GitLab

at 2024-08-06T15:54:56+02:00

Bug 1899180. If a channel is not nsIPrivateBrowsingChannel and has no load context, use the private browsing field from it's origin attributes. r=necko-reviewers,anti-tracking-reviewers,valentin

If the channel is not a nsIPrivateBrowsingChannel, and it also has no load context (eg inside svg images) then we will over write a non-zero mPrivateBrowsingId on the OriginAttributes of the channel with 0, making NS_UsePrivateBrowsing return false for the channel.

Differential Revision: https://phabricator.services.mozilla.com/D212083

@@ -15,6 +15,9 @@ skip-if = ["true"] # Bug 1207012 - Permaorange from an uncaught exception that i
  ["browser_bug1869938.js"]
  support-files = ["helper1869938.html"]
 +["browser_bug1899180.js"]
 +support-files = ["helper1899180.html"]
++
  ["browser_docshell_type_editor.js"]
  ["browser_image.js"]

 +/* This Source Code Form is subject to the terms of the Mozilla Public
 + * License, v. 2.0. If a copy of the MPL was not distributed with this
 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
++
 +/*
 + * This test opens a private browsing window, then opens a content page in it
 + * that loads an svg image that contains an image to an external protocol.
 + * This tests that we don't hit an assert in this situation.
 + */
++
 +add_task(async function test() {
 +  function httpURL(filename) {
 +    let chromeURL = getRootDirectory(gTestPath) + filename;
 +    return chromeURL.replace(
 +      "chrome://mochitests/content/",
 +      "http://mochi.test:8888/"
 +    );
 +  }
++
 +  let win = await BrowserTestUtils.openNewBrowserWindow({ private: true });
++
 +  let tab = (win.gBrowser.selectedTab = BrowserTestUtils.addTab(
 +    win.gBrowser,
 +    "about:blank"
 +  ));
++
 +  await BrowserTestUtils.browserLoaded(tab.linkedBrowser);
++
 +  const pageUrl = httpURL("helper1899180.html");
++
 +  BrowserTestUtils.startLoadingURIString(tab.linkedBrowser, pageUrl);
++
 +  await BrowserTestUtils.browserLoaded(tab.linkedBrowser);
++
 +  await new Promise(resolve => {
 +    waitForFocus(resolve, win);
 +  });
++
 +  // do a couple rafs here to ensure its loaded and displayed
 +  await new Promise(r => requestAnimationFrame(r));
 +  await new Promise(r => requestAnimationFrame(r));
++
 +  await BrowserTestUtils.closeWindow(win);
++
 +  win = null;
 +  tab = null;
++
 +  ok(true, "we got here and didn't crash/assert");
 +});

 +<!DOCTYPE html>
 +<html>
 +<!-- just an svg that contains an image whose src points to a protocol that firefox doesn't support -->
 +<img src='data:image/svg+xml;charset=UTF-8,<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 120 120"><image width="10" height="10" xlink:href="C:\doesntmatter.png"/></svg>'/>
 +</html>

@@ -906,7 +906,13 @@ void Zone::clearScriptCounts(Realm* realm) {
    // Clear all hasScriptCounts_ flags of BaseScript, in order to release all
    // ScriptCounts entries of the given realm.
    for (auto i = scriptCountsMap->modIter(); !i.done(); i.next()) {
 -    BaseScript* script = i.get().key();
 +    const HeapPtr<BaseScript*>& script = i.get().key();
 +    if (IsAboutToBeFinalized(script)) {
 +      // Dead scripts may be present during incremental GC until script
 +      // finalizers have been run.
 +      continue;
 +    }
++
      if (script->realm() != realm) {
        continue;
+     }
@@ -927,7 +933,13 @@ void Zone::clearScriptLCov(Realm* realm) {
+   }
    for (auto i = scriptLCovMap->modIter(); !i.done(); i.next()) {
 -    BaseScript* script = i.get().key();
 +    const HeapPtr<BaseScript*>& script = i.get().key();
 +    if (IsAboutToBeFinalized(script)) {
 +      // Dead scripts may be present during incremental GC until script
 +      // finalizers have been run.
 +      continue;
 +    }
++
      if (script->realm() == realm) {
        i.remove();
+     }

 +// |jit-test| --fuzzing-safe; --ion-offthread-compile=off
 +gczeal(0);
++
 +let g = newGlobal({newCompartment: true});
 +let dbg = new Debugger(g);
++
 +dbg.collectCoverageInfo = true;
 +g.eval("0");
++
 +// Start a GC in the debugger's zone and yield after sweeping objects.
 +schedulezone(g);
 +gczeal(22);
 +startgc(100);
++
 +dbg.collectCoverageInfo = false;

ma1 pushed to branch base-browser-128.1.0esr-14.0-1 at The Tor Project / Applications / Tor Browser

Commits:

6 changed files:

Changes:

@@ -447,7 +447,7 @@ bool StoragePrincipalHelper::GetOriginAttributes(
    nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo();
    loadInfo->GetOriginAttributes(&aAttributes);
 -  bool isPrivate = false;
 +  bool isPrivate = aAttributes.mPrivateBrowsingId > 0;
    nsCOMPtr<nsIPrivateBrowsingChannel> pbChannel = do_QueryInterface(aChannel);
    if (pbChannel) {
      nsresult rv = pbChannel->GetIsChannelPrivate(&isPrivate);
@@ -456,7 +456,9 @@ bool StoragePrincipalHelper::GetOriginAttributes(
      // Some channels may not implement nsIPrivateBrowsingChannel
      nsCOMPtr<nsILoadContext> loadContext;
      NS_QueryNotificationCallbacks(aChannel, loadContext);
 -    isPrivate = loadContext && loadContext->UsePrivateBrowsing();
 +    if (loadContext) {
 +      isPrivate = loadContext->UsePrivateBrowsing();
 +    }
+   }
    aAttributes.SyncAttributesWithPrivateBrowsing(isPrivate);