This patch is bigger than I'd like it to be, but there are a lot of interlocked
dependencies and I eventually decided it was easier to just lump it together.
The semantics of |showModalDialog|/|window.dialogArguments| (an web-exposed
HTML5 feature) and |openDialog|/|window.arguments| (a XUL-proprietary feature)
are quite different. The former is essentially a security-checked JSVal, while
the latter gets converted into an array. We handled them together in the old
world, which led to a lot of confusion and muddled semantics. This patch
separates them.
This patch also eschews the roundabout resolve hook for dialogArguments in favor
of returning them directly from the XPIDL getter. This better matches the
behavior in the spec, especially because it allows dialogArguments to live on
the outer as they're supposed to, rather than the first inner that happens to
end up in the docshell. All in all, this should make this all very
straightforward to convert WebIDL when the time comes.
The current spec on the origin checks here is pretty fictional, so I've filed
https://www.w3.org/Bugs/Public/show_bug.cgi?id=21932 to fix it. This patch
should more or less preserve the current security behavior.
Tracking this with CHROME_MODAL is problematic, because that gets inherited by
any dependent windows opened by the modal content window, which may or may not
be modal content windows themselves. Thankfully, we have a few free bits lying
around.
This patch is bigger than I'd like it to be, but there are a lot of interlocked
dependencies and I eventually decided it was easier to just lump it together.
The semantics of |showModalDialog|/|window.dialogArguments| (an web-exposed
HTML5 feature) and |openDialog|/|window.arguments| (a XUL-proprietary feature)
are quite different. The former is essentially a security-checked JSVal, while
the latter gets converted into an array. We handled them together in the old
world, which led to a lot of confusion and muddled semantics. This patch
separates them.
This patch also eschews the roundabout resolve hook for dialogArguments in favor
of returning them directly from the XPIDL getter. This better matches the
behavior in the spec, especially because it allows dialogArguments to live on
the outer as they're supposed to, rather than the first inner that happens to
end up in the docshell. All in all, this should make this all very
straightforward to convert WebIDL when the time comes.
The current spec on the origin checks here is pretty fictional, so I've filed
https://www.w3.org/Bugs/Public/show_bug.cgi?id=21932 to fix it. This patch
should more or less preserve the current security behavior.
Tracking this with CHROME_MODAL is problematic, because that gets inherited by
any dependent windows opened by the modal content window, which may or may not
be modal content windows themselves. Thankfully, we have a few free bits lying
around.
We don't test with MOZ_MEDIA=0 so that configuration no longer
works. It's better to drop the switch altogether and enable
this code unconditionally. Per-codec and -feature configure
and runtime options remain available.
dom/interfaces/svg/Makefile.in and dom/media/Makefile.in had merge
conflicts. They were resolved by hand. The former needed 2 IDLs removed.
The latter had a context conflict for EXPORTS_NAMESPACES.
XPIDL_MODULE defaults to MODULE. These Makefile.in were setting
XPIDL_MODULE to the same value as MODULE.
--HG--
extra : rebase_source : e96bd34d5949d0ab94cecbec35d6c9f4bffec01e
Except for the changes in:
layout/generic/nsIFrame.h (part)
layout/style/nsComputedDOMStyle.h (all)
layout/style/nsRuleNode.cpp (part)
layout/style/nsStyleContext.cpp (part)
layout/style/nsStyleContext.h (part)
(see patch 3b in the bug), this patch was written with the sed script:
s/\<GetStyle\(Font\|Color\|List\|Text\|Visibility\|Quotes\|UserInterface\|TableBorder\|SVG\|Background\|Position\|TextReset\|Display\|Content\|UIReset\|Table\|Margin\|Padding\|Border\|Outline\|XUL\|SVGReset\|Column\)\>/Style\1/g
This patch adds support for a "non-private" window flag which can be
used to open new chrome windows in non-private mode in per-window
private browsing builds. It also tests to make sure that the flag is
not accessible from content.
The main bug fixed here is that in half of our interfaces, we use "is browser frame/element" to mean "browser or app", and in the other half, we use it to mean "is browser not app".
There's a related, functional bug also fixed here, which is that a browser process doesn't inherit its parent's app-id. This causes problems e.g. for IndexedDB: If a browser inside an app uses IndexedDB, the DB should have the app's app-id.
I also modified Tab{Parent,Child} and nsFrameLoader to call "app" "ownOrContainingApp", to emphasize that we might have inherited the app from a parent process. I left nsIDocShell::appId alone, because changing that would have necessitated changing nsILoadGroup and therefore a /lot/ of users in Necko; it's also not clear it would have clarified anything in those cases.
The main bug fixed here is that in half of our interfaces, we use "is browser frame/element" to mean "browser or app", and in the other half, we use it to mean "is browser not app".
There's a related, functional bug also fixed here, which is that a browser process doesn't inherit its parent's app-id. This causes problems e.g. for IndexedDB: If a browser inside an app uses IndexedDB, the DB should have the app's app-id.
I also modified Tab{Parent,Child} and nsFrameLoader to call "app" "ownOrContainingApp", to emphasize that we might have inherited the app from a parent process. I left nsIDocShell::appId alone, because changing that would have necessitated changing nsILoadGroup and therefore a /lot/ of users in Necko; it's also not clear it would have clarified anything in those cases.
The main bug fixed here is that in half of our interfaces, we use "is browser frame/element" to mean "browser or app", and in the other half, we use it to mean "is browser not app".
There's a related, functional bug also fixed here, which is that a browser process doesn't inherit its parent's app-id. This causes problems e.g. for IndexedDB: If a browser inside an app uses IndexedDB, the DB should have the app's app-id.
I also modified Tab{Parent,Child} and nsFrameLoader to call "app" "ownOrContainingApp", to emphasize that we might have inherited the app from a parent process. I left nsIDocShell::appId alone, because changing that would have necessitated changing nsILoadGroup and therefore a /lot/ of users in Necko; it's also not clear it would have clarified anything in those cases.
(Re-landing changeset a6a847452dbf, backed out in 5091aa6083c4, because it was originally landed with the incorrect bug number.)
The main bug fixed here is that in half of our interfaces, we use "is browser frame/element" to mean "browser or app", and in the other half, we use it to mean "is browser not app".
There's a related, functional bug also fixed here, which is that a browser process doesn't inherit its parent's app-id. This causes problems e.g. for IndexedDB: If a browser inside an app uses IndexedDB, the DB should have the app's app-id.
I also modified Tab{Parent,Child} and nsFrameLoader to call "app" "ownOrContainingApp", to emphasize that we might have inherited the app from a parent process. I left nsIDocShell::appId alone, because changing that would have necessitated changing nsILoadGroup and therefore a /lot/ of users in Necko; it's also not clear it would have clarified anything in those cases.
--HG--
extra : rebase_source : f3ef9475e21204da10bf39c6cca506bc08096949
This patch adds support for a "private" window flag which can be used to
open new chrome windows in private browsing mode. It also tests to make
sure that the flag is not accessible from content. A test in the next
part makes sure that the flag is accessible from chrome.
WouldReuseInnerWindow also returns true if the new window is same-origin with
the old one about:blank document.
This condition exists in order to handle some sloppiness with respect to the
principals on initial about:blank documents. Chrome callers sometimes parent
chrome windows (with XUL document) to content windows. But this parenting causes
us to push the cx of the content window during window creation, meaning that
the subsequent load of chrome://foo.xul blows away the old inner window and any
expandos on it. We can handle this case more precisely by skipping the cx push
for type="chrome" windows.
Furthermore, this was also necessary to prevent the inner window from being
blown away in the call to SetOpenerScriptPrincipal once nsWindowWatcher gets
the window back from the window creator (and after it's already told consumers
about the window via "domwindowcreated"). But we fixed this nastiness in the
previous patches.
So we can remove this case. By doing so, we can prevent inner windows from ever
changing origins, which is very important for compartment security invariants.
We can remove the fallback to the principal of aParent because we already push the
cx for aParent (callerContextGuard) whenever we're concerned about using its principal.
This doesn't change any functionality in the code. Note that the name is currently
a bit of a misnomer, but we change that in the next patch when we rip out the
arguments.
WouldReuseInnerWindow also returns true if the new window is same-origin with
the old one about:blank document.
This condition exists in order to handle some sloppiness with respect to the
principals on initial about:blank documents. Chrome callers sometimes parent
chrome windows (with XUL document) to content windows. But this parenting causes
us to push the cx of the content window during window creation, meaning that
the subsequent load of chrome://foo.xul blows away the old inner window and any
expandos on it. We can handle this case more precisely by skipping the cx push
for type="chrome" windows.
Furthermore, this was also necessary to prevent the inner window from being
blown away in the call to SetOpenerScriptPrincipal once nsWindowWatcher gets
the window back from the window creator (and after it's already told consumers
about the window via "domwindowcreated"). But we fixed this nastiness in the
previous patches.
So we can remove this case. By doing so, we can prevent inner windows from ever
changing origins, which is very important for compartment security invariants.
We can remove the fallback to the principal of aParent because we already push the
cx for aParent (callerContextGuard) whenever we're concerned about using its principal.
This doesn't change any functionality in the code. Note that the name is currently
a bit of a misnomer, but we change that in the next patch when we rip out the
arguments.