Bug 1226977, non-string types are only needed for chrome contexts, r=smaug

dom/events/DataTransfer.cpp

@@ -710,12 +710,20 @@ DataTransfer::SetDataAtInternal(const nsAString& aFormat, nsIVariant* aData,
     return NS_ERROR_DOM_INDEX_SIZE_ERR;
   }
 
-  // don't allow non-chrome to add file data
-  // XXX perhaps this should also limit any non-string type as well
-  if ((aFormat.EqualsLiteral("application/x-moz-file-promise") ||
-       aFormat.EqualsLiteral("application/x-moz-file")) &&
-       !nsContentUtils::IsSystemPrincipal(aSubjectPrincipal)) {
-    return NS_ERROR_DOM_SECURITY_ERR;
+  // Don't allow non-chrome to add non-string or file data. We'll block file
+  // promises as well which are used internally for drags to the desktop.
+  if (!nsContentUtils::IsSystemPrincipal(aSubjectPrincipal)) {
+    if (aFormat.EqualsLiteral("application/x-moz-file-promise") ||
+        aFormat.EqualsLiteral("application/x-moz-file")) {
+      return NS_ERROR_DOM_SECURITY_ERR;
+    }
+
+    uint16_t type;
+    aData->GetDataType(&type);
+    if (type == nsIDataType::VTYPE_INTERFACE ||
+        type == nsIDataType::VTYPE_INTERFACE_IS) {
+      return NS_ERROR_DOM_SECURITY_ERR;
+    }
   }
 
   return SetDataWithPrincipal(aFormat, aData, aIndex, aSubjectPrincipal);

dom/events/test/test_dragstart.html

@@ -313,9 +313,9 @@ function test_DataTransfer(dt)
   checkOneDataItem(dt, ["text/plain", "text/html"],
                    ["Changed Second Item", "<em>Second Item</em>"], 1, "changed with setData item at index 1");
 
-  dt.mozSetDataAt("application/-moz-node", draggable, 2);
+  dt.mozSetDataAt("application/-moz-node", "draggable", 2);
   is(dt.mozItemCount, 3, "setDataAt node itemCount");
-  checkOneDataItem(dt, ["application/-moz-node"], [draggable], 2, "setDataAt node item at index 2");
+  checkOneDataItem(dt, ["application/-moz-node"], ["draggable"], 2, "setDataAt node item at index 2");
 
   dt.mozClearDataAt("text/html", 1);
   is(dt.mozItemCount, 3, "clearDataAt itemCount");
@@ -327,7 +327,7 @@ function test_DataTransfer(dt)
   is(dt.mozItemCount, 2, "clearDataAt last type itemCount");
   checkOneDataItem(dt, ["text/plain", "text/html"],
                    ["First Item", "Changed with setData"], 0, "clearDataAt last type at index 0");
-  checkOneDataItem(dt, ["application/-moz-node"], [draggable], 1, "clearDataAt last type item at index 2");
+  checkOneDataItem(dt, ["application/-moz-node"], ["draggable"], 1, "clearDataAt last type item at index 2");
   expectError(() => dt.mozGetDataAt("text/plain", 2),
               "IndexSizeError", "getDataAt after item removed index too high");
 
@@ -335,7 +335,7 @@ function test_DataTransfer(dt)
   dt.mozSetDataAt("text/unknown", "Unknown type", 1);
   is(dt.mozItemCount, 3, "add unknown type");
   checkOneDataItem(dt, ["application/-moz-node", "text/unknown"],
-                   [draggable, "Unknown type"], 1, "add unknown type item at index 1");
+                   ["draggable", "Unknown type"], 1, "add unknown type item at index 1");
   checkOneDataItem(dt, ["text/unknown"], ["Unknown type"], 2, "add unknown type item at index 2");
 
   dt.mozClearDataAt("", 1);

dom/tests/mochitest/general/mochitest.ini

@@ -64,6 +64,7 @@ skip-if = (buildapp == 'b2g' && toolkit != 'gonk') #Bug 931116, b2g desktop spec
 [test_bug653364.html]
 [test_bug861217.html]
 [test_clientRects.html]
+[test_clipboard_disallowed.html]
 [test_clipboard_events.html]
 skip-if = buildapp == 'b2g' # b2g(clipboard undefined) b2g-debug(clipboard undefined) b2g-desktop(clipboard undefined)
 [test_consoleAPI.html]

dom/tests/mochitest/general/test_clipboard_disallowed.html

@@ -0,0 +1,61 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Test for Clipboard Events</title>
+  <script type="text/javascript" src="/MochiKit/MochiKit.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="application/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<p id="display"></p>
+<input id="input" value="INPUT TEXT" oncopy="checkAllowed(event)">
+
+<script>
+function doTest()
+{
+  document.getElementById("input").focus();
+  synthesizeKey("c", {accelKey: 1});
+}
+
+function checkAllowed(event)
+{
+  let clipboardData = event.clipboardData;
+
+  let exception;
+  try {
+    clipboardData.mozSetDataAt("text/customdata", document.getElementById("input"), 0);
+  } catch(ex) {
+    exception = ex;
+  }
+  is(String(exception).indexOf("SecurityError"), 0, "Cannot set non-string");
+
+  exception = null;
+  try {
+    clipboardData.mozSetDataAt("application/x-moz-file", "Test", 0);
+  } catch(ex) {
+    exception = ex;
+  }
+  is(String(exception).indexOf("SecurityError"), 0, "Cannot set file");
+
+  exception = null;
+  try {
+    clipboardData.mozSetDataAt("application/x-moz-file-promise", "Test", 0);
+  } catch(ex) {
+    exception = ex;
+  }
+  is(String(exception).indexOf("SecurityError"), 0, "Cannot set file promise");
+
+  exception = null;
+  try {
+    clipboardData.mozSetDataAt("application/something", "This is data", 0);
+  } catch(ex) {
+    exception = ex;
+  }
+  is(exception, null, "Can set custom data to a string");
+  SimpleTest.finish();
+}
+
+SimpleTest.waitForExplicitFinish();
+SimpleTest.waitForFocus(doTest);
+</script>