Bug 1539595 - Reject FXA messages if they don't come from the correct type of process r=rfkelly

Differential Revision: https://phabricator.services.mozilla.com/D30277 --HG-- extra : moz-landing-system : lando
2019-05-28 14:09:08 +00:00 · 2019-05-28 14:09:08 +00:00 · f94a4bdb87
--- a/browser/base/content/test/sync/browser_fxa_web_channel.js
+++ b/browser/base/content/test/sync/browser_fxa_web_channel.js
@ -191,8 +191,14 @@ function makeObserver(aObserveTopic, aObserveFunc) {
  return removeMe;
 }

+registerCleanupFunction(function() {
+  Services.prefs.clearUserPref("browser.tabs.remote.separatePrivilegedMozillaWebContentProcess");
+});
+
+
 function test() {
  waitForExplicitFinish();
+  Services.prefs.setBoolPref("browser.tabs.remote.separatePrivilegedMozillaWebContentProcess", false);

  (async function() {
    for (let testCase of gTests) {
--- a/services/fxaccounts/FxAccountsWebChannel.jsm
+++ b/services/fxaccounts/FxAccountsWebChannel.jsm
@ -33,6 +33,14 @@ ChromeUtils.defineModuleGetter(this, "FxAccountsPairingFlow",
  "resource://gre/modules/FxAccountsPairing.jsm");
 XPCOMUtils.defineLazyPreferenceGetter(this, "pairingEnabled",
  "identity.fxaccounts.pairing.enabled");
+XPCOMUtils.defineLazyPreferenceGetter(this, "separatePrivilegedMozillaWebContentProcess",
+  "browser.tabs.remote.separatePrivilegedMozillaWebContentProcess", false);
+XPCOMUtils.defineLazyPreferenceGetter(this, "separatedMozillaDomains",
+                                      "browser.tabs.remote.separatedMozillaDomains", false,
+                                      false, val => val.split(","));
+XPCOMUtils.defineLazyPreferenceGetter(this, "accountServer",
+                                      "identity.fxaccounts.remote.root", false, false,
+                                      val => Services.io.newURI(val));

 // These engines were added years after Sync had been introduced, they need
 // special handling since they are system add-ons and are un-available on
@ -142,6 +150,16 @@ this.FxAccountsWebChannel.prototype = {
  _receiveMessage(message, sendingContext) {
    const {command, data} = message;

+    let shouldCheckRemoteType = separatePrivilegedMozillaWebContentProcess &&
+      separatedMozillaDomains.some(function(val) {
+        return accountServer.asciiHost == val || accountServer.asciiHost.endsWith("." + val);
+      });
+    if (shouldCheckRemoteType &&
+        sendingContext.browser.remoteType != "privilegedmozilla") {
+      log.error("Rejected FxA webchannel message from remoteType = " + sendingContext.browser.remoteType);
+      return;
+    }
+
    switch (command) {
      case COMMAND_PROFILE_CHANGE:
        Services.obs.notifyObservers(null, ON_PROFILE_CHANGE_NOTIFICATION, data.uid);