Bug 801576 - Forbid cross-origin access to the History object. r=mrbkap, a=lsblakk

2012-10-24 12:04:18 +02:00 · 2012-10-24 12:04:18 +02:00 · 4e39894ecb
--- a/content/html/content/test/file_iframe_sandbox_d_if13.html
+++ b/content/html/content/test/file_iframe_sandbox_d_if13.html
@ -25,7 +25,8 @@ function ok_wrapper(result, msg) {
 function doIf11TestPart2() {
  var if_11 = document.getElementById('if_11');
  if_11.sandbox = 'allow-scripts allow-same-origin';
-  if_11.contentWindow.history.back();
+  // window.history is no longer cross-origin accessible in gecko.
+  SpecialPowers.wrap(if_11).contentWindow.history.back();
 } 
 </script>
 <body>
--- a/dom/tests/mochitest/whatwg/test_bug500328.html
+++ b/dom/tests/mochitest/whatwg/test_bug500328.html
@ -400,14 +400,9 @@ function runTest() {
   * TEST 2 tests that pushstate's same-origin checks are correct.
   */
  var filename = 'file_bug500328_2.html';
-  // Get the directory we're currently in
  var dirname = document.location.pathname.replace(/[^\/]*$/, '');
  statusMsg("Dirname is: " + dirname);
-  var loc = 'http://example.com' + dirname + filename;
-  statusMsg("About to transfer iframe to " + loc);
-  iframeCw.location = loc;
-  // We have to register a listener like this because this file is hosted on a
-  // different domain and can't notify us on load.
+  iframeCw.location = filename;
  iframe.onload = onChildLoad;
  enableChildLoadCallback();
  yield;
@ -434,13 +429,13 @@ function runTest() {
  }

  // We're currently at http://example.com/[dirname]/[filename]
-  tryBadPushAndReplaceState("https://example.com");
-  tryBadPushAndReplaceState("http://foo.example.com");
-  tryBadPushAndReplaceState("http://example.com:1234");
-  tryBadPushAndReplaceState("http://example.com.a");
-  tryBadPushAndReplaceState("http://example.con");
-  tryBadPushAndReplaceState("http://eexample.com");
-  tryBadPushAndReplaceState("http://me@example.com");
+  tryBadPushAndReplaceState("https://mochi.test:8888");
+  tryBadPushAndReplaceState("http://foo.mochitest:8888");
+  tryBadPushAndReplaceState("http://mochi.test:1234");
+  tryBadPushAndReplaceState("http://mochi.test.a:8888");
+  tryBadPushAndReplaceState("http://mochi.tes:8888");
+  tryBadPushAndReplaceState("http://mmochi.test:8888");
+  tryBadPushAndReplaceState("http://me@mochi.test:8888");

  /**
   * TEST 3 tests that the session history entries' titles are properly sync'ed
--- a/js/xpconnect/tests/mochitest/Makefile.in
+++ b/js/xpconnect/tests/mochitest/Makefile.in
@ -19,6 +19,7 @@ MOCHITEST_FILES =	bug500931_helper.html \
 		chrome_wrappers_helper.html \
 		file_doublewrappedcompartments.html \
 		file_evalInSandbox.html \
+		test_sameOriginPolicy.html \
 		file_wrappers-2.html \
 		test_bug92773.html \
 		test_bug384632.html \
--- a/js/xpconnect/tests/mochitest/test_sameOriginPolicy.html
+++ b/js/xpconnect/tests/mochitest/test_sameOriginPolicy.html
@ -0,0 +1,97 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=801576
+-->
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 801576</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=801576">Mozilla Bug 801576</a>
+<p id="display"></p>
+<div id="content" style="display: none">
+</div>
+<iframe id="ifr" onload="go();" src="file_empty.html"></iframe>
+<pre id="test">
+<script type="application/javascript">
+
+/** Test for the same-origin policy. **/
+SimpleTest.waitForExplicitFinish();
+
+function check(obj, prop, allowed, write) {
+  var accessed = false;
+  try {
+    if (write) {
+      try {
+        obj[prop] = 2;
+        accessed = true;
+      } catch (e) {}
+      Object.defineProperty(obj, 'prop', {getter: function() {}, setter: null});
+    }
+    else
+      obj[prop];
+    accessed = true;
+  } catch (e) {}
+  is(accessed, allowed, prop + " is correctly (in)accessible for " + (write ? 'write' : 'read'));
+}
+
+var crossOriginReadableWindowProps = ['blur', 'close', 'closed', 'focus',
+                                      'frames', 'location', 'length',
+                                      'opener', 'parent', 'postMessage',
+                                      'self', 'top', 'window'];
+
+function isCrossOriginReadable(obj, prop) {
+  if (obj == "Window")
+    return crossOriginReadableWindowProps.indexOf(prop) != -1;
+  if (obj == "Location")
+    return prop == 'replace';
+  return false;
+}
+
+function isCrossOriginWritable(obj, prop) {
+  if (obj == "Window")
+    return prop == 'location';
+  if (obj == "Location")
+    return prop == 'hash' || prop == 'href';
+}
+
+// NB: we don't want to succeed with writes, so we only check them when it should be denied.
+function testAll(sameOrigin) {
+  var win = document.getElementById('ifr').contentWindow;
+  for (var prop in window) {
+    // On android, this appears to be on the window but not on the iframe. It's
+    // not really relevant to this test, so just skip it.
+    if (prop === 'crypto')
+      continue;
+    check(win, prop, sameOrigin || isCrossOriginReadable('Window', prop), /* write = */ false);
+    if (!sameOrigin && !isCrossOriginWritable('Window', prop))
+      check(win, prop, false, /* write = */ true);
+  }
+  for (var prop in window.location) {
+    check(win.location, prop, sameOrigin || isCrossOriginReadable('Location', prop));
+    if (!sameOrigin && !isCrossOriginWritable('Location', prop))
+      check(win, prop, false, /* write = */ true);
+  }
+}
+
+var loadCount = 0;
+function go() {
+  ++loadCount;
+  if (loadCount == 1) {
+    testAll(true);
+    document.getElementById('ifr').contentWindow.location = 'http://example.org/tests/js/xpconnect/tests/mochitest/file_empty.html';
+  }
+  else {
+    is(loadCount, 2);
+    testAll(false);
+    SimpleTest.finish();
+  }
+}
+
+</script>
+</pre>
+</body>
+</html>
--- a/js/xpconnect/wrappers/AccessCheck.cpp
+++ b/js/xpconnect/wrappers/AccessCheck.cpp
@ -166,10 +166,6 @@ IsPermitted(const char *name, JSFlatString *prop, bool set)
    if (!propLength)
        return false;
    switch (name[0]) {
-        NAME('H', "History",
-             PROP('b', R("back"))
-             PROP('f', R("forward"))
-             PROP('g', R("go")))
        NAME('L', "Location",
             PROP('h', W("hash") W("href"))
             PROP('r', R("replace")))
@ -177,7 +173,6 @@ IsPermitted(const char *name, JSFlatString *prop, bool set)
             PROP('b', R("blur"))
             PROP('c', R("close") R("closed"))
             PROP('f', R("focus") R("frames"))
-             PROP('h', R("history"))
             PROP('l', RW("location") R("length"))
             PROP('o', R("opener"))
             PROP('p', R("parent") R("postMessage"))