tor-browser

PostMessageEvent.cpp (11422B)

---

/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "PostMessageEvent.h"

#include "MessageEvent.h"
#include "mozilla/BasePrincipal.h"
#include "mozilla/EventDispatcher.h"
#include "mozilla/StaticPrefs_dom.h"
#include "mozilla/dom/BrowsingContext.h"
#include "mozilla/dom/BrowsingContextGroup.h"
#include "mozilla/dom/DocGroup.h"
#include "mozilla/dom/DocumentInlines.h"
#include "mozilla/dom/MessageEventBinding.h"
#include "mozilla/dom/MessagePort.h"
#include "mozilla/dom/RootedDictionary.h"
#include "nsDocShell.h"
#include "nsGlobalWindowInner.h"
#include "nsGlobalWindowOuter.h"
#include "nsIConsoleService.h"
#include "nsIPrincipal.h"
#include "nsIScriptError.h"
#include "nsPresContext.h"
#include "nsQueryObject.h"
#include "nsServiceManagerUtils.h"

namespace mozilla::dom {

PostMessageEvent::PostMessageEvent(BrowsingContext* aSource,
                                  const nsAString& aCallerOrigin,
                                  nsGlobalWindowOuter* aTargetWindow,
                                  nsIPrincipal* aProvidedPrincipal,
                                  uint64_t aCallerWindowID, nsIURI* aCallerURI,
                                  const nsCString& aScriptLocation,
                                  bool aIsFromPrivateWindow,
                                  const Maybe<nsID>& aCallerAgentClusterId)
   : Runnable("dom::PostMessageEvent"),
     mSource(aSource),
     mCallerOrigin(aCallerOrigin),
     mTargetWindow(aTargetWindow),
     mProvidedPrincipal(aProvidedPrincipal),
     mCallerWindowID(aCallerWindowID),
     mCallerAgentClusterId(aCallerAgentClusterId),
     mCallerURI(aCallerURI),
     mScriptLocation(Some(aScriptLocation)),
     mIsFromPrivateWindow(aIsFromPrivateWindow) {}

PostMessageEvent::~PostMessageEvent() = default;

// TODO: Convert this to MOZ_CAN_RUN_SCRIPT (bug 1415230, bug 1535398)
MOZ_CAN_RUN_SCRIPT_BOUNDARY NS_IMETHODIMP PostMessageEvent::Run() {
 // Note: We don't init this AutoJSAPI with targetWindow, because we do not
 // want exceptions during message deserialization to trigger error events on
 // targetWindow.
 AutoJSAPI jsapi;
 jsapi.Init();
 JSContext* cx = jsapi.cx();

 // The document URI is just used for the principal mismatch error message
 // below. Use a stack variable so mCallerURI is not held onto after
 // this method finishes, regardless of the method outcome.
 nsCOMPtr<nsIURI> callerURI = std::move(mCallerURI);

 // If we bailed before this point we're going to leak mMessage, but
 // that's probably better than crashing.

 RefPtr<nsGlobalWindowInner> targetWindow;
 if (mTargetWindow->IsClosedOrClosing() ||
     !(targetWindow = nsGlobalWindowInner::Cast(
           mTargetWindow->GetCurrentInnerWindow())) ||
     targetWindow->IsDying())
   return NS_OK;

 // If the window's document has suppressed event handling, hand off this event
 // for running later. We check the top window's document so that when multiple
 // same-origin windows exist in the same top window, postMessage events will
 // be delivered in the same order they were posted, regardless of which window
 // they were posted to.
 if (nsCOMPtr<nsPIDOMWindowOuter> topWindow =
         targetWindow->GetOuterWindow()->GetInProcessTop()) {
   if (nsCOMPtr<nsPIDOMWindowInner> topInner =
           topWindow->GetCurrentInnerWindow()) {
     if (topInner->GetExtantDoc() &&
         topInner->GetExtantDoc()->SuspendPostMessageEvent(this)) {
       return NS_OK;
     }
   }
 }

 JSAutoRealm ar(cx, targetWindow->GetWrapper());

 // Ensure that any origin which might have been provided is the origin of this
 // window's document.  Note that we do this *now* instead of when postMessage
 // is called because the target window might have been navigated to a
 // different location between then and now.  If this check happened when
 // postMessage was called, it would be fairly easy for a malicious webpage to
 // intercept messages intended for another site by carefully timing navigation
 // of the target window so it changed location after postMessage but before
 // now.
 if (mProvidedPrincipal) {
   // Get the target's origin either from its principal or, in the case the
   // principal doesn't carry a URI (e.g. the system principal), the target's
   // document.
   nsIPrincipal* targetPrin = targetWindow->GetPrincipal();
   if (NS_WARN_IF(!targetPrin)) return NS_OK;

   // Note: This is contrary to the spec with respect to file: URLs, which
   //       the spec groups into a single origin, but given we intentionally
   //       don't do that in other places it seems better to hold the line for
   //       now.  Long-term, we want HTML5 to address this so that we can
   //       be compliant while being safer.
   if (!targetPrin->Equals(mProvidedPrincipal)) {
     OriginAttributes sourceAttrs = mProvidedPrincipal->OriginAttributesRef();
     OriginAttributes targetAttrs = targetPrin->OriginAttributesRef();

     MOZ_DIAGNOSTIC_ASSERT(
         sourceAttrs.mUserContextId == targetAttrs.mUserContextId,
         "Target and source should have the same userContextId attribute.");

     nsAutoString providedOrigin, targetOrigin;
     nsresult rv = nsContentUtils::GetWebExposedOriginSerialization(
         targetPrin, targetOrigin);
     NS_ENSURE_SUCCESS(rv, rv);
     rv = nsContentUtils::GetWebExposedOriginSerialization(mProvidedPrincipal,
                                                           providedOrigin);
     NS_ENSURE_SUCCESS(rv, rv);

     nsAutoString errorText;
     nsContentUtils::FormatLocalizedString(
         errorText, nsContentUtils::eDOM_PROPERTIES,
         "TargetPrincipalDoesNotMatch", providedOrigin, targetOrigin);

     nsCOMPtr<nsIScriptError> errorObject =
         do_CreateInstance(NS_SCRIPTERROR_CONTRACTID, &rv);
     NS_ENSURE_SUCCESS(rv, rv);

     if (mCallerWindowID == 0) {
       rv = errorObject->Init(errorText, mScriptLocation.value(), 0, 0,
                              nsIScriptError::errorFlag, "DOM Window"_ns,
                              mIsFromPrivateWindow,
                              mProvidedPrincipal->IsSystemPrincipal());
     } else if (callerURI) {
       rv = errorObject->InitWithSourceURI(errorText, callerURI, 0, 0,
                                           nsIScriptError::errorFlag,
                                           "DOM Window"_ns, mCallerWindowID);
     } else {
       rv = errorObject->InitWithWindowID(errorText, mScriptLocation.value(),
                                          0, 0, nsIScriptError::errorFlag,
                                          "DOM Window"_ns, mCallerWindowID);
     }
     NS_ENSURE_SUCCESS(rv, rv);

     nsCOMPtr<nsIConsoleService> consoleService =
         do_GetService(NS_CONSOLESERVICE_CONTRACTID, &rv);
     NS_ENSURE_SUCCESS(rv, rv);

     return consoleService->LogMessage(errorObject);
   }
 }

 IgnoredErrorResult rv;
 JS::Rooted<JS::Value> messageData(cx);
 nsCOMPtr<mozilla::dom::EventTarget> eventTarget =
     do_QueryObject(targetWindow);

 JS::CloneDataPolicy cloneDataPolicy;

 MOZ_DIAGNOSTIC_ASSERT(targetWindow);
 if (mCallerAgentClusterId.isSome() && targetWindow->GetDocGroup() &&
     targetWindow->GetDocGroup()->AgentClusterId().Equals(
         mCallerAgentClusterId.ref())) {
   cloneDataPolicy.allowIntraClusterClonableSharedObjects();
 }

 if (targetWindow->IsSharedMemoryAllowed()) {
   cloneDataPolicy.allowSharedMemoryObjects();
 }

 if (mHolder.empty()) {
   DispatchError(cx, targetWindow, eventTarget);
   return NS_OK;
 }

 StructuredCloneHolder* holder;
 if (mHolder.constructed<StructuredCloneHolder>()) {
   mHolder.ref<StructuredCloneHolder>().Read(
       targetWindow->AsGlobal(), cx, &messageData, cloneDataPolicy, rv);
   holder = &mHolder.ref<StructuredCloneHolder>();
 } else {
   MOZ_ASSERT(mHolder.constructed<ipc::StructuredCloneData>());
   mHolder.ref<ipc::StructuredCloneData>().Read(cx, &messageData, rv);
   holder = &mHolder.ref<ipc::StructuredCloneData>();
 }
 if (NS_WARN_IF(rv.Failed())) {
   JS_ClearPendingException(cx);
   DispatchError(cx, targetWindow, eventTarget);
   return NS_OK;
 }

 // Create the event
 RefPtr<MessageEvent> event = new MessageEvent(eventTarget, nullptr, nullptr);

 Nullable<WindowProxyOrMessagePortOrServiceWorker> source;
 if (mSource) {
   source.SetValue().SetAsWindowProxy() = mSource;
 }

 Sequence<OwningNonNull<MessagePort>> ports;
 if (!holder->TakeTransferredPortsAsSequence(ports)) {
   DispatchError(cx, targetWindow, eventTarget);
   return NS_OK;
 }

 event->InitMessageEvent(nullptr, u"message"_ns, CanBubble::eNo,
                         Cancelable::eNo, messageData, mCallerOrigin, u""_ns,
                         source, ports);

 Dispatch(targetWindow, event);
 return NS_OK;
}

void PostMessageEvent::DispatchError(JSContext* aCx,
                                    nsGlobalWindowInner* aTargetWindow,
                                    mozilla::dom::EventTarget* aEventTarget) {
 RootedDictionary<MessageEventInit> init(aCx);
 init.mBubbles = false;
 init.mCancelable = false;
 init.mOrigin = mCallerOrigin;

 if (mSource) {
   init.mSource.SetValue().SetAsWindowProxy() = mSource;
 }

 RefPtr<Event> event =
     MessageEvent::Constructor(aEventTarget, u"messageerror"_ns, init);
 Dispatch(aTargetWindow, event);
}

void PostMessageEvent::Dispatch(nsGlobalWindowInner* aTargetWindow,
                               Event* aEvent) {
 // We can't simply call dispatchEvent on the window because doing so ends
 // up flipping the trusted bit on the event, and we don't want that to
 // happen because then untrusted content can call postMessage on a chrome
 // window if it can get a reference to it.

 RefPtr<nsPresContext> presContext =
     aTargetWindow->GetExtantDoc()->GetPresContext();

 aEvent->SetTrusted(true);
 WidgetEvent* internalEvent = aEvent->WidgetEventPtr();

 nsEventStatus status = nsEventStatus_eIgnore;
 EventDispatcher::Dispatch(aTargetWindow, presContext, internalEvent, aEvent,
                           &status);
}

static nsresult MaybeThrottle(nsGlobalWindowOuter* aTargetWindow,
                             PostMessageEvent* aEvent) {
 BrowsingContext* bc = aTargetWindow->GetBrowsingContext();
 if (!bc) {
   return NS_ERROR_FAILURE;
 }
 bc = bc->Top();
 if (!bc->IsLoading()) {
   return NS_ERROR_FAILURE;
 }
 if (nsContentUtils::IsPDFJS(aTargetWindow->GetPrincipal())) {
   // pdf.js is known to block the load event on a worker's postMessage event.
   // Avoid throttling postMessage for pdf.js to avoid pathological wait times,
   // see bug 1840762.
   return NS_ERROR_FAILURE;
 }
 if (!StaticPrefs::dom_separate_event_queue_for_post_message_enabled()) {
   return NS_ERROR_FAILURE;
 }
 return bc->Group()->QueuePostMessageEvent(aEvent);
}

void PostMessageEvent::DispatchToTargetThread(ErrorResult& aError) {
 if (NS_SUCCEEDED(MaybeThrottle(mTargetWindow, this))) {
   return;
 }
 aError = mTargetWindow->Dispatch(do_AddRef(this));
}

}  // namespace mozilla::dom