tor-browser

WindowGlobalChild.cpp (34798B)

---

/* -*- Mode: C++; c-basic-offset: 2; indent-tabs-mode: nil; tab-width: 8 -*- */
/* vim: set sw=2 ts=8 et tw=80 ft=cpp : */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "mozilla/dom/WindowGlobalChild.h"

#include "GeckoProfiler.h"
#include "mozilla/AntiTrackingUtils.h"
#include "mozilla/ClearOnShutdown.h"
#include "mozilla/PresShell.h"
#include "mozilla/ScopeExit.h"
#include "mozilla/dom/BrowserBridgeChild.h"
#include "mozilla/dom/BrowserChild.h"
#include "mozilla/dom/BrowsingContext.h"
#include "mozilla/dom/BrowsingContextGroup.h"
#include "mozilla/dom/CloseWatcherManager.h"
#include "mozilla/dom/ContentChild.h"
#include "mozilla/dom/ContentParent.h"
#include "mozilla/dom/IdentityCredential.h"
#include "mozilla/dom/InProcessChild.h"
#include "mozilla/dom/InProcessParent.h"
#include "mozilla/dom/JSActorService.h"
#include "mozilla/dom/JSWindowActorBinding.h"
#include "mozilla/dom/JSWindowActorChild.h"
#include "mozilla/dom/MozFrameLoaderOwnerBinding.h"
#include "mozilla/dom/SecurityPolicyViolationEvent.h"
#include "mozilla/dom/SessionStoreRestoreData.h"
#include "mozilla/dom/WindowContext.h"
#include "mozilla/dom/WindowGlobalActorsBinding.h"
#include "mozilla/dom/WindowGlobalParent.h"
#include "mozilla/dom/nsMixedContentBlocker.h"
#include "mozilla/ipc/Endpoint.h"
#include "nsContentUtils.h"
#include "nsDocShell.h"
#include "nsFocusManager.h"
#include "nsFrameLoader.h"
#include "nsFrameLoaderOwner.h"
#include "nsGlobalWindowInner.h"
#include "nsIHttpChannelInternal.h"
#include "nsIURIMutator.h"
#include "nsNetUtil.h"
#include "nsQueryObject.h"
#include "nsScriptSecurityManager.h"
#include "nsSerializationHelper.h"
#include "nsURLHelper.h"

using namespace mozilla::ipc;
using namespace mozilla::dom::ipc;

namespace mozilla::dom {

WindowGlobalChild::WindowGlobalChild(dom::WindowContext* aWindowContext,
                                    nsIPrincipal* aPrincipal,
                                    nsIURI* aDocumentURI)
   : mWindowContext(aWindowContext),
     mDocumentPrincipal(aPrincipal),
     mDocumentURI(aDocumentURI) {
 MOZ_DIAGNOSTIC_ASSERT(mWindowContext);
 MOZ_DIAGNOSTIC_ASSERT(mDocumentPrincipal);
 MOZ_DIAGNOSTIC_ASSERT(mDocumentPrincipal->GetIsLocalIpAddress() ==
                       mWindowContext->IsLocalIP());

 if (!mDocumentURI) {
   NS_NewURI(getter_AddRefs(mDocumentURI), "about:blank");
 }

 // Registers a DOM Window with the profiler. It re-registers the same Inner
 // Window ID with different URIs because when a Browsing context is first
 // loaded, the first url loaded in it will be about:blank. This call keeps the
 // first non-about:blank registration of window and discards the previous one.
 uint64_t embedderInnerWindowID = 0;
 if (BrowsingContext()->GetParent()) {
   embedderInnerWindowID = BrowsingContext()->GetEmbedderInnerWindowId();
 }
 profiler_register_page(
     BrowsingContext()->BrowserId(), InnerWindowId(),
     nsContentUtils::TruncatedURLForDisplay(aDocumentURI, 1024),
     embedderInnerWindowID, BrowsingContext()->UsePrivateBrowsing());
}

void VerifyStoragePrincipalMatchesDocumentPrincipal(WindowGlobalInit aInit) {
 // WindowGlobalParent::CreateDisconnected performs similar checks in
 // SetDocumentStoragePrincipal. If they fail, the parent process crashes.
 // Let's ensure we crash in content instead, and assert each condition
 // separately to find out what fails. See bug 2003449.
 nsCString noSuffix, storageNoSuffix;
 aInit.principal()->GetOriginNoSuffix(noSuffix);
 aInit.storagePrincipal()->GetOriginNoSuffix(storageNoSuffix);
 MOZ_RELEASE_ASSERT(noSuffix == storageNoSuffix);
 MOZ_RELEASE_ASSERT(
     aInit.principal()->OriginAttributesRef().EqualsIgnoringPartitionKey(
         aInit.storagePrincipal()->OriginAttributesRef()));
}

already_AddRefed<WindowGlobalChild> WindowGlobalChild::Create(
   nsGlobalWindowInner* aWindow) {
#ifdef MOZ_DIAGNOSTIC_ASSERT_ENABLED
 // Opener policy is set when we start to load a document. Here, we ensure we
 // have set the correct Opener policy so that it will be available in the
 // parent process through window global child.
 nsCOMPtr<nsIChannel> chan = aWindow->GetDocument()->GetChannel();
 nsCOMPtr<nsILoadInfo> loadInfo = chan ? chan->LoadInfo() : nullptr;
 nsCOMPtr<nsIHttpChannelInternal> httpChan = do_QueryInterface(chan);
 nsILoadInfo::CrossOriginOpenerPolicy policy;
 if (httpChan &&
     loadInfo->GetExternalContentPolicyType() ==
         ExtContentPolicy::TYPE_DOCUMENT &&
     NS_SUCCEEDED(httpChan->GetCrossOriginOpenerPolicy(&policy))) {
   MOZ_DIAGNOSTIC_ASSERT(policy ==
                         aWindow->GetBrowsingContext()->GetOpenerPolicy());
 }
#endif

 WindowGlobalInit init = WindowGlobalActor::WindowInitializer(aWindow);
 RefPtr<WindowGlobalChild> wgc = CreateDisconnected(init);

 // Send the link constructor over PBrowser, or link over PInProcess.
 if (XRE_IsParentProcess()) {
   InProcessChild* ipChild = InProcessChild::Singleton();
   InProcessParent* ipParent = InProcessParent::Singleton();
   if (!ipChild || !ipParent) {
     return nullptr;
   }

   ManagedEndpoint<PWindowGlobalParent> endpoint =
       ipChild->OpenPWindowGlobalEndpoint(wgc);
   ipParent->BindPWindowGlobalEndpoint(std::move(endpoint),
                                       wgc->WindowContext()->Canonical());
 } else {
   RefPtr<BrowserChild> browserChild =
       BrowserChild::GetFrom(static_cast<mozIDOMWindow*>(aWindow));
   MOZ_ASSERT(browserChild);

#ifdef MOZ_DIAGNOSTIC_ASSERT_ENABLED
   dom::BrowsingContext* bc = aWindow->GetBrowsingContext();
#endif

   MOZ_DIAGNOSTIC_ASSERT(bc->AncestorsAreCurrent());
   MOZ_DIAGNOSTIC_ASSERT(bc->IsInProcess());

   VerifyStoragePrincipalMatchesDocumentPrincipal(init);

   ManagedEndpoint<PWindowGlobalParent> endpoint =
       browserChild->OpenPWindowGlobalEndpoint(wgc);
   browserChild->SendNewWindowGlobal(std::move(endpoint), init);
 }

 wgc->Init();
 wgc->InitWindowGlobal(aWindow);
 return wgc.forget();
}

already_AddRefed<WindowGlobalChild> WindowGlobalChild::CreateDisconnected(
   const WindowGlobalInit& aInit) {
 RefPtr<dom::BrowsingContext> browsingContext =
     dom::BrowsingContext::Get(aInit.context().mBrowsingContextId);

 RefPtr<dom::WindowContext> windowContext =
     dom::WindowContext::GetById(aInit.context().mInnerWindowId);
 MOZ_RELEASE_ASSERT(!windowContext, "Creating duplicate WindowContext");

 // Create our new WindowContext
 if (XRE_IsParentProcess()) {
   windowContext = WindowGlobalParent::CreateDisconnected(aInit);
 } else {
   dom::WindowContext::FieldValues fields = aInit.context().mFields;
   windowContext = new dom::WindowContext(
       browsingContext, aInit.context().mInnerWindowId,
       aInit.context().mOuterWindowId, std::move(fields));
 }

 RefPtr<WindowGlobalChild> windowChild = new WindowGlobalChild(
     windowContext, aInit.principal(), aInit.documentURI());
 windowContext->mIsInProcess = true;
 windowContext->mWindowGlobalChild = windowChild;
 return windowChild.forget();
}

void WindowGlobalChild::Init() {
 MOZ_ASSERT(mWindowContext->mWindowGlobalChild == this);
 mWindowContext->Init();
}

void WindowGlobalChild::InitWindowGlobal(nsGlobalWindowInner* aWindow) {
 mWindowGlobal = aWindow;
}

void WindowGlobalChild::OnNewDocument(Document* aDocument) {
 MOZ_RELEASE_ASSERT(mWindowGlobal);
 MOZ_RELEASE_ASSERT(aDocument);

 // Send a series of messages to update document-specific state on
 // WindowGlobalParent, when we change documents on an existing WindowGlobal.
 // This data is also all sent when we construct a WindowGlobal, so anything
 // added here should also be added to WindowGlobalActor::WindowInitializer.

 // FIXME: Perhaps these should be combined into a smaller number of messages?
 SendSetIsInitialDocument(aDocument->IsInitialDocument());
 SetDocumentURI(aDocument->GetDocumentURI());
 SetDocumentPrincipal(aDocument->NodePrincipal(),
                      aDocument->EffectiveStoragePrincipal());

 nsCOMPtr<nsITransportSecurityInfo> securityInfo;
 if (nsCOMPtr<nsIChannel> channel = aDocument->GetChannel()) {
   channel->GetSecurityInfo(getter_AddRefs(securityInfo));
 }
 SendUpdateDocumentSecurityInfo(securityInfo);

 SendUpdateDocumentCspSettings(aDocument->GetBlockAllMixedContent(false),
                               aDocument->GetUpgradeInsecureRequests(false));
 SendUpdateSandboxFlags(aDocument->GetSandboxFlags());

 net::CookieJarSettingsArgs csArgs;
 net::CookieJarSettings::Cast(aDocument->CookieJarSettings())
     ->Serialize(csArgs);
 if (!SendUpdateCookieJarSettings(csArgs)) {
   NS_WARNING(
       "Failed to update document's cookie jar settings on the "
       "WindowGlobalParent");
 }

 SendUpdateHttpsOnlyStatus(aDocument->HttpsOnlyStatus());

 // Update window context fields for the newly loaded Document.
 WindowContext::Transaction txn;
 txn.SetCookieBehavior(
     Some(aDocument->CookieJarSettings()->GetCookieBehavior()));
 txn.SetIsOnContentBlockingAllowList(
     aDocument->CookieJarSettings()->GetIsOnContentBlockingAllowList());
 txn.SetIsThirdPartyWindow(aDocument->HasThirdPartyChannel());
 txn.SetIsThirdPartyTrackingResourceWindow(
     nsContentUtils::IsThirdPartyTrackingResourceWindow(mWindowGlobal));
 txn.SetIsSecureContext(mWindowGlobal->IsSecureContext());
 if (auto policy = aDocument->GetEmbedderPolicy()) {
   txn.SetEmbedderPolicy(*policy);
 }
 txn.SetShouldResistFingerprinting(aDocument->ShouldResistFingerprinting(
     RFPTarget::IsAlwaysEnabledForPrecompute));
 txn.SetOverriddenFingerprintingSettings(
     aDocument->GetOverriddenFingerprintingSettings());

 if (nsCOMPtr<nsIChannel> channel = aDocument->GetChannel()) {
   nsCOMPtr<nsILoadInfo> loadInfo(channel->LoadInfo());
   txn.SetIsOriginalFrameSource(loadInfo->GetOriginalFrameSrcLoad());

   nsILoadInfo::StoragePermissionState storageAccess =
       loadInfo->GetStoragePermission();
   txn.SetUsingStorageAccess(
       storageAccess == nsILoadInfo::HasStoragePermission ||
       storageAccess == nsILoadInfo::StoragePermissionAllowListed);
 } else {
   txn.SetIsOriginalFrameSource(false);
 }

 // Init Mixed Content Fields
 nsCOMPtr<nsIURI> innerDocURI =
     NS_GetInnermostURI(aDocument->GetDocumentURI());
 if (innerDocURI) {
   txn.SetIsSecure(
       innerDocURI->SchemeIs("https") ||
       nsMixedContentBlocker::IsPotentiallyTrustworthyOnion(innerDocURI));
 }

 MOZ_DIAGNOSTIC_ASSERT(mDocumentPrincipal->GetIsLocalIpAddress() ==
                       mWindowContext->IsLocalIP());

 MOZ_ALWAYS_SUCCEEDS(txn.Commit(mWindowContext));
}

/* static */
already_AddRefed<WindowGlobalChild> WindowGlobalChild::GetByInnerWindowId(
   uint64_t aInnerWindowId) {
 if (RefPtr<dom::WindowContext> context =
         dom::WindowContext::GetById(aInnerWindowId)) {
   return do_AddRef(context->GetWindowGlobalChild());
 }
 return nullptr;
}

dom::BrowsingContext* WindowGlobalChild::BrowsingContext() {
 return mWindowContext->GetBrowsingContext();
}

Nullable<WindowProxyHolder> WindowGlobalChild::GetContentWindow() {
 if (IsCurrentGlobal()) {
   return WindowProxyHolder(BrowsingContext());
 }
 return nullptr;
}

uint64_t WindowGlobalChild::InnerWindowId() {
 return mWindowContext->InnerWindowId();
}

uint64_t WindowGlobalChild::OuterWindowId() {
 return mWindowContext->OuterWindowId();
}

bool WindowGlobalChild::IsCurrentGlobal() {
 return CanSend() && mWindowGlobal->IsCurrentInnerWindow();
}

already_AddRefed<WindowGlobalParent> WindowGlobalChild::GetParentActor() {
 if (!CanSend()) {
   return nullptr;
 }
 IProtocol* otherSide = InProcessChild::ParentActorFor(this);
 return do_AddRef(static_cast<WindowGlobalParent*>(otherSide));
}

already_AddRefed<BrowserChild> WindowGlobalChild::GetBrowserChild() {
 if (IsInProcess() || !CanSend()) {
   return nullptr;
 }
 return do_AddRef(static_cast<BrowserChild*>(Manager()));
}

uint64_t WindowGlobalChild::ContentParentId() {
 if (XRE_IsParentProcess()) {
   return 0;
 }
 return ContentChild::GetSingleton()->GetID();
}

// A WindowGlobalChild is the root in its process if it has no parent, or its
// embedder is in a different process.
bool WindowGlobalChild::IsProcessRoot() {
 if (!BrowsingContext()->GetParent()) {
   return true;
 }

 return !BrowsingContext()->GetEmbedderElement();
}

// When a "beforeunload" handler is added, it's recorded to be able to know when
// dispatching "beforeunload" is needed.
void WindowGlobalChild::BeforeUnloadAdded() {
 // Don't bother notifying the parent if we don't have an IPC link open.
 if (mBeforeUnloadListeners == 0 && CanSend()) {
   (void)mWindowContext->SetNeedsBeforeUnload(true);
 }

 mBeforeUnloadListeners++;
 MOZ_ASSERT(mBeforeUnloadListeners > 0);
}

// This is the inverse of `BeforeUnloadAdded`, making sure that "beforeunload"
// isn't dispatched if all "beforeunload" handlers have been removed.
void WindowGlobalChild::BeforeUnloadRemoved() {
 mBeforeUnloadListeners--;
 MOZ_ASSERT(mBeforeUnloadListeners >= 0);

 if (mBeforeUnloadListeners == 0) {
   (void)mWindowContext->SetNeedsBeforeUnload(false);
 }
}

// This is very similar to what is done for "beforeunload" and uses the same
// state to keep track, but is only ever used for a top level window. It's used
// to be able to track when a "navigate" event needs to be dispatched to the top
// level window's navigation object, which needs to happen right after a
// "beforeunload" event for that window would be dispatched, regardless of if it
// is.
void WindowGlobalChild::NavigateAdded() {
 if (!BrowsingContext()->IsTop()) {
   return;
 }
 BeforeUnloadAdded();
}

// The inverse of `NavigateAdded`, again only ever used for a top level window.
void WindowGlobalChild::NavigateRemoved() {
 if (!BrowsingContext()->IsTop()) {
   return;
 }
 BeforeUnloadRemoved();
}

void WindowGlobalChild::Destroy() {
 JSActorWillDestroy();

 mWindowContext->Discard();

 // Perform async IPC shutdown unless we're not in-process, and our
 // BrowserChild is in the process of being destroyed, which will destroy
 // us as well.
 RefPtr<BrowserChild> browserChild = GetBrowserChild();
 if (!browserChild || !browserChild->IsDestroyed()) {
   SendDestroy();
 }
}

mozilla::ipc::IPCResult WindowGlobalChild::RecvMakeFrameLocal(
   const MaybeDiscarded<dom::BrowsingContext>& aFrameContext,
   uint64_t aPendingSwitchId) {
 MOZ_DIAGNOSTIC_ASSERT(XRE_IsContentProcess());

 MOZ_LOG(BrowsingContext::GetLog(), LogLevel::Debug,
         ("RecvMakeFrameLocal ID=%" PRIx64, aFrameContext.ContextId()));

 if (NS_WARN_IF(aFrameContext.IsNullOrDiscarded())) {
   return IPC_OK();
 }
 dom::BrowsingContext* frameContext = aFrameContext.get();

 RefPtr<Element> embedderElt = frameContext->GetEmbedderElement();
 if (NS_WARN_IF(!embedderElt)) {
   return IPC_OK();
 }

 if (NS_WARN_IF(embedderElt->GetOwnerGlobal() != GetWindowGlobal())) {
   return IPC_OK();
 }

 RefPtr<nsFrameLoaderOwner> flo = do_QueryObject(embedderElt);
 MOZ_DIAGNOSTIC_ASSERT(flo, "Embedder must be a nsFrameLoaderOwner");

 // Trigger a process switch into the current process.
 RemotenessOptions options;
 options.mRemoteType = NOT_REMOTE_TYPE;
 options.mPendingSwitchID.Construct(aPendingSwitchId);
 options.mSwitchingInProgressLoad = true;
 flo->ChangeRemoteness(options, IgnoreErrors());
 return IPC_OK();
}

mozilla::ipc::IPCResult WindowGlobalChild::RecvMakeFrameRemote(
   const MaybeDiscarded<dom::BrowsingContext>& aFrameContext,
   ManagedEndpoint<PBrowserBridgeChild>&& aEndpoint, const TabId& aTabId,
   const LayersId& aLayersId, MakeFrameRemoteResolver&& aResolve) {
 MOZ_DIAGNOSTIC_ASSERT(XRE_IsContentProcess());

 MOZ_LOG(BrowsingContext::GetLog(), LogLevel::Debug,
         ("RecvMakeFrameRemote ID=%" PRIx64, aFrameContext.ContextId()));

 if (!aLayersId.IsValid()) {
   return IPC_FAIL(this, "Received an invalid LayersId");
 }

 // Resolve the promise when this function exits, as we'll have fully unloaded
 // at that point.
 auto scopeExit = MakeScopeExit([&] { aResolve(true); });

 // Get a BrowsingContext if we're not null or discarded. We don't want to
 // early-return before we connect the BrowserBridgeChild, as otherwise we'll
 // never break the channel in the parent.
 RefPtr<dom::BrowsingContext> frameContext;
 if (!aFrameContext.IsDiscarded()) {
   frameContext = aFrameContext.get();
 }

 // Immediately construct the BrowserBridgeChild so we can destroy it cleanly
 // if the process switch fails.
 RefPtr<BrowserBridgeChild> bridge =
     new BrowserBridgeChild(frameContext, aTabId, aLayersId);
 RefPtr<BrowserChild> manager = GetBrowserChild();
 if (NS_WARN_IF(
         !manager->BindPBrowserBridgeEndpoint(std::move(aEndpoint), bridge))) {
   return IPC_OK();
 }

 // Synchronously delete de actor here rather than using SendBeginDestroy(), as
 // we haven't initialized it yet.
 auto deleteBridge =
     MakeScopeExit([&] { BrowserBridgeChild::Send__delete__(bridge); });

 // Immediately tear down the actor if we don't have a valid FrameContext.
 if (NS_WARN_IF(aFrameContext.IsNullOrDiscarded())) {
   return IPC_OK();
 }

 RefPtr<Element> embedderElt = frameContext->GetEmbedderElement();
 if (NS_WARN_IF(!embedderElt)) {
   return IPC_OK();
 }

 if (NS_WARN_IF(embedderElt->GetOwnerGlobal() != GetWindowGlobal())) {
   return IPC_OK();
 }

 RefPtr<nsFrameLoaderOwner> flo = do_QueryObject(embedderElt);
 MOZ_DIAGNOSTIC_ASSERT(flo, "Embedder must be a nsFrameLoaderOwner");

 // Trgger a process switch into the specified process.
 IgnoredErrorResult rv;
 flo->ChangeRemotenessWithBridge(bridge, rv);
 if (NS_WARN_IF(rv.Failed())) {
   return IPC_OK();
 }

 // Everything succeeded, so don't delete the bridge.
 deleteBridge.release();

 return IPC_OK();
}

mozilla::ipc::IPCResult WindowGlobalChild::RecvDrawSnapshot(
   const Maybe<IntRect>& aRect, const float& aScale,
   const nscolor& aBackgroundColor, const uint32_t& aFlags,
   DrawSnapshotResolver&& aResolve) {
 aResolve(gfx::PaintFragment::Record(BrowsingContext(), aRect, aScale,
                                     aBackgroundColor,
                                     (gfx::CrossProcessPaintFlags)aFlags));
 return IPC_OK();
}

mozilla::ipc::IPCResult
WindowGlobalChild::RecvSaveStorageAccessPermissionGranted() {
 nsCOMPtr<nsPIDOMWindowInner> inner = GetWindowGlobal();
 if (inner) {
   inner->SaveStorageAccessPermissionGranted();
 }

 return IPC_OK();
}

mozilla::ipc::IPCResult WindowGlobalChild::RecvDispatchSecurityPolicyViolation(
   const nsString& aViolationEventJSON) {
 nsGlobalWindowInner* window = GetWindowGlobal();
 if (!window) {
   return IPC_OK();
 }

 Document* doc = window->GetDocument();
 if (!doc) {
   return IPC_OK();
 }

 SecurityPolicyViolationEventInit violationEvent;
 if (!violationEvent.Init(aViolationEventJSON)) {
   return IPC_OK();
 }

 RefPtr<Event> event = SecurityPolicyViolationEvent::Constructor(
     doc, u"securitypolicyviolation"_ns, violationEvent);
 event->SetTrusted(true);
 doc->DispatchEvent(*event, IgnoreErrors());
 return IPC_OK();
}

mozilla::ipc::IPCResult WindowGlobalChild::RecvAddBlockedFrameNodeByClassifier(
   const MaybeDiscardedBrowsingContext& aNode) {
 if (aNode.IsNullOrDiscarded()) {
   return IPC_OK();
 }

 nsGlobalWindowInner* window = GetWindowGlobal();
 if (!window) {
   return IPC_OK();
 }

 Document* doc = window->GetDocument();
 if (!doc) {
   return IPC_OK();
 }

 MOZ_ASSERT(aNode.get()->GetEmbedderElement()->OwnerDoc() == doc);
 doc->AddBlockedNodeByClassifier(aNode.get()->GetEmbedderElement());
 return IPC_OK();
}

mozilla::ipc::IPCResult WindowGlobalChild::RecvResetScalingZoom() {
 if (Document* doc = mWindowGlobal->GetExtantDoc()) {
   if (PresShell* ps = doc->GetPresShell()) {
     ps->SetResolutionAndScaleTo(1.0,
                                 ResolutionChangeOrigin::MainThreadAdjustment);
   }
 }
 return IPC_OK();
}

mozilla::ipc::IPCResult WindowGlobalChild::RecvRestoreDocShellState(
   const dom::sessionstore::DocShellRestoreState& aState,
   RestoreDocShellStateResolver&& aResolve) {
 if (mWindowGlobal) {
   SessionStoreUtils::RestoreDocShellState(mWindowGlobal->GetDocShell(),
                                           aState);
 }
 aResolve(true);
 return IPC_OK();
}

mozilla::ipc::IPCResult WindowGlobalChild::RecvRestoreTabContent(
   dom::SessionStoreRestoreData* aData, RestoreTabContentResolver&& aResolve) {
 aData->RestoreInto(BrowsingContext());
 aResolve(true);
 return IPC_OK();
}

IPCResult WindowGlobalChild::RecvRawMessage(
   const JSActorMessageMeta& aMeta, JSIPCValue&& aData,
   const UniquePtr<ClonedMessageData>& aStack) {
 UniquePtr<StructuredCloneData> stack;
 if (aStack) {
   stack = MakeUnique<StructuredCloneData>();
   stack->BorrowFromClonedMessageData(*aStack);
 }
 ReceiveRawMessage(aMeta, std::move(aData), std::move(stack));
 return IPC_OK();
}

IPCResult WindowGlobalChild::RecvNotifyPermissionChange(const nsCString& aType,
                                                       uint32_t aPermission) {
 nsCOMPtr<nsIObserverService> observerService = services::GetObserverService();
 NS_ENSURE_TRUE(observerService,
                IPC_FAIL(this, "Failed to get observer service"));
 nsPIDOMWindowInner* notifyTarget =
     static_cast<nsPIDOMWindowInner*>(this->GetWindowGlobal());
 observerService->NotifyObservers(notifyTarget, "perm-changed-notify-only",
                                  NS_ConvertUTF8toUTF16(aType).get());
 // We only need to handle the revoked permission case here. The permission
 // grant case is handled via the Storage Access API code.
 if (this->GetWindowGlobal() &&
     this->GetWindowGlobal()->UsingStorageAccess() &&
     aPermission != nsIPermissionManager::ALLOW_ACTION) {
   this->GetWindowGlobal()->SaveStorageAccessPermissionRevoked();
 }
 return IPC_OK();
}

IPCResult WindowGlobalChild::RecvProcessCloseRequest(
   const MaybeDiscarded<dom::BrowsingContext>& aFocused) {
 RefPtr<nsFocusManager> focusManager = nsFocusManager::GetFocusManager();
 RefPtr<dom::BrowsingContext> focusedContext =
     focusManager ? focusManager->GetFocusedBrowsingContext() : nullptr;
 MOZ_ASSERT(focusedContext, "Cannot find focused context");
 // Only the currently focused context's CloseWatcher should be processed.
 if (RefPtr<Document> doc = focusedContext->GetExtantDocument()) {
   RefPtr<nsPIDOMWindowInner> win = doc->GetInnerWindow();
   if (win && win->IsFullyActive()) {
     RefPtr manager = win->EnsureCloseWatcherManager();
     manager->ProcessCloseRequest();
   }
 }
 return IPC_OK();
}

void WindowGlobalChild::SetDocumentURI(nsIURI* aDocumentURI) {
 // Registers a DOM Window with the profiler. It re-registers the same Inner
 // Window ID with different URIs because when a Browsing context is first
 // loaded, the first url loaded in it will be about:blank. This call keeps the
 // first non-about:blank registration of window and discards the previous one.
 uint64_t embedderInnerWindowID = 0;
 if (BrowsingContext()->GetParent()) {
   embedderInnerWindowID = BrowsingContext()->GetEmbedderInnerWindowId();
 }
 profiler_register_page(
     BrowsingContext()->BrowserId(), InnerWindowId(),
     nsContentUtils::TruncatedURLForDisplay(aDocumentURI, 1024),
     embedderInnerWindowID, BrowsingContext()->UsePrivateBrowsing());

 nsCOMPtr<nsIURI> principalURI = mDocumentPrincipal->GetURI();
 if (mDocumentPrincipal->GetIsNullPrincipal()) {
   if (nsCOMPtr<nsIPrincipal> precursor =
           mDocumentPrincipal->GetPrecursorPrincipal()) {
     principalURI = precursor->GetURI();
   }
 }

 MOZ_DIAGNOSTIC_ASSERT(!nsScriptSecurityManager::IsHttpOrHttpsAndCrossOrigin(
                           principalURI, aDocumentURI),
                       "Setting DocumentURI with a different origin "
                       "than principal URI");

 mDocumentURI = aDocumentURI;
 SendUpdateDocumentURI(WrapNotNull(aDocumentURI));
}

void WindowGlobalChild::SetDocumentPrincipal(
   nsIPrincipal* aNewDocumentPrincipal,
   nsIPrincipal* aNewDocumentStoragePrincipal) {
 MOZ_ASSERT(mDocumentPrincipal->Equals(aNewDocumentPrincipal));
 mDocumentPrincipal = aNewDocumentPrincipal;
 SendUpdateDocumentPrincipal(aNewDocumentPrincipal,
                             aNewDocumentStoragePrincipal);
}

const nsACString& WindowGlobalChild::GetRemoteType() const {
 if (XRE_IsContentProcess()) {
   return ContentChild::GetSingleton()->GetRemoteType();
 }

 return NOT_REMOTE_TYPE;
}

already_AddRefed<JSWindowActorChild> WindowGlobalChild::GetActor(
   JSContext* aCx, const nsACString& aName, ErrorResult& aRv) {
 return JSActorManager::GetActor(aCx, aName, aRv)
     .downcast<JSWindowActorChild>();
}

already_AddRefed<JSWindowActorChild> WindowGlobalChild::GetExistingActor(
   const nsACString& aName) {
 return JSActorManager::GetExistingActor(aName).downcast<JSWindowActorChild>();
}

already_AddRefed<JSActor> WindowGlobalChild::InitJSActor(
   JS::Handle<JSObject*> aMaybeActor, const nsACString& aName,
   ErrorResult& aRv) {
 RefPtr<JSWindowActorChild> actor;
 if (aMaybeActor.get()) {
   aRv = UNWRAP_OBJECT(JSWindowActorChild, aMaybeActor.get(), actor);
   if (aRv.Failed()) {
     return nullptr;
   }
 } else {
   actor = new JSWindowActorChild();
 }

 MOZ_RELEASE_ASSERT(!actor->GetManager(),
                    "mManager was already initialized once!");
 actor->Init(aName, this);
 return actor.forget();
}

void WindowGlobalChild::ActorDestroy(ActorDestroyReason aWhy) {
 MOZ_ASSERT(nsContentUtils::IsSafeToRunScript(),
            "Destroying WindowGlobalChild can run script");

 // If our WindowContext hasn't been marked as discarded yet, ensure it's
 // marked as discarded at this point.
 mWindowContext->Discard();

 profiler_unregister_page(InnerWindowId());

 // Destroy our JSActors, and reject any pending queries.
 JSActorDidDestroy();
}

bool WindowGlobalChild::IsSameOriginWith(
   const dom::WindowContext* aOther) const {
 if (aOther == WindowContext()) {
   return true;
 }

 MOZ_DIAGNOSTIC_ASSERT(WindowContext()->Group() == aOther->Group());
 if (nsGlobalWindowInner* otherWin = aOther->GetInnerWindow()) {
   return mDocumentPrincipal->Equals(otherWin->GetPrincipal());
 }
 return false;
}

bool WindowGlobalChild::SameOriginWithTop() {
 return IsSameOriginWith(WindowContext()->TopWindowContext());
}

// For historical context, see:
//
// Bug 13871:   Prevent frameset spoofing
// Bug 103638:  Targets with same name in different windows open in wrong
//              window with javascript
// Bug 408052:  Adopt "ancestor" frame navigation policy
// Bug 1570207: Refactor logic to rely on BrowsingContextGroups to enforce
//              origin attribute isolation
// Bug 1810619: Crash at null in nsDocShell::ValidateOrigin
bool WindowGlobalChild::CanNavigate(dom::BrowsingContext* aTarget,
                                   bool aConsiderOpener) {
 MOZ_DIAGNOSTIC_ASSERT(WindowContext()->Group() == aTarget->Group(),
                       "A WindowGlobalChild should never try to navigate a "
                       "BrowsingContext from another group");

 auto isFileScheme = [](nsIPrincipal* aPrincipal) -> bool {
   // NOTE: This code previously checked for a file scheme using
   // `nsIPrincipal::GetURI()` combined with `NS_GetInnermostURI`. We no longer
   // use GetURI, as it has been deprecated, and it makes more sense to take
   // advantage of the pre-computed origin, which will already use the
   // innermost URI (bug 1810619)
   nsAutoCString origin, scheme;
   return NS_SUCCEEDED(aPrincipal->GetOriginNoSuffix(origin)) &&
          NS_SUCCEEDED(net_ExtractURLScheme(origin, scheme)) &&
          scheme == "file"_ns;
 };

 // A frame can navigate itself and its own root.
 if (aTarget == BrowsingContext() || aTarget == BrowsingContext()->Top()) {
   return true;
 }

 // If the target frame doesn't yet have a WindowContext, start checking
 // principals from its direct ancestor instead. It would inherit its principal
 // from this document upon creation.
 dom::WindowContext* initialWc = aTarget->GetCurrentWindowContext();
 if (!initialWc) {
   initialWc = aTarget->GetParentWindowContext();
 }

 // A frame can navigate any frame with a same-origin ancestor.
 bool isFileDocument = isFileScheme(DocumentPrincipal());
 for (dom::WindowContext* wc = initialWc; wc;
      wc = wc->GetParentWindowContext()) {
   dom::WindowGlobalChild* wgc = wc->GetWindowGlobalChild();
   if (!wgc) {
     continue;  // out-of process, so not same-origin.
   }

   if (DocumentPrincipal()->Equals(wgc->DocumentPrincipal())) {
     return true;
   }

   // Not strictly equal, special case if both are file: URIs.
   //
   // file: URIs are considered the same domain for the purpose of frame
   // navigation, regardless of script accessibility (bug 420425).
   if (isFileDocument && isFileScheme(wgc->DocumentPrincipal())) {
     return true;
   }
 }

 // If the target is a top-level document, a frame can navigate it if it can
 // navigate its opener.
 if (aConsiderOpener && !aTarget->GetParent()) {
   if (RefPtr<dom::BrowsingContext> opener = aTarget->GetOpener()) {
     return CanNavigate(opener, false);
   }
 }

 return false;
}

// FindWithName follows the rules for choosing a browsing context,
// with the exception of sandboxing for iframes. The implementation
// for arbitrarily choosing between two browsing contexts with the
// same name is as follows:
//
// 1) The start browsing context, i.e. 'this'
// 2) Descendants in insertion order
// 3) The parent
// 4) Siblings and their children, both in insertion order
// 5) After this we iteratively follow the parent chain, repeating 3
//    and 4 until
// 6) If there is no parent, consider all other top level browsing
//    contexts and their children, both in insertion order
//
// See
// https://html.spec.whatwg.org/multipage/browsers.html#the-rules-for-choosing-a-browsing-context-given-a-browsing-context-name
dom::BrowsingContext* WindowGlobalChild::FindBrowsingContextWithName(
   const nsAString& aName, bool aUseEntryGlobalForAccessCheck) {
 RefPtr<WindowGlobalChild> requestingContext = this;
 if (aUseEntryGlobalForAccessCheck) {
   if (nsGlobalWindowInner* caller = nsContentUtils::EntryInnerWindow()) {
     if (caller->GetBrowsingContextGroup() == WindowContext()->Group()) {
       requestingContext = caller->GetWindowGlobalChild();
     } else {
       MOZ_RELEASE_ASSERT(caller->GetPrincipal()->IsSystemPrincipal(),
                          "caller must be either same-group or system");
     }
   }
 }
 MOZ_ASSERT(requestingContext, "must have a requestingContext");

 dom::BrowsingContext* found = nullptr;
 if (aName.IsEmpty()) {
   // You can't find a browsing context with an empty name.
   found = nullptr;
 } else if (aName.LowerCaseEqualsLiteral("_blank")) {
   // Just return null. Caller must handle creating a new window with
   // a blank name.
   found = nullptr;
 } else if (nsContentUtils::IsSpecialName(aName)) {
   found = BrowsingContext()->FindWithSpecialName(aName, *requestingContext);
 } else if (dom::BrowsingContext* child =
                BrowsingContext()->FindWithNameInSubtree(aName,
                                                         requestingContext)) {
   found = child;
 } else {
   dom::WindowContext* current = WindowContext();

   do {
     Span<RefPtr<dom::BrowsingContext>> siblings;
     dom::WindowContext* parent = current->GetParentWindowContext();

     if (!parent) {
       // We've reached the root of the tree, consider browsing
       // contexts in the same browsing context group.
       siblings = WindowContext()->Group()->Toplevels();
     } else if (dom::BrowsingContext* bc = parent->GetBrowsingContext();
                bc && bc->NameEquals(aName) &&
                requestingContext->CanNavigate(bc) && bc->IsTargetable()) {
       found = bc;
       break;
     } else {
       siblings = parent->NonSyntheticChildren();
     }

     for (dom::BrowsingContext* sibling : siblings) {
       if (sibling == current->GetBrowsingContext()) {
         continue;
       }

       if (dom::BrowsingContext* relative =
               sibling->FindWithNameInSubtree(aName, requestingContext)) {
         found = relative;
         // Breaks the outer loop
         parent = nullptr;
         break;
       }
     }

     current = parent;
   } while (current);
 }

 // Helpers should perform access control checks, which means that we
 // only need to assert that we can access found.
 MOZ_DIAGNOSTIC_ASSERT(!found || requestingContext->CanNavigate(found));

 return found;
}

void WindowGlobalChild::UnblockBFCacheFor(BFCacheStatus aStatus) {
 SendUpdateBFCacheStatus(0, aStatus);
}

void WindowGlobalChild::BlockBFCacheFor(BFCacheStatus aStatus) {
 SendUpdateBFCacheStatus(aStatus, 0);
}

WindowGlobalChild::~WindowGlobalChild() = default;

JSObject* WindowGlobalChild::WrapObject(JSContext* aCx,
                                       JS::Handle<JSObject*> aGivenProto) {
 return WindowGlobalChild_Binding::Wrap(aCx, this, aGivenProto);
}

nsISupports* WindowGlobalChild::GetParentObject() {
 return xpc::NativeGlobal(xpc::PrivilegedJunkScope());
}

NS_IMPL_CYCLE_COLLECTION_WRAPPERCACHE_CLASS(WindowGlobalChild)

NS_IMPL_CYCLE_COLLECTION_UNLINK_BEGIN(WindowGlobalChild)
 NS_IMPL_CYCLE_COLLECTION_UNLINK(mWindowGlobal)
 NS_IMPL_CYCLE_COLLECTION_UNLINK(mContainerFeaturePolicy)
 NS_IMPL_CYCLE_COLLECTION_UNLINK(mWindowContext)
 tmp->UnlinkManager();
 NS_IMPL_CYCLE_COLLECTION_UNLINK_PRESERVED_WRAPPER
 NS_IMPL_CYCLE_COLLECTION_UNLINK_WEAK_PTR
NS_IMPL_CYCLE_COLLECTION_UNLINK_END

NS_IMPL_CYCLE_COLLECTION_TRAVERSE_BEGIN(WindowGlobalChild)
 NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mWindowGlobal)
 NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mContainerFeaturePolicy)
 NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mWindowContext)
 if (!tmp->IsInProcess()) {
   CycleCollectionNoteChild(cb, static_cast<BrowserChild*>(tmp->Manager()),
                            "Manager()");
 }
NS_IMPL_CYCLE_COLLECTION_TRAVERSE_END

NS_INTERFACE_MAP_BEGIN_CYCLE_COLLECTION(WindowGlobalChild)
 NS_WRAPPERCACHE_INTERFACE_MAP_ENTRY
 NS_INTERFACE_MAP_ENTRY(nsISupports)
NS_INTERFACE_MAP_END

NS_IMPL_CYCLE_COLLECTING_ADDREF(WindowGlobalChild)
NS_IMPL_CYCLE_COLLECTING_RELEASE(WindowGlobalChild)

}  // namespace mozilla::dom