Bug 1595491 - Part 1: Make <embed> and <object> behave more like <iframe>. r=smaug,emilio

By making image loading in <embed> and <object> behave more like when
an <iframe> loads an image, we can make sure that the synthetic
document generated is process switched if the image is cross
origin. This is done by making image loading in nsObjectLoadingContent
follow the document loading path.

We also make sure that we pass the image size back to the embedder
element to not get stuck with the intrinsic size.

To avoid named targeting being able to target these synthetic
documents, as well as showing up in `Window.frames` and being counted
in `Window.length`, we keep a filtered list of non-synthetic browsing
contexts for that use-case.

This feature is controlled by two prefs:

* browser.opaqueResponseBlocking.syntheticBrowsingContext

  This triggers the creation of synthetic documents for images loaded
  in <object> or embed.

* browser.opaqueResponseBlocking.syntheticBrowsingContext.filter

  This turns on the filtering of synthetic browsing contexts in named
  targeting, `Window.length` and `Window.frames`.

Differential Revision: https://phabricator.services.mozilla.com/D148117

docshell/base/WindowContext.cpp

@@ -122,6 +122,9 @@ void WindowContext::AppendChildBrowsingContext(
   MOZ_DIAGNOSTIC_ASSERT(!mChildren.Contains(aBrowsingContext));
 
   mChildren.AppendElement(aBrowsingContext);
+  if (!aBrowsingContext->IsEmbedderTypeObjectOrEmbed()) {
+    mNonSyntheticChildren.AppendElement(aBrowsingContext);
+  }
 
   // If we're the current WindowContext in our BrowsingContext, make sure to
   // clear any cached `children` value.
@@ -136,6 +139,7 @@ void WindowContext::RemoveChildBrowsingContext(
                         "Mismatched groups?");
 
   mChildren.RemoveElement(aBrowsingContext);
+  mNonSyntheticChildren.RemoveElement(aBrowsingContext);
 
   // If we're the current WindowContext in our BrowsingContext, make sure to
   // clear any cached `children` value.
@@ -144,6 +148,19 @@ void WindowContext::RemoveChildBrowsingContext(
   }
 }
 
+void WindowContext::UpdateChildSynthetic(BrowsingContext* aBrowsingContext,
+                                         bool aIsSynthetic) {
+  if (aIsSynthetic) {
+    mNonSyntheticChildren.RemoveElement(aBrowsingContext);
+  } else {
+    // The same BrowsingContext will be reused for error pages, so it can be in
+    // the list already.
+    if (!mNonSyntheticChildren.Contains(aBrowsingContext)) {
+      mNonSyntheticChildren.AppendElement(aBrowsingContext);
+    }
+  }
+}
+
 void WindowContext::SendCommitTransaction(ContentParent* aParent,
                                           const BaseTransaction& aTxn,
                                           uint64_t aEpoch) {
@@ -569,12 +586,14 @@ NS_IMPL_CYCLE_COLLECTION_UNLINK_BEGIN(WindowContext)
 
   NS_IMPL_CYCLE_COLLECTION_UNLINK(mBrowsingContext)
   NS_IMPL_CYCLE_COLLECTION_UNLINK(mChildren)
+  NS_IMPL_CYCLE_COLLECTION_UNLINK(mNonSyntheticChildren)
   NS_IMPL_CYCLE_COLLECTION_UNLINK_PRESERVED_WRAPPER
 NS_IMPL_CYCLE_COLLECTION_UNLINK_END
 
 NS_IMPL_CYCLE_COLLECTION_TRAVERSE_BEGIN(WindowContext)
   NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mBrowsingContext)
   NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mChildren)
+  NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mNonSyntheticChildren)
 NS_IMPL_CYCLE_COLLECTION_TRAVERSE_END
 
 NS_IMPL_CYCLE_COLLECTION_TRACE_WRAPPERCACHE(WindowContext)