
commit 4a687553db2f5d26dbe09213a1fe56349e4a4c6f
parent d48fd8072fbfacc5a6cb4ad24b33d5a3fdc8ae58
Author: Vincent Hilla <vhilla@mozilla.com>
Date:   Fri, 12 Dec 2025 17:11:46 +0000

Bug 2003449 - Assert storage and document principal match when creating window global. r=dom-core,smaug

Differential Revision: https://phabricator.services.mozilla.com/D276222

Diffstat:
Mdocshell/base/CanonicalBrowsingContext.cpp | 2--
Mdom/clients/manager/ClientOpenWindowUtils.cpp | 1-
Mdom/ipc/WindowGlobalChild.cpp | 16++++++++++++++++
3 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/docshell/base/CanonicalBrowsingContext.cpp b/docshell/base/CanonicalBrowsingContext.cpp
@@ -2339,8 +2339,6 @@ nsresult CanonicalBrowsingContext::PendingRemotenessChange::FinishSubframe() {
 NullPrincipal::Create(target->OriginAttributesRef());
 RefPtr<nsOpenWindowInfo> openWindowInfo = new nsOpenWindowInfo();
 openWindowInfo->mPrincipalToInheritForAboutBlank = initialPrincipal;
- openWindowInfo->mPartitionedPrincipalToInheritForAboutBlank =
- initialPrincipal;
 WindowGlobalInit windowInit = WindowGlobalActor::AboutBlankInitializer(target, initialPrincipal);
diff --git a/dom/clients/manager/ClientOpenWindowUtils.cpp b/dom/clients/manager/ClientOpenWindowUtils.cpp
@@ -506,7 +506,6 @@ RefPtr<ClientOpPromise> ClientOpenWindow(
 nsCOMPtr<nsIPrincipal> initialPrincipal = NullPrincipal::Create(principal->OriginAttributesRef(), nullPrincipalURI);
 openInfo->mPrincipalToInheritForAboutBlank = initialPrincipal;
- openInfo->mPartitionedPrincipalToInheritForAboutBlank = initialPrincipal;
 openInfo->mIsRemote = true;
 RefPtr<BrowsingContext> bc;
diff --git a/dom/ipc/WindowGlobalChild.cpp b/dom/ipc/WindowGlobalChild.cpp
@@ -79,6 +79,20 @@ WindowGlobalChild::WindowGlobalChild(dom::WindowContext* aWindowContext,
 embedderInnerWindowID, BrowsingContext()->UsePrivateBrowsing());
 }
+void VerifyStoragePrincipalMatchesDocumentPrincipal(WindowGlobalInit aInit) {
+ // WindowGlobalParent::CreateDisconnected performs similar checks in
+ // SetDocumentStoragePrincipal. If they fail, the parent process crashes.
+ // Let's ensure we crash in content instead, and assert each condition
+ // separately to find out what fails. See bug 2003449.
+ nsCString noSuffix, storageNoSuffix;
+ aInit.principal()->GetOriginNoSuffix(noSuffix);
+ aInit.storagePrincipal()->GetOriginNoSuffix(storageNoSuffix);
+ MOZ_RELEASE_ASSERT(noSuffix == storageNoSuffix);
+ MOZ_RELEASE_ASSERT(
+ aInit.principal()->OriginAttributesRef().EqualsIgnoringPartitionKey(
+ aInit.storagePrincipal()->OriginAttributesRef()));
+}
+
 already_AddRefed<WindowGlobalChild> WindowGlobalChild::Create(
 nsGlobalWindowInner* aWindow) {
 #ifdef MOZ_DIAGNOSTIC_ASSERT_ENABLED
@@ -125,6 +139,8 @@ already_AddRefed<WindowGlobalChild> WindowGlobalChild::Create(
 MOZ_DIAGNOSTIC_ASSERT(bc->AncestorsAreCurrent());
 MOZ_DIAGNOSTIC_ASSERT(bc->IsInProcess());
+ VerifyStoragePrincipalMatchesDocumentPrincipal(init);
+
 ManagedEndpoint<PWindowGlobalParent> endpoint = browserChild->OpenPWindowGlobalEndpoint(wgc);
 browserChild->SendNewWindowGlobal(std::move(endpoint), init);
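Review bot: In `VerifyStoragePrincipalMatchesDocumentPrincipal` the `nsresult` of both `GetOriginNoSuffix` calls is dropped, so if either call fails, `MOZ_RELEASE_ASSERT(noSuffix == storageNoSuffix)` compares whatever was left in the strings and can pass or fire for the wrong reason, which works against the stated goal of finding out which condition fails. Capture and assert each result, e.g. `nsresult rv = aInit.principal()->GetOriginNoSuffix(noSuffix);` followed by `MOZ_RELEASE_ASSERT(NS_SUCCEEDED(rv));`, and the same for the storage principal. The helper also takes `WindowGlobalInit aInit` by value and, as written in this hunk, appears to have external linkage; `static void VerifyStoragePrincipalMatchesDocumentPrincipal(const WindowGlobalInit& aInit)` would avoid copying the init struct at the call added in `WindowGlobalChild::Create` (the second hunk of this file, whose enclosing function starts and ends outside the hunk). Since the content process is the less trusted side, the comment could additionally state that this check is diagnostic only and that the parent-side checks in `SetDocumentStoragePrincipal` remain the enforcement point.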