Diffstat (limited to 'dom/plugins')
-rw-r--r-- | dom/plugins/base/nsPluginInstanceOwner.cpp | 25 | ||||
-rw-r--r-- | dom/plugins/test/mochitest/test_bug813906.html | 22 |
2 files changed, 32 insertions, 15 deletions
diff --git a/dom/plugins/base/nsPluginInstanceOwner.cpp b/dom/plugins/base/nsPluginInstanceOwner.cpp
index 291ae576d..d5b1eb9ea 100644
--- a/dom/plugins/base/nsPluginInstanceOwner.cpp
+++ b/dom/plugins/base/nsPluginInstanceOwner.cpp
@@ -535,16 +535,6 @@ NS_IMETHODIMP nsPluginInstanceOwner::GetURL(const char *aURL,
 nsresult rv = NS_NewURI(getter_AddRefs(uri), aURL, baseURI);
 NS_ENSURE_SUCCESS(rv, NS_ERROR_FAILURE);
- if (aDoCheckLoadURIChecks) {
- nsCOMPtr<nsIScriptSecurityManager> secMan(
- do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID, &rv));
- NS_ENSURE_TRUE(secMan, NS_ERROR_FAILURE);
-
- rv = secMan->CheckLoadURIWithPrincipal(content->NodePrincipal(), uri,
- nsIScriptSecurityManager::STANDARD);
- NS_ENSURE_SUCCESS(rv, rv);
- }
-
 nsCOMPtr<nsIInputStream> headersDataStream;
 if (aPostStream && aHeadersData) {
 if (!aHeadersDataLen)
@@ -563,8 +553,21 @@ NS_IMETHODIMP nsPluginInstanceOwner::GetURL(const char *aURL,
 Preferences::GetInt("privacy.popups.disable_from_plugins");
 nsAutoPopupStatePusher popupStatePusher((PopupControlState)blockPopups);
+
+ // if security checks (in particular CheckLoadURIWithPrincipal) needs
+ // to be skipped we are creating a codebasePrincipal to make sure
+ // that security check succeeds. Please note that we do not want to
+ // fall back to using the systemPrincipal, because that would also
+ // bypass ContentPolicy checks which should still be enforced.
+ nsCOMPtr<nsIPrincipal> triggeringPrincipal;
+ if (!aDoCheckLoadURIChecks) {
+ mozilla::PrincipalOriginAttributes attrs =
+ BasePrincipal::Cast(content->NodePrincipal())->OriginAttributesRef();
+ triggeringPrincipal = BasePrincipal::CreateCodebasePrincipal(uri, attrs);
+ }
+
 rv = lh->OnLinkClick(content, uri, unitarget.get(), NullString(),
- aPostStream, headersDataStream, true);
+ aPostStream, headersDataStream, true, triggeringPrincipal);
 return rv;
 }
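Review bot: In the second hunk, the principal built under `if (!aDoCheckLoadURIChecks)` is passed to OnLinkClick with no null check, so if `BasePrincipal::CreateCodebasePrincipal(uri, attrs)` fails to produce a principal for this `uri`, the call silently takes whatever path OnLinkClick uses for a null triggering principal rather than the intended one. Add `NS_ENSURE_TRUE(triggeringPrincipal, NS_ERROR_FAILURE);` after the assignment, or a comment stating that a null result is meant to fall back to the checked path. Since the first hunk removes the CheckLoadURIWithPrincipal call from GetURL itself, the `aDoCheckLoadURIChecks == true` case now depends entirely on OnLinkClick applying that check for a null principal, which is outside this diff; the new comment would be clearer if it said so, e.g. `// When checks are required, triggeringPrincipal stays null and OnLinkClick is expected to apply CheckLoadURIWithPrincipal against the node principal.` GetURL begins before the first hunk.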
diff --git a/dom/plugins/test/mochitest/test_bug813906.html b/dom/plugins/test/mochitest/test_bug813906.html
index 04c34daaf..d18dbbff2 100644
--- a/dom/plugins/test/mochitest/test_bug813906.html
+++ b/dom/plugins/test/mochitest/test_bug813906.html
@@ -18,21 +18,35 @@ function f() {
 </script>
 <script type="application/javascript">
+SimpleTest.requestFlakyTimeout(
+ "Blocking an iframe does not cause the onerror event to be fired");
+
 SimpleTest.waitForExplicitFinish();
 setTestPluginEnabledState(SpecialPowers.Ci.nsIPluginTag.STATE_ENABLED);
 var frameLoadCount = 0;
+
+function frameNavBlocked() {
+ isnot(SpecialPowers.wrap(window.frame1).location.href.indexOf('chrome://'),
+ 0, 'plugin shouldnt be able to cause navigation to chrome URLs');
+ SimpleTest.finish();
+}
+
 function frameLoaded() {
 frameLoadCount++;
 if (frameLoadCount == 1) {
 document.getElementsByTagName("object")[0].type = "application/x-test";
 document.getElementsByTagName("use")[0].setAttributeNS("http://www.w3.org/1999/xlink", "href", location.href + "#a");
- } else if (frameLoadCount == 2) {
- isnot(SpecialPowers.wrap(window.frame1).location.href.indexOf('chrome://'),
- 0, 'plugin shouldnt be able to cause navigation to chrome URLs');
- SimpleTest.finish();
+
+ // wait two seconds and verify that frame navigation did not succeed
+ setTimeout(frameNavBlocked, 2000);
+ return;
 }
+ // we should never get here, but just in case, make sure the test fails in that case.
+ ok(false, "onload() event should not fire for blocked navigation");
+ SimpleTest.finish();
 }
+
 </script>
 <!-- Note that <svg:use> ends up creating an anonymous subtree, which means that the plugin |
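Review bot: The fall-through branch of `frameLoaded` calls `SimpleTest.finish()` while the two-second timer armed in the `frameLoadCount == 1` branch is still pending, so a second onload arriving before the timer fires makes `frameNavBlocked` run after the test has finished and call `finish()` a second time. Keep the timer id and cancel it on the failure path: `var navCheckTimer = null;` at script level, `navCheckTimer = setTimeout(frameNavBlocked, 2000);` in the first branch, and `clearTimeout(navCheckTimer);` immediately before the `ok(false, ...)`. Separately, `frameNavBlocked` only asserts that the href does not start with `chrome://`, which also passes if the frame navigated to some other unexpected URL; comparing against the frame's original href would pin the blocked-navigation claim more tightly, if that matches the test's intent.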