Bug 1595491 - Part 1: Make <embed> and <object> behave more like <iframe>. r=smaug,emilio

By making image loading in <embed> and <object> behave more like when an <iframe> loads an image, we can make sure that the synthetic document generated is process switched if the image is cross origin. This is done by making image loading in nsObjectLoadingContent follow the document loading path. We also make sure that we pass the image size back to the embedder element to not get stuck with the intrinsic size. To avoid named targeting being able to target these synthetic documents, as well as showing up in `Window.frames` and being counted in `Window.length`, we keep a filtered list of non-synthetic browsing contexts for that use-case. This feature is controlled by two prefs: * browser.opaqueResponseBlocking.syntheticBrowsingContext This triggers the creation of synthetic documents for images loaded in <object> or embed. * browser.opaqueResponseBlocking.syntheticBrowsingContext.filter This turns on the filtering of synthetic browsing contexts in named targeting, `Window.length` and `Window.frames`. Differential Revision: https://phabricator.services.mozilla.com/D148117
2022-08-16 16:42:58 +00:00
parent b7cc81d297
commit 3cab76dcc7
39 changed files with 771 additions and 71 deletions
--- a/layout/base/nsCSSFrameConstructor.cpp
+++ b/layout/base/nsCSSFrameConstructor.cpp
@@ -34,6 +34,7 @@
 #include "mozilla/ScopeExit.h"
 #include "mozilla/ServoBindings.h"
 #include "mozilla/ServoStyleSetInlines.h"
+#include "mozilla/StaticPrefs_browser.h"
 #include "mozilla/StaticPrefs_layout.h"
 #include "mozilla/StaticPrefs_mathml.h"
 #include "mozilla/Unused.h"
@@ -3610,6 +3611,14 @@ nsCSSFrameConstructor::FindInputData(const Element& aElement,
                       ArrayLength(sInputData));
 }

+static nsIFrame* NS_NewSubDocumentOrImageFrame(mozilla::PresShell* aPresShell,
+                                               mozilla::ComputedStyle* aStyle) {
+  return StaticPrefs::
+                 browser_opaqueResponseBlocking_syntheticBrowsingContext_AtStartup()
+             ? NS_NewSubDocumentFrame(aPresShell, aStyle)
+             : NS_NewImageFrame(aPresShell, aStyle);
+}
+
 /* static */
 const nsCSSFrameConstructor::FrameConstructionData*
 nsCSSFrameConstructor::FindObjectData(const Element& aElement,
@@ -3640,7 +3649,8 @@ nsCSSFrameConstructor::FindObjectData(const Element& aElement,
                        NS_NewEmptyFrame),
      SIMPLE_INT_CREATE(nsIObjectLoadingContent::TYPE_FALLBACK,
                        ToCreationFunc(NS_NewBlockFrame)),
-      SIMPLE_INT_CREATE(nsIObjectLoadingContent::TYPE_IMAGE, NS_NewImageFrame),
+      SIMPLE_INT_CREATE(nsIObjectLoadingContent::TYPE_IMAGE,
+                        NS_NewSubDocumentOrImageFrame),
      SIMPLE_INT_CREATE(nsIObjectLoadingContent::TYPE_DOCUMENT,
                        NS_NewSubDocumentFrame),
      // Fake plugin handlers load as documents