TabId
ContentProcessManager::AllocateTabId(const TabId& aOpenerTabId,
const IPCTabContext& aContext,
const ContentParentId& aChildCpId)
{
MOZ_ASSERT(NS_IsMainThread());
auto iter = mContentParentMap.find(aChildCpId);
if (NS_WARN_IF(iter == mContentParentMap.end())) {
ASSERT_UNLESS_FUZZING();
return TabId(0);
}
struct RemoteFrameInfo info;
// If it's a PopupIPCTabContext, it's the case that a TabChild want to
// open a new tab. aOpenerTabId has to be it's parent frame's opener id.
if (aContext.type() == IPCTabContext::TPopupIPCTabContext) {
auto remoteFrameIter = iter->second.mRemoteFrames.find(aOpenerTabId);
if (remoteFrameIter == iter->second.mRemoteFrames.end()) {
ASSERT_UNLESS_FUZZING("Failed to find parent frame's opener id.");
return TabId(0);
}
info.mOpenerTabId = remoteFrameIter->second.mOpenerTabId;
const PopupIPCTabContext &ipcContext = aContext.get_PopupIPCTabContext();
MOZ_ASSERT(ipcContext.opener().type() == PBrowserOrId::TTabId);
remoteFrameIter = iter->second.mRemoteFrames.find(ipcContext.opener().get_TabId());
if (remoteFrameIter == iter->second.mRemoteFrames.end()) {
ASSERT_UNLESS_FUZZING("Failed to find tab id.");
return TabId(0);
}
info.mContext = remoteFrameIter->second.mContext;
}
else {
MaybeInvalidTabContext tc(aContext);
if (!tc.IsValid()) {
NS_ERROR(nsPrintfCString("Received an invalid TabContext from "
"the child process. (%s)",
tc.GetInvalidReason()).get());
return TabId(0);
}
info.mOpenerTabId = aOpenerTabId;
info.mContext = tc.GetTabContext();
}
mUniqueId = ++gTabId;
iter->second.mRemoteFrames[mUniqueId] = info;
return mUniqueId;
}
bool
nsIContentParent::CanOpenBrowser(const IPCTabContext& aContext)
{
// (PopupIPCTabContext lets the child process prove that it has access to
// the app it's trying to open.)
// On e10s we also allow UnsafeTabContext to allow service workers to open
// windows. This is enforced in MaybeInvalidTabContext.
if (aContext.type() != IPCTabContext::TPopupIPCTabContext &&
aContext.type() != IPCTabContext::TUnsafeIPCTabContext) {
ASSERT_UNLESS_FUZZING("Unexpected IPCTabContext type. Aborting AllocPBrowserParent.");
return false;
}
if (aContext.type() == IPCTabContext::TPopupIPCTabContext) {
const PopupIPCTabContext& popupContext = aContext.get_PopupIPCTabContext();
if (popupContext.opener().type() != PBrowserOrId::TPBrowserParent) {
ASSERT_UNLESS_FUZZING("Unexpected PopupIPCTabContext type. Aborting AllocPBrowserParent.");
return false;
}
auto opener = TabParent::GetFrom(popupContext.opener().get_PBrowserParent());
if (!opener) {
ASSERT_UNLESS_FUZZING("Got null opener from child; aborting AllocPBrowserParent.");
return false;
}
// Popup windows of isMozBrowserElement frames must be isMozBrowserElement if
// the parent isMozBrowserElement. Allocating a !isMozBrowserElement frame with
// same app ID would allow the content to access data it's not supposed to.
if (!popupContext.isMozBrowserElement() && opener->IsMozBrowserElement()) {
ASSERT_UNLESS_FUZZING("Child trying to escalate privileges! Aborting AllocPBrowserParent.");
return false;
}
}
MaybeInvalidTabContext tc(aContext);
if (!tc.IsValid()) {
NS_ERROR(nsPrintfCString("Child passed us an invalid TabContext. (%s) "
"Aborting AllocPBrowserParent.",
tc.GetInvalidReason()).get());
return false;
}
return true;
}
bool
nsIContentParent::CanOpenBrowser(const IPCTabContext& aContext)
{
const IPCTabAppBrowserContext& appBrowser = aContext.appBrowserContext();
// We don't trust the IPCTabContext we receive from the child, so we'll bail
// if we receive an IPCTabContext that's not a PopupIPCTabContext.
// (PopupIPCTabContext lets the child process prove that it has access to
// the app it's trying to open.)
if (appBrowser.type() != IPCTabAppBrowserContext::TPopupIPCTabContext) {
ASSERT_UNLESS_FUZZING("Unexpected IPCTabContext type. Aborting AllocPBrowserParent.");
return false;
}
const PopupIPCTabContext& popupContext = appBrowser.get_PopupIPCTabContext();
if (popupContext.opener().type() != PBrowserOrId::TPBrowserParent) {
ASSERT_UNLESS_FUZZING("Unexpected PopupIPCTabContext type. Aborting AllocPBrowserParent.");
return false;
}
auto opener = TabParent::GetFrom(popupContext.opener().get_PBrowserParent());
if (!opener) {
ASSERT_UNLESS_FUZZING("Got null opener from child; aborting AllocPBrowserParent.");
return false;
}
// Popup windows of isBrowser frames must be isBrowser if the parent
// isBrowser. Allocating a !isBrowser frame with same app ID would allow
// the content to access data it's not supposed to.
if (!popupContext.isBrowserElement() && opener->IsBrowserElement()) {
ASSERT_UNLESS_FUZZING("Child trying to escalate privileges! Aborting AllocPBrowserParent.");
return false;
}
MaybeInvalidTabContext tc(aContext);
if (!tc.IsValid()) {
NS_ERROR(nsPrintfCString("Child passed us an invalid TabContext. (%s) "
"Aborting AllocPBrowserParent.",
tc.GetInvalidReason()).get());
return false;
}
return true;
}
TabContext::TabContext(const IPCTabContext& aParams)
: mInitialized(true)
{
const IPCTabAppBrowserContext& appBrowser = aParams.appBrowserContext();
switch(appBrowser.type()) {
case IPCTabAppBrowserContext::TPopupIPCTabContext: {
const PopupIPCTabContext &ipcContext = appBrowser.get_PopupIPCTabContext();
TabContext *context;
if (ipcContext.openerParent()) {
context = static_cast<TabParent*>(ipcContext.openerParent());
if (context->IsBrowserElement() && !ipcContext.isBrowserElement()) {
// If the TabParent corresponds to a browser element, then it can only
// open other browser elements, for security reasons. We should have
// checked this before calling the TabContext constructor, so this is
// a fatal error.
MOZ_CRASH();
}
}
else if (ipcContext.openerChild()) {
context = static_cast<TabChild*>(ipcContext.openerChild());
}
else {
// This should be unreachable because PopupIPCTabContext::opener is not a
// nullable field.
MOZ_CRASH();
}
// If ipcContext is a browser element, then the opener's app-id becomes
// our containing app-id. Otherwise, our own and containing app-ids are
// directly inherited from our opener.
if (ipcContext.isBrowserElement()) {
mIsBrowser = true;
mOwnAppId = nsIScriptSecurityManager::NO_APP_ID;
mContainingAppId = context->OwnAppId();
}
else {
mIsBrowser = false;
mOwnAppId = context->mOwnAppId;
mContainingAppId = context->mContainingAppId;
}
break;
}
case IPCTabAppBrowserContext::TAppFrameIPCTabContext: {
const AppFrameIPCTabContext &ipcContext =
appBrowser.get_AppFrameIPCTabContext();
mIsBrowser = false;
mOwnAppId = ipcContext.ownAppId();
mContainingAppId = ipcContext.appFrameOwnerAppId();
break;
}
case IPCTabAppBrowserContext::TBrowserFrameIPCTabContext: {
const BrowserFrameIPCTabContext &ipcContext =
appBrowser.get_BrowserFrameIPCTabContext();
mIsBrowser = true;
mOwnAppId = nsIScriptSecurityManager::NO_APP_ID;
mContainingAppId = ipcContext.browserFrameOwnerAppId();
break;
}
case IPCTabAppBrowserContext::TVanillaFrameIPCTabContext: {
mIsBrowser = false;
mOwnAppId = nsIScriptSecurityManager::NO_APP_ID;
mContainingAppId = nsIScriptSecurityManager::NO_APP_ID;
break;
}
default: {
MOZ_CRASH();
}
}
mScrollingBehavior = aParams.scrollingBehavior();
}
MaybeInvalidTabContext::MaybeInvalidTabContext(const IPCTabContext& aParams)
: mInvalidReason(nullptr)
{
bool isMozBrowserElement = false;
bool isPrerendered = false;
uint32_t containingAppId = NO_APP_ID;
DocShellOriginAttributes originAttributes;
nsAutoCString signedPkgOriginNoSuffix;
nsAutoString presentationURL;
UIStateChangeType showAccelerators = UIStateChangeType_NoChange;
UIStateChangeType showFocusRings = UIStateChangeType_NoChange;
switch(aParams.type()) {
case IPCTabContext::TPopupIPCTabContext: {
const PopupIPCTabContext &ipcContext = aParams.get_PopupIPCTabContext();
TabContext *context;
if (ipcContext.opener().type() == PBrowserOrId::TPBrowserParent) {
context = TabParent::GetFrom(ipcContext.opener().get_PBrowserParent());
if (!context) {
mInvalidReason = "Child is-browser process tried to "
"open a null tab.";
return;
}
if (context->IsMozBrowserElement() &&
!ipcContext.isMozBrowserElement()) {
// If the TabParent corresponds to a browser element, then it can only
// open other browser elements, for security reasons. We should have
// checked this before calling the TabContext constructor, so this is
// a fatal error.
mInvalidReason = "Child is-browser process tried to "
"open a non-browser tab.";
return;
}
} else if (ipcContext.opener().type() == PBrowserOrId::TPBrowserChild) {
context = static_cast<TabChild*>(ipcContext.opener().get_PBrowserChild());
} else if (ipcContext.opener().type() == PBrowserOrId::TTabId) {
// We should never get here because this PopupIPCTabContext is only
// used for allocating a new tab id, not for allocating a PBrowser.
mInvalidReason = "Child process tried to open an tab without the opener information.";
return;
} else {
// This should be unreachable because PopupIPCTabContext::opener is not a
// nullable field.
mInvalidReason = "PopupIPCTabContext::opener was null (?!).";
return;
}
// Browser elements can't nest other browser elements. So if
// our opener is browser element, we must be a new DOM window
// opened by it. In that case we inherit our containing app ID
// (if any).
//
// Otherwise, we're a new app window and we inherit from our
// opener app.
isMozBrowserElement = ipcContext.isMozBrowserElement();
originAttributes = context->mOriginAttributes;
if (isMozBrowserElement) {
containingAppId = context->OwnOrContainingAppId();
} else {
containingAppId = context->mContainingAppId;
}
break;
}
case IPCTabContext::TFrameIPCTabContext: {
const FrameIPCTabContext &ipcContext =
aParams.get_FrameIPCTabContext();
isMozBrowserElement = ipcContext.isMozBrowserElement();
isPrerendered = ipcContext.isPrerendered();
containingAppId = ipcContext.frameOwnerAppId();
signedPkgOriginNoSuffix = ipcContext.signedPkgOriginNoSuffix();
presentationURL = ipcContext.presentationURL();
showAccelerators = ipcContext.showAccelerators();
showFocusRings = ipcContext.showFocusRings();
originAttributes = ipcContext.originAttributes();
break;
}
case IPCTabContext::TUnsafeIPCTabContext: {
// XXXcatalinb: This used *only* by ServiceWorkerClients::OpenWindow.
// It is meant as a temporary solution until service workers can
// provide a TabChild equivalent. Don't allow this on b2g since
// it might be used to escalate privileges.
#ifdef MOZ_B2G
mInvalidReason = "ServiceWorkerClients::OpenWindow is not supported.";
return;
#endif
if (!Preferences::GetBool("dom.serviceWorkers.enabled", false)) {
mInvalidReason = "ServiceWorkers should be enabled.";
return;
}
containingAppId = NO_APP_ID;
break;
}
default: {
MOZ_CRASH();
}
}
nsCOMPtr<mozIApplication> ownApp;
if (!isMozBrowserElement) {
// mAppId corresponds to OwnOrContainingAppId; if isMozBrowserElement is
// false then it's ownApp otherwise it's containingApp
ownApp = GetAppForId(originAttributes.mAppId);
if ((ownApp == nullptr) != (originAttributes.mAppId == NO_APP_ID)) {
mInvalidReason = "Got an ownAppId that didn't correspond to an app.";
return;
}
}
nsCOMPtr<mozIApplication> containingApp = GetAppForId(containingAppId);
if ((containingApp == nullptr) != (containingAppId == NO_APP_ID)) {
mInvalidReason = "Got a containingAppId that didn't correspond to an app.";
return;
}
bool rv;
rv = mTabContext.SetTabContext(isMozBrowserElement,
isPrerendered,
ownApp,
containingApp,
showAccelerators,
showFocusRings,
originAttributes,
signedPkgOriginNoSuffix,
presentationURL);
if (!rv) {
mInvalidReason = "Couldn't initialize TabContext.";
}
}
TabContext::TabContext(const IPCTabContext& aParams)
: mInitialized(true)
{
const IPCTabAppBrowserContext& appBrowser = aParams.appBrowserContext();
switch(appBrowser.type()) {
case IPCTabAppBrowserContext::TPopupIPCTabContext: {
const PopupIPCTabContext &ipcContext = appBrowser.get_PopupIPCTabContext();
TabContext *context;
if (ipcContext.openerParent()) {
context = static_cast<TabParent*>(ipcContext.openerParent());
if (context->IsBrowserElement() && !ipcContext.isBrowserElement()) {
// If the TabParent corresponds to a browser element, then it can only
// open other browser elements, for security reasons. We should have
// checked this before calling the TabContext constructor, so this is
// a fatal error.
MOZ_CRASH();
}
}
else if (ipcContext.openerChild()) {
context = static_cast<TabChild*>(ipcContext.openerChild());
}
else {
// This should be unreachable because PopupIPCTabContext::opener is not a
// nullable field.
MOZ_CRASH();
}
// Browser elements can't nest other browser elements. So if
// our opener is browser element, we must be a new DOM window
// opened by it. In that case we inherit our containing app ID
// (if any).
//
// Otherwise, we're a new app window and we inherit from our
// opener app.
if (ipcContext.isBrowserElement()) {
mIsBrowser = true;
mOwnAppId = nsIScriptSecurityManager::NO_APP_ID;
mContainingAppId = context->OwnOrContainingAppId();
}
else {
mIsBrowser = false;
mOwnAppId = context->mOwnAppId;
mContainingAppId = context->mContainingAppId;
}
break;
}
case IPCTabAppBrowserContext::TAppFrameIPCTabContext: {
const AppFrameIPCTabContext &ipcContext =
appBrowser.get_AppFrameIPCTabContext();
mIsBrowser = false;
mOwnAppId = ipcContext.ownAppId();
mContainingAppId = ipcContext.appFrameOwnerAppId();
break;
}
case IPCTabAppBrowserContext::TBrowserFrameIPCTabContext: {
const BrowserFrameIPCTabContext &ipcContext =
appBrowser.get_BrowserFrameIPCTabContext();
mIsBrowser = true;
mOwnAppId = nsIScriptSecurityManager::NO_APP_ID;
mContainingAppId = ipcContext.browserFrameOwnerAppId();
break;
}
case IPCTabAppBrowserContext::TVanillaFrameIPCTabContext: {
mIsBrowser = false;
mOwnAppId = nsIScriptSecurityManager::NO_APP_ID;
mContainingAppId = nsIScriptSecurityManager::NO_APP_ID;
break;
}
default: {
MOZ_CRASH();
}
}
mScrollingBehavior = aParams.scrollingBehavior();
}
MaybeInvalidTabContext::MaybeInvalidTabContext(const IPCTabContext& aParams)
: mInvalidReason(nullptr)
{
bool isBrowser = false;
uint32_t ownAppId = NO_APP_ID;
uint32_t containingAppId = NO_APP_ID;
const IPCTabAppBrowserContext& appBrowser = aParams.appBrowserContext();
switch(appBrowser.type()) {
case IPCTabAppBrowserContext::TPopupIPCTabContext: {
const PopupIPCTabContext &ipcContext = appBrowser.get_PopupIPCTabContext();
TabContext *context;
if (ipcContext.openerParent()) {
context = static_cast<TabParent*>(ipcContext.openerParent());
if (context->IsBrowserElement() && !ipcContext.isBrowserElement()) {
// If the TabParent corresponds to a browser element, then it can only
// open other browser elements, for security reasons. We should have
// checked this before calling the TabContext constructor, so this is
// a fatal error.
mInvalidReason = "Child is-browser process tried to "
"open a non-browser tab.";
return;
}
} else if (ipcContext.openerChild()) {
context = static_cast<TabChild*>(ipcContext.openerChild());
} else {
// This should be unreachable because PopupIPCTabContext::opener is not a
// nullable field.
mInvalidReason = "PopupIPCTabContext::opener was null (?!).";
return;
}
// Browser elements can't nest other browser elements. So if
// our opener is browser element, we must be a new DOM window
// opened by it. In that case we inherit our containing app ID
// (if any).
//
// Otherwise, we're a new app window and we inherit from our
// opener app.
if (ipcContext.isBrowserElement()) {
isBrowser = true;
ownAppId = NO_APP_ID;
containingAppId = context->OwnOrContainingAppId();
} else {
isBrowser = false;
ownAppId = context->mOwnAppId;
containingAppId = context->mContainingAppId;
}
break;
}
case IPCTabAppBrowserContext::TAppFrameIPCTabContext: {
const AppFrameIPCTabContext &ipcContext =
appBrowser.get_AppFrameIPCTabContext();
isBrowser = false;
ownAppId = ipcContext.ownAppId();
containingAppId = ipcContext.appFrameOwnerAppId();
break;
}
case IPCTabAppBrowserContext::TBrowserFrameIPCTabContext: {
const BrowserFrameIPCTabContext &ipcContext =
appBrowser.get_BrowserFrameIPCTabContext();
isBrowser = true;
ownAppId = NO_APP_ID;
containingAppId = ipcContext.browserFrameOwnerAppId();
break;
}
case IPCTabAppBrowserContext::TVanillaFrameIPCTabContext: {
isBrowser = false;
ownAppId = NO_APP_ID;
containingAppId = NO_APP_ID;
break;
}
default: {
MOZ_CRASH();
}
}
nsCOMPtr<mozIApplication> ownApp = GetAppForId(ownAppId);
if ((ownApp == nullptr) != (ownAppId == NO_APP_ID)) {
mInvalidReason = "Got an ownAppId that didn't correspond to an app.";
return;
}
nsCOMPtr<mozIApplication> containingApp = GetAppForId(containingAppId);
if ((containingApp == nullptr) != (containingAppId == NO_APP_ID)) {
mInvalidReason = "Got a containingAppId that didn't correspond to an app.";
return;
}
bool rv;
if (isBrowser) {
rv = mTabContext.SetTabContextForBrowserFrame(containingApp,
aParams.scrollingBehavior());
} else {
rv = mTabContext.SetTabContextForAppFrame(ownApp,
containingApp,
aParams.scrollingBehavior());
}
if (!rv) {
mInvalidReason = "Couldn't initialize TabContext.";
}
}
