Bug 293394 - javascript: should never execute with chrome privs, r=bz
MozReview-Commit-ID: J6zDIcUZZMv
--- a/dom/jsurl/nsJSProtocolHandler.cpp
+++ b/dom/jsurl/nsJSProtocolHandler.cpp
@@ -258,16 +258,21 @@ nsresult nsJSThunk::EvaluateScript(nsICh
rv = principal->Subsumes(objectPrincipal, &subsumes);
if (NS_FAILED(rv))
return rv;
if (!subsumes) {
return NS_ERROR_DOM_RETVAL_UNDEFINED;
}
+ // Fail if someone tries to execute in a global with system principal.
+ if (nsContentUtils::IsSystemPrincipal(objectPrincipal)) {
+ return NS_ERROR_DOM_SECURITY_ERR;
+ }
+
JS::Rooted<JS::Value> v (cx, JS::UndefinedValue());
// Finally, we have everything needed to evaluate the expression.
JS::CompileOptions options(cx);
options.setFileAndLine(mURL.get(), 1)
.setVersion(JSVERSION_DEFAULT);
nsJSUtils::EvaluateOptions evalOptions(cx);
evalOptions.setCoerceToString(true);
rv = nsJSUtils::EvaluateString(cx, NS_ConvertUTF8toUTF16(script),