Bug 1352513 - re-add the hidden window exception behind a pref, r?bholley draft
authorGijs Kruitbosch <gijskruitbosch@gmail.com>
Mon, 03 Apr 2017 11:47:22 +0100
changeset 554962 30081ce2fd5e6c519dfd5e6f052b7b8307a131bf
parent 554710 7a3f514cf8490d271ee373a1d2999e4ea4dee2d7
child 622484 5023021624c8fad254898b309eacedc22994d1e3
push id52101
push usergijskruitbosch@gmail.com
push dateMon, 03 Apr 2017 11:16:39 +0000
reviewersbholley
bugs1352513
milestone55.0a1
Bug 1352513 - re-add the hidden window exception behind a pref, r?bholley MozReview-Commit-ID: 3q1CZ5QCuus
caps/nsScriptSecurityManager.cpp
modules/libpref/init/all.js
--- a/caps/nsScriptSecurityManager.cpp
+++ b/caps/nsScriptSecurityManager.cpp
@@ -893,16 +893,33 @@ nsScriptSecurityManager::CheckLoadURIFla
                 bool accessAllowed = false;
                 reg->AllowContentToAccess(aTargetBaseURI, &accessAllowed);
                 if (accessAllowed) {
                     return NS_OK;
                 }
             }
         }
 
+        static bool sCanLoadChromeInContent = false;
+        static bool sCachedCanLoadChromeInContentPref = false;
+        if (!sCachedCanLoadChromeInContentPref) {
+            sCachedCanLoadChromeInContentPref = true;
+            mozilla::Preferences::AddBoolVarCache(&sCanLoadChromeInContent,
+                "security.allow_chrome_frames_inside_content");
+        }
+        if (sCanLoadChromeInContent) {
+            // Special-case the hidden window: it's allowed to load
+            // URI_IS_UI_RESOURCE no matter what.  Bug 1145470 tracks removing this.
+            nsAutoCString sourceSpec;
+            if (NS_SUCCEEDED(aSourceBaseURI->GetSpec(sourceSpec)) &&
+                sourceSpec.EqualsLiteral("resource://gre-resources/hiddenWindow.html")) {
+                return NS_OK;
+            }
+        }
+
         if (reportErrors) {
             ReportError(nullptr, errorTag, aSourceURI, aTargetURI);
         }
         return NS_ERROR_DOM_BAD_URI;
     }
 
     // Check for target URI pointing to a file
     rv = NS_URIChainHasFlags(aTargetURI,
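Review bot: The comment on the added special case still says the hidden window may load URI_IS_UI_RESOURCE "no matter what", but the branch now runs only when `security.allow_chrome_frames_inside_content` is true. The check also matches on the string returned by `aSourceBaseURI->GetSpec()`, not on the window itself, so as far as this hunk shows any source whose base URI has exactly that spec gets the early `return NS_OK`. I would reword the comment to state both facts, e.g. `// Pref-gated (default false): a source whose spec is exactly hiddenWindow.html may load URI_IS_UI_RESOURCE targets; matched by URI string, not window identity. Bug 1145470 tracks removing this.` The enclosing function starts and ends outside the hunk, so whether callers can reach this path with a content-controlled source at that spec cannot be confirmed from here.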
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -2215,16 +2215,20 @@ pref("security.cert_pinning.enforcement_
 // This is to prevent accidental pinning from MITM devices and is used
 // for tests.
 pref("security.cert_pinning.process_headers_from_non_builtin_roots", false);
 
 // If set to true, allow view-source URIs to be opened from URIs that share
 // their protocol with the inner URI of the view-source URI
 pref("security.view-source.reachable-from-inner-protocol", false);
 
+// If set to true, in some limited circumstances it may be possible to load
+// privileged content in frames inside unprivileged content.
+pref("security.allow_chrome_frames_inside_content", false);
+
 // Services security settings
 pref("services.settings.server", "https://firefox.settings.services.mozilla.com/v1");
 
 // Blocklist preferences
 pref("extensions.blocklist.enabled", true);
 // OneCRL freshness checking depends on this value, so if you change it,
 // please also update security.onecrl.maximum_staleness_in_seconds.
 pref("extensions.blocklist.interval", 86400);
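Review bot: The comment above `security.allow_chrome_frames_inside_content` does not say what the pref actually relaxes, and "some limited circumstances" gives a reader auditing a profile nothing to check against. In the C++ hunk the only visible effect is that a source whose spec is `resource://gre-resources/hiddenWindow.html` skips the `NS_ERROR_DOM_BAD_URI` rejection. I would name that in the comment, e.g. `// If true, the hidden window (resource://gre-resources/hiddenWindow.html) is exempt from the check that stops unprivileged content loading UI resources. Leave false unless a legacy consumer needs it; see bug 1145470.`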