From 36d22d82aa202bb199967e9512281e9a53db42c9 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 7 Apr 2024 21:33:14 +0200 Subject: Adding upstream version 115.7.0esr. Signed-off-by: Daniel Baumann --- dom/base/WindowNamedPropertiesHandler.cpp | 278 ++++++++++++++++++++++++++++++ 1 file changed, 278 insertions(+) create mode 100644 dom/base/WindowNamedPropertiesHandler.cpp (limited to 'dom/base/WindowNamedPropertiesHandler.cpp') diff --git a/dom/base/WindowNamedPropertiesHandler.cpp b/dom/base/WindowNamedPropertiesHandler.cpp new file mode 100644 index 0000000000..7601438af6 --- /dev/null +++ b/dom/base/WindowNamedPropertiesHandler.cpp @@ -0,0 +1,278 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "WindowNamedPropertiesHandler.h" +#include "mozilla/dom/EventTargetBinding.h" +#include "mozilla/dom/ProxyHandlerUtils.h" +#include "mozilla/dom/WindowBinding.h" +#include "mozilla/dom/WindowProxyHolder.h" +#include "nsContentUtils.h" +#include "nsGlobalWindow.h" +#include "nsHTMLDocument.h" +#include "nsJSUtils.h" +#include "xpcprivate.h" + +namespace mozilla::dom { + +static bool ShouldExposeChildWindow(const nsString& aNameBeingResolved, + BrowsingContext* aChild) { + Element* e = aChild->GetEmbedderElement(); + if (e && e->IsInShadowTree()) { + return false; + } + + // If we're same-origin with the child, go ahead and expose it. + nsPIDOMWindowOuter* child = aChild->GetDOMWindow(); + nsCOMPtr sop = do_QueryInterface(child); + if (sop && nsContentUtils::SubjectPrincipal()->Equals(sop->GetPrincipal())) { + return true; + } + + // If we're not same-origin, expose it _only_ if the name of the browsing + // context matches the 'name' attribute of the frame element in the parent. + // The motivations behind this heuristic are worth explaining here. + // + // Historically, all UAs supported global named access to any child browsing + // context (that is to say, window.dolske returns a child frame where either + // the "name" attribute on the frame element was set to "dolske", or where + // the child explicitly set window.name = "dolske"). + // + // This is problematic because it allows possibly-malicious and unrelated + // cross-origin subframes to pollute the global namespace of their parent in + // unpredictable ways (see bug 860494). This is also problematic for browser + // engines like Servo that want to run cross-origin script on different + // threads. + // + // The naive solution here would be to filter out any cross-origin subframes + // obtained when doing named lookup in global scope. But that is unlikely to + // be web-compatible, since it will break named access for consumers that do + //