/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ /* vim: set ts=8 sts=2 et sw=2 tw=80: */ /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ #include "WindowNamedPropertiesHandler.h" #include "mozilla/dom/EventTargetBinding.h" #include "mozilla/dom/WindowBinding.h" #include "mozilla/dom/WindowProxyHolder.h" #include "nsContentUtils.h" #include "nsGlobalWindow.h" #include "nsHTMLDocument.h" #include "nsJSUtils.h" #include "xpcprivate.h" namespace mozilla::dom { static bool ShouldExposeChildWindow(const nsString& aNameBeingResolved, BrowsingContext* aChild) { Element* e = aChild->GetEmbedderElement(); if (e && e->IsInShadowTree()) { return false; } // If we're same-origin with the child, go ahead and expose it. nsPIDOMWindowOuter* child = aChild->GetDOMWindow(); nsCOMPtr sop = do_QueryInterface(child); if (sop && nsContentUtils::SubjectPrincipal()->Equals(sop->GetPrincipal())) { return true; } // If we're not same-origin, expose it _only_ if the name of the browsing // context matches the 'name' attribute of the frame element in the parent. // The motivations behind this heuristic are worth explaining here. // // Historically, all UAs supported global named access to any child browsing // context (that is to say, window.dolske returns a child frame where either // the "name" attribute on the frame element was set to "dolske", or where // the child explicitly set window.name = "dolske"). // // This is problematic because it allows possibly-malicious and unrelated // cross-origin subframes to pollute the global namespace of their parent in // unpredictable ways (see bug 860494). This is also problematic for browser // engines like Servo that want to run cross-origin script on different // threads. // // The naive solution here would be to filter out any cross-origin subframes // obtained when doing named lookup in global scope. But that is unlikely to // be web-compatible, since it will break named access for consumers that do //