Bug 1744321 - Add IsInProcess() check while checking sandbox flags; r=nika

Differential Revision: https://phabricator.services.mozilla.com/D133073

docshell/base/BrowsingContext.cpp

@@ -1354,10 +1354,14 @@ bool BrowsingContext::IsSandboxedFrom(BrowsingContext* aTarget) {
   }
 
   // If SANDBOXED_TOPLEVEL_NAVIGATION_USER_ACTIVATION flag is not on, we are not
-  // sandboxed from our top if we have user interaction.
+  // sandboxed from our top if we have user interaction. We assume there is a
+  // valid transient user gesture interaction if this check happens in the
+  // target process given that we have checked in the triggering process
+  // already.
   if (!(sandboxFlags & SANDBOXED_TOPLEVEL_NAVIGATION_USER_ACTIVATION) &&
       mCurrentWindowContext &&
-      mCurrentWindowContext->HasValidTransientUserGestureActivation() &&
+      (!mCurrentWindowContext->IsInProcess() ||
+       mCurrentWindowContext->HasValidTransientUserGestureActivation()) &&
       aTarget == Top()) {
     return false;
   }

docshell/test/iframesandbox/file_top_navigation_by_user_activation.html

@@ -0,0 +1,27 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+<meta charset="utf-8">
+<title>Test window for top navigation with user activation</title>
+<script>
+window.onload = () => {
+  opener.postMessage("READY", "*");
+};
+
+window.onhashchange = () => {
+  opener.postMessage("NAVIGATED", "*");
+};
+
+window.onmessage = (e) => {
+  if (e.data == "CLICK" || e.data == "SCRIPT") {
+    frames[0].postMessage([e.data, location.href + "#hash"], "*");
+  } else {
+    opener.postMessage(e.data, "*");
+  }
+};
+</script>
+</head>
+<body>
+  <iframe sandbox="allow-scripts allow-top-navigation-by-user-activation" src="http://example.org/tests/docshell/test/iframesandbox/file_top_navigation_by_user_activation_iframe.html"></iframe>
+</body>
+</html>

docshell/test/iframesandbox/file_top_navigation_by_user_activation_iframe.html

@@ -0,0 +1,32 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+<meta charset="utf-8">
+<script src="/tests/SimpleTest/EventUtils.js"></script>
+<title>Test window for top navigation with user activation</title>
+<script>
+function navigate(aURL) {
+  try {
+    top.location.href = aURL;
+  } catch (e) {
+    top.postMessage("BLOCKED", "*");
+  }
+}
+
+window.onmessage = (e) => {
+  SpecialPowers.wrap(document).clearUserGestureActivation();
+  let [command, url] = e.data;
+  if (command == "CLICK") {
+    let button = document.querySelector("button");
+    button.addEventListener("click", () => {
+      navigate(url);
+    }, { once: true });
+    synthesizeMouseAtCenter(button, {});
+  } else if (command == "SCRIPT") {
+    navigate(url);
+  }
+};
+</script>
+</head>
+<body><button>Click</button></body>
+</html>

docshell/test/iframesandbox/mochitest.ini

@@ -22,3 +22,7 @@ tags = openwindow
 tags = openwindow
 [test_top_navigation_by_location_exotic.html]
 [test_top_navigation_by_location.html]
+[test_top_navigation_by_user_activation.html]
+support-files =
+  file_top_navigation_by_user_activation.html
+  file_top_navigation_by_user_activation_iframe.html

docshell/test/iframesandbox/test_top_navigation_by_user_activation.html

@@ -0,0 +1,74 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=1744321
+-->
+<head>
+<meta charset="utf-8">
+<title>Iframe sandbox top navigation by user activation</title>
+<script src="/tests/SimpleTest/SimpleTest.js"></script>
+<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+<script>
+function waitForMessage(aCallback) {
+  return new Promise((aResolve) => {
+    window.addEventListener("message", function listener(aEvent) {
+      aCallback(aEvent);
+      aResolve();
+    }, { once: true });
+  });
+}
+
+[
+  {
+    desc: "A same-origin iframe in sandbox with 'allow-top-navigation-by-user-activation' cannot navigate its top level page, if the navigation is not triggered by a user gesture",
+    sameOrigin: true,
+    userGesture: false,
+  },
+  {
+    desc: "A same-origin iframe in sandbox with 'allow-top-navigation-by-user-activation' can navigate its top level page, if the navigation is triggered by a user gesture",
+    sameOrigin: true,
+    userGesture: true,
+  },
+  {
+    desc: "A cross-origin iframe in sandbox with 'allow-top-navigation-by-user-activation' cannot navigate its top level page, if the navigation is not triggered by a user gesture",
+    sameOrigin: false,
+    userGesture: false,
+  },
+  {
+    desc: "A cross-origin iframe in sandbox with 'allow-top-navigation-by-user-activation' can navigate its top level page, if the navigation is triggered by a user gesture",
+    sameOrigin: false,
+    userGesture: true,
+  },
+].forEach(({desc, sameOrigin, userGesture}) => {
+  add_task(async function() {
+    info(`Test: ${desc}`);
+
+    let url = "file_top_navigation_by_user_activation.html";
+    if (sameOrigin) {
+      url = "http://example.org/tests/docshell/test/iframesandbox/" + url;
+    }
+
+    let promise = waitForMessage((e) => {
+      is(e.data, "READY", "Ready for test");
+    });
+    let testWin = window.open(url);
+    await promise;
+
+    promise = waitForMessage((e) => {
+      is(e.data, userGesture ? "NAVIGATED" : "BLOCKED", "Check the result");
+    });
+    testWin.postMessage(userGesture ? "CLICK" : "SCRIPT", "*");
+    await promise;
+    testWin.close();
+  });
+});
+</script>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1744321">Mozilla Bug 1744321</a>
+<p id="display"></p>
+<div id="content">
+Tests for Bug 1744321
+</div>
+</body>
+</html>