From 88746d57d7cd98497d3ed73f8c6b85edad59252b Mon Sep 17 00:00:00 2001 From: Gijs Kruitbosch Date: Thu, 24 Nov 2016 11:21:05 +0000 Subject: [PATCH] Bug 1320039, r=kmag,wladimir MozReview-Commit-ID: Fsj4bG5e2gT --HG-- extra : rebase_source : c0c3f41c945e041ebee0b1c0ca10066d43c356d5 --- browser/extensions/pocket/content/main.js | 49 +++++++++++------------ 1 file changed, 23 insertions(+), 26 deletions(-) diff --git a/browser/extensions/pocket/content/main.js b/browser/extensions/pocket/content/main.js index 53f23f822b02..ff3b5eccaff2 100644 --- a/browser/extensions/pocket/content/main.js +++ b/browser/extensions/pocket/content/main.js @@ -356,14 +356,19 @@ var pktUI = (function() { // send our own "show" event to the panel's script, so the // script can prepare the panel for display. var _showMessageId = "show"; - pktUIMessaging.addMessageListener(_showMessageId, function(panelId, data) { + pktUIMessaging.addMessageListener(iframe, _showMessageId, function(panelId, data) { // Let panel know that it is ready pktUIMessaging.sendMessageToPanel(panelId, _showMessageId); }); // Open a new tab with a given url and activate if var _openTabWithUrlMessageId = "openTabWithUrl"; - pktUIMessaging.addMessageListener(_openTabWithUrlMessageId, function(panelId, data) { + pktUIMessaging.addMessageListener(iframe, _openTabWithUrlMessageId, function(panelId, data, contentPrincipal) { + try { + urlSecurityCheck(data.url, contentPrincipal, Services.scriptSecurityManager.DISALLOW_INHERIT_PRINCIPAL); + } catch (ex) { + return; + } // Check if the tab should become active after opening var activate = true; 
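Review bot: The new `catch (ex) { return; }` in the openTabWithUrl listener drops the message with no explanation, and because `data.url` is evaluated inside the `try`, a missing or non-object `data` (a TypeError) is swallowed indistinguishably from a URL the security check actually rejected. I would read the value first and wrap only the check — `var url = data && data.url; if (typeof url !== "string") { return; }` — and put `// Only open URLs the about:pocket principal is allowed to link to; DISALLOW_INHERIT_PRINCIPAL, as its name suggests, also rejects URLs that would inherit the panel's principal.` above the `try`. The listener body and the enclosing pktUI IIFE continue past the end of the hunk, so the code that actually opens the tab is not visible here; it should consume the same validated url value rather than re-reading `data.url`.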
@@ -378,39 +383,39 @@ var pktUI = (function() { // Close the panel var _closeMessageId = "close"; - pktUIMessaging.addMessageListener(_closeMessageId, function(panelId, data) { + pktUIMessaging.addMessageListener(iframe, _closeMessageId, function(panelId, data) { getPanel().hidePopup(); }); // Send the current url to the panel var _getCurrentURLMessageId = "getCurrentURL"; - pktUIMessaging.addMessageListener(_getCurrentURLMessageId, function(panelId, data) { + pktUIMessaging.addMessageListener(iframe, _getCurrentURLMessageId, function(panelId, data) { pktUIMessaging.sendResponseMessageToPanel(panelId, _getCurrentURLMessageId, getCurrentUrl()); }); var _resizePanelMessageId = "resizePanel"; - pktUIMessaging.addMessageListener(_resizePanelMessageId, function(panelId, data) { + pktUIMessaging.addMessageListener(iframe, _resizePanelMessageId, function(panelId, data) { resizePanel(data); }); // Callback post initialization to tell background script that panel is "ready" for communication. - pktUIMessaging.addMessageListener("listenerReady", function(panelId, data) { + pktUIMessaging.addMessageListener(iframe, "listenerReady", function(panelId, data) { }); - pktUIMessaging.addMessageListener("collapseSavePanel", function(panelId, data) { + pktUIMessaging.addMessageListener(iframe, "collapseSavePanel", function(panelId, data) { if (!pktApi.isPremiumUser() && !isInOverflowMenu()) resizePanel({width:savePanelWidth, height:savePanelHeights.collapsed}); }); - pktUIMessaging.addMessageListener("expandSavePanel", function(panelId, data) { + pktUIMessaging.addMessageListener(iframe, "expandSavePanel", function(panelId, data) { if (!isInOverflowMenu()) resizePanel({width:savePanelWidth, height:savePanelHeights.expanded}); }); // Ask for recently accessed/used tags for auto complete var _getTagsMessageId = "getTags"; - pktUIMessaging.addMessageListener(_getTagsMessageId, function(panelId, data) { + pktUIMessaging.addMessageListener(iframe, _getTagsMessageId, function(panelId, 
data) { pktApi.getTags(function(tags, usedTags) { pktUIMessaging.sendResponseMessageToPanel(panelId, _getTagsMessageId, { tags: tags, @@ -421,7 +426,7 @@ var pktUI = (function() { // Ask for suggested tags based on passed url var _getSuggestedTagsMessageId = "getSuggestedTags"; - pktUIMessaging.addMessageListener(_getSuggestedTagsMessageId, function(panelId, data) { + pktUIMessaging.addMessageListener(iframe, _getSuggestedTagsMessageId, function(panelId, data) { pktApi.getSuggestedTagsForURL(data.url, { success: function(data, response) { var suggestedTags = data.suggested_tags; @@ -441,7 +446,7 @@ var pktUI = (function() { // Pass url and array list of tags, add to existing save item accordingly var _addTagsMessageId = "addTags"; - pktUIMessaging.addMessageListener(_addTagsMessageId, function(panelId, data) { + pktUIMessaging.addMessageListener(iframe, _addTagsMessageId, function(panelId, data) { pktApi.addTagsToURL(data.url, data.tags, { success: function(data, response) { var successResponse = {status: "success"}; @@ -455,7 +460,7 @@ var pktUI = (function() { // Based on clicking "remove page" CTA, and passed unique item id, remove the item var _deleteItemMessageId = "deleteItem"; - pktUIMessaging.addMessageListener(_deleteItemMessageId, function(panelId, data) { + pktUIMessaging.addMessageListener(iframe, _deleteItemMessageId, function(panelId, data) { pktApi.deleteItem(data.itemId, { success: function(data, response) { var successResponse = {status: "success"}; @@ -468,7 +473,7 @@ var pktUI = (function() { }); var _initL10NMessageId = "initL10N"; - pktUIMessaging.addMessageListener(_initL10NMessageId, function(panelId, data) { + pktUIMessaging.addMessageListener(iframe, _initL10NMessageId, function(panelId, data) { var strings = {}; var bundle = Services.strings.createBundle("chrome://pocket/locale/pocket.properties"); var e = bundle.getSimpleEnumeration(); 
@@ -609,10 +614,11 @@ var pktUIMessaging = (function() { /** * Register a listener and callback for a specific messageId */ - function addMessageListener(messageId, callback) { - document.addEventListener(prefixedMessageId(messageId), function(e) { + function addMessageListener(iframe, messageId, callback) { + iframe.addEventListener(prefixedMessageId(messageId), function(e) { + var nodePrincipal = e.target.nodePrincipal; // ignore to ensure we do not pick up other events in the browser - if (e.target.tagName !== 'PKTMESSAGEFROMPANELELEMENT') { + if (!nodePrincipal || !nodePrincipal.URI || !nodePrincipal.URI.spec.startsWith("about:pocket")) { return; } @@ -620,7 +626,7 @@ var pktUIMessaging = (function() { var payload = JSON.parse(e.target.getAttribute("payload"))[0]; var panelId = payload.panelId; var data = payload.data; - callback(panelId, data); + callback(panelId, data, nodePrincipal); // Cleanup the element e.target.parentNode.removeChild(e.target); @@ -628,14 +634,6 @@ var pktUIMessaging = (function() { }, false, true); } - /** - * Remove a message listener - */ - function removeMessageListener(messageId, callback) { - document.removeEventListener(prefixedMessageId(messageId), callback); - } - - /** * Send a message to the panel's iframe */ @@ -733,7 +731,6 @@ var pktUIMessaging = (function() { */ return { addMessageListener: addMessageListener, - removeMessageListener: removeMessageListener, sendMessageToPanel: sendMessageToPanel, sendResponseMessageToPanel: sendResponseMessageToPanel, sendErrorMessageToPanel: sendErrorMessageToPanel,
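Review bot: The principal check that replaces the tagName test in addMessageListener is now the trust boundary for every panel message, yet the comment above it still says `// ignore to ensure we do not pick up other events in the browser`, which no longer states what is enforced or why. I would replace it with `// Security boundary: the listener below is registered with wantsUntrusted=true, so web content can dispatch these events; only honour them when the dispatching node's principal is an about:pocket page and drop everything else, including whatever the iframe may have been navigated to.` — the `}, false, true)` call in the following hunk is what makes that necessary. `startsWith("about:pocket")` also accepts any about:pocket* URI; if that is meant to cover a family of panel pages, a one-line note saying so will keep a later reader from tightening it to an exact match without checking. Since the early return runs before the `removeChild` cleanup in the next hunk, rejected message elements presumably stay in the document — harmless as far as I can see, but worth a word if intentional.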