commit a0dd1f06871848e2d73df3422ebdaed618c62f69 parent 123cb4730ee3f404dedf349d424721c2bd1a1d90 Author: Jan-Niklas Jaeschke <jjaschke@mozilla.com> Date: Tue, 2 Dec 2025 15:54:51 +0000 Bug 2003017 - Block sandboxed iframes from navigating traversable. r=dom-core,smaug Differential Revision: https://phabricator.services.mozilla.com/D274431 Diffstat:
3 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/docshell/base/CanonicalBrowsingContext.cpp b/docshell/base/CanonicalBrowsingContext.cpp
@@ -1613,6 +1613,8 @@ Maybe<int32_t> CanonicalBrowsingContext::HistoryGo(
   // GoToIndex checks that index is >= 0 and < length.
   nsTArray<nsSHistory::LoadEntryResult> loadResults;
+  const int32_t oldRequestedIndex = shistory->GetRequestedIndex();
+
   nsresult rv = shistory->GotoIndex(this, index.value(), loadResults, sameEpoch, aOffset == 0, aUserActivation);
   if (NS_FAILED(rv)) {
@@ -1620,6 +1622,19 @@ Maybe<int32_t> CanonicalBrowsingContext::HistoryGo(
             ("Dropping HistoryGo - bad index or same epoch (not in same doc)"));
     return Nothing();
   }
+
+  for (auto& loadResult : loadResults) {
+    if (nsresult result = loadResult.mBrowsingContext->CheckSandboxFlags(
+            loadResult.mLoadState);
+        NS_FAILED(result)) {
+      aResolver(result);
+      MOZ_LOG(gSHLog, LogLevel::Debug,
+              ("Dropping HistoryGo - sandbox check failed"));
+      shistory->InternalSetRequestedIndex(oldRequestedIndex);
+      return Nothing();
+    }
+  }
+
   if (epoch < aHistoryEpoch || aContentId != id) {
     MOZ_LOG(gSHLog, LogLevel::Debug, ("Set epoch"));
     shistory->SetEpoch(aHistoryEpoch, aContentId);
diff --git a/testing/web-platform/meta/navigation-api/navigation-methods/sandboxing-back-parent.html.ini b/testing/web-platform/meta/navigation-api/navigation-methods/sandboxing-back-parent.html.ini
@@ -1,6 +0,0 @@
-[sandboxing-back-parent.html]
-  expected:
-    OK
-  [A sandboxed iframe cannot navigate its parent via its own navigation object by using back()]
-    expected:
-      FAIL
diff --git a/testing/web-platform/meta/navigation-api/navigation-methods/sandboxing-back-sibling.html.ini b/testing/web-platform/meta/navigation-api/navigation-methods/sandboxing-back-sibling.html.ini
@@ -1,3 +0,0 @@
-[sandboxing-back-sibling.html]
-  [A sandboxed iframe cannot navigate its sibling via its own navigation object by using back()]
-    expected: FAIL
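Review bot: The new sandbox loop in the second CanonicalBrowsingContext.cpp hunk rolls back the requested index with `shistory->InternalSetRequestedIndex(oldRequestedIndex)` but nothing in the hunk says why, and the capture of `oldRequestedIndex` sits in the first hunk several lines earlier, so a reader has to infer that `GotoIndex` advances the requested index before the sandbox flags are ever consulted. A short comment above the loop would make the ordering explicit: `// GotoIndex has already moved the requested index; if any target is off-limits to the initiator's sandbox, undo that before bailing so a rejected traversal leaves session history untouched.` It would also be worth stating whether rejecting the whole traversal when a single load result fails (rather than skipping only that entry) is the intended behavior, since the loop aborts on the first failure. The check depends on `loadResult.mLoadState` carrying the initiating context's sandbox information; if `GotoIndex` builds the load state from the history entry rather than from the requester, the flags being checked may not be the initiator's — this is inferred from the visible calls and should be confirmed. HistoryGo begins before the first hunk and continues past the last one, so the code that eventually performs the loads in `loadResults` is not visible here.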