Bug 1626404: Part 3 - Do sandbox flag checks at both ends of cross-process loads. r=nika

Differential Revision: https://phabricator.services.mozilla.com/D69420
This commit is contained in:
Kris Maglione
2020-04-04 00:12:57 +00:00
parent 1b63d41a43
commit 1c110e1fd9
3 changed files with 34 additions and 7 deletions


@@ -8791,13 +8791,12 @@ nsresult nsDocShell::InternalLoad(nsDocShellLoadState* aLoadState,
}
}
// If a source docshell has been passed, check to see if we are sandboxed
// from it as the result of an iframe or CSP sandbox.
const auto& sourceBC = aLoadState->SourceBrowsingContext();
if (sourceBC.IsDiscarded() ||
(sourceBC && sourceBC->IsSandboxedFrom(mBrowsingContext))) {
return NS_ERROR_DOM_INVALID_ACCESS_ERR;
}
// Note: We do this check both here and in BrowsingContext::
// LoadURI/InternalLoad, since document-specific sandbox flags are only
// available in the process triggering the load, and we don't want the target
// process to have to trust the triggering process to do the appropriate
// checks for the BrowsingContext's sandbox flags.
MOZ_TRY(mBrowsingContext->CheckSandboxFlags(aLoadState));
NS_ENSURE_STATE(!HasUnloadedParent());
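Review bot: The old guard `sourceBC.IsDiscarded()` in the removed block has no visible counterpart in this hunk, so whether a load triggered from an already-discarded source context is still rejected now depends entirely on what `CheckSandboxFlags` does with `aLoadState`, which cannot be confirmed from here. The note above the `MOZ_TRY` should say so explicitly, e.g. `// CheckSandboxFlags also covers the discarded-source case previously checked here.`, or keep the discarded check in place if the helper does not. Also, `MOZ_TRY` propagates whatever nsresult the helper returns, whereas this site previously returned `NS_ERROR_DOM_INVALID_ACCESS_ERR`; if any caller matches on that code, the helper needs to return the same one or the comment should state the new contract. `InternalLoad` begins and ends outside this hunk.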