsWin = GetTreeOwnerWindow();
   if (treeOwnerAsWin && (canFocus || isActive)) {

dom/base/nsGlobalWindowOuter.h

@@ -532,7 +532,8 @@ class nsGlobalWindowOuter final : public mozilla::dom::EventTarget,
   bool GetClosedOuter();
   bool Closed() override;
   void StopOuter(mozilla::ErrorResult& aError);
-  void FocusOuter(mozilla::dom::CallerType aCallerType, uint64_t aActionId);
+  void FocusOuter(mozilla::dom::CallerType aCallerType, bool aFromOtherProcess,
+                  uint64_t aActionId);
   nsresult Focus(mozilla::dom::CallerType aCallerType) override;
   void BlurOuter();
   mozilla::dom::WindowProxyHolder GetFramesOuter();

dom/ipc/ContentChild.cpp

@@ -3728,7 +3728,8 @@ mozilla::ipc::IPCResult ContentChild::RecvWindowFocus(
         ("ChildIPC: Trying to send a message to a context without a window"));
     return IPC_OK();
   }
-  nsGlobalWindowOuter::Cast(window)->FocusOuter(aCallerType, aActionId);
+  nsGlobalWindowOuter::Cast(window)->FocusOuter(
+      aCallerType, /* aFromOtherProcess */ true, aActionId);
   return IPC_OK();
 }