Bug 1793534 - part 1: Make `IMEStateManager` stop exposing some private things in URL to native IME r=smaug

Non-malicious IME (and text services) must not require private things in URL, such as username and password, query data and reference in the document. Therefore, we should omit them from URI exposed from our native IME handlers in any platforms. Differential Revision: https://phabricator.services.mozilla.com/D158734
2022-10-06 10:04:44 +00:00 · 2022-10-06 10:04:44 +00:00 · 31375f07bd
--- a/dom/events/IMEStateManager.cpp
+++ b/dom/events/IMEStateManager.cpp
@ -42,6 +42,7 @@
 #include "nsINode.h"
 #include "nsISupports.h"
 #include "nsIURI.h"
+#include "nsIURIMutator.h"
 #include "nsPresContext.h"

 namespace mozilla {
@ -1539,7 +1540,17 @@ void IMEStateManager::SetIMEState(const IMEState& aState,
      //       malicious text services may like files which are explicitly used
      //       by the user better.
      if (uri->SchemeIs("http") || uri->SchemeIs("https")) {
-        context.mURI = uri;
+        // Note that we don't need to expose UserPass, Query and Reference to
+        // IME since they may contain sensitive data, but non-malicious text
+        // services must not require these data.
+        nsCOMPtr<nsIURI> exposableURL;
+        if (NS_SUCCEEDED(NS_MutateURI(uri)
+                             .SetQuery(""_ns)
+                             .SetRef(""_ns)
+                             .SetUserPass(""_ns)
+                             .Finalize(exposableURL))) {
+          context.mURI = std::move(exposableURL);
+        }
      }
    }
  }
--- a/widget/tests/browser/browser_test_InputContextURI.js
+++ b/widget/tests/browser/browser_test_InputContextURI.js
@ -116,3 +116,44 @@ add_task(async function test_input_in_data() {
    );
  });
 });
+
+add_task(async function test_omit_private_things_in_URL() {
+  await SpecialPowers.pushPrefEnv({
+    set: [["network.auth.confirmAuth.enabled", false]],
+  });
+  await promiseURLBarFocus();
+
+  await BrowserTestUtils.withNewTab(
+    "https://username:password@example.com/browser/toolkit/content/tests/browser/file_empty.html?query=some#ref",
+    async browser => {
+      ok(browser.isRemoteBrowser, "This test passes only in e10s mode");
+
+      await SpecialPowers.spawn(browser, [], async () => {
+        content.document.body.innerHTML = "<input>";
+        const input = content.document.querySelector("input");
+        input.focus();
+
+        // Wait for a tick for flushing IMEContentObserver's pending notifications.
+        await new Promise(resolve =>
+          content.requestAnimationFrame(() =>
+            content.requestAnimationFrame(resolve)
+          )
+        );
+      });
+
+      await promiseIMEStateEnabledByRemote();
+      if (!gDOMWindowUtils.inputContextURI) {
+        ok(
+          false,
+          `Input context should have valid URI even when the URL contains some private things`
+        );
+        return;
+      }
+      is(
+        gDOMWindowUtils.inputContextURI.spec,
+        "https://example.com/browser/toolkit/content/tests/browser/file_empty.html",
+        `Input context should have the document URI which omit some private things in the URL`
+      );
+    }
+  );
+});