[Git][tpo/applications/tor-browser][tor-browser-115.13.0esr-13.5-1] 11 commits: Bug 1743329 - Handle ESC key to release pointer lock in parent process; r=smaug - tor-commits

9 Jul 2024


      ma1 pushed to branch tor-browser-115.13.0esr-13.5-1 at The Tor Project / Applications / Tor Browser


Commits:
cf5b43c4 by Edgar Chen at 2024-07-08T17:07:59+02:00
Bug 1743329 - Handle ESC key to release pointer lock in parent process; r=smaug

Differential Revision: https://phabricator.services.mozilla.com/D211621
- - - - -
0405b9bc by Edgar Chen at 2024-07-09T10:30:51+02:00
Bug 1743329 - Release pointer lock when xul popup is open; r=smaug,pbz

Differential Revision: https://phabricator.services.mozilla.com/D211620

- - - - -
76ccec93 by Edgar Chen at 2024-07-09T14:55:38+02:00
Bug 1743329 - Use nsMenuPopupFrame in GetVisiblePopups(); r=smaug

Differential Revision: https://phabricator.services.mozilla.com/D211619

A further change was needed in nsCaret.cpp, see
https://gitlab.torproject.org/tpo/applications/tor-browser/-/merge_requests/...

- - - - -
facbce89 by Otto Länd at 2024-07-09T14:56:07+02:00
Bug 1743329: apply code formatting via Lando

# ignore-this-changeset
- - - - -
caf39658 by edgul at 2024-07-09T16:09:28+02:00
Bug 1879952 - Fix test expectations with samesite=lax turned on r=tschuster

Differential Revision: https://phabricator.services.mozilla.com/D201639
- - - - -
50a92664 by edgul at 2024-07-09T16:09:29+02:00
Bug 1844827 - Added checks for sub-document navigations from cross-site to same-site in third-party checks when setting a cookie. r=cookie-reviewers,valentin,bvandersloot a=RyanVM

Differential Revision: https://phabricator.services.mozilla.com/D204074
- - - - -
f7fe0408 by Ed at 2024-07-09T16:09:29+02:00
Bug 1844827 - Update the cookie test expectations for iframe samesite r=cookie-reviewers,valentin a=RyanVM

Depends on D199770

Differential Revision: https://phabricator.services.mozilla.com/D199772
- - - - -
d5c45977 by Julian Descottes at 2024-07-09T16:09:30+02:00
Bug 1880374 - Disable DNS prefetching if document nodePrincipal is systemPrincipal r=valentin

Differential Revision: https://phabricator.services.mozilla.com/D210830
- - - - -
f70cc12f by Edgar Chen at 2024-07-09T16:09:30+02:00
Bug 1883396 - Exit fullscreen when two Escape keyup events occur in a short time; r=smaug

Differential Revision: https://phabricator.services.mozilla.com/D209667

- - - - -
956347dd by Jan de Mooij at 2024-07-09T16:09:31+02:00
Bug 1900523 - Don't use bailout data for JSJitToWasm frames. r=iain

Differential Revision: https://phabricator.services.mozilla.com/D212554
- - - - -
dd7037b5 by Jan de Mooij at 2024-07-09T16:09:31+02:00
Bug 1902983 - Don't use bailout data after iterating Wasm frames.  a=RyanVM

This is similar to bug 1900523, but the fix there was incomplete because the
`JSJitToWasm` frame type is only used when we go through the Wasm JIT entry
trampoline. Ion can also call Wasm functions directly and in that case the type
will be `FrameType::Exit`.

Original Revision: https://phabricator.services.mozilla.com/D214098

Differential Revision: https://phabricator.services.mozilla.com/D214375
- - - - -


22 changed files:

- browser/base/content/test/popupNotifications/browser_popupNotification_security_delay.js
- dom/base/PointerLockManager.cpp
- dom/base/PointerLockManager.h
- dom/html/HTMLDNSPrefetch.cpp
- dom/ipc/BrowserChild.cpp
- dom/ipc/BrowserChild.h
- dom/ipc/BrowserParent.cpp
- dom/ipc/PBrowser.ipdl
- + js/src/jit-test/tests/ion/bug1900523.js
- + js/src/jit-test/tests/ion/bug1902983.js
- js/src/jit/JSJitFrameIter.cpp
- js/src/jit/JSJitFrameIter.h
- layout/base/PresShell.cpp
- layout/base/PresShell.h
- layout/base/nsCaret.cpp
- layout/base/nsLayoutUtils.cpp
- layout/xul/nsXULPopupManager.cpp
- layout/xul/nsXULPopupManager.h
- modules/libpref/init/StaticPrefList.yaml
- netwerk/cookie/CookieService.cpp
- netwerk/cookie/CookieServiceChild.cpp
- testing/web-platform/meta/cookies/samesite/setcookie-navigation.https.html.ini


Changes:

=====================================
browser/base/content/test/popupNotifications/browser_popupNotification_security_delay.js
=====================================
@@ -558,5 +558,7 @@ add_task(async function test_notificationDuringFullScreenTransition() {
     info("Wait for full screen transition end.");
     await promiseFullScreenTransitionEnd;
     info("Full screen transition end");
+
+    await SpecialPowers.popPrefEnv();
   });
 });


=====================================
dom/base/PointerLockManager.cpp
=====================================
@@ -17,8 +17,10 @@
 #include "mozilla/dom/BrowsingContext.h"
 #include "mozilla/dom/Document.h"
 #include "mozilla/dom/Element.h"
+#include "mozilla/dom/PointerEventHandler.h"
 #include "mozilla/dom/WindowContext.h"
 #include "nsCOMPtr.h"
+#include "nsMenuPopupFrame.h"
 #include "nsSandboxFlags.h"
 
 namespace mozilla {
@@ -86,6 +88,25 @@ static void DispatchPointerLockError(Document* aTarget, const char* aMessage) {
                                   aMessage);
 }
 
+static bool IsPopupOpened() {
+  // Check if any popup is open.
+  nsXULPopupManager* pm = nsXULPopupManager::GetInstance();
+  if (!pm) {
+    return false;
+  }
+
+  nsTArray<nsMenuPopupFrame*> popups;
+  pm->GetVisiblePopups(popups, true);
+
+  for (nsMenuPopupFrame* popup : popups) {
+    if (popup->GetPopupType() != widget::PopupType::Tooltip) {
+      return true;
+    }
+  }
+
+  return false;
+}
+
 static const char* GetPointerLockError(Element* aElement, Element* aCurrentLock,
                                        bool aNoFocusCheck = false) {
   // Check if pointer lock pref is enabled
@@ -136,6 +157,10 @@ static const char* GetPointerLockError(Element* aElement, Element* aCurrentLock,
     }
   }
 
+  if (IsPopupOpened()) {
+    return "PointerLockDeniedFailedToLock";
+  }
+
   return nullptr;
 }
 
@@ -167,6 +192,14 @@ void PointerLockManager::RequestLock(Element* aElement,
 
 /* static */
 void PointerLockManager::Unlock(Document* aDoc) {
+  if (sLockedRemoteTarget) {
+    MOZ_ASSERT(XRE_IsParentProcess());
+    MOZ_ASSERT(!sIsLocked);
+    Unused << sLockedRemoteTarget->SendReleasePointerLock();
+    sLockedRemoteTarget = nullptr;
+    return;
+  }
+
   if (!sIsLocked) {
     return;
   }
@@ -311,14 +344,24 @@ bool PointerLockManager::IsInLockContext(BrowsingContext* aContext) {
 }
 
 /* static */
-bool PointerLockManager::SetLockedRemoteTarget(BrowserParent* aBrowserParent) {
+void PointerLockManager::SetLockedRemoteTarget(BrowserParent* aBrowserParent,
+                                               nsACString& aError) {
   MOZ_ASSERT(XRE_IsParentProcess());
   if (sLockedRemoteTarget) {
-    return sLockedRemoteTarget == aBrowserParent;
+    if (sLockedRemoteTarget != aBrowserParent) {
+      aError = "PointerLockDeniedInUse"_ns;
+    }
+    return;
+  }
+
+  // Check if any popup is open.
+  if (IsPopupOpened()) {
+    aError = "PointerLockDeniedFailedToLock"_ns;
+    return;
   }
 
   sLockedRemoteTarget = aBrowserParent;
-  return true;
+  PointerEventHandler::ReleaseAllPointerCaptureRemoteTarget();
 }
 
 /* static */


=====================================
dom/base/PointerLockManager.h
=====================================
@@ -47,7 +47,8 @@ class PointerLockManager final {
 
   // Set/release pointer lock remote target. Should only be called in parent
   // process.
-  static bool SetLockedRemoteTarget(dom::BrowserParent* aBrowserParent);
+  static void SetLockedRemoteTarget(dom::BrowserParent* aBrowserParent,
+                                    nsACString& aError);
   static void ReleaseLockedRemoteTarget(dom::BrowserParent* aBrowserParent);
 
  private:


=====================================
dom/html/HTMLDNSPrefetch.cpp
=====================================
@@ -180,6 +180,13 @@ static bool EnsureDNSService() {
 }
 
 bool HTMLDNSPrefetch::IsAllowed(Document* aDocument) {
+  // Do not use prefetch if the document's node principal is the system
+  // principal.
+  nsCOMPtr<nsIPrincipal> principal = aDocument->NodePrincipal();
+  if (principal->IsSystemPrincipal()) {
+    return false;
+  }
+
   // There is no need to do prefetch on non UI scenarios such as XMLHttpRequest.
   return aDocument->IsDNSPrefetchAllowed() && aDocument->GetWindow();
 }


=====================================
dom/ipc/BrowserChild.cpp
=====================================
@@ -39,6 +39,7 @@
 #include "mozilla/MouseEvents.h"
 #include "mozilla/NativeKeyBindingsType.h"
 #include "mozilla/NullPrincipal.h"
+#include "mozilla/PointerLockManager.h"
 #include "mozilla/Preferences.h"
 #include "mozilla/PresShell.h"
 #include "mozilla/ProcessHangMonitor.h"
@@ -3184,6 +3185,11 @@ mozilla::ipc::IPCResult BrowserChild::RecvReleaseAllPointerCapture() {
   return IPC_OK();
 }
 
+mozilla::ipc::IPCResult BrowserChild::RecvReleasePointerLock() {
+  PointerLockManager::Unlock();
+  return IPC_OK();
+}
+
 PPaymentRequestChild* BrowserChild::AllocPPaymentRequestChild() {
   MOZ_CRASH(
       "We should never be manually allocating PPaymentRequestChild actors");


=====================================
dom/ipc/BrowserChild.h
=====================================
@@ -696,6 +696,8 @@ class BrowserChild final : public nsMessageManagerScriptExecutor,
 
   mozilla::ipc::IPCResult RecvReleaseAllPointerCapture();
 
+  mozilla::ipc::IPCResult RecvReleasePointerLock();
+
  private:
   void HandleDoubleTap(const CSSPoint& aPoint, const Modifiers& aModifiers,
                        const ScrollableLayerGuid& aGuid);


=====================================
dom/ipc/BrowserParent.cpp
=====================================
@@ -4088,15 +4088,14 @@ static BrowserParent* GetTopLevelBrowserParent(BrowserParent* aBrowserParent) {
 
 mozilla::ipc::IPCResult BrowserParent::RecvRequestPointerLock(
     RequestPointerLockResolver&& aResolve) {
-  nsCString error;
   if (sTopLevelWebFocus != GetTopLevelBrowserParent(this)) {
-    error = "PointerLockDeniedNotFocused";
-  } else if (!PointerLockManager::SetLockedRemoteTarget(this)) {
-    error = "PointerLockDeniedInUse";
-  } else {
-    PointerEventHandler::ReleaseAllPointerCaptureRemoteTarget();
+    aResolve("PointerLockDeniedNotFocused"_ns);
+    return IPC_OK();
   }
-  aResolve(error);
+
+  nsCString error;
+  PointerLockManager::SetLockedRemoteTarget(this, error);
+  aResolve(std::move(error));
   return IPC_OK();
 }
 


=====================================
dom/ipc/PBrowser.ipdl
=====================================
@@ -557,18 +557,17 @@ parent:
 
     async ImageLoadComplete(nsresult aResult);
 
-    /**
-     * Child informs the parent that a pointer lock has requested/released.
-     */
-    async RequestPointerLock() returns (nsCString error);
-    async ReleasePointerLock();
-
     /**
      * Child informs the parent that a pointer capture has requested/released.
      */
     async RequestPointerCapture(uint32_t aPointerId) returns (bool aSuccess);
     async ReleasePointerCapture(uint32_t aPointerId);
 
+    /**
+     * Child informs the parent that a pointer lock has requested.
+     */
+    async RequestPointerLock() returns (nsCString error);
+
     /**
      * This function is used to notify the parent that it should display a
      * onion services client authentication prompt.
@@ -578,6 +577,12 @@ parent:
      */
     async ShowOnionServicesAuthPrompt(nsCString aOnionHost, nsCString aTopic);
 
+both:
+    /**
+     * informs that a pointer lock has released.
+     */
+    async ReleasePointerLock();
+
 child:
     async NativeSynthesisResponse(uint64_t aObserverId, nsCString aResponse);
     async UpdateSHistory();


=====================================
js/src/jit-test/tests/ion/bug1900523.js
=====================================
@@ -0,0 +1,28 @@
+// |jit-test| --fast-warmup; --no-threads; skip-if: !wasmIsSupported()
+function f1() {
+  Promise.allSettled().catch(e => null);
+  do {
+    f2(10n, -1n);
+    try {
+      f2(-2147483648n);
+    } catch {}
+  } while (!inIon());
+}
+function f2(x, y) {
+  const z = x >> x;
+  z <= z ? z : z;
+  y ^ y;
+}
+const binary = wasmTextToBinary(`
+  (module
+    (import "m" "f" (func $f))
+    (func (export "test")
+      (call $f)
+    )
+  )
+`);
+const mod = new WebAssembly.Module(binary);
+const inst = new WebAssembly.Instance(mod, {"m": {"f": f1}});
+for (let i = 0; i < 6; i++) {
+  inst.exports.test();
+}


=====================================
js/src/jit-test/tests/ion/bug1902983.js
=====================================
@@ -0,0 +1,24 @@
+// |jit-test| --fast-warmup; --gc-zeal=21,100; skip-if: !wasmIsSupported()
+let counter = 0;
+function g() {
+    counter++;
+    const y = BigInt.asIntN(counter, -883678545n);
+    const z = y >> y;
+    BigInt.asUintN(2 ** counter, 883678545n);
+    try { g(); } catch (e) { }
+}
+function f() {
+    for (let i = 0; i < 5; i++) {
+        for (let j = 0; j < 30; j++) { }
+        Promise.allSettled().catch(e => null);
+        counter = 0;
+        g();
+    }
+}
+const binary = wasmTextToBinary(`(module (import "m" "f" (func $f)) (func (export "test") (call $f)))`);
+const mod = new WebAssembly.Module(binary);
+const inst = new WebAssembly.Instance(mod, { m: { f: f } });
+for (let i = 0; i < 100; i++) { }
+for (let i = 0; i < 5; i++) {
+    inst.exports.test();
+}


=====================================
js/src/jit/JSJitFrameIter.cpp
=====================================
@@ -26,22 +26,29 @@ using namespace js;
 using namespace js::jit;
 
 JSJitFrameIter::JSJitFrameIter(const JitActivation* activation)
-    : JSJitFrameIter(activation, FrameType::Exit, activation->jsExitFP()) {}
-
-JSJitFrameIter::JSJitFrameIter(const JitActivation* activation,
-                               FrameType frameType, uint8_t* fp)
-    : current_(fp),
-      type_(frameType),
-      resumePCinCurrentFrame_(nullptr),
-      cachedSafepointIndex_(nullptr),
+    : current_(activation->jsExitFP()),
+      type_(FrameType::Exit),
       activation_(activation) {
-  MOZ_ASSERT(type_ == FrameType::JSJitToWasm || type_ == FrameType::Exit);
+  // If we're currently performing a bailout, we have to use the activation's
+  // bailout data when we start iterating over the activation's frames.
   if (activation_->bailoutData()) {
     current_ = activation_->bailoutData()->fp();
     type_ = FrameType::Bailout;
-  } else {
-    MOZ_ASSERT(!TlsContext.get()->inUnsafeCallWithABI);
   }
+  MOZ_ASSERT(!TlsContext.get()->inUnsafeCallWithABI);
+}
+
+JSJitFrameIter::JSJitFrameIter(const JitActivation* activation,
+                               FrameType frameType, uint8_t* fp)
+    : current_(fp), type_(frameType), activation_(activation) {
+  // This constructor is only used when resuming iteration after iterating Wasm
+  // frames in the same JitActivation so ignore activation_->bailoutData().
+  //
+  // Note: FrameType::JSJitToWasm is used for JIT => Wasm calls through the Wasm
+  // JIT entry trampoline. FrameType::Exit is used for direct Ion => Wasm calls.
+  MOZ_ASSERT(fp > activation->jsOrWasmExitFP());
+  MOZ_ASSERT(type_ == FrameType::JSJitToWasm || type_ == FrameType::Exit);
+  MOZ_ASSERT(!TlsContext.get()->inUnsafeCallWithABI);
 }
 
 bool JSJitFrameIter::checkInvalidation() const {


=====================================
js/src/jit/JSJitFrameIter.h
=====================================
@@ -111,14 +111,14 @@ class JSJitFrameIter {
  protected:
   uint8_t* current_;
   FrameType type_;
-  uint8_t* resumePCinCurrentFrame_;
+  uint8_t* resumePCinCurrentFrame_ = nullptr;
 
   // Size of the current Baseline frame. Equivalent to
   // BaselineFrame::debugFrameSize_ in debug builds.
   mozilla::Maybe<uint32_t> baselineFrameSize_;
 
  private:
-  mutable const SafepointIndex* cachedSafepointIndex_;
+  mutable const SafepointIndex* cachedSafepointIndex_ = nullptr;
   const JitActivation* activation_;
 
   void dumpBaseline() const;


=====================================
layout/base/PresShell.cpp
=====================================
@@ -8463,24 +8463,46 @@ void PresShell::EventHandler::MaybeHandleKeyboardEventBeforeDispatch(
 
     // The event listeners in chrome can prevent this ESC behavior by
     // calling prevent default on the preceding keydown/press events.
-    if (!mPresShell->mIsLastChromeOnlyEscapeKeyConsumed &&
-        aKeyboardEvent->mMessage == eKeyUp) {
-      // ESC key released while in DOM fullscreen mode.
-      // Fully exit all browser windows and documents from
-      // fullscreen mode.
-      Document::AsyncExitFullscreen(nullptr);
+    if (aKeyboardEvent->mMessage == eKeyUp) {
+      bool shouldExitFullscreen =
+          !mPresShell->mIsLastChromeOnlyEscapeKeyConsumed;
+      if (!shouldExitFullscreen) {
+        if (mPresShell->mLastConsumedEscapeKeyUpForFullscreen &&
+            (aKeyboardEvent->mTimeStamp -
+             mPresShell->mLastConsumedEscapeKeyUpForFullscreen) <=
+                TimeDuration::FromMilliseconds(
+                    StaticPrefs::
+                        dom_fullscreen_force_exit_on_multiple_escape_interval())) {
+          shouldExitFullscreen = true;
+          mPresShell->mLastConsumedEscapeKeyUpForFullscreen = TimeStamp();
+        } else {
+          mPresShell->mLastConsumedEscapeKeyUpForFullscreen =
+              aKeyboardEvent->mTimeStamp;
+        }
+      }
+
+      if (shouldExitFullscreen) {
+        // ESC key released while in DOM fullscreen mode.
+        // Fully exit all browser windows and documents from
+        // fullscreen mode.
+        Document::AsyncExitFullscreen(nullptr);
+      }
     }
   }
 
-  nsCOMPtr<Document> pointerLockedDoc = PointerLockManager::GetLockedDocument();
-  if (!mPresShell->mIsLastChromeOnlyEscapeKeyConsumed && pointerLockedDoc) {
-    // XXX See above comment to understand the reason why this needs
-    //     to claim that the Escape key event is consumed by content
-    //     even though it will be dispatched only into chrome.
-    aKeyboardEvent->PreventDefaultBeforeDispatch(CrossProcessForwarding::eStop);
-    aKeyboardEvent->mFlags.mOnlyChromeDispatch = true;
-    if (aKeyboardEvent->mMessage == eKeyUp) {
-      PointerLockManager::Unlock();
+  if (XRE_IsParentProcess() &&
+      !mPresShell->mIsLastChromeOnlyEscapeKeyConsumed) {
+    if (PointerLockManager::GetLockedRemoteTarget() ||
+        PointerLockManager::IsLocked()) {
+      // XXX See above comment to understand the reason why this needs
+      //     to claim that the Escape key event is consumed by content
+      //     even though it will be dispatched only into chrome.
+      aKeyboardEvent->PreventDefaultBeforeDispatch(
+          CrossProcessForwarding::eStop);
+      aKeyboardEvent->mFlags.mOnlyChromeDispatch = true;
+      if (aKeyboardEvent->mMessage == eKeyUp) {
+        PointerLockManager::Unlock();
+      }
     }
   }
 }


=====================================
layout/base/PresShell.h
=====================================
@@ -3209,6 +3209,10 @@ class PresShell final : public nsStubDocumentObserver,
   bool mProcessingReflowCommands : 1;
   bool mPendingDidDoReflow : 1;
 
+  // The last TimeStamp when the keyup event did not exit fullscreen because it
+  // was consumed.
+  TimeStamp mLastConsumedEscapeKeyUpForFullscreen;
+
   struct CapturingContentInfo final {
     CapturingContentInfo()
         : mRemoteTarget(nullptr),


=====================================
layout/base/nsCaret.cpp
=====================================
@@ -855,7 +855,7 @@ size_t nsCaret::SizeOfIncludingThis(mozilla::MallocSizeOf aMallocSizeOf) const {
 bool nsCaret::IsMenuPopupHidingCaret() {
   // Check if there are open popups.
   nsXULPopupManager* popMgr = nsXULPopupManager::GetInstance();
-  nsTArray<nsIFrame*> popups;
+  nsTArray<nsMenuPopupFrame*> popups;
   popMgr->GetVisiblePopups(popups);
 
   if (popups.Length() == 0)
@@ -873,7 +873,7 @@ bool nsCaret::IsMenuPopupHidingCaret() {
   // If there's a menu popup open before the popup with
   // the caret, don't show the caret.
   for (uint32_t i = 0; i < popups.Length(); i++) {
-    nsMenuPopupFrame* popupFrame = static_cast<nsMenuPopupFrame*>(popups[i]);
+    nsMenuPopupFrame* popupFrame = popups[i];
     nsIContent* popupContent = popupFrame->GetContent();
 
     if (caretContent->IsInclusiveDescendantOf(popupContent)) {


=====================================
layout/base/nsLayoutUtils.cpp
=====================================
@@ -138,6 +138,7 @@
 #include "nsIScrollableFrame.h"
 #include "nsIWidget.h"
 #include "nsListControlFrame.h"
+#include "nsMenuPopupFrame.h"
 #include "nsPIDOMWindow.h"
 #include "nsPlaceholderFrame.h"
 #include "nsPresContext.h"
@@ -1757,10 +1758,10 @@ nsIFrame* nsLayoutUtils::GetPopupFrameForPoint(
   if (!pm) {
     return nullptr;
   }
-  nsTArray<nsIFrame*> popups;
+  nsTArray<nsMenuPopupFrame*> popups;
   pm->GetVisiblePopups(popups);
   // Search from top to bottom
-  for (nsIFrame* popup : popups) {
+  for (nsMenuPopupFrame* popup : popups) {
     if (popup->PresContext()->GetRootPresContext() != aRootPresContext) {
       continue;
     }


=====================================
layout/xul/nsXULPopupManager.cpp
=====================================
@@ -53,6 +53,7 @@
 #include "mozilla/EventStateManager.h"
 #include "mozilla/LookAndFeel.h"
 #include "mozilla/MouseEvents.h"
+#include "mozilla/PointerLockManager.h"
 #include "mozilla/PresShell.h"
 #include "mozilla/Services.h"
 #include "mozilla/StaticPrefs_layout.h"
@@ -987,6 +988,7 @@ bool nsXULPopupManager::ShowPopupAsNativeMenu(Element* aPopup, int32_t aXPos,
     EventStateManager::ClearGlobalActiveContent(activeESM);
     activeESM->StopTrackingDragGesture(true);
   }
+  PointerLockManager::Unlock();
   PresShell::ReleaseCapturingContent();
 
   return true;
@@ -1201,6 +1203,10 @@ void nsXULPopupManager::ShowPopupCallback(Element* aPopup,
   // Caret visibility may have been affected, ensure that
   // the caret isn't now drawn when it shouldn't be.
   CheckCaretDrawingState();
+
+  if (popupType != PopupType::Tooltip) {
+    PointerLockManager::Unlock();
+  }
 }
 
 nsMenuChainItem* nsXULPopupManager::FindPopup(Element* aPopup) const {
@@ -1851,8 +1857,17 @@ nsIContent* nsXULPopupManager::GetTopActiveMenuItemContent() {
   return nullptr;
 }
 
-void nsXULPopupManager::GetVisiblePopups(nsTArray<nsIFrame*>& aPopups) {
+void nsXULPopupManager::GetVisiblePopups(nsTArray<nsMenuPopupFrame*>& aPopups,
+                                         bool aIncludeNativeMenu) {
   aPopups.Clear();
+  if (aIncludeNativeMenu && mNativeMenu) {
+    nsCOMPtr<nsIContent> popup = mNativeMenu->Element();
+    nsMenuPopupFrame* popupFrame = GetPopupFrameForContent(popup, true);
+    if (popupFrame && popupFrame->IsVisible() &&
+        !popupFrame->IsMouseTransparent()) {
+      aPopups.AppendElement(popupFrame);
+    }
+  }
   for (nsMenuChainItem* item = mPopups.get(); item; item = item->GetParent()) {
     // Skip panels which are not visible as well as popups that are transparent
     // to mouse events.


=====================================
layout/xul/nsXULPopupManager.h
=====================================
@@ -184,10 +184,10 @@ using HidePopupOptions = mozilla::EnumSet<HidePopupOption>;
  */
 extern const nsNavigationDirection DirectionFromKeyCodeTable[2][6];
 
-#define NS_DIRECTION_FROM_KEY_CODE(frame, keycode) \
-  (DirectionFromKeyCodeTable[static_cast<uint8_t>( \
-      (frame)->StyleVisibility()->mDirection)][(   \
-      keycode)-mozilla::dom::KeyboardEvent_Binding::DOM_VK_END])
+#define NS_DIRECTION_FROM_KEY_CODE(frame, keycode)                    \
+  (DirectionFromKeyCodeTable                                          \
+       [static_cast<uint8_t>((frame)->StyleVisibility()->mDirection)] \
+       [(keycode) - mozilla::dom::KeyboardEvent_Binding::DOM_VK_END])
 
 // Used to hold information about a popup that is about to be opened.
 struct PendingPopup {
@@ -601,8 +601,10 @@ class nsXULPopupManager final : public nsIDOMEventListener,
   /**
    * Return an array of all the open and visible popup frames for
    * menus, in order from top to bottom.
+   * XXX should we always include native menu?
    */
-  void GetVisiblePopups(nsTArray<nsIFrame*>& aPopups);
+  void GetVisiblePopups(nsTArray<nsMenuPopupFrame*>& aPopups,
+                        bool aIncludeNativeMenu = false);
 
   /**
    * Get the node that last triggered a popup or tooltip in the document


=====================================
modules/libpref/init/StaticPrefList.yaml
=====================================
@@ -2709,6 +2709,13 @@
   value: false
   mirror: always
 
+# The interval in milliseconds between two Escape key events where the second
+# key event will exit fullscreen, even if it is consumed.
+- name: dom.fullscreen.force_exit_on_multiple_escape_interval
+  type: uint32_t
+  value: 500
+  mirror: always
+
 # Whether fullscreen should make the rest of the document inert.
 # This matches other browsers but historically not Gecko.
 - name: dom.fullscreen.modal
@@ -11425,6 +11432,11 @@
   value: false
   mirror: always
 
+- name: network.cookie.sameSite.crossSiteIframeSetCheck
+  type: bool
+  value: true
+  mirror: always
+
 - name: network.cookie.thirdparty.sessionOnly
   type: bool
   value: false


=====================================
netwerk/cookie/CookieService.cpp
=====================================
@@ -675,6 +675,18 @@ CookieService::SetCookieStringFromHttp(nsIURI* aHostURI,
   if (!addonAllowsLoad) {
     mThirdPartyUtil->IsThirdPartyChannel(aChannel, aHostURI,
                                          &isForeignAndNotAddon);
+
+    // include sub-document navigations from cross-site to same-site
+    // wrt top-level in our check for thirdparty-ness
+    if (StaticPrefs::network_cookie_sameSite_crossSiteIframeSetCheck() &&
+        !isForeignAndNotAddon &&
+        loadInfo->GetExternalContentPolicyType() ==
+            ExtContentPolicy::TYPE_SUBDOCUMENT) {
+      bool triggeringPrincipalIsThirdParty = false;
+      BasePrincipal::Cast(loadInfo->TriggeringPrincipal())
+          ->IsThirdPartyURI(channelURI, &triggeringPrincipalIsThirdParty);
+      isForeignAndNotAddon |= triggeringPrincipalIsThirdParty;
+    }
   }
 
   nsCString cookieHeader(aCookieHeader);


=====================================
netwerk/cookie/CookieServiceChild.cpp
=====================================
@@ -517,6 +517,18 @@ CookieServiceChild::SetCookieStringFromHttp(nsIURI* aHostURI,
   if (!addonAllowsLoad) {
     mThirdPartyUtil->IsThirdPartyChannel(aChannel, aHostURI,
                                          &isForeignAndNotAddon);
+
+    // include sub-document navigations from cross-site to same-site
+    // wrt top-level in our check for thirdparty-ness
+    if (StaticPrefs::network_cookie_sameSite_crossSiteIframeSetCheck() &&
+        !isForeignAndNotAddon &&
+        loadInfo->GetExternalContentPolicyType() ==
+            ExtContentPolicy::TYPE_SUBDOCUMENT) {
+      bool triggeringPrincipalIsThirdParty = false;
+      BasePrincipal::Cast(loadInfo->TriggeringPrincipal())
+          ->IsThirdPartyURI(finalChannelURI, &triggeringPrincipalIsThirdParty);
+      isForeignAndNotAddon |= triggeringPrincipalIsThirdParty;
+    }
   }
 
   bool moreCookies;


=====================================
testing/web-platform/meta/cookies/samesite/setcookie-navigation.https.html.ini
=====================================
@@ -1,11 +1,4 @@
 [setcookie-navigation.https.html]
+  prefs: [network.cookie.sameSite.laxByDefault:true, network.cookie.sameSite.noneRequiresSecure:true]
   expected:
     if (os == "android") and fission: [OK, TIMEOUT]
-  [Cross-site to same-site iframe navigation should only be able to set SameSite=None cookies.]
-    expected: FAIL
-
-  [Same-site to cross-site-site iframe navigation should only be able to set SameSite=None cookies.]
-    expected: FAIL
-
-  [Cross-site to cross-site iframe navigation should only be able to set SameSite=None cookies.]
-    expected: FAIL



View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/0629814...

-- 
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/0629814...
You're receiving this email because of your account on gitlab.torproject.org.

    

[Git][tpo/applications/tor-browser][tor-browser-115.13.0esr-13.5-1] 11 commits: Bug 1743329 - Handle ESC key to release pointer lock in parent process; r=smaug

ma1 (＠ma1)

tags

participants (1)