Bug 1647519: Reject javascript: requests targeting other content processes. r=nika

Loads targeting cross-process BrowsingContexts are by definition cross-origin,
which should preclude any javascript: loads. While those loads are currently
prevented by principal checks in the final target process, sending IPC
messages for the attempts is unnecessary, and potentially opens a door to
privilege escalation exploits by a compromised content process.

This patch prevents any cross-process load requests from being sent by content
processes, and adds checks in the parent process to kill any (potentially
compromised) content process which attempts to send them.

Differential Revision: https://phabricator.services.mozilla.com/D103529
This commit is contained in:
Kris Maglione
2021-02-02 21:46:53 +00:00
parent e325efe5aa
commit f533d213f0
10 changed files with 305 additions and 0 deletions


@@ -743,6 +743,22 @@ nsDocShell::SetCancelContentJSEpoch(int32_t aEpoch) {
return NS_OK;
}
nsresult nsDocShell::CheckDisallowedJavascriptLoad(
nsDocShellLoadState* aLoadState) {
if (!net::SchemeIsJavascript(aLoadState->URI())) {
return NS_OK;
}
if (nsCOMPtr<nsIPrincipal> targetPrincipal =
GetInheritedPrincipal(/* aConsiderCurrentDocument */ true)) {
if (!aLoadState->TriggeringPrincipal()->Subsumes(targetPrincipal)) {
return NS_ERROR_DOM_BAD_CROSS_ORIGIN_URI;
}
return NS_OK;
}
return NS_ERROR_DOM_BAD_CROSS_ORIGIN_URI;
}
NS_IMETHODIMP
nsDocShell::LoadURI(nsDocShellLoadState* aLoadState, bool aSetNavigating) {
return LoadURI(aLoadState, aSetNavigating, false);
@@ -767,6 +783,8 @@ nsresult nsDocShell::LoadURI(nsDocShellLoadState* aLoadState,
return NS_ERROR_FAILURE;
}
MOZ_TRY(CheckDisallowedJavascriptLoad(aLoadState));
bool oldIsNavigating = mIsNavigating;
auto cleanupIsNavigating =
MakeScopeExit([&]() { mIsNavigating = oldIsNavigating; });
@@ -9195,6 +9213,8 @@ nsresult nsDocShell::InternalLoad(nsDocShellLoadState* aLoadState,
aLoadState->TargetBrowsingContext() == GetBrowsingContext(),
"Load must be targeting this BrowsingContext");
MOZ_TRY(CheckDisallowedJavascriptLoad(aLoadState));
// If we don't have a target, we're loading into ourselves, and our load
// delegate may want to intercept that load.
SameDocumentNavigationState sameDocumentNavigationState;
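Review bot: In the first hunk, `CheckDisallowedJavascriptLoad` calls `aLoadState->TriggeringPrincipal()->Subsumes(targetPrincipal)` without checking that the triggering principal is non-null; if a load state can reach `LoadURI` before the triggering-principal assertion that `InternalLoad` performs (I cannot confirm the ordering from these hunks), the javascript: path dereferences null rather than rejecting the load. A defensive form that keeps the fail-closed result is `if (!aLoadState->TriggeringPrincipal() || !aLoadState->TriggeringPrincipal()->Subsumes(targetPrincipal)) {`. The new method also has no header comment, and the reason the no-inherited-principal branch returns `NS_ERROR_DOM_BAD_CROSS_ORIGIN_URI` is not obvious; I would add above the definition: `// javascript: loads may only run when the triggering principal subsumes the` / `// principal the new document would inherit; with no inherited principal to` / `// compare against, fail closed rather than run script in an unknown origin.` The same check is invoked from both `LoadURI` and `InternalLoad` (second and third hunks); a one-line comment at the `InternalLoad` call noting it is a deliberate second line of defense for callers that bypass `LoadURI` would stop a later cleanup from removing one of them.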