Bug 725490 - Change XFO sameorigin to check all ancestors for same origin. r=smaug

MozReview-Commit-ID: 5fPxGpcdVms

--HG--
extra : rebase_source : 48fb23e477a49c71e4f09735efd05dd02c46be8d
Jonathan Kingston 2017-11-03 15:37:10 +00:00
Родитель 51cd1093c5
Коммит 392a4bf408
2 изменённых файлов: 16 добавлений и 14 удалений


@ -78,6 +78,11 @@ FramingChecker::CheckOneFrameOptionsPolicy(nsIHttpChannel* aHttpChannel,
MOZ_CRASH();
}
// If the X-Frame-Options value is SAMEORIGIN, then the top frame in the
// parent chain must be from the same origin as this document.
bool checkSameOrigin = aPolicy.LowerCaseEqualsLiteral("sameorigin");
nsCOMPtr<nsIURI> topUri;
// Traverse up the parent chain and stop when we see a docshell whose
// parent has a system principal, or a docshell corresponding to
// <iframe mozbrowser>.
@ -98,6 +103,17 @@ FramingChecker::CheckOneFrameOptionsPolicy(nsIHttpChannel* aHttpChannel,
// Found a system-principled doc: last docshell was top.
break;
}
if (checkSameOrigin) {
topDoc->NodePrincipal()->GetURI(getter_AddRefs(topUri));
rv = ssm->CheckSameOriginURI(uri, topUri, true);
// one of the ancestors is not same origin as this document
if (NS_FAILED(rv)) {
ReportXFOViolation(curDocShellItem, uri, eSAMEORIGIN);
return false;
}
}
} else {
return false;
}
@ -119,19 +135,8 @@ FramingChecker::CheckOneFrameOptionsPolicy(nsIHttpChannel* aHttpChannel,
}
topDoc = curDocShellItem->GetDocument();
nsCOMPtr<nsIURI> topUri;
topDoc->NodePrincipal()->GetURI(getter_AddRefs(topUri));
// If the X-Frame-Options value is SAMEORIGIN, then the top frame in the
// parent chain must be from the same origin as this document.
if (aPolicy.LowerCaseEqualsLiteral("sameorigin")) {
rv = ssm->CheckSameOriginURI(uri, topUri, true);
if (NS_FAILED(rv)) {
ReportXFOViolation(curDocShellItem, uri, eSAMEORIGIN);
return false; /* wasn't same-origin */
}
}
// If the X-Frame-Options value is "allow-from [uri]", then the top
// frame in the parent chain must be from that origin
if (isAllowFrom) {
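Review bot: The per-ancestor check in the loop body ignores the result of `topDoc->NodePrincipal()->GetURI(getter_AddRefs(topUri))`, so an ancestor whose principal yields no URI (a null principal is the usual case) reaches `ssm->CheckSameOriginURI(uri, topUri, true)` with a null `topUri`, and whether that fails closed depends on CheckSameOriginURI's null handling, which is not visible in this hunk. Since XFO is a defence against framing, the failure should be explicit rather than inherited: `if (NS_FAILED(topDoc->NodePrincipal()->GetURI(getter_AddRefs(topUri))) || !topUri || NS_FAILED(ssm->CheckSameOriginURI(uri, topUri, true))) {` followed by the existing ReportXFOViolation/return false, leaving `rv` for the remaining callers. The comment carried into the first hunk, `// If the X-Frame-Options value is SAMEORIGIN, then the top frame in the parent chain must be from the same origin as this document.`, still describes the old top-only rule; it should read `// If the X-Frame-Options value is SAMEORIGIN, every ancestor in the parent chain (not just the top frame) must be same-origin with this document.` Note that CheckOneFrameOptionsPolicy begins before the first hunk and continues past the last, so the loop header and the remaining allow-from handling are not shown here.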


@ -3,6 +3,3 @@
[`XFO: SAMEORIGIN` blocks cross-origin framing.]
expected: FAIL
[`XFO: SAMEORIGIN` blocks same-origin nested in cross-origin framing.]
expected: FAIL