Bug 833935 - Warn when child is about to issue illegal IPDL request. …

…r=jdm

netwerk/cookie/CookieServiceChild.cpp

@@ -124,6 +124,9 @@ CookieServiceChild::GetCookieStringInternal(nsIURI *aHostURI,
     if (iTabChild) {
       tabChild = static_cast<mozilla::dom::TabChild*>(iTabChild.get());
     }
+    if (MissingRequiredTabChild(tabChild, "cookie")) {
+      return NS_ERROR_ILLEGAL_VALUE;
+    }
   }
 
   // Synchronously call the parent.
@@ -166,6 +169,9 @@ CookieServiceChild::SetCookieStringInternal(nsIURI *aHostURI,
     if (iTabChild) {
       tabChild = static_cast<mozilla::dom::TabChild*>(iTabChild.get());
     }
+    if (MissingRequiredTabChild(tabChild, "cookie")) {
+      return NS_ERROR_ILLEGAL_VALUE;
+    }
   }
 
   // Synchronously call the parent.

netwerk/ipc/NeckoCommon.h

@@ -13,6 +13,10 @@
 #include "nsPrintfCString.h"
 #include "mozilla/Preferences.h"
 
+namespace mozilla { namespace dom {
+class TabChild;
+}}
+
 #if defined(DEBUG) || defined(ENABLE_TESTS)
 # define NECKO_ERRORS_ARE_FATAL_DEFAULT true
 #else
@@ -111,6 +115,25 @@ UsingNeckoIPCSecurity()
   return !securityDisabled;
 }
 
+inline bool
+MissingRequiredTabChild(mozilla::dom::TabChild* tabChild,
+                        const char* context)
+{
+  if (UsingNeckoIPCSecurity()) {
+    // Bug 833935: during navigation away from page some loads may lack
+    // TabParent: we don't want to kill browser for that.  Doesn't happen in
+    // test harness, so fail in debug mode so we can catch new code that fails
+    // to pass security info.
+    MOZ_ASSERT(tabChild);
+
+    if (!tabChild) {
+      printf_stderr("WARNING: child tried to open %s IPDL channel w/o "
+                    "security info\n", context);
+      return true;
+    }
+  }
+  return false;
+}
 
 
 } // namespace net

netwerk/ipc/RemoteOpenFileChild.cpp

@@ -106,6 +106,9 @@ RemoteOpenFileChild::AsyncRemoteFileOpen(int32_t aFlags,
   if (aTabChild) {
     tabChild = static_cast<mozilla::dom::TabChild*>(aTabChild);
   }
+  if (MissingRequiredTabChild(tabChild, "remoteopenfile")) {
+    return NS_ERROR_ILLEGAL_VALUE;
+  }
 
 #if defined(XP_WIN) || defined(MOZ_WIDGET_COCOA)
   // Windows/OSX desktop builds skip remoting, and just open file in child

netwerk/protocol/ftp/FTPChannelChild.cpp

@@ -165,6 +165,9 @@ FTPChannelChild::AsyncOpen(::nsIStreamListener* listener, nsISupports* aContext)
   if (iTabChild) {
     tabChild = static_cast<mozilla::dom::TabChild*>(iTabChild.get());
   }
+  if (MissingRequiredTabChild(tabChild, "ftp")) {
+    return NS_ERROR_ILLEGAL_VALUE;
+  }
 
   // FIXME: like bug 558623, merge constructor+SendAsyncOpen into 1 IPC msg
   gNeckoChild->SendPFTPChannelConstructor(this, tabChild, IPC::SerializedLoadContext(this));

netwerk/protocol/http/HttpChannelChild.cpp

@@ -806,6 +806,9 @@ HttpChannelChild::ConnectParent(uint32_t id)
   if (iTabChild) {
     tabChild = static_cast<mozilla::dom::TabChild*>(iTabChild.get());
   }
+  if (MissingRequiredTabChild(tabChild, "http")) {
+    return NS_ERROR_ILLEGAL_VALUE;
+  }
 
   // The socket transport in the chrome process now holds a logical ref to us
   // until OnStopRequest, or we do a redirect, or we hit an IPDL error.
@@ -1044,6 +1047,9 @@ HttpChannelChild::AsyncOpen(nsIStreamListener *listener, nsISupports *aContext)
   if (iTabChild) {
     tabChild = static_cast<mozilla::dom::TabChild*>(iTabChild.get());
   }
+  if (MissingRequiredTabChild(tabChild, "http")) {
+    return NS_ERROR_ILLEGAL_VALUE;
+  }
 
   // The socket transport in the chrome process now holds a logical ref to us
   // until OnStopRequest, or we do a redirect, or we hit an IPDL error.

netwerk/protocol/websocket/WebSocketChannelChild.cpp

@@ -331,6 +331,9 @@ WebSocketChannelChild::AsyncOpen(nsIURI *aURI,
   if (iTabChild) {
     tabChild = static_cast<mozilla::dom::TabChild*>(iTabChild.get());
   }
+  if (MissingRequiredTabChild(tabChild, "websocket")) {
+    return NS_ERROR_ILLEGAL_VALUE;
+  }
 
   URIParams uri;
   SerializeURI(aURI, uri);

netwerk/protocol/wyciwyg/WyciwygChannelChild.cpp

@@ -603,6 +603,10 @@ WyciwygChannelChild::AsyncOpen(nsIStreamListener *aListener, nsISupports *aConte
   SerializeURI(mOriginalURI, originalURI);
 
   mozilla::dom::TabChild* tabChild = GetTabChild(this);
+  if (MissingRequiredTabChild(tabChild, "wyciwyg")) {
+    return NS_ERROR_ILLEGAL_VALUE;
+  }
+
   SendAsyncOpen(originalURI, mLoadFlags, IPC::SerializedLoadContext(this), tabChild);
 
   mSentAppData = true;

uriloader/prefetch/OfflineCacheUpdateChild.cpp

@@ -8,6 +8,7 @@
 #include "mozilla/dom/ContentChild.h"
 #include "mozilla/dom/TabChild.h"
 #include "mozilla/ipc/URIUtils.h"
+#include "mozilla/net/NeckoCommon.h"
 
 #include "nsIApplicationCacheContainer.h"
 #include "nsIApplicationCacheChannel.h"
@@ -31,6 +32,8 @@
 #include "nsIAsyncVerifyRedirectCallback.h"
 
 using namespace mozilla::ipc;
+using namespace mozilla::net;
+using mozilla::dom::TabChild;
 
 #if defined(PR_LOGGING)
 //
@@ -406,19 +409,18 @@ OfflineCacheUpdateChild::Schedule()
     item->GetTreeOwner(getter_AddRefs(owner));
 
     nsCOMPtr<nsITabChild> tabchild = do_GetInterface(owner);
-    if (!tabchild) {
-      NS_WARNING("tab is null");
+    // because owner implements nsITabChild, we can assume that it is
+    // the one and only TabChild.
+    TabChild* child = tabchild ? static_cast<TabChild*>(tabchild.get()) : nullptr;
+
+    if (MissingRequiredTabChild(child, "offlinecacheupdate")) {
       return NS_ERROR_FAILURE;
     }
 
     URIParams manifestURI, documentURI;
     SerializeURI(mManifestURI, manifestURI);
     SerializeURI(mDocumentURI, documentURI);
 
-    // because owner implements nsITabChild, we can assume that it is
-    // the one and only TabChild.
-    mozilla::dom::TabChild* child = static_cast<mozilla::dom::TabChild*>(tabchild.get());
-
     nsCOMPtr<nsIObserverService> observerService =
       mozilla::services::GetObserverService();
     if (observerService) {