Bug 782542 - Secure necko IPDL usage. r=ted,jduell

* * *
Bug 782542 - Disable network.ipc security for certain mochitests r=ted
* * *
Bug 782542.  Disable some more tests that use mozbrowser w/o app r?ted
* * *
Bug 782542 : yet another test needs tweaking. r?ted

content/base/test/test_child_process_shutdown_message.html

@@ -112,6 +112,10 @@
   SpecialPowers.setBoolPref("dom.ipc.browser_frames.oop_by_default", true);
   SpecialPowers.addPermission("browser", true, window.document);
   SpecialPowers.addPermission("embed-apps", true, window.document);
+
+  // TODO: remove in bug 820712
+  SpecialPowers.setBoolPref("network.disable.ipc.security", true);
+
   runNextTest();
 }
 
@@ -136,6 +140,10 @@
 function tearDown() {
   SpecialPowers.clearUserPref("dom.mozBrowserFramesEnabled");
   SpecialPowers.clearUserPref("dom.ipc.browser_frames.oop_by_default");
+
+  // TODO: remove in bug 820712
+  SpecialPowers.clearUserPref("network.disable.ipc.security");
+
   SimpleTest.finish();
 }
 

docshell/base/LoadContext.cpp

@@ -8,22 +8,12 @@
 #include "nsIScriptSecurityManager.h"
 #include "nsServiceManagerUtils.h"
 #include "nsContentUtils.h"
+#include "mozIApplication.h"
 
 namespace mozilla {
 
 NS_IMPL_ISUPPORTS1(LoadContext, nsILoadContext);
 
-LoadContext::LoadContext(const IPC::SerializedLoadContext& aToCopy,
-                         nsIDOMElement* aTopFrameElemenet)
-  : mIsNotNull(aToCopy.mIsNotNull)
-  , mIsContent(aToCopy.mIsContent)
-  , mUsePrivateBrowsing(aToCopy.mUsePrivateBrowsing)
-  , mIsInBrowserElement(aToCopy.mIsInBrowserElement)
-  , mAppId(aToCopy.mAppId)
-  , mTopFrameElement(do_GetWeakReference(aTopFrameElemenet))
-{}
-
-
 //-----------------------------------------------------------------------------
 // LoadContext::nsILoadContext
 //-----------------------------------------------------------------------------

docshell/base/LoadContext.h

@@ -10,6 +10,9 @@
 #include "SerializedLoadContext.h"
 #include "mozilla/Attributes.h"
 #include "nsWeakReference.h"
+#include "nsIDOMElement.h"
+
+class mozIApplication;
 
 namespace mozilla {
 
@@ -29,17 +32,19 @@ class LoadContext MOZ_FINAL : public nsILoadContext
   NS_DECL_ISUPPORTS
   NS_DECL_NSILOADCONTEXT
 
-  LoadContext(const IPC::SerializedLoadContext& aToCopy)
+  // AppId/inBrowser arguments override those in SerializedLoadContext provided
+  // by child process.
+  LoadContext(const IPC::SerializedLoadContext& aToCopy,
+              nsIDOMElement* aTopFrameElement,
+              uint32_t aAppId, bool aInBrowser)
     : mIsNotNull(aToCopy.mIsNotNull)
     , mIsContent(aToCopy.mIsContent)
     , mUsePrivateBrowsing(aToCopy.mUsePrivateBrowsing)
-    , mIsInBrowserElement(aToCopy.mIsInBrowserElement)
-    , mAppId(aToCopy.mAppId)
+    , mIsInBrowserElement(aInBrowser)
+    , mAppId(aAppId)
+    , mTopFrameElement(do_GetWeakReference(aTopFrameElement))
   {}
 
-  LoadContext(const IPC::SerializedLoadContext& aToCopy,
-              nsIDOMElement* aTopFrameElemenet);
-
 private:
   bool          mIsNotNull;
   bool          mIsContent;

dom/browser-element/mochitest/browserElementTestHelpers.js

@@ -65,6 +65,14 @@ const browserElementTestHelpers = {
     return this._setBoolPref("dom.ipc.browser_frames.oop_by_default", value);
   },
 
+  getIPCSecurityDisabledPref: function() {
+    return this._getBoolPref("network.disable.ipc.security");
+  },
+
+  setIPCSecurityDisabledPref: function(value) {
+    return this._setBoolPref("network.disable.ipc.security", value);
+  },
+
   getPageThumbsEnabledPref: function() {
     return this._getBoolPref('browser.pageThumbs.enabled');
   },
@@ -94,13 +102,15 @@ const browserElementTestHelpers = {
     this.setOOPDisabledPref(this.origOOPDisabledPref);
     this.setOOPByDefaultPref(this.origOOPByDefaultPref);
     this.setPageThumbsEnabledPref(this.origPageThumbsEnabledPref);
+    this.setIPCSecurityDisabledPref(this.origIPCSecurityPref);
     this.removeAllTempPermissions();
   },
 
   'origEnabledPref': null,
   'origOOPDisabledPref': null,
   'origOOPByDefaultPref': null,
   'origPageThumbsEnabledPref': null,
+  'origIPCSecurityPref': null,
   'tempPermissions': [],
 
   // Some basically-empty pages from different domains you can load.
@@ -122,6 +132,7 @@ browserElementTestHelpers.origEnabledPref = browserElementTestHelpers.getEnabled
 browserElementTestHelpers.origOOPDisabledPref = browserElementTestHelpers.getOOPDisabledPref();
 browserElementTestHelpers.origOOPByDefaultPref = browserElementTestHelpers.getOOPByDefaultPref();
 browserElementTestHelpers.origPageThumbsEnabledPref = browserElementTestHelpers.getPageThumbsEnabledPref();
+browserElementTestHelpers.origIPCSecurityPref = browserElementTestHelpers.getIPCSecurityDisabledPref();
 
 // Disable tab view; it seriously messes us up.
 browserElementTestHelpers.setPageThumbsEnabledPref(false);
@@ -133,6 +144,10 @@ var oop = location.pathname.indexOf('_inproc_') == -1;
 browserElementTestHelpers.setOOPByDefaultPref(oop);
 browserElementTestHelpers.setOOPDisabledPref(false);
 
+// Disable the networking security checks; our test harness just tests browser elements
+// without sticking them in apps, and the security checks dislike that.
+browserElementTestHelpers.setIPCSecurityDisabledPref(true);
+
 addEventListener('unload', function() {
   browserElementTestHelpers.restoreOriginalPrefs();
 });

dom/devicestorage/ipc/test_ipc.html

@@ -153,6 +153,9 @@
           ["device.storage.testing", true],
           ["device.storage.prompt.testing", true],
 
+          // TODO: remove this as part of bug 820712
+          ["network.disable.ipc.security", true],
+
           ["dom.ipc.browser_frames.oop_by_default", true],
           ["dom.mozBrowserFramesEnabled", true],
           ["browser.pageThumbs.enabled", false]

dom/indexedDB/ipc/test_ipc.html

@@ -168,6 +168,9 @@
       SpecialPowers.addPermission("browser", true, document);
       SpecialPowers.pushPrefEnv({
         "set": [
+          // TODO: remove this as part of bug 820712
+          ["network.disable.ipc.security", true],
+
           ["dom.ipc.browser_frames.oop_by_default", true],
           ["dom.mozBrowserFramesEnabled", true]
         ]

dom/indexedDB/test/file_app_isolation.js

@@ -159,5 +159,10 @@ if (!SpecialPowers.isMainProcess()) {
   todo(false, "We should make this work on content process");
   SimpleTest.finish();
 } else {
-  startTest();
+  // TODO: remove unsetting network.disable.ipc.security as part of bug 820712
+  SpecialPowers.pushPrefEnv({
+    "set": [
+      ["network.disable.ipc.security", true],
+    ]
+  }, startTest);
 }

dom/ipc/PBrowser.ipdl

@@ -214,8 +214,6 @@ parent:
      *   URI of the manifest to fetch, the application cache group ID
      * @param documentURI
      *   URI of the document that referred the manifest
-     * @param clientID
-     *   The group cache version identifier to use
      * @param stickDocument
      *   True if the update was initiated by a document load that referred
      *   a manifest.
@@ -233,7 +231,6 @@ parent:
      *   has already been cached (stickDocument=false).
      */
     POfflineCacheUpdate(URIParams manifestURI, URIParams documentURI,
-                        bool isInBrowserElement, uint32_t appId,
                         bool stickDocument);
 
     sync PIndexedDB(nsCString asciiOrigin)

dom/ipc/TabChild.cpp

@@ -1577,8 +1577,6 @@ TabChild::RecvActivateFrameEvent(const nsString& aType, const bool& capture)
 POfflineCacheUpdateChild*
 TabChild::AllocPOfflineCacheUpdate(const URIParams& manifestURI,
                                    const URIParams& documentURI,
-                                   const bool& isInBrowserElement,
-                                   const uint32_t& appId,
                                    const bool& stickDocument)
 {
   NS_RUNTIMEABORT("unused");

dom/ipc/TabChild.h

@@ -277,8 +277,6 @@ class TabChild : public PBrowserChild,
     virtual POfflineCacheUpdateChild* AllocPOfflineCacheUpdate(
             const URIParams& manifestURI,
             const URIParams& documentURI,
-            const bool& isInBrowserElement,
-            const uint32_t& appId,
             const bool& stickDocument);
     virtual bool DeallocPOfflineCacheUpdate(POfflineCacheUpdateChild* offlineCacheUpdate);
 

dom/ipc/TabParent.cpp

@@ -1128,15 +1128,13 @@ TabParent::DeallocPRenderFrame(PRenderFrameParent* aFrame)
 mozilla::docshell::POfflineCacheUpdateParent*
 TabParent::AllocPOfflineCacheUpdate(const URIParams& aManifestURI,
                                     const URIParams& aDocumentURI,
-                                    const bool& isInBrowserElement,
-                                    const uint32_t& appId,
                                     const bool& stickDocument)
 {
   nsRefPtr<mozilla::docshell::OfflineCacheUpdateParent> update =
-    new mozilla::docshell::OfflineCacheUpdateParent();
+    new mozilla::docshell::OfflineCacheUpdateParent(OwnOrContainingAppId(),
+                                                    IsBrowserElement());
 
-  nsresult rv = update->Schedule(aManifestURI, aDocumentURI,
-                                 isInBrowserElement, appId, stickDocument);
+  nsresult rv = update->Schedule(aManifestURI, aDocumentURI, stickDocument);
   if (NS_FAILED(rv))
     return nullptr;
 

dom/ipc/TabParent.h

@@ -191,8 +191,6 @@ class TabParent : public PBrowserParent
     virtual POfflineCacheUpdateParent* AllocPOfflineCacheUpdate(
             const URIParams& aManifestURI,
             const URIParams& aDocumentURI,
-            const bool& isInBrowserElement,
-            const uint32_t& appId,
             const bool& stickDocument);
     virtual bool DeallocPOfflineCacheUpdate(POfflineCacheUpdateParent* actor);
 

modules/libpref/src/init/all.js

@@ -770,6 +770,9 @@ pref("security.fileuri.strict_origin_policy", true);
 // the results
 pref("network.allow-experiments", true);
 
+// Turn off interprocess security checks. Needed to run xpcshell tests.
+pref("network.disable.ipc.security", false);
+
 // Default action for unlisted external protocol handlers
 pref("network.protocol-handler.external-default", true);      // OK to load
 pref("network.protocol-handler.warn-external-default", true); // warn before load

netwerk/cookie/CookieServiceChild.cpp

@@ -4,12 +4,14 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "mozilla/net/CookieServiceChild.h"
-
+#include "mozilla/dom/TabChild.h"
 #include "mozilla/ipc/URIUtils.h"
 #include "mozilla/net/NeckoChild.h"
 #include "nsIURI.h"
 #include "nsIPrefService.h"
 #include "nsIPrefBranch.h"
+#include "nsITabChild.h"
+#include "nsNetUtil.h"
 
 using namespace mozilla::ipc;
 
@@ -115,10 +117,19 @@ CookieServiceChild::GetCookieStringInternal(nsIURI *aHostURI,
   URIParams uriParams;
   SerializeURI(aHostURI, uriParams);
 
+  nsCOMPtr<nsITabChild> iTabChild;
+  mozilla::dom::TabChild* tabChild = nullptr;
+  if (aChannel) {
+    NS_QueryNotificationCallbacks(aChannel, iTabChild);
+    if (iTabChild) {
+      tabChild = static_cast<mozilla::dom::TabChild*>(iTabChild.get());
+    }
+  }
+
   // Synchronously call the parent.
   nsAutoCString result;
   SendGetCookieString(uriParams, !!isForeign, aFromHttp,
-                      IPC::SerializedLoadContext(aChannel), &result);
+                      IPC::SerializedLoadContext(aChannel), tabChild, &result);
   if (!result.IsEmpty())
     *aCookieString = ToNewCString(result);
 
@@ -148,9 +159,18 @@ CookieServiceChild::SetCookieStringInternal(nsIURI *aHostURI,
   URIParams uriParams;
   SerializeURI(aHostURI, uriParams);
 
+  nsCOMPtr<nsITabChild> iTabChild;
+  mozilla::dom::TabChild* tabChild = nullptr;
+  if (aChannel) {
+    NS_QueryNotificationCallbacks(aChannel, iTabChild);
+    if (iTabChild) {
+      tabChild = static_cast<mozilla::dom::TabChild*>(iTabChild.get());
+    }
+  }
+
   // Synchronously call the parent.
   SendSetCookieString(uriParams, !!isForeign, cookieString, serverTime,
-                      aFromHttp, IPC::SerializedLoadContext(aChannel));
+                      aFromHttp, IPC::SerializedLoadContext(aChannel), tabChild);
   return NS_OK;
 }
 

netwerk/cookie/CookieServiceParent.cpp

@@ -4,32 +4,44 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "mozilla/net/CookieServiceParent.h"
+#include "mozilla/dom/PBrowserParent.h"
+#include "mozilla/net/NeckoParent.h"
 
 #include "mozilla/ipc/URIUtils.h"
 #include "nsCookieService.h"
 #include "nsNetUtil.h"
+#include "nsPrintfCString.h"
 
 using namespace mozilla::ipc;
-
-static void
-GetAppInfoFromLoadContext(const IPC::SerializedLoadContext &aLoadContext,
-                          uint32_t& aAppId,
-                          bool& aIsInBrowserElement,
-                          bool& aIsPrivate)
+using mozilla::dom::PBrowserParent;
+using mozilla::net::NeckoParent;
+
+MOZ_WARN_UNUSED_RESULT
+static bool
+GetAppInfoFromParams(const IPC::SerializedLoadContext &aLoadContext,
+                     PBrowserParent* aBrowser,
+                     uint32_t& aAppId,
+                     bool& aIsInBrowserElement,
+                     bool& aIsPrivate) 
 {
-  // TODO: bug 782542: what to do when we get null loadContext?  For now assume
-  // NECKO_NO_APP_ID.
   aAppId = NECKO_NO_APP_ID;
   aIsInBrowserElement = false;
   aIsPrivate = false;
 
-  if (aLoadContext.IsNotNull()) {
-    aAppId = aLoadContext.mAppId;
-    aIsInBrowserElement = aLoadContext.mIsInBrowserElement;
+  const char* error = NeckoParent::GetValidatedAppInfo(aLoadContext, aBrowser,
+                                                       &aAppId,
+                                                       &aIsInBrowserElement);
+  if (error) {
+    NS_WARNING(nsPrintfCString("CookieServiceParent: GetAppInfoFromParams: "
+                               "FATAL error: %s: KILLING CHILD PROCESS\n",
+                               error).get());
+    return false;
   }
 
   if (aLoadContext.IsPrivateBitValid())
     aIsPrivate = aLoadContext.mUsePrivateBrowsing;
+
+  return true;
 }
 
 namespace mozilla {
@@ -57,6 +69,7 @@ CookieServiceParent::RecvGetCookieString(const URIParams& aHost,
                                          const bool& aFromHttp,
                                          const IPC::SerializedLoadContext&
                                                aLoadContext,
+                                         PBrowserParent* aBrowser,
                                          nsCString* aResult)
 {
   if (!mCookieService)
@@ -70,10 +83,15 @@ CookieServiceParent::RecvGetCookieString(const URIParams& aHost,
 
   uint32_t appId;
   bool isInBrowserElement, isPrivate;
-  GetAppInfoFromLoadContext(aLoadContext, appId, isInBrowserElement, isPrivate);
+  bool valid = GetAppInfoFromParams(aLoadContext, aBrowser, appId,
+                                    isInBrowserElement, isPrivate);
+  if (!valid) {
+    return false;
+  }
 
   mCookieService->GetCookieStringInternal(hostURI, aIsForeign, aFromHttp, appId,
-                                          isInBrowserElement, isPrivate, *aResult);
+                                          isInBrowserElement, isPrivate,
+                                          *aResult);
   return true;
 }
 
@@ -84,7 +102,8 @@ CookieServiceParent::RecvSetCookieString(const URIParams& aHost,
                                          const nsCString& aServerTime,
                                          const bool& aFromHttp,
                                          const IPC::SerializedLoadContext&
-                                               aLoadContext)
+                                               aLoadContext,
+                                         PBrowserParent* aBrowser)
 {
   if (!mCookieService)
     return true;
@@ -97,7 +116,11 @@ CookieServiceParent::RecvSetCookieString(const URIParams& aHost,
 
   uint32_t appId;
   bool isInBrowserElement, isPrivate;
-  GetAppInfoFromLoadContext(aLoadContext, appId, isInBrowserElement, isPrivate);
+  bool valid = GetAppInfoFromParams(aLoadContext, aBrowser, appId,
+                                    isInBrowserElement, isPrivate);
+  if (!valid) {
+    return false;
+  }
 
   nsDependentCString cookieString(aCookieString, 0);
   //TODO: bug 812475, pass a real channel object