From f94a4bdb879ca8102914f9b7e56d6eb08c6e422f Mon Sep 17 00:00:00 2001
From: Tom Ritter <tom@mozilla.com>
Date: Tue, 28 May 2019 14:09:08 +0000
Subject: [PATCH] Bug 1539595 - Reject FXA messages if they don't come from the
 correct type of process r=rfkelly

Differential Revision: https://phabricator.services.mozilla.com/D30277

--HG--
extra : moz-landing-system : lando
---
 .../test/sync/browser_fxa_web_channel.js       |  6 ++++++
 services/fxaccounts/FxAccountsWebChannel.jsm   | 18 ++++++++++++++++++
 2 files changed, 24 insertions(+)

diff --git a/browser/base/content/test/sync/browser_fxa_web_channel.js b/browser/base/content/test/sync/browser_fxa_web_channel.js
index 878dff438a99..de3550011e87 100644
--- a/browser/base/content/test/sync/browser_fxa_web_channel.js
+++ b/browser/base/content/test/sync/browser_fxa_web_channel.js
@@ -191,8 +191,14 @@ function makeObserver(aObserveTopic, aObserveFunc) {
   return removeMe;
 }
 
+registerCleanupFunction(function() {
+  Services.prefs.clearUserPref("browser.tabs.remote.separatePrivilegedMozillaWebContentProcess");
+});
+
+
 function test() {
   waitForExplicitFinish();
+  Services.prefs.setBoolPref("browser.tabs.remote.separatePrivilegedMozillaWebContentProcess", false);
 
   (async function() {
     for (let testCase of gTests) {
diff --git a/services/fxaccounts/FxAccountsWebChannel.jsm b/services/fxaccounts/FxAccountsWebChannel.jsm
index 1656b0145a56..3b06ec77580f 100644
--- a/services/fxaccounts/FxAccountsWebChannel.jsm
+++ b/services/fxaccounts/FxAccountsWebChannel.jsm
@@ -33,6 +33,14 @@ ChromeUtils.defineModuleGetter(this, "FxAccountsPairingFlow",
   "resource://gre/modules/FxAccountsPairing.jsm");
 XPCOMUtils.defineLazyPreferenceGetter(this, "pairingEnabled",
   "identity.fxaccounts.pairing.enabled");
+XPCOMUtils.defineLazyPreferenceGetter(this, "separatePrivilegedMozillaWebContentProcess",
+  "browser.tabs.remote.separatePrivilegedMozillaWebContentProcess", false);
+XPCOMUtils.defineLazyPreferenceGetter(this, "separatedMozillaDomains",
+                                      "browser.tabs.remote.separatedMozillaDomains", false,
+                                      false, val => val.split(","));
+XPCOMUtils.defineLazyPreferenceGetter(this, "accountServer",
+                                      "identity.fxaccounts.remote.root", false, false,
+                                      val => Services.io.newURI(val));
 
 // These engines were added years after Sync had been introduced, they need
 // special handling since they are system add-ons and are un-available on
@@ -142,6 +150,16 @@ this.FxAccountsWebChannel.prototype = {
   _receiveMessage(message, sendingContext) {
     const {command, data} = message;
 
+    let shouldCheckRemoteType = separatePrivilegedMozillaWebContentProcess &&
+      separatedMozillaDomains.some(function(val) {
+        return accountServer.asciiHost == val || accountServer.asciiHost.endsWith("." + val);
+      });
+    if (shouldCheckRemoteType &&
+        sendingContext.browser.remoteType != "privilegedmozilla") {
+      log.error("Rejected FxA webchannel message from remoteType = " + sendingContext.browser.remoteType);
+      return;
+    }
+
     switch (command) {
       case COMMAND_PROFILE_CHANGE:
         Services.obs.notifyObservers(null, ON_PROFILE_CHANGE_NOTIFICATION, data.uid);