From 5f8de423f190bbb79a62f804151bc24824fa32d8 Mon Sep 17 00:00:00 2001
From: "Matt A. Tobin"
Date: Fri, 2 Feb 2018 04:16:08 -0500
Subject: Add m-esr52 at 52.6.0
---
.../components/windowwatcher/nsWindowWatcher.cpp | 2610 ++++++++++++++++++++
1 file changed, 2610 insertions(+)
create mode 100644 embedding/components/windowwatcher/nsWindowWatcher.cpp
(limited to 'embedding/components/windowwatcher/nsWindowWatcher.cpp')
diff --git a/embedding/components/windowwatcher/nsWindowWatcher.cpp b/embedding/components/windowwatcher/nsWindowWatcher.cpp
new file mode 100644
index 000000000..07872410e
--- /dev/null
+++ b/embedding/components/windowwatcher/nsWindowWatcher.cpp
@@ -0,0 +1,2610 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+//#define USEWEAKREFS // (haven't quite figured that out yet)
+
+#include "nsWindowWatcher.h"
+#include "nsAutoWindowStateHelper.h"
+
+#include "nsCRT.h"
+#include "nsNetUtil.h"
+#include "nsIAuthPrompt.h"
+#include "nsIAuthPrompt2.h"
+#include "nsISimpleEnumerator.h"
+#include "nsIInterfaceRequestorUtils.h"
+#include "nsJSUtils.h"
+#include "plstr.h"
+
+#include "nsDocShell.h"
+#include "nsGlobalWindow.h"
+#include "nsIBaseWindow.h"
+#include "nsIBrowserDOMWindow.h"
+#include "nsIDocShell.h"
+#include "nsIDocShellLoadInfo.h"
+#include "nsIDocShellTreeItem.h"
+#include "nsIDocShellTreeOwner.h"
+#include "nsIDocumentLoader.h"
+#include "nsIDocument.h"
+#include "nsIDOMDocument.h"
+#include "nsIDOMWindow.h"
+#include "nsIDOMChromeWindow.h"
+#include "nsIDOMModalContentWindow.h"
+#include "nsIPrompt.h"
+#include "nsIScriptObjectPrincipal.h"
+#include "nsIScreen.h"
+#include "nsIScreenManager.h"
+#include "nsIScriptContext.h"
+#include "nsIObserverService.h"
+#include "nsIScriptSecurityManager.h"
+#include "nsXPCOM.h"
+#include "nsIURI.h"
+#include "nsIWebBrowser.h"
+#include "nsIWebBrowserChrome.h"
+#include "nsIWebNavigation.h"
+#include "nsIWindowCreator.h"
+#include "nsIWindowCreator2.h"
+#include "nsIXPConnect.h"
+#include "nsIXULRuntime.h"
+#include "nsPIDOMWindow.h"
+#include "nsIContentViewer.h"
+#include "nsIWindowProvider.h"
+#include "nsIMutableArray.h"
+#include "nsIDOMStorageManager.h"
+#include "nsIWidget.h"
+#include "nsFocusManager.h"
+#include "nsIPresShell.h"
+#include "nsPresContext.h"
+#include "nsContentUtils.h"
+#include "nsIPrefBranch.h"
+#include "nsIPrefService.h"
+#include "nsSandboxFlags.h"
+#include "mozilla/Preferences.h"
+#include "mozilla/dom/DOMStorage.h"
+#include "mozilla/dom/ScriptSettings.h"
+#include "mozilla/dom/TabParent.h"
+#include "mozilla/dom/DocGroup.h"
+#include "mozilla/dom/TabGroup.h"
+#include "nsIXULWindow.h"
+#include "nsIXULBrowserWindow.h"
+#include "nsGlobalWindow.h"
+
+#ifdef USEWEAKREFS
+#include "nsIWeakReference.h"
+#endif
+
+using namespace mozilla;
+using namespace mozilla::dom;
+
+/****************************************************************
+ ******************** nsWatcherWindowEntry **********************
+ ****************************************************************/
+
+class nsWindowWatcher;
+
+struct nsWatcherWindowEntry
+{
+
+ nsWatcherWindowEntry(mozIDOMWindowProxy* aWindow, nsIWebBrowserChrome* aChrome)
+ : mChrome(nullptr)
+ {
+#ifdef USEWEAKREFS
+ mWindow = do_GetWeakReference(aWindow);
+#else
+ mWindow = aWindow;
+#endif
+ nsCOMPtr supportsweak(do_QueryInterface(aChrome));
+ if (supportsweak) {
+ supportsweak->GetWeakReference(getter_AddRefs(mChromeWeak));
+ } else {
+ mChrome = aChrome;
+ mChromeWeak = nullptr;
+ }
+ ReferenceSelf();
+ }
+ ~nsWatcherWindowEntry() {}
+
+ void InsertAfter(nsWatcherWindowEntry* aOlder);
+ void Unlink();
+ void ReferenceSelf();
+
+#ifdef USEWEAKREFS
+ nsCOMPtr mWindow;
+#else // still not an owning ref
+ mozIDOMWindowProxy* mWindow;
+#endif
+ nsIWebBrowserChrome* mChrome;
+ nsWeakPtr mChromeWeak;
+ // each struct is in a circular, doubly-linked list
+ nsWatcherWindowEntry* mYounger; // next younger in sequence
+ nsWatcherWindowEntry* mOlder;
+};
+
+void
+nsWatcherWindowEntry::InsertAfter(nsWatcherWindowEntry* aOlder)
+{
+ if (aOlder) {
+ mOlder = aOlder;
+ mYounger = aOlder->mYounger;
+ mOlder->mYounger = this;
+ if (mOlder->mOlder == mOlder) {
+ mOlder->mOlder = this;
+ }
+ mYounger->mOlder = this;
+ if (mYounger->mYounger == mYounger) {
+ mYounger->mYounger = this;
+ }
+ }
+}
+
+void
+nsWatcherWindowEntry::Unlink()
+{
+ mOlder->mYounger = mYounger;
+ mYounger->mOlder
= mOlder;
+ ReferenceSelf();
+}
+
+void
+nsWatcherWindowEntry::ReferenceSelf()
+{
+
+ mYounger = this;
+ mOlder = this;
+}
+
+/****************************************************************
+ ****************** nsWatcherWindowEnumerator *******************
+ ****************************************************************/
+
+class nsWatcherWindowEnumerator : public nsISimpleEnumerator
+{
+
+public:
+ explicit nsWatcherWindowEnumerator(nsWindowWatcher* aWatcher);
+ NS_IMETHOD HasMoreElements(bool* aResult) override;
+ NS_IMETHOD GetNext(nsISupports** aResult) override;
+
+ NS_DECL_ISUPPORTS
+
+protected:
+ virtual ~nsWatcherWindowEnumerator();
+
+private:
+ friend class nsWindowWatcher;
+
+ nsWatcherWindowEntry* FindNext();
+ void WindowRemoved(nsWatcherWindowEntry* aInfo);
+
+ nsWindowWatcher* mWindowWatcher;
+ nsWatcherWindowEntry* mCurrentPosition;
+};
+
+NS_IMPL_ADDREF(nsWatcherWindowEnumerator)
+NS_IMPL_RELEASE(nsWatcherWindowEnumerator)
+NS_IMPL_QUERY_INTERFACE(nsWatcherWindowEnumerator, nsISimpleEnumerator)
+
+nsWatcherWindowEnumerator::nsWatcherWindowEnumerator(nsWindowWatcher* aWatcher)
+ : mWindowWatcher(aWatcher)
+ , mCurrentPosition(aWatcher->mOldestWindow)
+{
+ mWindowWatcher->AddEnumerator(this);
+ mWindowWatcher->AddRef();
+}
+
+nsWatcherWindowEnumerator::~nsWatcherWindowEnumerator()
+{
+ mWindowWatcher->RemoveEnumerator(this);
+ mWindowWatcher->Release();
+}
+
+NS_IMETHODIMP
+nsWatcherWindowEnumerator::HasMoreElements(bool* aResult)
+{
+ if (!aResult) {
+ return NS_ERROR_INVALID_ARG;
+ }
+
+ *aResult = !!mCurrentPosition;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsWatcherWindowEnumerator::GetNext(nsISupports** aResult)
+{
+ if (!aResult) {
+ return NS_ERROR_INVALID_ARG;
+ }
+
+ *aResult = nullptr;
+
+#ifdef USEWEAKREFS
+ while (mCurrentPosition) {
+ CallQueryReferent(mCurrentPosition->mWindow, aResult);
+ if (*aResult) {
+ mCurrentPosition = FindNext();
+ break;
+ } else { // window is gone!
+ mWindowWatcher->RemoveWindow(mCurrentPosition);
+ }
+ }
+ NS_IF_ADDREF(*aResult);
+#else
+ if (mCurrentPosition) {
+ CallQueryInterface(mCurrentPosition->mWindow, aResult);
+ mCurrentPosition = FindNext();
+ }
+#endif
+ return NS_OK;
+}
+
+nsWatcherWindowEntry*
+nsWatcherWindowEnumerator::FindNext()
+{
+ nsWatcherWindowEntry* info;
+
+ if (!mCurrentPosition) {
+ return 0;
+ }
+
+ info = mCurrentPosition->mYounger;
+ return info == mWindowWatcher->mOldestWindow ? 0 : info;
+}
+
+// if a window is being removed adjust the iterator's current position
+void
+nsWatcherWindowEnumerator::WindowRemoved(nsWatcherWindowEntry* aInfo)
+{
+
+ if (mCurrentPosition == aInfo) {
+ mCurrentPosition =
+ mCurrentPosition != aInfo->mYounger ? aInfo->mYounger : 0;
+ }
+}
+
+/****************************************************************
+ *********************** nsWindowWatcher ************************
+ ****************************************************************/
+
+NS_IMPL_ADDREF(nsWindowWatcher)
+NS_IMPL_RELEASE(nsWindowWatcher)
+NS_IMPL_QUERY_INTERFACE(nsWindowWatcher,
+ nsIWindowWatcher,
+ nsIPromptFactory,
+ nsPIWindowWatcher)
+
+nsWindowWatcher::nsWindowWatcher()
+ : mEnumeratorList()
+ , mOldestWindow(0)
+ , mListLock("nsWindowWatcher.mListLock")
+{
+}
+
+nsWindowWatcher::~nsWindowWatcher()
+{
+ // delete data
+ while (mOldestWindow) {
+ RemoveWindow(mOldestWindow);
+ }
+}
+
+nsresult
+nsWindowWatcher::Init()
+{
+ return NS_OK;
+}
+
+/**
+ * Convert aArguments into either an nsIArray or nullptr.
+ *
+ * - If aArguments is nullptr, return nullptr.
+ * - If aArguments is an nsArray, return nullptr if it's empty, or otherwise
+ * return the array.
+ * - If aArguments is an nsIArray, return nullptr if it's empty, or
+ * otherwise just return the array.
+ * - Otherwise, return an nsIArray with one element: aArguments.
+ */
+static already_AddRefed
+ConvertArgsToArray(nsISupports* aArguments)
+{
+ if (!aArguments) {
+ return nullptr;
+ }
+
+ nsCOMPtr array = do_QueryInterface(aArguments);
+ if (array) {
+ uint32_t argc = 0;
+ array->GetLength(&argc);
+ if (argc == 0) {
+ return nullptr;
+ }
+
+ return array.forget();
+ }
+
+ nsCOMPtr singletonArray =
+ do_CreateInstance(NS_ARRAY_CONTRACTID);
+ NS_ENSURE_TRUE(singletonArray, nullptr);
+
+ nsresult rv = singletonArray->AppendElement(aArguments, /* aWeak = */ false);
+ NS_ENSURE_SUCCESS(rv, nullptr);
+
+ return singletonArray.forget();
+}
+
+NS_IMETHODIMP
+nsWindowWatcher::OpenWindow(mozIDOMWindowProxy* aParent,
+ const char* aUrl,
+ const char* aName,
+ const char* aFeatures,
+ nsISupports* aArguments,
+ mozIDOMWindowProxy** aResult)
+{
+ nsCOMPtr argv = ConvertArgsToArray(aArguments);
+
+ uint32_t argc = 0;
+ if (argv) {
+ argv->GetLength(&argc);
+ }
+ bool dialog = (argc != 0);
+
+ return OpenWindowInternal(aParent, aUrl, aName, aFeatures,
+ /* calledFromJS = */ false, dialog,
+ /* navigate = */ true, argv,
+ /* aIsPopupSpam = */ false,
+ /* aForceNoOpener = */ false,
+ /* aLoadInfo = */ nullptr,
+ aResult);
+}
+
+struct SizeSpec
+{
+ SizeSpec()
+ : mLeft(0)
+ , mTop(0)
+ , mOuterWidth(0)
+ , mOuterHeight(0)
+ , mInnerWidth(0)
+ , mInnerHeight(0)
+ , mLeftSpecified(false)
+ , mTopSpecified(false)
+ , mOuterWidthSpecified(false)
+ , mOuterHeightSpecified(false)
+ , mInnerWidthSpecified(false)
+ , mInnerHeightSpecified(false)
+ , mUseDefaultWidth(false)
+ , mUseDefaultHeight(false)
+ {
+ }
+
+ int32_t mLeft;
+ int32_t mTop;
+ int32_t mOuterWidth; // Total window width
+ int32_t mOuterHeight; // Total window height
+ int32_t mInnerWidth; // Content area width
+ int32_t mInnerHeight; // Content area height
+
+ bool mLeftSpecified;
+ bool mTopSpecified;
+ bool mOuterWidthSpecified;
+ bool mOuterHeightSpecified;
+ bool mInnerWidthSpecified;
+ bool mInnerHeightSpecified;
+
+ // If these booleans are true, don't look at the corresponding
width values
+ // even if they're specified -- they'll be bogus
+ bool mUseDefaultWidth;
+ bool mUseDefaultHeight;
+
+ bool PositionSpecified() const
+ {
+ return mLeftSpecified || mTopSpecified;
+ }
+
+ bool SizeSpecified() const
+ {
+ return mOuterWidthSpecified || mOuterHeightSpecified ||
+ mInnerWidthSpecified || mInnerHeightSpecified;
+ }
+};
+
+NS_IMETHODIMP
+nsWindowWatcher::OpenWindow2(mozIDOMWindowProxy* aParent,
+ const char* aUrl,
+ const char* aName,
+ const char* aFeatures,
+ bool aCalledFromScript,
+ bool aDialog,
+ bool aNavigate,
+ nsISupports* aArguments,
+ bool aIsPopupSpam,
+ bool aForceNoOpener,
+ nsIDocShellLoadInfo* aLoadInfo,
+ mozIDOMWindowProxy** aResult)
+{
+ nsCOMPtr argv = ConvertArgsToArray(aArguments);
+
+ uint32_t argc = 0;
+ if (argv) {
+ argv->GetLength(&argc);
+ }
+
+ // This is extremely messed up, but this behavior is necessary because
+ // callers lie about whether they're a dialog window and whether they're
+ // called from script. Fixing this is bug 779939.
+ bool dialog = aDialog;
+ if (!aCalledFromScript) {
+ dialog = argc > 0;
+ }
+
+ return OpenWindowInternal(aParent, aUrl, aName, aFeatures,
+ aCalledFromScript, dialog,
+ aNavigate, argv, aIsPopupSpam,
+ aForceNoOpener, aLoadInfo, aResult);
+}
+
+// This static function checks if the aDocShell uses an UserContextId equal to
+// the userContextId of subjectPrincipal, if not null.
+static bool
+CheckUserContextCompatibility(nsIDocShell* aDocShell)
+{
+ MOZ_ASSERT(aDocShell);
+
+ uint32_t userContextId =
+ static_cast(aDocShell)->GetOriginAttributes().mUserContextId;
+
+ nsCOMPtr subjectPrincipal =
+ nsContentUtils::GetCurrentJSContext()
+ ? nsContentUtils::SubjectPrincipal() : nullptr;
+
+ // If we don't have a valid principal, probably we are in e10s mode, parent
+ // side.
+ if (!subjectPrincipal) {
+ return true;
+ }
+
+ // DocShell can have UsercontextID set but loading a document with system
+ // principal. In this case, we consider everything ok.
+ if (nsContentUtils::IsSystemPrincipal(subjectPrincipal)) {
+ return true;
+ }
+
+ return subjectPrincipal->GetUserContextId() == userContextId;
+}
+
+NS_IMETHODIMP
+nsWindowWatcher::OpenWindowWithoutParent(nsITabParent** aResult)
+{
+ return OpenWindowWithTabParent(nullptr, EmptyCString(), true, 1.0f, aResult);
+}
+
+nsresult
+nsWindowWatcher::CreateChromeWindow(const nsACString& aFeatures,
+ nsIWebBrowserChrome* aParentChrome,
+ uint32_t aChromeFlags,
+ uint32_t aContextFlags,
+ nsITabParent* aOpeningTabParent,
+ mozIDOMWindowProxy* aOpener,
+ nsIWebBrowserChrome** aResult)
+{
+ nsCOMPtr windowCreator2(do_QueryInterface(mWindowCreator));
+ if (NS_WARN_IF(!windowCreator2)) {
+ return NS_ERROR_UNEXPECTED;
+ }
+
+ // B2G multi-screen support. mozDisplayId is returned from the
+ // "display-changed" event, it is also platform-dependent.
+#ifdef MOZ_WIDGET_GONK
+ int retval = WinHasOption(aFeatures, "mozDisplayId", 0, nullptr);
+ windowCreator2->SetScreenId(retval);
+#endif
+
+ bool cancel = false;
+ nsCOMPtr newWindowChrome;
+ nsresult rv =
+ windowCreator2->CreateChromeWindow2(aParentChrome, aChromeFlags, aContextFlags,
+ aOpeningTabParent, aOpener, &cancel,
+ getter_AddRefs(newWindowChrome));
+
+ if (NS_SUCCEEDED(rv) && cancel) {
+ newWindowChrome = nullptr;
+ return NS_ERROR_ABORT;
+ }
+
+ newWindowChrome.forget(aResult);
+ return NS_OK;
+}
+
+/**
+ * Disable persistence of size/position in popups (determined by
+ * determining whether the features parameter specifies width or height
+ * in any way). We consider any overriding of the window's size or position
+ * in the open call as disabling persistence of those attributes.
+ * Popup windows (which should not persist size or position) generally set
+ * the size.
+ *
+ * @param aFeatures
+ * The features string that was used to open the window.
+ * @param aTreeOwner
+ * The nsIDocShellTreeOwner of the newly opened window. If null,
+ * this function is a no-op.
+ */
+void
+nsWindowWatcher::MaybeDisablePersistence(const nsACString& aFeatures,
+ nsIDocShellTreeOwner* aTreeOwner)
+{
+ if (!aTreeOwner) {
+ return;
+ }
+
+ // At the moment, the strings "height=" or "width=" never happen
+ // outside a size specification, so we can do this the Q&D way.
+ if (PL_strcasestr(aFeatures.BeginReading(), "width=") ||
+ PL_strcasestr(aFeatures.BeginReading(), "height=")) {
+ aTreeOwner->SetPersistence(false, false, false);
+ }
+}
+
+NS_IMETHODIMP
+nsWindowWatcher::OpenWindowWithTabParent(nsITabParent* aOpeningTabParent,
+ const nsACString& aFeatures,
+ bool aCalledFromJS,
+ float aOpenerFullZoom,
+ nsITabParent** aResult)
+{
+ MOZ_ASSERT(XRE_IsParentProcess());
+ MOZ_ASSERT(mWindowCreator);
+
+ if (!nsContentUtils::IsSafeToRunScript()) {
+ nsContentUtils::WarnScriptWasIgnored(nullptr);
+ return NS_ERROR_FAILURE;
+ }
+
+ if (NS_WARN_IF(!mWindowCreator)) {
+ return NS_ERROR_UNEXPECTED;
+ }
+
+ bool isPrivateBrowsingWindow =
+ Preferences::GetBool("browser.privatebrowsing.autostart");
+
+ nsCOMPtr parentWindowOuter;
+ if (aOpeningTabParent) {
+ // We need to examine the window that aOpeningTabParent belongs to in
+ // order to inform us of what kind of window we're going to open.
+ TabParent* openingTab = TabParent::GetFrom(aOpeningTabParent);
+ parentWindowOuter = openingTab->GetParentWindowOuter();
+
+ // Propagate the privacy status of the parent window, if
+ // available, to the child.
+ if (!isPrivateBrowsingWindow) {
+ nsCOMPtr parentContext = openingTab->GetLoadContext();
+ if (parentContext) {
+ isPrivateBrowsingWindow = parentContext->UsePrivateBrowsing();
+ }
+ }
+ }
+
+ if (!parentWindowOuter) {
+ // We couldn't find a browser window for the opener, so either we
+ // never were passed aOpeningTabParent, the window is closed,
+ // or it's in the process of closing. Either way, we'll use
+ // the most recently opened browser window instead.
+ parentWindowOuter = nsContentUtils::GetMostRecentNonPBWindow();
+ }
+
+ if (NS_WARN_IF(!parentWindowOuter)) {
+ return NS_ERROR_UNEXPECTED;
+ }
+
+ nsCOMPtr parentTreeOwner;
+ GetWindowTreeOwner(parentWindowOuter, getter_AddRefs(parentTreeOwner));
+ if (NS_WARN_IF(!parentTreeOwner)) {
+ return NS_ERROR_UNEXPECTED;
+ }
+
+ nsCOMPtr windowCreator2(do_QueryInterface(mWindowCreator));
+ if (NS_WARN_IF(!windowCreator2)) {
+ return NS_ERROR_UNEXPECTED;
+ }
+
+ uint32_t contextFlags = 0;
+ if (parentWindowOuter->IsLoadingOrRunningTimeout()) {
+ contextFlags |=
+ nsIWindowCreator2::PARENT_IS_LOADING_OR_RUNNING_TIMEOUT;
+ }
+
+ uint32_t chromeFlags = CalculateChromeFlagsForChild(aFeatures);
+
+ // A content process has asked for a new window, which implies
+ // that the new window will need to be remote.
+ chromeFlags |= nsIWebBrowserChrome::CHROME_REMOTE_WINDOW;
+
+ nsCOMPtr parentChrome(do_GetInterface(parentTreeOwner));
+ nsCOMPtr newWindowChrome;
+
+ CreateChromeWindow(aFeatures, parentChrome, chromeFlags, contextFlags,
+ aOpeningTabParent, nullptr, getter_AddRefs(newWindowChrome));
+
+ if (NS_WARN_IF(!newWindowChrome)) {
+ return NS_ERROR_UNEXPECTED;
+ }
+
+ nsCOMPtr chromeTreeItem = do_GetInterface(newWindowChrome);
+ if (NS_WARN_IF(!chromeTreeItem)) {
+ return NS_ERROR_UNEXPECTED;
+ }
+
+ nsCOMPtr chromeTreeOwner;
+ chromeTreeItem->GetTreeOwner(getter_AddRefs(chromeTreeOwner));
+ if (NS_WARN_IF(!chromeTreeOwner)) {
+ return NS_ERROR_UNEXPECTED;
+ }
+
+ nsCOMPtr chromeContext = do_QueryInterface(chromeTreeItem);
+ if (NS_WARN_IF(!chromeContext)) {
+ return NS_ERROR_UNEXPECTED;
+ }
+
+ chromeContext->SetPrivateBrowsing(isPrivateBrowsingWindow);
+
+ // Tabs opened from a content process can only open new windows
+ // that will also run with out-of-process tabs.
+ chromeContext->SetRemoteTabs(true);
+
+ MaybeDisablePersistence(aFeatures, chromeTreeOwner);
+
+ SizeSpec sizeSpec;
+ CalcSizeSpec(aFeatures, sizeSpec);
+ SizeOpenedWindow(chromeTreeOwner, parentWindowOuter, false, sizeSpec,
+ Some(aOpenerFullZoom));
+
+ nsCOMPtr newTabParent;
+ chromeTreeOwner->GetPrimaryTabParent(getter_AddRefs(newTabParent));
+ if (NS_WARN_IF(!newTabParent)) {
+ return NS_ERROR_UNEXPECTED;
+ }
+
+ newTabParent.forget(aResult);
+ return NS_OK;
+}
+
+nsresult
+nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy* aParent,
+ const char* aUrl,
+ const char* aName,
+ const char* aFeatures,
+ bool aCalledFromJS,
+ bool aDialog,
+ bool aNavigate,
+ nsIArray* aArgv,
+ bool aIsPopupSpam,
+ bool aForceNoOpener,
+ nsIDocShellLoadInfo* aLoadInfo,
+ mozIDOMWindowProxy** aResult)
+{
+ nsresult rv = NS_OK;
+ bool isNewToplevelWindow = false;
+ bool windowIsNew = false;
+ bool windowNeedsName = false;
+ bool windowIsModal = false;
+ bool uriToLoadIsChrome = false;
+ bool windowIsModalContentDialog = false;
+
+ uint32_t chromeFlags;
+ nsAutoString name; // string version of aName
+ nsAutoCString features; // string version of aFeatures
+ nsCOMPtr uriToLoad; // from aUrl, if any
+ nsCOMPtr parentTreeOwner; // from the parent window, if any
+ nsCOMPtr newDocShellItem; // from the new window
+
+ nsCOMPtr parent =
+ aParent ? nsPIDOMWindowOuter::From(aParent) : nullptr;
+
+ NS_ENSURE_ARG_POINTER(aResult);
+ *aResult = 0;
+
+ if (!nsContentUtils::IsSafeToRunScript()) {
+ nsContentUtils::WarnScriptWasIgnored(nullptr);
+ return NS_ERROR_FAILURE;
+ }
+
+ GetWindowTreeOwner(parent, getter_AddRefs(parentTreeOwner));
+
+ // We expect TabParent to have provided us the absolute URI of the window
+ // we're to open, so there's no need to call URIfromURL (or more importantly,
+ // to check for a chrome URI, which cannot be opened from a remote tab).
+ if (aUrl) {
+ rv = URIfromURL(aUrl, aParent, getter_AddRefs(uriToLoad));
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ uriToLoad->SchemeIs("chrome", &uriToLoadIsChrome);
+ }
+
+ bool nameSpecified = false;
+ if (aName) {
+ CopyUTF8toUTF16(aName, name);
+ nameSpecified = true;
+ } else {
+ name.SetIsVoid(true);
+ }
+
+ if (aFeatures) {
+ features.Assign(aFeatures);
+ features.StripWhitespace();
+ } else {
+ features.SetIsVoid(true);
+ }
+
+ // try to find an extant window with the given name
+ nsCOMPtr foundWindow =
+ SafeGetWindowByName(name, aForceNoOpener, aParent);
+ GetWindowTreeItem(foundWindow, getter_AddRefs(newDocShellItem));
+
+ // Do sandbox checks here, instead of waiting until nsIDocShell::LoadURI.
+ // The state of the window can change before this call and if we are blocked
+ // because of sandboxing, we wouldn't want that to happen.
+ nsCOMPtr parentWindow =
+ aParent ? nsPIDOMWindowOuter::From(aParent) : nullptr;
+ nsCOMPtr parentDocShell;
+ if (parentWindow) {
+ parentDocShell = parentWindow->GetDocShell();
+ if (parentDocShell) {
+ nsCOMPtr foundDocShell = do_QueryInterface(newDocShellItem);
+ if (parentDocShell->IsSandboxedFrom(foundDocShell)) {
+ return NS_ERROR_DOM_INVALID_ACCESS_ERR;
+ }
+ }
+ }
+
+ // no extant window? make a new one.
+
+ // If no parent, consider it chrome when running in the parent process.
+ bool hasChromeParent = XRE_IsContentProcess() ? false : true;
+ if (aParent) {
+ // Check if the parent document has chrome privileges.
+ nsIDocument* doc = parentWindow->GetDoc();
+ hasChromeParent = doc && nsContentUtils::IsChromeDoc(doc);
+ }
+
+ bool isCallerChrome = nsContentUtils::LegacyIsCallerChromeOrNativeCode();
+
+ // Make sure we calculate the chromeFlags *before* we push the
+ // callee context onto the context stack so that
+ // the calculation sees the actual caller when doing its
+ // security checks.
+ if (isCallerChrome && XRE_IsParentProcess()) {
+ chromeFlags = CalculateChromeFlagsForParent(aParent, features,
+ aDialog, uriToLoadIsChrome,
+ hasChromeParent, aCalledFromJS);
+ } else {
+ chromeFlags = CalculateChromeFlagsForChild(features);
+
+ // Until ShowModalDialog is removed, it's still possible for content to
+ // request dialogs, but only in single-process mode.
+ if (aDialog) {
+ MOZ_ASSERT(XRE_IsParentProcess());
+ chromeFlags |= nsIWebBrowserChrome::CHROME_OPENAS_DIALOG;
+ }
+ }
+
+ // If we're not called through our JS version of the API, and we got
+ // our internal modal option, treat the window we're opening as a
+ // modal content window (and set the modal chrome flag).
+ if (!aCalledFromJS && aArgv &&
+ WinHasOption(features, "-moz-internal-modal", 0, nullptr)) {
+ windowIsModalContentDialog = true;
+
+ // CHROME_MODAL gets inherited by dependent windows, which affects various
+ // platform-specific window state (especially on OSX). So we need some way
+ // to determine that this window was actually opened by nsGlobalWindow::
+ // ShowModalDialog(), and that somebody is actually going to be watching
+ // for return values and all that.
+ chromeFlags |= nsIWebBrowserChrome::CHROME_MODAL_CONTENT_WINDOW;
+ chromeFlags |= nsIWebBrowserChrome::CHROME_MODAL;
+ }
+
+ SizeSpec sizeSpec;
+ CalcSizeSpec(features, sizeSpec);
+
+ nsCOMPtr sm(
+ do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID));
+
+
+ // XXXbz Why is an AutoJSAPI good enough here? Wouldn't AutoEntryScript (so
+ // we affect the entry global) make more sense? Or do we just want to affect
+ // GetSubjectPrincipal()?
+ dom::AutoJSAPI jsapiChromeGuard;
+
+ bool windowTypeIsChrome =
+ chromeFlags & nsIWebBrowserChrome::CHROME_OPENAS_CHROME;
+ if (isCallerChrome && !hasChromeParent && !windowTypeIsChrome) {
+ // open() is called from chrome on a non-chrome window, initialize an
+ // AutoJSAPI with the callee to prevent the caller's privileges from leaking
+ // into code that runs while opening the new window.
+ //
+ // The reasoning for this is in bug 289204. Basically, chrome sometimes does
+ // someContentWindow.open(untrustedURL), and wants to be insulated from nasty
+ // javascript: URLs and such. But there are also cases where we create a
+ // window parented to a content window (such as a download dialog), usually
+ // directly with nsIWindowWatcher. In those cases, we want the principal of
+ // the initial about:blank document to be system, so that the subsequent XUL
+ // load can reuse the inner window and avoid blowing away expandos. As such,
+ // we decide whether to load with the principal of the caller or of the parent
+ // based on whether the docshell type is chrome or content.
+
+ nsCOMPtr parentGlobalObject = do_QueryInterface(aParent);
+ if (!aParent) {
+ jsapiChromeGuard.Init();
+ } else if (NS_WARN_IF(!jsapiChromeGuard.Init(parentGlobalObject))) {
+ return NS_ERROR_UNEXPECTED;
+ }
+ }
+
+ uint32_t activeDocsSandboxFlags = 0;
+ if (!newDocShellItem) {
+ // We're going to either open up a new window ourselves or ask a
+ // nsIWindowProvider for one. In either case, we'll want to set the right
+ // name on it.
+ windowNeedsName = true;
+
+ // If the parent trying to open a new window is sandboxed
+ // without 'allow-popups', this is not allowed and we fail here.
+ if (aParent) {
+ if (nsIDocument* doc = parentWindow->GetDoc()) {
+ // Save sandbox flags for copying to new browsing context (docShell).
+ activeDocsSandboxFlags = doc->GetSandboxFlags();
+ if (activeDocsSandboxFlags & SANDBOXED_AUXILIARY_NAVIGATION) {
+ return NS_ERROR_DOM_INVALID_ACCESS_ERR;
+ }
+ }
+ }
+
+ // Now check whether it's ok to ask a window provider for a window. Don't
+ // do it if we're opening a dialog or if our parent is a chrome window or
+ // if we're opening something that has modal, dialog, or chrome flags set.
+ nsCOMPtr chromeWin = do_QueryInterface(aParent);
+ if (!aDialog && !chromeWin &&
+ !(chromeFlags & (nsIWebBrowserChrome::CHROME_MODAL |
+ nsIWebBrowserChrome::CHROME_OPENAS_DIALOG |
+ nsIWebBrowserChrome::CHROME_OPENAS_CHROME))) {
+ nsCOMPtr provider;
+ if (parentTreeOwner) {
+ provider = do_GetInterface(parentTreeOwner);
+ } else if (XRE_IsContentProcess()) {
+ // we're in a content process but we don't have a tabchild we can
+ // use.
+ provider = nsContentUtils::GetWindowProviderForContentProcess();
+ }
+
+ if (provider) {
+ nsCOMPtr newWindow;
+ rv = provider->ProvideWindow(aParent, chromeFlags, aCalledFromJS,
+ sizeSpec.PositionSpecified(),
+ sizeSpec.SizeSpecified(),
+ uriToLoad, name, features, aForceNoOpener,
+ &windowIsNew, getter_AddRefs(newWindow));
+
+ if (NS_SUCCEEDED(rv)) {
+ GetWindowTreeItem(newWindow, getter_AddRefs(newDocShellItem));
+ if (windowIsNew && newDocShellItem) {
+ // Make sure to stop any loads happening in this window that the
+ // window provider might have started. Otherwise if our caller
+ // manipulates the window it just opened and then the load
+ // completes their stuff will get blown away.
+ nsCOMPtr webNav =
+ do_QueryInterface(newDocShellItem);
+ webNav->Stop(nsIWebNavigation::STOP_NETWORK);
+ }
+
+ // If this is a new window, but it's incompatible with the current
+ // userContextId, we ignore it and we pretend that nothing has been
+ // returned by ProvideWindow.
+ if (!windowIsNew && newDocShellItem) {
+ nsCOMPtr docShell = do_QueryInterface(newDocShellItem);
+ if (!CheckUserContextCompatibility(docShell)) {
+ newWindow = nullptr;
+ newDocShellItem = nullptr;
+ windowIsNew = false;
+ }
+ }
+
+ } else if (rv == NS_ERROR_ABORT) {
+ // NS_ERROR_ABORT means the window provider has flat-out rejected
+ // the open-window call and we should bail. Don't return an error
+ // here, because our caller may propagate that error, which might
+ // cause e.g. window.open to throw! Just return null for our out
+ // param.
+ return NS_OK;
+ }
+ }
+ }
+ }
+
+ bool newWindowShouldBeModal = false;
+ bool parentIsModal = false;
+ if (!newDocShellItem) {
+ windowIsNew = true;
+ isNewToplevelWindow = true;
+
+ nsCOMPtr parentChrome(do_GetInterface(parentTreeOwner));
+
+ // is the parent (if any) modal? if so, we must be, too.
+ bool weAreModal = (chromeFlags & nsIWebBrowserChrome::CHROME_MODAL) != 0;
+ newWindowShouldBeModal = weAreModal;
+ if (!weAreModal && parentChrome) {
+ parentChrome->IsWindowModal(&weAreModal);
+ parentIsModal = weAreModal;
+ }
+
+ if (weAreModal) {
+ windowIsModal = true;
+ // in case we added this because weAreModal
+ chromeFlags |= nsIWebBrowserChrome::CHROME_MODAL |
+ nsIWebBrowserChrome::CHROME_DEPENDENT;
+ }
+
+ // Make sure to not create modal windows if our parent is invisible and
+ // isn't a chrome window. Otherwise we can end up in a bizarre situation
+ // where we can't shut down because an invisible window is open. If
+ // someone tries to do this, throw.
+ if (!hasChromeParent && (chromeFlags & nsIWebBrowserChrome::CHROME_MODAL)) {
+ nsCOMPtr parentWindow(do_GetInterface(parentTreeOwner));
+ nsCOMPtr parentWidget;
+ if (parentWindow) {
+ parentWindow->GetMainWidget(getter_AddRefs(parentWidget));
+ }
+ // NOTE: the logic for this visibility check is duplicated in
+ // nsIDOMWindowUtils::isParentWindowMainWidgetVisible - if we change
+ // how a window is determined "visible" in this context then we should
+ // also adjust that attribute and/or any consumers of it...
+ if (parentWidget && !parentWidget->IsVisible()) {
+ return NS_ERROR_NOT_AVAILABLE;
+ }
+ }
+
+ NS_ASSERTION(mWindowCreator,
+ "attempted to open a new window with no WindowCreator");
+ rv = NS_ERROR_FAILURE;
+ if (mWindowCreator) {
+ nsCOMPtr newChrome;
+
+ nsCOMPtr parentTopInnerWindow;
+ if (parentWindow) {
+ nsCOMPtr parentTopWindow = parentWindow->GetTop();
+ if (parentTopWindow) {
+ parentTopInnerWindow = parentTopWindow->GetCurrentInnerWindow();
+ }
+ }
+
+ if (parentTopInnerWindow) {
+ parentTopInnerWindow->Suspend();
+ }
+
+ /* If the window creator is an nsIWindowCreator2, we can give it
+ some hints. The only hint at this time is whether the opening window
+ is in a situation that's likely to mean this is an unrequested
+ popup window we're creating. However we're not completely honest:
+ we clear that indicator if the opener is chrome, so that the
+ downstream consumer can treat the indicator to mean simply
+ that the new window is subject to popup control. */
+ nsCOMPtr windowCreator2(
+ do_QueryInterface(mWindowCreator));
+ if (windowCreator2) {
+ uint32_t contextFlags = 0;
+ bool popupConditions = false;
+
+ // is the parent under popup conditions?
+ if (parentWindow) {
+ popupConditions = parentWindow->IsLoadingOrRunningTimeout();
+ }
+
+ // chrome is always allowed, so clear the flag if the opener is chrome
+ if (popupConditions) {
+ popupConditions = !isCallerChrome;
+ }
+
+ if (popupConditions) {
+ contextFlags |=
+ nsIWindowCreator2::PARENT_IS_LOADING_OR_RUNNING_TIMEOUT;
+ }
+
+ mozIDOMWindowProxy* openerWindow = aForceNoOpener ? nullptr : aParent;
+ rv = CreateChromeWindow(features, parentChrome, chromeFlags, contextFlags,
+ nullptr, openerWindow, getter_AddRefs(newChrome));
+
+ } else {
+ rv = mWindowCreator->CreateChromeWindow(parentChrome, chromeFlags,
+ getter_AddRefs(newChrome));
+ }
+
+ if (parentTopInnerWindow) {
+ parentTopInnerWindow->Resume();
+ }
+
+ if (newChrome) {
+ nsCOMPtr xulWin = do_GetInterface(newChrome);
+ if (xulWin) {
+ nsCOMPtr xulBrowserWin;
+ xulWin->GetXULBrowserWindow(getter_AddRefs(xulBrowserWin));
+ if (xulBrowserWin) {
+ nsPIDOMWindowOuter* openerWindow = aForceNoOpener ? nullptr : parentWindow.get();
+ xulBrowserWin->ForceInitialBrowserNonRemote(openerWindow);
+ }
+ }
+ /* It might be a chrome nsXULWindow, in which case it won't have
+ an nsIDOMWindow (primary content shell). But in that case, it'll
+ be able to hand over an nsIDocShellTreeItem directly. */
+ nsCOMPtr newWindow(do_GetInterface(newChrome));
+ if (newWindow) {
+ GetWindowTreeItem(newWindow, getter_AddRefs(newDocShellItem));
+ }
+ if (!newDocShellItem) {
+ newDocShellItem = do_GetInterface(newChrome);
+ }
+ if (!newDocShellItem) {
+ rv = NS_ERROR_FAILURE;
+ }
+ }
+ }
+ }
+
+ // better have a window to use by this point
+ if (!newDocShellItem) {
+ return rv;
+ }
+
+ nsCOMPtr newDocShell(do_QueryInterface(newDocShellItem));
+ NS_ENSURE_TRUE(newDocShell, NS_ERROR_UNEXPECTED);
+
+ // If our parent is sandboxed, set it as the one permitted sandboxed navigator
+ // on the new window we're opening.
+ if (activeDocsSandboxFlags && parentWindow) {
+ newDocShell->SetOnePermittedSandboxedNavigator(
+ parentWindow->GetDocShell());
+ }
+
+ // Copy sandbox flags to the new window if activeDocsSandboxFlags says to do
+ // so. Note that it's only nonzero if the window is new, so clobbering
+ // sandbox flags on the window makes sense in that case.
+ if (activeDocsSandboxFlags &
+ SANDBOX_PROPAGATES_TO_AUXILIARY_BROWSING_CONTEXTS) {
+ newDocShell->SetSandboxFlags(activeDocsSandboxFlags);
+ }
+
+ rv = ReadyOpenedDocShellItem(newDocShellItem, parentWindow, windowIsNew,
+ aForceNoOpener, aResult);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ if (isNewToplevelWindow) {
+ nsCOMPtr newTreeOwner;
+ newDocShellItem->GetTreeOwner(getter_AddRefs(newTreeOwner));
+ MaybeDisablePersistence(features, newTreeOwner);
+ }
+
+ if ((aDialog || windowIsModalContentDialog) && aArgv) {
+ // Set the args on the new window.
+ nsCOMPtr piwin(do_QueryInterface(*aResult));
+ NS_ENSURE_TRUE(piwin, NS_ERROR_UNEXPECTED);
+
+ rv = piwin->SetArguments(aArgv);
+ NS_ENSURE_SUCCESS(rv, rv);
+ }
+
+ /* allow a window that we found by name to keep its name (important for cases
+ like _self where the given name is different (and invalid)). Also, _blank
+ is not a window name. */
+ if (windowNeedsName) {
+ if (nameSpecified && !name.LowerCaseEqualsLiteral("_blank")) {
+ newDocShellItem->SetName(name);
+ } else {
+ newDocShellItem->SetName(EmptyString());
+ }
+ }
+
+ // Now we have to set the right opener principal on the new window. Note
+ // that we have to do this _before_ starting any URI loads, thanks to the
+ // sync nature of javascript: loads.
+ //
+ // Note: The check for the current JSContext isn't necessarily sensical.
+ // It's just designed to preserve old semantics during a mass-conversion
+ // patch.
+ nsCOMPtr subjectPrincipal =
+ nsContentUtils::GetCurrentJSContext() ? nsContentUtils::SubjectPrincipal() :
+ nullptr;
+
+ bool isPrivateBrowsingWindow = false;
+
+ if (windowIsNew) {
+ auto* docShell = static_cast(newDocShell.get());
+
+ // If this is not a chrome docShell, we apply originAttributes from the
+ // subjectPrincipal unless if it's an expanded or system principal.
+ if (subjectPrincipal &&
+ !nsContentUtils::IsSystemOrExpandedPrincipal(subjectPrincipal) &&
+ docShell->ItemType() != nsIDocShellTreeItem::typeChrome) {
+ DocShellOriginAttributes attrs;
+ attrs.InheritFromDocToChildDocShell(BasePrincipal::Cast(subjectPrincipal)->OriginAttributesRef());
+ isPrivateBrowsingWindow = !!attrs.mPrivateBrowsingId;
+ docShell->SetOriginAttributes(attrs);
+ } else {
+ nsCOMPtr parentItem;
+ GetWindowTreeItem(aParent, getter_AddRefs(parentItem));
+ nsCOMPtr parentContext = do_QueryInterface(parentItem);
+ if (parentContext) {
+ isPrivateBrowsingWindow = parentContext->UsePrivateBrowsing();
+ }
+ }
+
+ bool autoPrivateBrowsing =
+ Preferences::GetBool("browser.privatebrowsing.autostart");
+
+ if (!autoPrivateBrowsing &&
+ (chromeFlags & nsIWebBrowserChrome::CHROME_NON_PRIVATE_WINDOW)) {
+ isPrivateBrowsingWindow = false;
+ } else if (autoPrivateBrowsing ||
+ (chromeFlags & nsIWebBrowserChrome::CHROME_PRIVATE_WINDOW)) {
+ isPrivateBrowsingWindow = true;
+ }
+
+ // Now set the opener principal on the new window. Note that we need to do
+ // this no matter whether we were opened from JS; if there is nothing on
+ // the JS stack, just use the principal of our parent window. In those
+ // cases we do _not_ set the parent window principal as the owner of the
+ // load--since we really don't know who the owner is, just leave it null.
+ nsCOMPtr newWindow = do_QueryInterface(*aResult);
+ NS_ASSERTION(newWindow == newDocShell->GetWindow(), "Different windows??");
+
+ // The principal of the initial about:blank document gets set up in
+ // nsWindowWatcher::AddWindow. Make sure to call it. In the common case
+ // this call already happened when the window was created, but
+ // SetInitialPrincipalToSubject is safe to call multiple times.
+ if (newWindow) {
+ newWindow->SetInitialPrincipalToSubject();
+ if (aIsPopupSpam) {
+ nsGlobalWindow* globalWin = nsGlobalWindow::Cast(newWindow);
+ MOZ_ASSERT(!globalWin->IsPopupSpamWindow(),
+ "Who marked it as popup spam already???");
+ if (!globalWin->IsPopupSpamWindow()) { // Make sure we don't mess up our
+ // counter even if the above
+ // assert fails.
+ globalWin->SetIsPopupSpamWindow(true);
+ }
+ }
+ }
+ }
+
+ // We rely on CalculateChromeFlags to decide whether remote (out-of-process)
+ // tabs should be used.
+ bool isRemoteWindow =
+ !!(chromeFlags & nsIWebBrowserChrome::CHROME_REMOTE_WINDOW);
+
+ if (isNewToplevelWindow) {
+ nsCOMPtr childRoot;
+ newDocShellItem->GetRootTreeItem(getter_AddRefs(childRoot));
+ nsCOMPtr childContext = do_QueryInterface(childRoot);
+ if (childContext) {
+ childContext->SetPrivateBrowsing(isPrivateBrowsingWindow);
+ childContext->SetRemoteTabs(isRemoteWindow);
+ }
+ } else if (windowIsNew) {
+ nsCOMPtr childContext = do_QueryInterface(newDocShellItem);
+ if (childContext) {
+ childContext->SetPrivateBrowsing(isPrivateBrowsingWindow);
+ childContext->SetRemoteTabs(isRemoteWindow);
+ }
+ }
+
+ nsCOMPtr loadInfo = aLoadInfo;
+ if (uriToLoad && aNavigate && !loadInfo) {
+ newDocShell->CreateLoadInfo(getter_AddRefs(loadInfo));
+ NS_ENSURE_TRUE(loadInfo, NS_ERROR_FAILURE);
+
+ if (subjectPrincipal) {
+ loadInfo->SetTriggeringPrincipal(subjectPrincipal);
+ }
+
+ /* use the URL from the *extant* document, if any. The usual accessor
+ GetDocument will synchronously create an about:blank document if
+ it has no better answer, and we only care about a real document.
+ Also using GetDocument to force document creation seems to
+ screw up focus in the hidden window; see bug 36016.
+ */
+ nsCOMPtr doc = GetEntryDocument();
+ if (!doc && parentWindow) {
+ doc = parentWindow->GetExtantDoc();
+ }
+ if (doc) {
+ // Set the referrer
+ loadInfo->SetReferrer(doc->GetDocumentURI());
+ loadInfo->SetReferrerPolicy(doc->GetReferrerPolicy());
+ }
+ }
+
+ if (isNewToplevelWindow) {
+ // Notify observers that the window is open and ready.
+ // The window has not yet started to load a document.
+ nsCOMPtr obsSvc =
+ mozilla::services::GetObserverService();
+ if (obsSvc) {
+ obsSvc->NotifyObservers(*aResult, "toplevel-window-ready", nullptr);
+ }
+ }
+
+ // Before loading the URI we want to be 100% sure that we use the correct
+ // userContextId.
+ MOZ_ASSERT(CheckUserContextCompatibility(newDocShell));
+
+ if (uriToLoad && aNavigate) {
+ newDocShell->LoadURI(
+ uriToLoad,
+ loadInfo,
+ windowIsNew ?
+ static_cast(nsIWebNavigation::LOAD_FLAGS_FIRST_LOAD) :
+ static_cast(nsIWebNavigation::LOAD_FLAGS_NONE),
+ true);
+ }
+
+ // Copy the current session storage for the current domain.
+ if (subjectPrincipal && parentDocShell) {
+ nsCOMPtr parentStorageManager =
+ do_QueryInterface(parentDocShell);
+ nsCOMPtr newStorageManager =
+ do_QueryInterface(newDocShell);
+
+ if (parentStorageManager && newStorageManager) {
+ nsCOMPtr storage;
+ nsCOMPtr pInnerWin = parentWindow->GetCurrentInnerWindow();
+
+ parentStorageManager->GetStorage(pInnerWin, subjectPrincipal,
+ isPrivateBrowsingWindow,
+ getter_AddRefs(storage));
+ if (storage) {
+ newStorageManager->CloneStorage(storage);
+ }
+ }
+ }
+
+ if (isNewToplevelWindow) {
+ nsCOMPtr newTreeOwner;
+ newDocShellItem->GetTreeOwner(getter_AddRefs(newTreeOwner));
+ SizeOpenedWindow(newTreeOwner, aParent, isCallerChrome, sizeSpec);
+ }
+
+ // XXXbz isn't windowIsModal always true when windowIsModalContentDialog?
+ if (windowIsModal || windowIsModalContentDialog) {
+ nsCOMPtr newTreeOwner;
+ newDocShellItem->GetTreeOwner(getter_AddRefs(newTreeOwner));
+ nsCOMPtr newChrome(do_GetInterface(newTreeOwner));
+
+ // Throw an exception here if no web browser chrome is available,
+ // we need that to show a modal window.
+ NS_ENSURE_TRUE(newChrome, NS_ERROR_NOT_AVAILABLE);
+
+ // Dispatch dialog events etc, but we only want to do that if
+ // we're opening a modal content window (the helper classes are
+ // no-ops if given no window), for chrome dialogs we don't want to
+ // do any of that (it's done elsewhere for us).
+ // Make sure we maintain the state on an outer window, because
+ // that's where it lives; inner windows assert if you try to
+ // maintain the state on them.
+ nsAutoWindowStateHelper windowStateHelper(
+ parentWindow ? parentWindow->GetOuterWindow() : nullptr);
+
+ if (!windowStateHelper.DefaultEnabled()) {
+ // Default to cancel not opening the modal window.
+ NS_RELEASE(*aResult);
+
+ return NS_OK;
+ }
+
+ bool isAppModal = false;
+ nsCOMPtr parentWindow(do_GetInterface(newTreeOwner));
+ nsCOMPtr parentWidget;
+ if (parentWindow) {
+ parentWindow->GetMainWidget(getter_AddRefs(parentWidget));
+ if (parentWidget) {
+ isAppModal = parentWidget->IsRunningAppModal();
+ }
+ }
+ if (parentWidget &&
+ ((!newWindowShouldBeModal && parentIsModal) || isAppModal)) {
+ parentWidget->SetFakeModal(true);
+ } else {
+ // Reset popup state while opening a modal dialog, and firing
+ // events about the dialog, to prevent the current state from
+ // being active the whole time a modal dialog is open.
+ nsAutoPopupStatePusher popupStatePusher(openAbused);
+
+ newChrome->ShowAsModal();
+ }
+ }
+
+ if (aForceNoOpener && windowIsNew) {
+ NS_RELEASE(*aResult);
+ }
+
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsWindowWatcher::RegisterNotification(nsIObserver* aObserver)
+{
+ // just a convenience method; it delegates to nsIObserverService
+
+ if (!aObserver) {
+ return NS_ERROR_INVALID_ARG;
+ }
+
+ nsCOMPtr os = mozilla::services::GetObserverService();
+ if (!os) {
+ return NS_ERROR_FAILURE;
+ }
+
+ nsresult rv = os->AddObserver(aObserver, "domwindowopened", false);
+ if (NS_SUCCEEDED(rv)) {
+ rv = os->AddObserver(aObserver, "domwindowclosed", false);
+ }
+
+ return rv;
+}
+
+NS_IMETHODIMP
+nsWindowWatcher::UnregisterNotification(nsIObserver* aObserver)
+{
+ // just a convenience method; it delegates to nsIObserverService
+
+ if (!aObserver) {
+ return NS_ERROR_INVALID_ARG;
+ }
+
+ nsCOMPtr os = mozilla::services::GetObserverService();
+ if (!os) {
+ return NS_ERROR_FAILURE;
+ }
+
+ os->RemoveObserver(aObserver, "domwindowopened");
+ os->RemoveObserver(aObserver, "domwindowclosed");
+
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsWindowWatcher::GetWindowEnumerator(nsISimpleEnumerator** aResult)
+{
+ if (!aResult) {
+ return NS_ERROR_INVALID_ARG;
+ }
+
+ MutexAutoLock lock(mListLock);
+ nsWatcherWindowEnumerator* enumerator = new nsWatcherWindowEnumerator(this);
+ if (enumerator) {
+ return CallQueryInterface(enumerator, aResult);
+ }
+
+ return NS_ERROR_OUT_OF_MEMORY;
+}
+
+NS_IMETHODIMP
+nsWindowWatcher::GetNewPrompter(mozIDOMWindowProxy* aParent, nsIPrompt** aResult)
+{
+ // This is for backwards compat only. Callers should just use the prompt
+ // service directly.
+ nsresult rv;
+ nsCOMPtr factory =
+ do_GetService("@mozilla.org/prompter;1", &rv);
+ NS_ENSURE_SUCCESS(rv, rv);
+ return factory->GetPrompt(aParent, NS_GET_IID(nsIPrompt),
+ reinterpret_cast(aResult));
+}
+
+NS_IMETHODIMP
+nsWindowWatcher::GetNewAuthPrompter(mozIDOMWindowProxy* aParent,
+ nsIAuthPrompt** aResult)
+{
+ // This is for backwards compat only. Callers should just use the prompt
+ // service directly.
+ nsresult rv;
+ nsCOMPtr factory =
+ do_GetService("@mozilla.org/prompter;1", &rv);
+ NS_ENSURE_SUCCESS(rv, rv);
+ return factory->GetPrompt(aParent, NS_GET_IID(nsIAuthPrompt),
+ reinterpret_cast(aResult));
+}
+
+NS_IMETHODIMP
+nsWindowWatcher::GetPrompt(mozIDOMWindowProxy* aParent, const nsIID& aIID,
+ void** aResult)
+{
+ // This is for backwards compat only. Callers should just use the prompt
+ // service directly.
+ nsresult rv;
+ nsCOMPtr factory =
+ do_GetService("@mozilla.org/prompter;1", &rv);
+ NS_ENSURE_SUCCESS(rv, rv);
+ rv = factory->GetPrompt(aParent, aIID, aResult);
+
+ // Allow for an embedding implementation to not support nsIAuthPrompt2.
+ if (rv == NS_NOINTERFACE && aIID.Equals(NS_GET_IID(nsIAuthPrompt2))) {
+ nsCOMPtr oldPrompt;
+ rv = factory->GetPrompt(
+ aParent, NS_GET_IID(nsIAuthPrompt), getter_AddRefs(oldPrompt));
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ NS_WrapAuthPrompt(oldPrompt, reinterpret_cast(aResult));
+ if (!*aResult) {
+ rv = NS_ERROR_NOT_AVAILABLE;
+ }
+ }
+ return rv;
+}
+
+NS_IMETHODIMP
+nsWindowWatcher::SetWindowCreator(nsIWindowCreator* aCreator)
+{
+ mWindowCreator = aCreator;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsWindowWatcher::HasWindowCreator(bool* aResult)
+{
+ *aResult = mWindowCreator;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsWindowWatcher::GetActiveWindow(mozIDOMWindowProxy** aActiveWindow)
+{
+ *aActiveWindow = nullptr;
+ nsCOMPtr fm = do_GetService(FOCUSMANAGER_CONTRACTID);
+ if (fm) {
+ return fm->GetActiveWindow(aActiveWindow);
+ }
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsWindowWatcher::SetActiveWindow(mozIDOMWindowProxy* aActiveWindow)
+{
+ nsCOMPtr fm = do_GetService(FOCUSMANAGER_CONTRACTID);
+ if (fm) {
+ return fm->SetActiveWindow(aActiveWindow);
+ }
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsWindowWatcher::AddWindow(mozIDOMWindowProxy* aWindow, nsIWebBrowserChrome* aChrome)
+{
+ if (!aWindow) {
+ return NS_ERROR_INVALID_ARG;
+ }
+
+#ifdef DEBUG
+ {
+ nsCOMPtr win(do_QueryInterface(aWindow));
+
+ NS_ASSERTION(win->IsOuterWindow(),
+ "Uh, the active window must be an outer window!");
+ }
+#endif
+
+ {
+ nsWatcherWindowEntry* info;
+ MutexAutoLock lock(mListLock);
+
+ // if we already have an entry for this window, adjust
+ // its chrome mapping and return
+ info = FindWindowEntry(aWindow);
+ if (info) {
+ nsCOMPtr supportsweak(
+ do_QueryInterface(aChrome));
+ if (supportsweak) {
+ supportsweak->GetWeakReference(getter_AddRefs(info->mChromeWeak));
+ } else {
+ info->mChrome = aChrome;
+ info->mChromeWeak = nullptr;
+ }
+ return NS_OK;
+ }
+
+ // create a window info struct and add it to the list of windows
+ info = new nsWatcherWindowEntry(aWindow, aChrome);
+ if (!info) {
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
+
+ if (mOldestWindow) {
+ info->InsertAfter(mOldestWindow->mOlder);
+ } else {
+ mOldestWindow = info;
+ }
+ } // leave the mListLock
+
+ // a window being added to us signifies a newly opened window.
+ // send notifications.
+ nsCOMPtr os = mozilla::services::GetObserverService();
+ if (!os) {
+ return NS_ERROR_FAILURE;
+ }
+
+ nsCOMPtr domwin(do_QueryInterface(aWindow));
+ return os->NotifyObservers(domwin, "domwindowopened", 0);
+}
+
+NS_IMETHODIMP
+nsWindowWatcher::RemoveWindow(mozIDOMWindowProxy* aWindow)
+{
+ // find the corresponding nsWatcherWindowEntry, remove it
+
+ if (!aWindow) {
+ return NS_ERROR_INVALID_ARG;
+ }
+
+ nsWatcherWindowEntry* info = FindWindowEntry(aWindow);
+ if (info) {
+ RemoveWindow(info);
+ return NS_OK;
+ }
+ NS_WARNING("requested removal of nonexistent window");
+ return NS_ERROR_INVALID_ARG;
+}
+
+nsWatcherWindowEntry*
+nsWindowWatcher::FindWindowEntry(mozIDOMWindowProxy* aWindow)
+{
+ // find the corresponding nsWatcherWindowEntry
+ nsWatcherWindowEntry* info;
+ nsWatcherWindowEntry* listEnd;
+#ifdef USEWEAKREFS
+ nsresult rv;
+ bool found;
+#endif
+
+ info = mOldestWindow;
+ listEnd = 0;
+#ifdef USEWEAKREFS
+ rv = NS_OK;
+ found = false;
+ while (info != listEnd && NS_SUCCEEDED(rv)) {
+ nsCOMPtr infoWindow(do_QueryReferent(info->mWindow));
+ if (!infoWindow) { // clean up dangling reference, while we're here
+ rv = RemoveWindow(info);
+ } else if (infoWindow.get() == aWindow) {
+ return info;
+ }
+
+ info = info->mYounger;
+ listEnd = mOldestWindow;
+ }
+ return 0;
+#else
+ while (info != listEnd) {
+ if (info->mWindow == aWindow) {
+ return info;
+ }
+ info = info->mYounger;
+ listEnd = mOldestWindow;
+ }
+ return 0;
+#endif
+}
+
+nsresult
+nsWindowWatcher::RemoveWindow(nsWatcherWindowEntry* aInfo)
+{
+ uint32_t count = mEnumeratorList.Length();
+
+ {
+ // notify the enumerators
+ MutexAutoLock lock(mListLock);
+ for (uint32_t ctr = 0; ctr < count; ++ctr) {
+ mEnumeratorList[ctr]->WindowRemoved(aInfo);
+ }
+
+ // remove the element from the list
+ if (aInfo == mOldestWindow) {
+ mOldestWindow = aInfo->mYounger == mOldestWindow ? 0 : aInfo->mYounger;
+ }
+ aInfo->Unlink();
+ }
+
+ // a window being removed from us signifies a newly closed window.
+ // send notifications.
+ nsCOMPtr os = mozilla::services::GetObserverService();
+ if (os) {
+#ifdef USEWEAKREFS
+ nsCOMPtr domwin(do_QueryReferent(aInfo->mWindow));
+ if (domwin) {
+ os->NotifyObservers(domwin, "domwindowclosed", 0);
+ }
+ // else bummer. since the window is gone, there's nothing to notify with.
+#else
+ nsCOMPtr domwin(do_QueryInterface(aInfo->mWindow));
+ os->NotifyObservers(domwin, "domwindowclosed", 0);
+#endif
+ }
+
+ delete aInfo;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsWindowWatcher::GetChromeForWindow(mozIDOMWindowProxy* aWindow,
+ nsIWebBrowserChrome** aResult)
+{
+ if (!aWindow || !aResult) {
+ return NS_ERROR_INVALID_ARG;
+ }
+ *aResult = 0;
+
+ MutexAutoLock lock(mListLock);
+ nsWatcherWindowEntry* info = FindWindowEntry(aWindow);
+ if (info) {
+ if (info->mChromeWeak) {
+ return info->mChromeWeak->QueryReferent(
+ NS_GET_IID(nsIWebBrowserChrome), reinterpret_cast(aResult));
+ }
+ *aResult = info->mChrome;
+ NS_IF_ADDREF(*aResult);
+ }
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+nsWindowWatcher::GetWindowByName(const nsAString& aTargetName,
+ mozIDOMWindowProxy* aCurrentWindow,
+ mozIDOMWindowProxy** aResult)
+{
+ if (!aResult) {
+ return NS_ERROR_INVALID_ARG;
+ }
+
+ *aResult = nullptr;
+
+ nsPIDOMWindowOuter* currentWindow =
+ aCurrentWindow ? nsPIDOMWindowOuter::From(aCurrentWindow) : nullptr;
+
+ nsCOMPtr treeItem;
+
+ nsCOMPtr startItem;
+ GetWindowTreeItem(currentWindow, getter_AddRefs(startItem));
+ if (startItem) {
+ // Note: original requestor is null here, per idl comments
+ startItem->FindItemWithName(aTargetName, nullptr, nullptr,
+ getter_AddRefs(treeItem));
+ } else {
+ // Note: original requestor is null here, per idl comments
+ FindItemWithName(aTargetName, nullptr, nullptr, getter_AddRefs(treeItem));
+ }
+
+ if (treeItem) {
+ nsCOMPtr domWindow = treeItem->GetWindow();
+ domWindow.forget(aResult);
+ }
+
+ return NS_OK;
+}
+
+bool
+nsWindowWatcher::AddEnumerator(nsWatcherWindowEnumerator* aEnumerator)
+{
+ // (requires a lock; assumes it's called by someone holding the lock)
+ return mEnumeratorList.AppendElement(aEnumerator) != nullptr;
+}
+
+bool
+nsWindowWatcher::RemoveEnumerator(nsWatcherWindowEnumerator* aEnumerator)
+{
+ // (requires a lock; assumes it's called by someone holding the lock)
+ return mEnumeratorList.RemoveElement(aEnumerator);
+}
+
+nsresult
+nsWindowWatcher::URIfromURL(const char* aURL,
+ mozIDOMWindowProxy* aParent,
+ nsIURI** aURI)
+{
+ // Build the URI relative to the entry global.
+ nsCOMPtr baseWindow = do_QueryInterface(GetEntryGlobal());
+
+ // failing that, build it relative to the parent window, if possible
+ if (!baseWindow && aParent) {
+ baseWindow = nsPIDOMWindowOuter::From(aParent)->GetCurrentInnerWindow();
+ }
+
+ // failing that, use the given URL unmodified. It had better not be relative.
+
+ nsIURI* baseURI = nullptr;
+
+ // get baseWindow's document URI
+ if (baseWindow) {
+ if (nsIDocument* doc = baseWindow->GetDoc()) {
+ baseURI = doc->GetDocBaseURI();
+ }
+ }
+
+ // build and return the absolute URI
+ return NS_NewURI(aURI, aURL, baseURI);
+}
+
+#define NS_CALCULATE_CHROME_FLAG_FOR(feature, flag) \
+ prefBranch->GetBoolPref(feature, &forceEnable); \
+ if (forceEnable && !aDialog && !aHasChromeParent && !aChromeURL) { \
+ chromeFlags |= flag; \
+ } else { \
+ chromeFlags |= \
+ WinHasOption(aFeatures, feature, 0, &presenceFlag) ? flag : 0; \
+ }
+
+// static
+uint32_t
+nsWindowWatcher::CalculateChromeFlagsHelper(uint32_t aInitialFlags,
+ const nsACString& aFeatures,
+ bool& presenceFlag,
+ bool aDialog,
+ bool aHasChromeParent,
+ bool aChromeURL)
+{
+ uint32_t chromeFlags = aInitialFlags;
+
+ nsresult rv;
+ nsCOMPtr prefBranch;
+ nsCOMPtr prefs =
+ do_GetService(NS_PREFSERVICE_CONTRACTID, &rv);
+
+ NS_ENSURE_SUCCESS(rv, nsIWebBrowserChrome::CHROME_DEFAULT);
+
+ rv = prefs->GetBranch("dom.disable_window_open_feature.",
+ getter_AddRefs(prefBranch));
+
+ NS_ENSURE_SUCCESS(rv, nsIWebBrowserChrome::CHROME_DEFAULT);
+
+ // NS_CALCULATE_CHROME_FLAG_FOR requires aFeatures, forceEnable, aDialog
+ // aHasChromeParent, aChromeURL, presenceFlag and chromeFlags to be in
+ // scope.
+ bool forceEnable = false;
+
+ NS_CALCULATE_CHROME_FLAG_FOR("titlebar",
+ nsIWebBrowserChrome::CHROME_TITLEBAR);
+ NS_CALCULATE_CHROME_FLAG_FOR("close",
+ nsIWebBrowserChrome::CHROME_WINDOW_CLOSE);
+ NS_CALCULATE_CHROME_FLAG_FOR("toolbar",
+ nsIWebBrowserChrome::CHROME_TOOLBAR);
+ NS_CALCULATE_CHROME_FLAG_FOR("location",
+ nsIWebBrowserChrome::CHROME_LOCATIONBAR);
+ NS_CALCULATE_CHROME_FLAG_FOR("personalbar",
+ nsIWebBrowserChrome::CHROME_PERSONAL_TOOLBAR);
+ NS_CALCULATE_CHROME_FLAG_FOR("status",
+ nsIWebBrowserChrome::CHROME_STATUSBAR);
+ NS_CALCULATE_CHROME_FLAG_FOR("menubar",
+ nsIWebBrowserChrome::CHROME_MENUBAR);
+ NS_CALCULATE_CHROME_FLAG_FOR("resizable",
+ nsIWebBrowserChrome::CHROME_WINDOW_RESIZE);
+ NS_CALCULATE_CHROME_FLAG_FOR("minimizable",
+ nsIWebBrowserChrome::CHROME_WINDOW_MIN);
+
+ // default scrollbar to "on," unless explicitly turned off
+ if (WinHasOption(aFeatures, "scrollbars", 1, &presenceFlag) || !presenceFlag) {
+ chromeFlags |= nsIWebBrowserChrome::CHROME_SCROLLBARS;
+ }
+
+ return chromeFlags;
+}
+
+// static
+uint32_t
+nsWindowWatcher::EnsureFlagsSafeForContent(uint32_t aChromeFlags,
+ bool aChromeURL)
+{
+ aChromeFlags |= nsIWebBrowserChrome::CHROME_TITLEBAR;
+ aChromeFlags |= nsIWebBrowserChrome::CHROME_WINDOW_CLOSE;
+ aChromeFlags &= ~nsIWebBrowserChrome::CHROME_WINDOW_LOWERED;
+ aChromeFlags &= ~nsIWebBrowserChrome::CHROME_WINDOW_RAISED;
+ aChromeFlags &= ~nsIWebBrowserChrome::CHROME_WINDOW_POPUP;
+ /* Untrusted script is allowed to pose modal windows with a chrome
+ scheme. This check could stand to be better. But it effectively
+ prevents untrusted script from opening modal windows in general
+ while still allowing alerts and the like. */
+ if (!aChromeURL) {
+ aChromeFlags &= ~(nsIWebBrowserChrome::CHROME_MODAL |
+ nsIWebBrowserChrome::CHROME_OPENAS_CHROME);
+ }
+
+ if (!(aChromeFlags & nsIWebBrowserChrome::CHROME_OPENAS_CHROME)) {
+ aChromeFlags &= ~nsIWebBrowserChrome::CHROME_DEPENDENT;
+ }
+
+ return aChromeFlags;
+}
+
+/**
+ * Calculate the chrome bitmask from a string list of features requested
+ * from a child process. Feature strings that are restricted to the parent
+ * process are ignored here.
+ * @param aFeatures a string containing a list of named features
+ * @return the chrome bitmask
+ */
+// static
+uint32_t
+nsWindowWatcher::CalculateChromeFlagsForChild(const nsACString& aFeatures)
+{
+ if (aFeatures.IsVoid()) {
+ return nsIWebBrowserChrome::CHROME_ALL;
+ }
+
+ bool presenceFlag = false;
+ uint32_t chromeFlags = CalculateChromeFlagsHelper(
+ nsIWebBrowserChrome::CHROME_WINDOW_BORDERS, aFeatures, presenceFlag);
+
+ return EnsureFlagsSafeForContent(chromeFlags);
+}
+
+/**
+ * Calculate the chrome bitmask from a string list of features for a new
+ * privileged window.
+ * @param aParent the opener window
+ * @param aFeatures a string containing a list of named chrome features
+ * @param aDialog affects the assumptions made about unnamed features
+ * @param aChromeURL true if the window is being sent to a chrome:// URL
+ * @param aHasChromeParent true if the parent window is privileged
+ * @param aCalledFromJS true if the window open request came from script.
+ * @return the chrome bitmask
+ */
+// static
+uint32_t
+nsWindowWatcher::CalculateChromeFlagsForParent(mozIDOMWindowProxy* aParent,
+ const nsACString& aFeatures,
+ bool aDialog,
+ bool aChromeURL,
+ bool aHasChromeParent,
+ bool aCalledFromJS)
+{
+ MOZ_ASSERT(XRE_IsParentProcess());
+ MOZ_ASSERT(nsContentUtils::LegacyIsCallerChromeOrNativeCode());
+
+ uint32_t chromeFlags = 0;
+
+ // The features string is made void by OpenWindowInternal
+ // if nullptr was originally passed as the features string.
+ if (aFeatures.IsVoid()) {
+ chromeFlags = nsIWebBrowserChrome::CHROME_ALL;
+ if (aDialog) {
+ chromeFlags |= nsIWebBrowserChrome::CHROME_OPENAS_DIALOG |
+ nsIWebBrowserChrome::CHROME_OPENAS_CHROME;
+ }
+ } else {
+ chromeFlags = nsIWebBrowserChrome::CHROME_WINDOW_BORDERS;
+ }
+
+ /* This function has become complicated since browser windows and
+ dialogs diverged. The difference is, browser windows assume all
+ chrome not explicitly mentioned is off, if the features string
+ is not null. Exceptions are some OS border chrome new with Mozilla.
+ Dialogs interpret a (mostly) empty features string to mean
+ "OS's choice," and also support an "all" flag explicitly disallowed
+ in the standards-compliant window.(normal)open. */
+
+ bool presenceFlag = false;
+ if (aDialog && WinHasOption(aFeatures, "all", 0, &presenceFlag)) {
+ chromeFlags = nsIWebBrowserChrome::CHROME_ALL;
+ }
+
+ /* Next, allow explicitly named options to override the initial settings */
+ chromeFlags = CalculateChromeFlagsHelper(chromeFlags, aFeatures, presenceFlag,
+ aDialog, aHasChromeParent, aChromeURL);
+
+ // Determine whether the window is a private browsing window
+ chromeFlags |= WinHasOption(aFeatures, "private", 0, &presenceFlag) ?
+ nsIWebBrowserChrome::CHROME_PRIVATE_WINDOW : 0;
+ chromeFlags |= WinHasOption(aFeatures, "non-private", 0, &presenceFlag) ?
+ nsIWebBrowserChrome::CHROME_NON_PRIVATE_WINDOW : 0;
+
+ // Determine whether the window should have remote tabs.
+ bool remote = BrowserTabsRemoteAutostart();
+
+ if (remote) {
+ remote = !WinHasOption(aFeatures, "non-remote", 0, &presenceFlag);
+ } else {
+ remote = WinHasOption(aFeatures, "remote", 0, &presenceFlag);
+ }
+
+ if (remote) {
+ chromeFlags |= nsIWebBrowserChrome::CHROME_REMOTE_WINDOW;
+ }
+
+ chromeFlags |= WinHasOption(aFeatures, "popup", 0, &presenceFlag) ?
+ nsIWebBrowserChrome::CHROME_WINDOW_POPUP : 0;
+
+ /* OK.
+ Normal browser windows, in spite of a stated pattern of turning off
+ all chrome not mentioned explicitly, will want the new OS chrome (window
+ borders, titlebars, closebox) on, unless explicitly turned off.
+ Dialogs, on the other hand, take the absence of any explicit settings
+ to mean "OS' choice." */
+
+ // default titlebar and closebox to "on," if not mentioned at all
+ if (!(chromeFlags & nsIWebBrowserChrome::CHROME_WINDOW_POPUP)) {
+ if (!PL_strcasestr(aFeatures.BeginReading(), "titlebar")) {
+ chromeFlags |= nsIWebBrowserChrome::CHROME_TITLEBAR;
+ }
+ if (!PL_strcasestr(aFeatures.BeginReading(), "close")) {
+ chromeFlags |= nsIWebBrowserChrome::CHROME_WINDOW_CLOSE;
+ }
+ }
+
+ if (aDialog && !aFeatures.IsVoid() && !presenceFlag) {
+ chromeFlags = nsIWebBrowserChrome::CHROME_DEFAULT;
+ }
+
+ /* Finally, once all the above normal chrome has been divined, deal
+ with the features that are more operating hints than appearance
+ instructions. (Note modality implies dependence.) */
+
+ if (WinHasOption(aFeatures, "alwaysLowered", 0, nullptr) ||
+ WinHasOption(aFeatures, "z-lock", 0, nullptr)) {
+ chromeFlags |= nsIWebBrowserChrome::CHROME_WINDOW_LOWERED;
+ } else if (WinHasOption(aFeatures, "alwaysRaised", 0, nullptr)) {
+ chromeFlags |= nsIWebBrowserChrome::CHROME_WINDOW_RAISED;
+ }
+
+ chromeFlags |= WinHasOption(aFeatures, "macsuppressanimation", 0, nullptr) ?
+ nsIWebBrowserChrome::CHROME_MAC_SUPPRESS_ANIMATION : 0;
+
+ chromeFlags |= WinHasOption(aFeatures, "chrome", 0, nullptr) ?
+ nsIWebBrowserChrome::CHROME_OPENAS_CHROME : 0;
+ chromeFlags |= WinHasOption(aFeatures, "extrachrome", 0, nullptr) ?
+ nsIWebBrowserChrome::CHROME_EXTRA : 0;
+ chromeFlags |= WinHasOption(aFeatures, "centerscreen", 0, nullptr) ?
+ nsIWebBrowserChrome::CHROME_CENTER_SCREEN : 0;
+ chromeFlags |= WinHasOption(aFeatures, "dependent", 0, nullptr) ?
+ nsIWebBrowserChrome::CHROME_DEPENDENT : 0;
+ chromeFlags |= WinHasOption(aFeatures, "modal", 0, nullptr) ?
+ (nsIWebBrowserChrome::CHROME_MODAL | nsIWebBrowserChrome::CHROME_DEPENDENT) : 0;
+
+ /* On mobile we want to ignore the dialog window feature, since the mobile UI
+ does not provide any affordance for dialog windows. This does not interfere
+ with dialog windows created through openDialog. */
+ bool disableDialogFeature = false;
+ nsCOMPtr branch = do_GetService(NS_PREFSERVICE_CONTRACTID);
+
+ branch->GetBoolPref("dom.disable_window_open_dialog_feature",
+ &disableDialogFeature);
+
+ if (!disableDialogFeature) {
+ chromeFlags |= WinHasOption(aFeatures, "dialog", 0, nullptr) ?
+ nsIWebBrowserChrome::CHROME_OPENAS_DIALOG : 0;
+ }
+
+ /* and dialogs need to have the last word. assume dialogs are dialogs,
+ and opened as chrome, unless explicitly told otherwise. */
+ if (aDialog) {
+ if (!PL_strcasestr(aFeatures.BeginReading(), "dialog")) {
+ chromeFlags |= nsIWebBrowserChrome::CHROME_OPENAS_DIALOG;
+ }
+ if (!PL_strcasestr(aFeatures.BeginReading(), "chrome")) {
+ chromeFlags |= nsIWebBrowserChrome::CHROME_OPENAS_CHROME;
+ }
+ }
+
+ /* missing
+ chromeFlags->copy_history
+ */
+
+ // Check security state for use in determing window dimensions
+ if (!aHasChromeParent) {
+ chromeFlags = EnsureFlagsSafeForContent(chromeFlags, aChromeURL);
+ }
+
+ // Disable CHROME_OPENAS_DIALOG if the window is inside