Fixing exploits involving changing the location of a window and getting the wrong principal. Bug 48723, r=vidur

docshell/base/nsDocShell.cpp

@@ -233,6 +233,7 @@ nsDocShell::LoadURI(nsIURI* aURI, nsIDocShellLoadInfo* aLoadInfo)
   nsresult rv;
   nsCOMPtr<nsIURI> referrer;
   nsCOMPtr<nsISupports> owner;
+  PRBool inheritOwner = PR_FALSE;
   nsCOMPtr<nsISHEntry> shEntry;
   nsDocShellInfoLoadType loadType = nsIDocShellLoadInfo::loadNormal;
 
@@ -243,6 +244,7 @@ nsDocShell::LoadURI(nsIURI* aURI, nsIDocShellLoadInfo* aLoadInfo)
     aLoadInfo->GetReferrer(getter_AddRefs(referrer));
     aLoadInfo->GetLoadType(&loadType);
     aLoadInfo->GetOwner(getter_AddRefs(owner));
+    aLoadInfo->GetInheritOwner(&inheritOwner);
     aLoadInfo->GetSHEntry(getter_AddRefs(shEntry));
   }
 
@@ -272,7 +274,7 @@ nsDocShell::LoadURI(nsIURI* aURI, nsIDocShellLoadInfo* aLoadInfo)
   if (shEntry) {
     rv = LoadHistoryEntry(shEntry, loadType);
   } else {
-    rv = InternalLoad(aURI, referrer, owner, nsnull, nsnull, loadType, nsnull);
+    rv = InternalLoad(aURI, referrer, owner, inheritOwner, nsnull, nsnull, loadType, nsnull);
   }
 
   return rv;
@@ -1376,7 +1378,7 @@ NS_IMETHODIMP nsDocShell::Reload(PRInt32 aReloadType)
    }
    else {
 	   //May be one of those <META> charset reloads in a composer or Messenger
-      return InternalLoad(mCurrentURI, mReferrerURI, nsnull, nsnull, 
+      return InternalLoad(mCurrentURI, mReferrerURI, nsnull, PR_TRUE, nsnull, 
       nsnull, type);
 
    }
@@ -1386,7 +1388,7 @@ NS_IMETHODIMP nsDocShell::Reload(PRInt32 aReloadType)
    // If this really keeps the crash from re-occuring, may be this can stay. However 
    // there is no major difference between this one and the one inside #if 0
    
-   return InternalLoad(mCurrentURI, mReferrerURI, nsnull, nsnull, 
+   return InternalLoad(mCurrentURI, mReferrerURI, nsnull, PR_TRUE, nsnull, 
       nsnull, type);
 #endif /* 0 */
 
@@ -1406,7 +1408,7 @@ NS_IMETHODIMP nsDocShell::Reload(PRInt32 aReloadType)
 
    UpdateCurrentSessionHistory();
 
-   NS_ENSURE_SUCCESS(InternalLoad(mCurrentURI, mReferrerURI, nsnull, nsnull, 
+   NS_ENSURE_SUCCESS(InternalLoad(mCurrentURI, mReferrerURI, nsnull, PR_TRUE, nsnull, 
       nsnull, type), NS_ERROR_FAILURE);
    return NS_OK;
 #endif  /* SH_IN_FRAMES  */
@@ -2742,11 +2744,13 @@ NS_IMETHODIMP nsDocShell::SetupNewViewer(nsIContentViewer* aNewViewer)
 //*****************************************************************************   
 #ifdef SH_IN_FRAMES
 NS_IMETHODIMP nsDocShell::InternalLoad(nsIURI* aURI, nsIURI* aReferrer,
-   nsISupports* aOwner, const char* aWindowTarget, nsIInputStream* aPostData, 
+   nsISupports* aOwner, PRBool aInheritOwner,
+   const char* aWindowTarget, nsIInputStream* aPostData, 
    nsDocShellInfoLoadType aLoadType, nsISHEntry * aSHEntry)
 #else
 NS_IMETHODIMP nsDocShell::InternalLoad(nsIURI* aURI, nsIURI* aReferrer,
-   nsISupports* aOwner, const char* aWindowTarget, nsIInputStream* aPostData, 
+   nsISupports* aOwner, PRBool aInheritOwner,
+   const char* aWindowTarget, nsIInputStream* aPostData, 
    nsDocShellInfoLoadType aLoadType)
 #endif
 {
@@ -2804,8 +2808,8 @@ NS_IMETHODIMP nsDocShell::InternalLoad(nsIURI* aURI, nsIURI* aReferrer,
     nsURILoadCommand  loadCmd = nsIURILoader::viewNormal;
     if(nsIDocShellLoadInfo::loadLink == aLoadType)
         loadCmd = nsIURILoader::viewUserClick;
-    NS_ENSURE_SUCCESS(DoURILoad(aURI, aReferrer, aOwner, loadCmd, aWindowTarget, 
+    NS_ENSURE_SUCCESS(DoURILoad(aURI, aReferrer, aOwner, aInheritOwner,
-        aPostData), NS_ERROR_FAILURE);
+                                loadCmd, aWindowTarget, aPostData), NS_ERROR_FAILURE);
 
     return NS_OK;
 }
@@ -3068,10 +3072,10 @@ NS_IMETHODIMP nsDocShell::GetCurrentDocumentOwner(nsISupports** aOwner)
 }
 
 NS_IMETHODIMP nsDocShell::DoURILoad(nsIURI* aURI, nsIURI* aReferrerURI,  
-   nsISupports* aOwner, nsURILoadCommand aLoadCmd, const char* aWindowTarget, 
+   nsISupports* aOwner, PRBool aInheritOwner, nsURILoadCommand aLoadCmd,
-   nsIInputStream* aPostData)
+   const char* aWindowTarget, nsIInputStream* aPostData)
 {
-
+  static const char jsSchemeName[] = "javascript";
   // if the load cmd is a user click....and we are supposed to try using
   // external default protocol handlers....then try to see if we have one for
   // this protocol
@@ -3080,7 +3084,7 @@ NS_IMETHODIMP nsDocShell::DoURILoad(nsIURI* aURI, nsIURI* aReferrerURI,
     nsXPIDLCString urlScheme;
     aURI->GetScheme(getter_Copies(urlScheme));
     // don't do it for javascript urls!
-    if (urlScheme && nsCRT::strcasecmp("javascript", urlScheme))
+    if (urlScheme && nsCRT::strcasecmp(jsSchemeName, urlScheme))
     {
       nsCOMPtr<nsIExternalProtocolService> extProtService (do_GetService(NS_EXTERNALPROTOCOLSERVICE_PROGID));
       PRBool haveHandler = PR_FALSE;
@@ -3139,34 +3143,29 @@ NS_IMETHODIMP nsDocShell::DoURILoad(nsIURI* aURI, nsIURI* aReferrerURI,
       }
       else
       {
-        // If an owner was not provided, we want to inherit the principal from the current document iff we 
+          // iff we are dealing with a JS or a data url, we may need an inherited owner.
-        // are dealing with a JS or a data url.
+          // This is either aOwner or, if aInheritOwner is true, the owner of the
-        nsCOMPtr<nsISupports> owner = aOwner;
+          // current document.
-        nsCOMPtr<nsIStreamIOChannel> ioChannel(do_QueryInterface(channel));
+          nsCOMPtr<nsISupports> owner = aOwner;
-        if(ioChannel) // Might be a javascript: URL load, need to set owner
+          PRBool isJSOrData = PR_FALSE;
-        {
+          nsCOMPtr<nsIStreamIOChannel> ioChannel(do_QueryInterface(channel));
-           static const char jsSchemeName[] = "javascript";
+          if(ioChannel) // Might be a javascript: URL load, need to set owner
-           char* scheme;
+          {
-           aURI->GetScheme(&scheme);
+              nsXPIDLCString scheme;
-           if (PL_strcasecmp(scheme, jsSchemeName) == 0)
+              aURI->GetScheme(getter_Copies(scheme));
-           {
+              isJSOrData = (PL_strcasecmp(scheme, jsSchemeName) == 0);
-             if (!owner)  // only try to call GetCurrentDocumentOwner if we are a JS url or a data url (hence the code duplication)
+          }
-               GetCurrentDocumentOwner(getter_AddRefs(owner));
+          else
+          { // Also set owner for data: URLs
+              nsCOMPtr<nsIDataChannel> dataChannel(do_QueryInterface(channel));
+              isJSOrData = (dataChannel != nsnull);
+          }
+          if (isJSOrData)
+          {
+              if (aInheritOwner && !owner)
+                  GetCurrentDocumentOwner(getter_AddRefs(owner));
               channel->SetOwner(owner);
-           }
+          }
-           if (scheme)
-               nsCRT::free(scheme);
-        }
-        else
-        { // Also set owner for data: URLs
-           nsCOMPtr<nsIDataChannel> dataChannel(do_QueryInterface(channel));
-           if (dataChannel)
-           {
-             if (!owner)
-               GetCurrentDocumentOwner(getter_AddRefs(owner));
-             channel->SetOwner(owner);
-           }
-        }
       }
 
    NS_ENSURE_SUCCESS(DoChannelLoad(channel, aLoadCmd, aWindowTarget, uriLoader), NS_ERROR_FAILURE);
@@ -3696,10 +3695,10 @@ NS_IMETHODIMP nsDocShell::LoadHistoryEntry(nsISHEntry* aEntry)
     
 
 #ifdef SH_IN_FRAMES
-   NS_ENSURE_SUCCESS(InternalLoad(uri, nsnull, nsnull, nsnull, postData, aLoadType, aEntry),
+   NS_ENSURE_SUCCESS(InternalLoad(uri, nsnull, nsnull, PR_TRUE, nsnull, postData, aLoadType, aEntry),
       NS_ERROR_FAILURE);
 #else
-   NS_ENSURE_SUCCESS(InternalLoad(uri, nsnull, nsnull, nsnull, postData, nsIDocShellLoadInfo::loadHistory),
+   NS_ENSURE_SUCCESS(InternalLoad(uri, nsnull, nsnull, PR_TRUE,  nsnull, postData, nsIDocShellLoadInfo::loadHistory),
       NS_ERROR_FAILURE);
 #endif 
 

docshell/base/nsDocShell.h

@@ -170,11 +170,11 @@ protected:
 
 #ifdef SH_IN_FRAMES
    NS_IMETHOD InternalLoad(nsIURI* aURI, nsIURI* aReferrerURI, 
-      nsISupports* owner, const char* aWindowTarget=nsnull, 
+      nsISupports* owner, PRBool inheritOwnerFromDocument, const char* aWindowTarget=nsnull, 
       nsIInputStream* aPostData=nsnull, nsDocShellInfoLoadType aLoadType=nsIDocShellLoadInfo::loadNormal, nsISHEntry * aSHEntry = nsnull);
 #else
    NS_IMETHOD InternalLoad(nsIURI* aURI, nsIURI* aReferrerURI, 
-      nsISupports* owner, const char* aWindowTarget=nsnull, 
+      nsISupports* owner, PRBool inheritOwnerFromDocument, const char* aWindowTarget=nsnull, 
       nsIInputStream* aPostData=nsnull, nsDocShellInfoLoadType aLoadType=nsIDocShellLoadInfo::loadNormal);
 #endif
 
@@ -185,7 +185,7 @@ protected:
    NS_IMETHOD KeywordURIFixup(const PRUnichar* aStringURI, nsIURI** aURI);
    NS_IMETHOD GetCurrentDocumentOwner(nsISupports** aOwner);
    NS_IMETHOD DoURILoad(nsIURI* aURI, nsIURI* aReferrer, nsISupports *aOwner,
-      nsURILoadCommand aLoadCmd, const char* aWindowTarget, 
+      PRBool inheritOwnerFromDocument, nsURILoadCommand aLoadCmd, const char* aWindowTarget, 
       nsIInputStream* aPostData);
    NS_IMETHOD DoChannelLoad(nsIChannel* aChannel, nsURILoadCommand aLoadCmd,
       const char* aWindowTarget, nsIURILoader *aURILoader);

docshell/base/nsDocShellLoadInfo.cpp

@@ -30,7 +30,8 @@
 nsDocShellLoadInfo::nsDocShellLoadInfo()
 {
 	NS_INIT_REFCNT();
-  mLoadType = nsIDocShellLoadInfo::loadNormal;
+   mLoadType = nsIDocShellLoadInfo::loadNormal;
+   mInheritOwner = PR_FALSE;
 }
 
 nsDocShellLoadInfo::~nsDocShellLoadInfo()
@@ -83,6 +84,20 @@ NS_IMETHODIMP nsDocShellLoadInfo::SetOwner(nsISupports* aOwner)
    return NS_OK;
 }
 
+NS_IMETHODIMP nsDocShellLoadInfo::GetInheritOwner(PRBool* aInheritOwner)
+{
+   NS_ENSURE_ARG_POINTER(aInheritOwner);
+
+   *aInheritOwner = mInheritOwner;
+   return NS_OK;
+}
+
+NS_IMETHODIMP nsDocShellLoadInfo::SetInheritOwner(PRBool aInheritOwner)
+{
+   mInheritOwner = aInheritOwner;
+   return NS_OK;
+}
+
 NS_IMETHODIMP nsDocShellLoadInfo::GetLoadType(nsDocShellInfoLoadType * aLoadType)
 {
    NS_ENSURE_ARG_POINTER(aLoadType);

docshell/base/nsDocShellLoadInfo.h

@@ -47,6 +47,7 @@ protected:
 protected:
    nsCOMPtr<nsIURI>                 mReferrer;
    nsCOMPtr<nsISupports>            mOwner;
+   PRBool                           mInheritOwner;
    nsDocShellInfoLoadType           mLoadType;
    nsCOMPtr<nsISHEntry>             mSHEntry;
 };

docshell/base/nsIDocShellLoadInfo.idl

@@ -47,6 +47,12 @@ interface nsIDocShellLoadInfo : nsISupports
     */
     attribute nsISupports owner;
 
+    /*
+      If this attribute is true and no owner is specified, copy the owner from
+      the referring document. 
+    */
+    attribute boolean inheritOwner;
+
     /* these are load type enums... */
    const long loadNormal = 0;					// Normal Load
    const long loadNormalReplace = 1;			// Normal Load but replaces current history slot

docshell/base/nsWebShell.cpp

@@ -831,12 +831,10 @@ nsWebShell::HandleLinkClickEvent(nsIContent *aContent,
         nsCOMPtr<nsIURI> uri;
         NS_NewURI(getter_AddRefs(uri), nsLiteralString(aURLSpec), nsnull);
 
-        nsCOMPtr<nsISupports> owner;
-        GetCurrentDocumentOwner(getter_AddRefs(owner));
 #ifdef SH_IN_FRAMES
-		InternalLoad(uri, mCurrentURI, owner, target, aPostDataStream, nsIDocShellLoadInfo::loadLink, nsnull); 
+		InternalLoad(uri, mCurrentURI, nsnull, PR_TRUE, target, aPostDataStream, nsIDocShellLoadInfo::loadLink, nsnull); 
 #else
-        InternalLoad(uri, mCurrentURI, owner, target, aPostDataStream, nsIDocShellLoadInfo::loadLink); 
+        InternalLoad(uri, mCurrentURI, nsnull, PR_TRUE, target, aPostDataStream, nsIDocShellLoadInfo::loadLink); 
 #endif  /* SH_IN_FRAMES */
       }
       break;

dom/src/base/nsGlobalWindow.cpp

@@ -2941,23 +2941,17 @@ NS_IMETHODIMP GlobalWindowImpl::OpenInternal(JSContext *cx,
   newDocShellItem->SetName(nameSpecified ? name.GetUnicode() : nsnull);
 
   nsCOMPtr<nsIDocShell> newDocShell(do_QueryInterface(newDocShellItem));
-  if (uriToLoad) {
+  if (uriToLoad) { // Get script principal and pass to docshell
     nsCOMPtr<nsIPrincipal> principal;
     if (NS_FAILED(secMan->GetSubjectPrincipal(getter_AddRefs(principal))))
       return NS_ERROR_FAILURE;
-    nsCOMPtr<nsICodebasePrincipal> codebase = do_QueryInterface(principal);
 
     nsCOMPtr<nsIDocShellLoadInfo> loadInfo;
-    if (codebase) {
+    if (principal) {
+      nsCOMPtr<nsISupports> owner = do_QueryInterface(principal);
       newDocShell->CreateLoadInfo(getter_AddRefs(loadInfo));
       NS_ENSURE_TRUE(loadInfo, NS_ERROR_FAILURE);
-
+      loadInfo->SetOwner(owner);
-      nsresult rv;
-      nsCOMPtr<nsIURI> codebaseURI;
-      if (NS_FAILED(rv = codebase->GetURI(getter_AddRefs(codebaseURI))))
-        return rv;
-
-      loadInfo->SetReferrer(codebaseURI);
     }
     newDocShell->LoadURI(uriToLoad, loadInfo);
   }

dom/src/base/nsLocation.cpp

@@ -131,9 +131,8 @@ LocationImpl::CheckURL(nsIURI* aURL, nsIDocShellLoadInfo** aLoadInfo)
   nsCOMPtr<nsIDocShellLoadInfo> loadInfo;
   mDocShell->CreateLoadInfo(getter_AddRefs(loadInfo));
   NS_ENSURE_TRUE(loadInfo, NS_ERROR_FAILURE);
-    
 
-  // Now get the principal and referrer to use when loading the URI
+  // Now get the principal to use when loading the URI
   nsCOMPtr<nsIPrincipal> principal;
   if (NS_FAILED(secMan->GetSubjectPrincipal(getter_AddRefs(principal))) ||
       !principal)
@@ -141,15 +140,6 @@ LocationImpl::CheckURL(nsIURI* aURL, nsIDocShellLoadInfo** aLoadInfo)
   nsCOMPtr<nsISupports> owner = do_QueryInterface(principal);
   loadInfo->SetOwner(owner);
 
-  nsCOMPtr<nsICodebasePrincipal> codebase = do_QueryInterface(principal);
-  if (codebase)
-  {
-    nsCOMPtr<nsIURI> referrer;
-    if (NS_FAILED(result = codebase->GetURI(getter_AddRefs(referrer))))
-      return result;
-    loadInfo->SetReferrer(referrer);
-  }
-
   *aLoadInfo = loadInfo.get();
   NS_ADDREF(*aLoadInfo);
   return NS_OK;

layout/generic/nsFrameFrame.cpp

@@ -887,19 +887,32 @@ nsHTMLFrameInnerFrame::DoLoadURL(nsIPresContext* aPresContext)
   nsCOMPtr<nsIURI> baseURI;
   rv = aPresContext->GetBaseURL(getter_AddRefs(baseURI));
 
-  // Get origin URL (from script, or default to base)
+  // Get docshell and create load info
+  nsCOMPtr<nsIDocShell> docShell(do_QueryInterface(mSubShell));
+  NS_ENSURE_TRUE(docShell, NS_ERROR_FAILURE);
+  nsCOMPtr<nsIDocShellLoadInfo> loadInfo;
+  docShell->CreateLoadInfo(getter_AddRefs(loadInfo));
+  NS_ENSURE_TRUE(loadInfo, NS_ERROR_FAILURE);
+
+  // Get referring URL
   nsCOMPtr<nsIURI> referrer;
   nsCOMPtr<nsIPrincipal> principal;
   rv = secMan->GetSubjectPrincipal(getter_AddRefs(principal));
   NS_ENSURE_SUCCESS(rv, rv);
+  // If we were called from script, get the referring URL from the script
   if (principal) {
     nsCOMPtr<nsICodebasePrincipal> codebase = do_QueryInterface(principal);
     if (codebase) {
       rv = codebase->GetURI(getter_AddRefs(referrer));
       NS_ENSURE_SUCCESS(rv, rv);
     }
+    // Pass the script principal to the docshell
+    nsCOMPtr<nsISupports> owner = do_QueryInterface(principal);
+    loadInfo->SetOwner(owner);
   }
-  if (!referrer) {
+  if (!referrer) { // We're not being called form script, tell the docshell
+                   // to inherit an owner from the current document.
+    loadInfo->SetInheritOwner(PR_TRUE);
     referrer = baseURI;
   }
 
@@ -911,15 +924,6 @@ nsHTMLFrameInnerFrame::DoLoadURL(nsIPresContext* aPresContext)
   if (NS_FAILED(rv))
     return rv; // We're not
 
-  nsCOMPtr<nsIDocShell> docShell(do_QueryInterface(mSubShell));
-  NS_ENSURE_TRUE(docShell, NS_ERROR_FAILURE);
-
-  nsCOMPtr<nsIDocShellLoadInfo> loadInfo;
-  docShell->CreateLoadInfo(getter_AddRefs(loadInfo));
-  NS_ENSURE_TRUE(loadInfo, NS_ERROR_FAILURE);
-
-  loadInfo->SetReferrer(referrer);
-
   rv = docShell->LoadURI(uri, loadInfo);
   NS_ASSERTION(NS_SUCCEEDED(rv), "failed to load URL");
 

layout/html/document/src/nsFrameFrame.cpp

@@ -887,19 +887,32 @@ nsHTMLFrameInnerFrame::DoLoadURL(nsIPresContext* aPresContext)
   nsCOMPtr<nsIURI> baseURI;
   rv = aPresContext->GetBaseURL(getter_AddRefs(baseURI));
 
-  // Get origin URL (from script, or default to base)
+  // Get docshell and create load info
+  nsCOMPtr<nsIDocShell> docShell(do_QueryInterface(mSubShell));
+  NS_ENSURE_TRUE(docShell, NS_ERROR_FAILURE);
+  nsCOMPtr<nsIDocShellLoadInfo> loadInfo;
+  docShell->CreateLoadInfo(getter_AddRefs(loadInfo));
+  NS_ENSURE_TRUE(loadInfo, NS_ERROR_FAILURE);
+
+  // Get referring URL
   nsCOMPtr<nsIURI> referrer;
   nsCOMPtr<nsIPrincipal> principal;
   rv = secMan->GetSubjectPrincipal(getter_AddRefs(principal));
   NS_ENSURE_SUCCESS(rv, rv);
+  // If we were called from script, get the referring URL from the script
   if (principal) {
     nsCOMPtr<nsICodebasePrincipal> codebase = do_QueryInterface(principal);
     if (codebase) {
       rv = codebase->GetURI(getter_AddRefs(referrer));
       NS_ENSURE_SUCCESS(rv, rv);
     }
+    // Pass the script principal to the docshell
+    nsCOMPtr<nsISupports> owner = do_QueryInterface(principal);
+    loadInfo->SetOwner(owner);
   }
-  if (!referrer) {
+  if (!referrer) { // We're not being called form script, tell the docshell
+                   // to inherit an owner from the current document.
+    loadInfo->SetInheritOwner(PR_TRUE);
     referrer = baseURI;
   }
 
@@ -911,15 +924,6 @@ nsHTMLFrameInnerFrame::DoLoadURL(nsIPresContext* aPresContext)
   if (NS_FAILED(rv))
     return rv; // We're not
 
-  nsCOMPtr<nsIDocShell> docShell(do_QueryInterface(mSubShell));
-  NS_ENSURE_TRUE(docShell, NS_ERROR_FAILURE);
-
-  nsCOMPtr<nsIDocShellLoadInfo> loadInfo;
-  docShell->CreateLoadInfo(getter_AddRefs(loadInfo));
-  NS_ENSURE_TRUE(loadInfo, NS_ERROR_FAILURE);
-
-  loadInfo->SetReferrer(referrer);
-
   rv = docShell->LoadURI(uri, loadInfo);
   NS_ASSERTION(NS_SUCCEEDED(rv), "failed to load URL");