mozilla
/
gecko-dev
зеркало из https://github.com/mozilla/gecko-dev.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Bug 1069719 - Abort the execution of scripts when a prerendered page calls an IDL blacklisted function; r=bzbarsky

This commit is contained in:
Ehsan Akhgari 2015-01-08 18:06:33 -05:00
Родитель c8b93bb67a
Коммит 866d758e54
7 изменённых файлов: 235 добавлений и 9 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

46
dom/bindings/BindingUtils.cpp
Просмотреть файл

@ -20,6 +20,7 @@
#include "jsfriendapi.h"
#include "nsContentUtils.h"
#include "nsGlobalWindow.h"
#include "nsIDocShell.h"
#include "nsIDOMGlobalPropertyInitializer.h"
#include "nsIPermissionManager.h"
#include "nsIPrincipal.h"
@ -2381,12 +2382,47 @@ CheckPermissions(JSContext* aCx, JSObject* aObj, const char* const aPermissions[
return false;
}
bool
CheckSafetyInPrerendering(JSContext* aCx, JSObject* aObj)
void
HandlePrerenderingViolation(nsPIDOMWindow* aWindow)
{
//TODO: Check if page is being prerendered.
//Returning false for now.
return false;
// Suspend the window and its workers, and its children too.
aWindow->SuspendTimeouts();
// Suspend event handling on the document
nsCOMPtr<nsIDocument> doc = aWindow->GetExtantDoc();
if (doc) {
doc->SuppressEventHandling(nsIDocument::eEvents);
}
}
bool
EnforceNotInPrerendering(JSContext* aCx, JSObject* aObj)
{
JS::Rooted<JSObject*> thisObj(aCx, js::CheckedUnwrap(aObj));
if (!thisObj) {
// Without a this object, we cannot check the safety.
return true;
}
nsGlobalWindow* window = xpc::WindowGlobalOrNull(thisObj);
if (!window) {
// Without a window, we cannot check the safety.
return true;
}
nsIDocShell* docShell = window->GetDocShell();
if (!docShell) {
// Without a docshell, we cannot check the safety.
return true;
}
if (docShell->GetIsPrerendered()) {
HandlePrerenderingViolation(window);
// When the bindings layer sees a false return value, it returns false form
// the JSNative in order to trigger an uncatchable exception.
return false;
}
return true;
}
bool

15
dom/bindings/BindingUtils.h
Просмотреть файл

@ -3142,9 +3142,20 @@ AssertReturnTypeMatchesJitinfo(const JSJitInfo* aJitinfo,
bool
CheckPermissions(JSContext* aCx, JSObject* aObj, const char* const aPermissions[]);
//Returns true if page is being prerendered.
// This function is called by the bindings layer for methods/getters/setters
// that are not safe to be called in prerendering mode. It checks to make sure
// that the |this| object is not running in a global that is in prerendering
// mode. Otherwise, it aborts execution of timers and event handlers, and
// returns false which gets converted to an uncatchable exception by the
// bindings layer.
bool
CheckSafetyInPrerendering(JSContext* aCx, JSObject* aObj);
EnforceNotInPrerendering(JSContext* aCx, JSObject* aObj);
// Handles the violation of a blacklisted action in prerendering mode by
// aborting the scripts, and preventing timers and event handlers from running
// in the window in the future.
void
HandlePrerenderingViolation(nsPIDOMWindow* aWindow);
bool
CallerSubsumes(JSObject* aObject);

6
dom/bindings/Codegen.py
Просмотреть файл

@ -6506,8 +6506,10 @@ class CGPerSignatureCall(CGThing):
for i in descriptor.interface.getInheritedInterfaces())):
cgThings.append(CGGeneric(dedent(
"""
if (mozilla::dom::CheckSafetyInPrerendering(cx, obj)) {
//TODO: Handle call into unsafe API during Prerendering (Bug 730101)
if (!mozilla::dom::EnforceNotInPrerendering(cx, obj)) {
// Return false from the JSNative in order to trigger
// an uncatchable exception.
MOZ_ASSERT(!JS_IsExceptionPending(cx));
return false;
}
""")))

5
dom/bindings/test/chrome.ini
Просмотреть файл

@ -6,3 +6,8 @@
[test_dom_xrays.html]
[test_proxies_via_xray.html]
[test_document_location_via_xray_cached.html]
[test_blacklisted_prerendering_function.xul]
support-files =
file_focuser.html
file_fullScreenPropertyAccessor.html
skip-if = e10s # prerendering doesn't work in e10s yet

24
dom/bindings/test/file_focuser.html Normal file
Просмотреть файл

@ -0,0 +1,24 @@
<!DOCTYPE HTML>
<div id="stage"></div>
<script>
function stage(str) {
var s = document.getElementById("stage");
s.textContent = str;
}
stage("before");
setTimeout(function() {
stage("in timeout");
});
setInterval(function() {
stage("in interval");
});
addEventListener("keydown", function() {
stage("keydown");
}, false);
try {
focus();
stage("after");
} catch(e) {
stage("exception raised");
}
</script>

24
dom/bindings/test/file_fullScreenPropertyAccessor.html Normal file
Просмотреть файл

@ -0,0 +1,24 @@
<!DOCTYPE HTML>
<div id="stage"></div>
<script>
function stage(str) {
var s = document.getElementById("stage");
s.textContent = str;
}
stage("before");
setTimeout(function() {
stage("in timeout");
});
setInterval(function() {
stage("in interval");
});
addEventListener("keydown", function() {
stage("keydown");
}, false);
try {
window.fullScreen;
stage("after");
} catch(e) {
stage("exception raised");
}
</script>

124
dom/bindings/test/test_blacklisted_prerendering_function.xul Normal file
Просмотреть файл

@ -0,0 +1,124 @@
<?xml version="1.0"?>
<?xml-stylesheet href="chrome://global/skin" type="text/css"?>
<?xml-stylesheet href="chrome://mochikit/content/tests/SimpleTest/test.css" type="text/css"?>
<window xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
xmlns:html="http://www.w3.org/1999/xhtml"
onload="runTest();">
<script type="application/javascript" src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"></script>
<script type="application/javascript" src="chrome://mochikit/content/tests/SimpleTest/EventUtils.js"></script>
<script class="testbody" type="application/javascript">
<![CDATA[
SimpleTest.waitForExplicitFinish();
function Listener(aBrowser, aPrerendered, aCallback) {
this.init(aBrowser, aPrerendered, aCallback);
}
Listener.prototype = {
init: function(aBrowser, aPrerendered, aCallback) {
this.mBrowser = aBrowser;
this.mPrerendered = aPrerendered;
this.mCallback = aCallback;
},
QueryInterface: function(aIID) {
if (aIID.equals(Components.interfaces.nsIWebProgressListener) ||
aIID.equals(Components.interfaces.nsISupportsWeakReference) ||
aIID.equals(Components.interfaces.nsISupports))
return this;
throw Components.results.NS_NOINTERFACE;
},
onStateChange : function(aWebProgress, aRequest, aStateFlags, aStatus) {
if ((aStateFlags & Components.interfaces.nsIWebProgressListener.STATE_STOP) &&
(aStateFlags & Components.interfaces.nsIWebProgressListener.STATE_IS_DOCUMENT)) {
var doc = this.mBrowser.contentDocument;
var stage = doc.getElementById("stage");
if (this.mPrerendered) {
is(stage.textContent, "before", "The blacklisted call should properly be intercepted in prerendering mode");
} else {
// In normal mode, we may or may not have run the timeout and/or the interval.
switch (stage.textContent) {
case "after":
case "in timeout":
case "in interval":
ok(true, "The blacklisted call should work fine in normal mode");
break;
default:
ok(false, "The blacklisted call should work fine in normal mode");
break;
}
}
progress.removeProgressListener(progressListener);
// Set three timeouts to see if the interval triggered
var self = this;
function checkInterval() {
var expected = self.mPrerendered ? "before" : "in interval";
var desc = self.mPrerendered ? "No timer should be running" : "Timers should run as normal";
is(stage.textContent, expected, desc);
// Now, dispatch a key event to the window and see if the keydown handler runs
synthesizeKey("a", {}, self.mBrowser.contentWindow);
expected = self.mPrerendered ? "before" : "keydown";
desc = self.mPrerendered ? "No event handler should be running" : "Event handlers should run as normal";
is(stage.textContent, expected, desc);
self.mCallback();
}
setTimeout(function() {
setTimeout(function() {
setTimeout(function() {
checkInterval();
}, 0);
}, 0);
}, 0);
}
},
onProgressChange : function(aWebProgress, aRequest,
aCurSelfProgress, aMaxSelfProgress,
aCurTotalProgress, aMaxTotalProgress) {},
onLocationChange : function(aWebProgress, aRequest, aLocation, aFlags) {},
onStatusChange : function(aWebProgress, aRequest, aStatus, aMessage) {},
onSecurityChange : function(aWebProgress, aRequest, aState) {},
mBrowser: null,
mPrerendered: false,
mCallback: null
};
var progress, progressListener;
function runTest() {
testStep(false, "file_focuser.html", function() {
testStep(true, "file_focuser.html", function() {
testStep(false, "file_fullScreenPropertyAccessor.html", function() {
testStep(true, "file_fullScreenPropertyAccessor.html", function() {
SimpleTest.finish();
});
});
});
});
}
function testStep(aPrerendered, aFileName, aCallback) {
var browser = document.getElementById(aPrerendered ? "prerendered" : "normal");;
progressListener = new Listener(browser, aPrerendered, aCallback);
var docShell = browser.docShell;
progress = docShell.QueryInterface(Components.interfaces.nsIInterfaceRequestor)
.getInterface(Components.interfaces.nsIWebProgress);
progress.addProgressListener(progressListener,
Components.interfaces.nsIWebProgress.NOTIFY_ALL);
browser.loadURI("chrome://mochitests/content/chrome/dom/bindings/test/" + aFileName);
}
]]>
</script>
<body id="html_body" xmlns="http://www.w3.org/1999/xhtml">
<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1069719">Mozilla Bug 1069719</a>
<p id="display"></p>
<pre id="test">
</pre>
</body>
<browser prerendered="true" id="prerendered"/>
<browser id="normal"/>
</window>