Bug 1562292: Part 1d - Move OnePermittedSandboxedNavigator to BrowsingContext. r=nika

We need to be able to check the one-permitted-sandboxed-navigator from
potentially-cross-process access checks in DocShell, which means it needs to
live on BrowsingContext rather than DocShell.

Differential Revision: https://phabricator.services.mozilla.com/D40495

--HG--
extra : rebase_source : 6f635ae549c89fee9773a9661289bad7a84aeb38
extra : histedit_source : 5a8a33c6463ae6231dfcfc7ca646ea47eada84bb
Kris Maglione 2019-08-01 16:22:52 -07:00
Родитель de1486255d
Коммит a33e880ee6
6 изменённых файлов: 25 добавлений и 43 удалений


@ -209,6 +209,23 @@ class BrowsingContext : public nsWrapperCache, public BrowsingContextBase {
bool HasOpener() const; bool HasOpener() const;
/**
* When a new browsing context is opened by a sandboxed document, it needs to
* keep track of the browsing context that opened it, so that it can be
* navigated by it. This is the "one permitted sandboxed navigator".
*/
already_AddRefed<BrowsingContext> GetOnePermittedSandboxedNavigator() const {
return Get(mOnePermittedSandboxedNavigatorId);
}
void SetOnePermittedSandboxedNavigator(BrowsingContext* aNavigator) {
if (mOnePermittedSandboxedNavigatorId) {
MOZ_ASSERT(false,
"One Permitted Sandboxed Navigator should only be set once.");
} else {
SetOnePermittedSandboxedNavigatorId(aNavigator ? aNavigator->Id() : 0);
}
}
void GetChildren(Children& aChildren); void GetChildren(Children& aChildren);
BrowsingContextGroup* Group() { return mGroup; } BrowsingContextGroup* Group() { return mGroup; }
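Review bot: The set-once guard in `SetOnePermittedSandboxedNavigator` exists only in this wrapper and only as `MOZ_ASSERT(false, …)`, so a release build silently ignores a second call, and the underlying `SetOnePermittedSandboxedNavigatorId` that the wrapper calls has no such guard visible here. Since `IsSandboxedFrom` treats this value as permission to navigate a window opened from a sandboxed document, the doc comment should state the invariant, e.g. `Must be set at most once, by the code that opens the window; an ID of 0 means no permitted navigator.` A null `aNavigator` stores 0 and leaves the field settable by a later call; if that is intended, say so in the comment, otherwise assert on it.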


@ -19,6 +19,8 @@ MOZ_BC_FIELD(OpenerPolicy, nsILoadInfo::CrossOriginOpenerPolicy)
// stored as the opener ID. // stored as the opener ID.
MOZ_BC_FIELD(OpenerId, uint64_t) MOZ_BC_FIELD(OpenerId, uint64_t)
MOZ_BC_FIELD(OnePermittedSandboxedNavigatorId, uint64_t)
// Toplevel browsing contexts only. This field controls whether the browsing // Toplevel browsing contexts only. This field controls whether the browsing
// context is currently considered to be activated by a gesture. // context is currently considered to be activated by a gesture.
MOZ_BC_FIELD(IsActivatedByUserGesture, bool) MOZ_BC_FIELD(IsActivatedByUserGesture, bool)
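Review bot: `OnePermittedSandboxedNavigatorId` is added without a comment, unlike the neighbouring fields, although the sandbox navigation check now depends on it. Add something like `// ID of the browsing context that opened this one from a sandboxed document and may navigate it; 0 if none.` If fields declared with `MOZ_BC_FIELD` can be written from any process that holds the context (not visible in this hunk), the field also needs a note or a check on which process may set it, because the access check trusts whatever ID is stored here.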


@ -3054,10 +3054,10 @@ bool nsDocShell::IsSandboxedFrom(nsIDocShell* aTargetDocShell) {
// aTargetDocShell is top level, are we the "one permitted sandboxed // aTargetDocShell is top level, are we the "one permitted sandboxed
// navigator", i.e. did we open aTargetDocShell? // navigator", i.e. did we open aTargetDocShell?
nsCOMPtr<nsIDocShell> permittedNavigator; RefPtr<BrowsingContext> permittedNavigator(
aTargetDocShell->GetOnePermittedSandboxedNavigator( aTargetDocShell->GetBrowsingContext()
getter_AddRefs(permittedNavigator)); ->GetOnePermittedSandboxedNavigator());
if (permittedNavigator == this) { if (permittedNavigator == mBrowsingContext) {
return false; return false;
} }
@ -4967,8 +4967,6 @@ nsDocShell::Destroy() {
mChromeEventHandler = nullptr; mChromeEventHandler = nullptr;
mOnePermittedSandboxedNavigator = nullptr;
// required to break ref cycle // required to break ref cycle
mSecurityUI = nullptr; mSecurityUI = nullptr;
@ -5367,34 +5365,6 @@ nsDocShell::GetSandboxFlags(uint32_t* aSandboxFlags) {
return NS_OK; return NS_OK;
} }
NS_IMETHODIMP
nsDocShell::SetOnePermittedSandboxedNavigator(
nsIDocShell* aSandboxedNavigator) {
if (mOnePermittedSandboxedNavigator) {
NS_ERROR("One Permitted Sandboxed Navigator should only be set once.");
return NS_OK;
}
MOZ_ASSERT(!mIsBeingDestroyed);
mOnePermittedSandboxedNavigator = do_GetWeakReference(aSandboxedNavigator);
NS_ASSERTION(
mOnePermittedSandboxedNavigator,
"One Permitted Sandboxed Navigator must support weak references.");
return NS_OK;
}
NS_IMETHODIMP
nsDocShell::GetOnePermittedSandboxedNavigator(
nsIDocShell** aSandboxedNavigator) {
NS_ENSURE_ARG_POINTER(aSandboxedNavigator);
nsCOMPtr<nsIDocShell> permittedNavigator =
do_QueryReferent(mOnePermittedSandboxedNavigator);
permittedNavigator.forget(aSandboxedNavigator);
return NS_OK;
}
NS_IMETHODIMP NS_IMETHODIMP
nsDocShell::SetDefaultLoadFlags(uint32_t aDefaultLoadFlags) { nsDocShell::SetDefaultLoadFlags(uint32_t aDefaultLoadFlags) {
mDefaultLoadFlags = aDefaultLoadFlags; mDefaultLoadFlags = aDefaultLoadFlags;


@ -1066,7 +1066,6 @@ class nsDocShell final : public nsDocLoader,
nsString mTitle; nsString mTitle;
nsString mCustomUserAgent; nsString mCustomUserAgent;
nsCString mOriginalUriString; nsCString mOriginalUriString;
nsWeakPtr mOnePermittedSandboxedNavigator;
nsWeakPtr mOpener; nsWeakPtr mOpener;
nsTObserverArray<nsWeakPtr> mPrivacyObservers; nsTObserverArray<nsWeakPtr> mPrivacyObservers;
nsTObserverArray<nsWeakPtr> mReflowObservers; nsTObserverArray<nsWeakPtr> mReflowObservers;


@ -784,13 +784,6 @@ interface nsIDocShell : nsIDocShellTreeItem
*/ */
attribute unsigned long sandboxFlags; attribute unsigned long sandboxFlags;
/**
* When a new browsing context is opened by a sandboxed document, it needs to
* keep track of the browsing context that opened it, so that it can be
* navigated by it. This is the "one permitted sandboxed navigator".
*/
attribute nsIDocShell onePermittedSandboxedNavigator;
/** /**
* Returns true if we are sandboxed from aTargetDocShell. * Returns true if we are sandboxed from aTargetDocShell.
* aTargetDocShell - the browsing context we are attempting to navigate. * aTargetDocShell - the browsing context we are attempting to navigate.


@ -922,7 +922,8 @@ nsresult nsWindowWatcher::OpenWindowInternal(
// If our parent is sandboxed, set it as the one permitted sandboxed navigator // If our parent is sandboxed, set it as the one permitted sandboxed navigator
// on the new window we're opening. // on the new window we're opening.
if (activeDocsSandboxFlags && parentWindow) { if (activeDocsSandboxFlags && parentWindow) {
newDocShell->SetOnePermittedSandboxedNavigator(parentWindow->GetDocShell()); newDocShell->GetBrowsingContext()->SetOnePermittedSandboxedNavigator(
parentWindow->GetBrowsingContext());
} }
// Copy sandbox flags to the new window if activeDocsSandboxFlags says to do // Copy sandbox flags to the new window if activeDocsSandboxFlags says to do