ma1 pushed to branch mullvad-browser-115.13.0esr-13.5-1 at The Tor Project / Applications / Mullvad Browser Commits: 55b8abf1 by Edgar Chen at 2024-07-09T16:29:04+02:00 Bug 1743329 - Handle ESC key to release pointer lock in parent process; r=smaug Differential Revision: https://phabricator.services.mozilla.com/D211621 - - - - - 0019972d by Edgar Chen at 2024-07-09T16:31:30+02:00 Bug 1743329 - Release pointer lock when xul popup is open; r=smaug,pbz Differential Revision: https://phabricator.services.mozilla.com/D211620 - - - - - 84063db0 by Edgar Chen at 2024-07-09T16:31:36+02:00 Bug 1743329 - Use nsMenuPopupFrame in GetVisiblePopups(); r=smaug Differential Revision: https://phabricator.services.mozilla.com/D211619 A further change was needed in nsCaret.cpp, see https://gitlab.torproject.org/tpo/applications/tor-browser/-/merge_requests/... - - - - - f77f91b1 by Otto Länd at 2024-07-09T16:31:37+02:00 Bug 1743329: apply code formatting via Lando # ignore-this-changeset - - - - - d2415441 by edgul at 2024-07-09T16:31:37+02:00 Bug 1879952 - Fix test expectations with samesite=lax turned on r=tschuster Differential Revision: https://phabricator.services.mozilla.com/D201639 - - - - - 4f7651bf by edgul at 2024-07-09T16:31:38+02:00 Bug 1844827 - Added checks for sub-document navigations from cross-site to same-site in third-party checks when setting a cookie. r=cookie-reviewers,valentin,bvandersloot a=RyanVM Differential Revision: https://phabricator.services.mozilla.com/D204074 - - - - - 2e663f7b by Ed at 2024-07-09T16:31:38+02:00 Bug 1844827 - Update the cookie test expectations for iframe samesite r=cookie-reviewers,valentin a=RyanVM Depends on D199770 Differential Revision: https://phabricator.services.mozilla.com/D199772 - - - - - bb413ac1 by Julian Descottes at 2024-07-09T16:31:39+02:00 Bug 1880374 - Disable DNS prefetching if document nodePrincipal is systemPrincipal r=valentin Differential Revision: https://phabricator.services.mozilla.com/D210830 - - - - - 4e320ce3 by Edgar Chen at 2024-07-09T16:31:39+02:00 Bug 1883396 - Exit fullscreen when two Escape keyup events occur in a short time; r=smaug Differential Revision: https://phabricator.services.mozilla.com/D209667 - - - - - 0c986a88 by Jan de Mooij at 2024-07-09T16:31:40+02:00 Bug 1900523 - Don't use bailout data for JSJitToWasm frames. r=iain Differential Revision: https://phabricator.services.mozilla.com/D212554 - - - - - 3716357a by Jan de Mooij at 2024-07-09T16:31:40+02:00 Bug 1902983 - Don't use bailout data after iterating Wasm frames. a=RyanVM This is similar to bug 1900523, but the fix there was incomplete because the `JSJitToWasm` frame type is only used when we go through the Wasm JIT entry trampoline. Ion can also call Wasm functions directly and in that case the type will be `FrameType::Exit`. Original Revision: https://phabricator.services.mozilla.com/D214098 Differential Revision: https://phabricator.services.mozilla.com/D214375 - - - - - 22 changed files: - browser/base/content/test/popupNotifications/browser_popupNotification_security_delay.js - dom/base/PointerLockManager.cpp - dom/base/PointerLockManager.h - dom/html/HTMLDNSPrefetch.cpp - dom/ipc/BrowserChild.cpp - dom/ipc/BrowserChild.h - dom/ipc/BrowserParent.cpp - dom/ipc/PBrowser.ipdl - + js/src/jit-test/tests/ion/bug1900523.js - + js/src/jit-test/tests/ion/bug1902983.js - js/src/jit/JSJitFrameIter.cpp - js/src/jit/JSJitFrameIter.h - layout/base/PresShell.cpp - layout/base/PresShell.h - layout/base/nsCaret.cpp - layout/base/nsLayoutUtils.cpp - layout/xul/nsXULPopupManager.cpp - layout/xul/nsXULPopupManager.h - modules/libpref/init/StaticPrefList.yaml - netwerk/cookie/CookieService.cpp - netwerk/cookie/CookieServiceChild.cpp - testing/web-platform/meta/cookies/samesite/setcookie-navigation.https.html.ini Changes: ===================================== browser/base/content/test/popupNotifications/browser_popupNotification_security_delay.js ===================================== @@ -558,5 +558,7 @@ add_task(async function test_notificationDuringFullScreenTransition() { info("Wait for full screen transition end."); await promiseFullScreenTransitionEnd; info("Full screen transition end"); + + await SpecialPowers.popPrefEnv(); }); }); ===================================== dom/base/PointerLockManager.cpp ===================================== @@ -17,8 +17,10 @@ #include "mozilla/dom/BrowsingContext.h" #include "mozilla/dom/Document.h" #include "mozilla/dom/Element.h" +#include "mozilla/dom/PointerEventHandler.h" #include "mozilla/dom/WindowContext.h" #include "nsCOMPtr.h" +#include "nsMenuPopupFrame.h" #include "nsSandboxFlags.h" namespace mozilla { @@ -86,6 +88,25 @@ static void DispatchPointerLockError(Document* aTarget, const char* aMessage) { aMessage); } +static bool IsPopupOpened() { + // Check if any popup is open. + nsXULPopupManager* pm = nsXULPopupManager::GetInstance(); + if (!pm) { + return false; + } + + nsTArray<nsMenuPopupFrame*> popups; + pm->GetVisiblePopups(popups, true); + + for (nsMenuPopupFrame* popup : popups) { + if (popup->GetPopupType() != widget::PopupType::Tooltip) { + return true; + } + } + + return false; +} + static const char* GetPointerLockError(Element* aElement, Element* aCurrentLock, bool aNoFocusCheck = false) { // Check if pointer lock pref is enabled @@ -136,6 +157,10 @@ static const char* GetPointerLockError(Element* aElement, Element* aCurrentLock, } } + if (IsPopupOpened()) { + return "PointerLockDeniedFailedToLock"; + } + return nullptr; } @@ -167,6 +192,14 @@ void PointerLockManager::RequestLock(Element* aElement, /* static */ void PointerLockManager::Unlock(Document* aDoc) { + if (sLockedRemoteTarget) { + MOZ_ASSERT(XRE_IsParentProcess()); + MOZ_ASSERT(!sIsLocked); + Unused << sLockedRemoteTarget->SendReleasePointerLock(); + sLockedRemoteTarget = nullptr; + return; + } + if (!sIsLocked) { return; } @@ -311,14 +344,24 @@ bool PointerLockManager::IsInLockContext(BrowsingContext* aContext) { } /* static */ -bool PointerLockManager::SetLockedRemoteTarget(BrowserParent* aBrowserParent) { +void PointerLockManager::SetLockedRemoteTarget(BrowserParent* aBrowserParent, + nsACString& aError) { MOZ_ASSERT(XRE_IsParentProcess()); if (sLockedRemoteTarget) { - return sLockedRemoteTarget == aBrowserParent; + if (sLockedRemoteTarget != aBrowserParent) { + aError = "PointerLockDeniedInUse"_ns; + } + return; + } + + // Check if any popup is open. + if (IsPopupOpened()) { + aError = "PointerLockDeniedFailedToLock"_ns; + return; } sLockedRemoteTarget = aBrowserParent; - return true; + PointerEventHandler::ReleaseAllPointerCaptureRemoteTarget(); } /* static */ ===================================== dom/base/PointerLockManager.h ===================================== @@ -47,7 +47,8 @@ class PointerLockManager final { // Set/release pointer lock remote target. Should only be called in parent // process. - static bool SetLockedRemoteTarget(dom::BrowserParent* aBrowserParent); + static void SetLockedRemoteTarget(dom::BrowserParent* aBrowserParent, + nsACString& aError); static void ReleaseLockedRemoteTarget(dom::BrowserParent* aBrowserParent); private: ===================================== dom/html/HTMLDNSPrefetch.cpp ===================================== @@ -180,6 +180,13 @@ static bool EnsureDNSService() { } bool HTMLDNSPrefetch::IsAllowed(Document* aDocument) { + // Do not use prefetch if the document's node principal is the system + // principal. + nsCOMPtr<nsIPrincipal> principal = aDocument->NodePrincipal(); + if (principal->IsSystemPrincipal()) { + return false; + } + // There is no need to do prefetch on non UI scenarios such as XMLHttpRequest. return aDocument->IsDNSPrefetchAllowed() && aDocument->GetWindow(); } ===================================== dom/ipc/BrowserChild.cpp ===================================== @@ -39,6 +39,7 @@ #include "mozilla/MouseEvents.h" #include "mozilla/NativeKeyBindingsType.h" #include "mozilla/NullPrincipal.h" +#include "mozilla/PointerLockManager.h" #include "mozilla/Preferences.h" #include "mozilla/PresShell.h" #include "mozilla/ProcessHangMonitor.h" @@ -3184,6 +3185,11 @@ mozilla::ipc::IPCResult BrowserChild::RecvReleaseAllPointerCapture() { return IPC_OK(); } +mozilla::ipc::IPCResult BrowserChild::RecvReleasePointerLock() { + PointerLockManager::Unlock(); + return IPC_OK(); +} + PPaymentRequestChild* BrowserChild::AllocPPaymentRequestChild() { MOZ_CRASH( "We should never be manually allocating PPaymentRequestChild actors"); ===================================== dom/ipc/BrowserChild.h ===================================== @@ -696,6 +696,8 @@ class BrowserChild final : public nsMessageManagerScriptExecutor, mozilla::ipc::IPCResult RecvReleaseAllPointerCapture(); + mozilla::ipc::IPCResult RecvReleasePointerLock(); + private: void HandleDoubleTap(const CSSPoint& aPoint, const Modifiers& aModifiers, const ScrollableLayerGuid& aGuid); ===================================== dom/ipc/BrowserParent.cpp ===================================== @@ -4067,15 +4067,14 @@ static BrowserParent* GetTopLevelBrowserParent(BrowserParent* aBrowserParent) { mozilla::ipc::IPCResult BrowserParent::RecvRequestPointerLock( RequestPointerLockResolver&& aResolve) { - nsCString error; if (sTopLevelWebFocus != GetTopLevelBrowserParent(this)) { - error = "PointerLockDeniedNotFocused"; - } else if (!PointerLockManager::SetLockedRemoteTarget(this)) { - error = "PointerLockDeniedInUse"; - } else { - PointerEventHandler::ReleaseAllPointerCaptureRemoteTarget(); + aResolve("PointerLockDeniedNotFocused"_ns); + return IPC_OK(); } - aResolve(error); + + nsCString error; + PointerLockManager::SetLockedRemoteTarget(this, error); + aResolve(std::move(error)); return IPC_OK(); } ===================================== dom/ipc/PBrowser.ipdl ===================================== @@ -557,18 +557,18 @@ parent: async ImageLoadComplete(nsresult aResult); - /** - * Child informs the parent that a pointer lock has requested/released. - */ - async RequestPointerLock() returns (nsCString error); - async ReleasePointerLock(); - /** * Child informs the parent that a pointer capture has requested/released. */ async RequestPointerCapture(uint32_t aPointerId) returns (bool aSuccess); async ReleasePointerCapture(uint32_t aPointerId); +both: + /** + * informs that a pointer lock has released. + */ + async ReleasePointerLock(); + child: async NativeSynthesisResponse(uint64_t aObserverId, nsCString aResponse); async UpdateSHistory(); ===================================== js/src/jit-test/tests/ion/bug1900523.js ===================================== @@ -0,0 +1,28 @@ +// |jit-test| --fast-warmup; --no-threads; skip-if: !wasmIsSupported() +function f1() { + Promise.allSettled().catch(e => null); + do { + f2(10n, -1n); + try { + f2(-2147483648n); + } catch {} + } while (!inIon()); +} +function f2(x, y) { + const z = x >> x; + z <= z ? z : z; + y ^ y; +} +const binary = wasmTextToBinary(` + (module + (import "m" "f" (func $f)) + (func (export "test") + (call $f) + ) + ) +`); +const mod = new WebAssembly.Module(binary); +const inst = new WebAssembly.Instance(mod, {"m": {"f": f1}}); +for (let i = 0; i < 6; i++) { + inst.exports.test(); +} ===================================== js/src/jit-test/tests/ion/bug1902983.js ===================================== @@ -0,0 +1,24 @@ +// |jit-test| --fast-warmup; --gc-zeal=21,100; skip-if: !wasmIsSupported() +let counter = 0; +function g() { + counter++; + const y = BigInt.asIntN(counter, -883678545n); + const z = y >> y; + BigInt.asUintN(2 ** counter, 883678545n); + try { g(); } catch (e) { } +} +function f() { + for (let i = 0; i < 5; i++) { + for (let j = 0; j < 30; j++) { } + Promise.allSettled().catch(e => null); + counter = 0; + g(); + } +} +const binary = wasmTextToBinary(`(module (import "m" "f" (func $f)) (func (export "test") (call $f)))`); +const mod = new WebAssembly.Module(binary); +const inst = new WebAssembly.Instance(mod, { m: { f: f } }); +for (let i = 0; i < 100; i++) { } +for (let i = 0; i < 5; i++) { + inst.exports.test(); +} ===================================== js/src/jit/JSJitFrameIter.cpp ===================================== @@ -26,22 +26,29 @@ using namespace js; using namespace js::jit; JSJitFrameIter::JSJitFrameIter(const JitActivation* activation) - : JSJitFrameIter(activation, FrameType::Exit, activation->jsExitFP()) {} - -JSJitFrameIter::JSJitFrameIter(const JitActivation* activation, - FrameType frameType, uint8_t* fp) - : current_(fp), - type_(frameType), - resumePCinCurrentFrame_(nullptr), - cachedSafepointIndex_(nullptr), + : current_(activation->jsExitFP()), + type_(FrameType::Exit), activation_(activation) { - MOZ_ASSERT(type_ == FrameType::JSJitToWasm || type_ == FrameType::Exit); + // If we're currently performing a bailout, we have to use the activation's + // bailout data when we start iterating over the activation's frames. if (activation_->bailoutData()) { current_ = activation_->bailoutData()->fp(); type_ = FrameType::Bailout; - } else { - MOZ_ASSERT(!TlsContext.get()->inUnsafeCallWithABI); } + MOZ_ASSERT(!TlsContext.get()->inUnsafeCallWithABI); +} + +JSJitFrameIter::JSJitFrameIter(const JitActivation* activation, + FrameType frameType, uint8_t* fp) + : current_(fp), type_(frameType), activation_(activation) { + // This constructor is only used when resuming iteration after iterating Wasm + // frames in the same JitActivation so ignore activation_->bailoutData(). + // + // Note: FrameType::JSJitToWasm is used for JIT => Wasm calls through the Wasm + // JIT entry trampoline. FrameType::Exit is used for direct Ion => Wasm calls. + MOZ_ASSERT(fp > activation->jsOrWasmExitFP()); + MOZ_ASSERT(type_ == FrameType::JSJitToWasm || type_ == FrameType::Exit); + MOZ_ASSERT(!TlsContext.get()->inUnsafeCallWithABI); } bool JSJitFrameIter::checkInvalidation() const { ===================================== js/src/jit/JSJitFrameIter.h ===================================== @@ -111,14 +111,14 @@ class JSJitFrameIter { protected: uint8_t* current_; FrameType type_; - uint8_t* resumePCinCurrentFrame_; + uint8_t* resumePCinCurrentFrame_ = nullptr; // Size of the current Baseline frame. Equivalent to // BaselineFrame::debugFrameSize_ in debug builds. mozilla::Maybe<uint32_t> baselineFrameSize_; private: - mutable const SafepointIndex* cachedSafepointIndex_; + mutable const SafepointIndex* cachedSafepointIndex_ = nullptr; const JitActivation* activation_; void dumpBaseline() const; ===================================== layout/base/PresShell.cpp ===================================== @@ -8463,24 +8463,46 @@ void PresShell::EventHandler::MaybeHandleKeyboardEventBeforeDispatch( // The event listeners in chrome can prevent this ESC behavior by // calling prevent default on the preceding keydown/press events. - if (!mPresShell->mIsLastChromeOnlyEscapeKeyConsumed && - aKeyboardEvent->mMessage == eKeyUp) { - // ESC key released while in DOM fullscreen mode. - // Fully exit all browser windows and documents from - // fullscreen mode. - Document::AsyncExitFullscreen(nullptr); + if (aKeyboardEvent->mMessage == eKeyUp) { + bool shouldExitFullscreen = + !mPresShell->mIsLastChromeOnlyEscapeKeyConsumed; + if (!shouldExitFullscreen) { + if (mPresShell->mLastConsumedEscapeKeyUpForFullscreen && + (aKeyboardEvent->mTimeStamp - + mPresShell->mLastConsumedEscapeKeyUpForFullscreen) <= + TimeDuration::FromMilliseconds( + StaticPrefs:: + dom_fullscreen_force_exit_on_multiple_escape_interval())) { + shouldExitFullscreen = true; + mPresShell->mLastConsumedEscapeKeyUpForFullscreen = TimeStamp(); + } else { + mPresShell->mLastConsumedEscapeKeyUpForFullscreen = + aKeyboardEvent->mTimeStamp; + } + } + + if (shouldExitFullscreen) { + // ESC key released while in DOM fullscreen mode. + // Fully exit all browser windows and documents from + // fullscreen mode. + Document::AsyncExitFullscreen(nullptr); + } } } - nsCOMPtr<Document> pointerLockedDoc = PointerLockManager::GetLockedDocument(); - if (!mPresShell->mIsLastChromeOnlyEscapeKeyConsumed && pointerLockedDoc) { - // XXX See above comment to understand the reason why this needs - // to claim that the Escape key event is consumed by content - // even though it will be dispatched only into chrome. - aKeyboardEvent->PreventDefaultBeforeDispatch(CrossProcessForwarding::eStop); - aKeyboardEvent->mFlags.mOnlyChromeDispatch = true; - if (aKeyboardEvent->mMessage == eKeyUp) { - PointerLockManager::Unlock(); + if (XRE_IsParentProcess() && + !mPresShell->mIsLastChromeOnlyEscapeKeyConsumed) { + if (PointerLockManager::GetLockedRemoteTarget() || + PointerLockManager::IsLocked()) { + // XXX See above comment to understand the reason why this needs + // to claim that the Escape key event is consumed by content + // even though it will be dispatched only into chrome. + aKeyboardEvent->PreventDefaultBeforeDispatch( + CrossProcessForwarding::eStop); + aKeyboardEvent->mFlags.mOnlyChromeDispatch = true; + if (aKeyboardEvent->mMessage == eKeyUp) { + PointerLockManager::Unlock(); + } } } } ===================================== layout/base/PresShell.h ===================================== @@ -3209,6 +3209,10 @@ class PresShell final : public nsStubDocumentObserver, bool mProcessingReflowCommands : 1; bool mPendingDidDoReflow : 1; + // The last TimeStamp when the keyup event did not exit fullscreen because it + // was consumed. + TimeStamp mLastConsumedEscapeKeyUpForFullscreen; + struct CapturingContentInfo final { CapturingContentInfo() : mRemoteTarget(nullptr), ===================================== layout/base/nsCaret.cpp ===================================== @@ -855,7 +855,7 @@ size_t nsCaret::SizeOfIncludingThis(mozilla::MallocSizeOf aMallocSizeOf) const { bool nsCaret::IsMenuPopupHidingCaret() { // Check if there are open popups. nsXULPopupManager* popMgr = nsXULPopupManager::GetInstance(); - nsTArray<nsIFrame*> popups; + nsTArray<nsMenuPopupFrame*> popups; popMgr->GetVisiblePopups(popups); if (popups.Length() == 0) @@ -873,7 +873,7 @@ bool nsCaret::IsMenuPopupHidingCaret() { // If there's a menu popup open before the popup with // the caret, don't show the caret. for (uint32_t i = 0; i < popups.Length(); i++) { - nsMenuPopupFrame* popupFrame = static_cast<nsMenuPopupFrame*>(popups[i]); + nsMenuPopupFrame* popupFrame = popups[i]; nsIContent* popupContent = popupFrame->GetContent(); if (caretContent->IsInclusiveDescendantOf(popupContent)) { ===================================== layout/base/nsLayoutUtils.cpp ===================================== @@ -138,6 +138,7 @@ #include "nsIScrollableFrame.h" #include "nsIWidget.h" #include "nsListControlFrame.h" +#include "nsMenuPopupFrame.h" #include "nsPIDOMWindow.h" #include "nsPlaceholderFrame.h" #include "nsPresContext.h" @@ -1757,10 +1758,10 @@ nsIFrame* nsLayoutUtils::GetPopupFrameForPoint( if (!pm) { return nullptr; } - nsTArray<nsIFrame*> popups; + nsTArray<nsMenuPopupFrame*> popups; pm->GetVisiblePopups(popups); // Search from top to bottom - for (nsIFrame* popup : popups) { + for (nsMenuPopupFrame* popup : popups) { if (popup->PresContext()->GetRootPresContext() != aRootPresContext) { continue; } ===================================== layout/xul/nsXULPopupManager.cpp ===================================== @@ -53,6 +53,7 @@ #include "mozilla/EventStateManager.h" #include "mozilla/LookAndFeel.h" #include "mozilla/MouseEvents.h" +#include "mozilla/PointerLockManager.h" #include "mozilla/PresShell.h" #include "mozilla/Services.h" #include "mozilla/StaticPrefs_layout.h" @@ -987,6 +988,7 @@ bool nsXULPopupManager::ShowPopupAsNativeMenu(Element* aPopup, int32_t aXPos, EventStateManager::ClearGlobalActiveContent(activeESM); activeESM->StopTrackingDragGesture(true); } + PointerLockManager::Unlock(); PresShell::ReleaseCapturingContent(); return true; @@ -1201,6 +1203,10 @@ void nsXULPopupManager::ShowPopupCallback(Element* aPopup, // Caret visibility may have been affected, ensure that // the caret isn't now drawn when it shouldn't be. CheckCaretDrawingState(); + + if (popupType != PopupType::Tooltip) { + PointerLockManager::Unlock(); + } } nsMenuChainItem* nsXULPopupManager::FindPopup(Element* aPopup) const { @@ -1851,8 +1857,17 @@ nsIContent* nsXULPopupManager::GetTopActiveMenuItemContent() { return nullptr; } -void nsXULPopupManager::GetVisiblePopups(nsTArray<nsIFrame*>& aPopups) { +void nsXULPopupManager::GetVisiblePopups(nsTArray<nsMenuPopupFrame*>& aPopups, + bool aIncludeNativeMenu) { aPopups.Clear(); + if (aIncludeNativeMenu && mNativeMenu) { + nsCOMPtr<nsIContent> popup = mNativeMenu->Element(); + nsMenuPopupFrame* popupFrame = GetPopupFrameForContent(popup, true); + if (popupFrame && popupFrame->IsVisible() && + !popupFrame->IsMouseTransparent()) { + aPopups.AppendElement(popupFrame); + } + } for (nsMenuChainItem* item = mPopups.get(); item; item = item->GetParent()) { // Skip panels which are not visible as well as popups that are transparent // to mouse events. ===================================== layout/xul/nsXULPopupManager.h ===================================== @@ -184,10 +184,10 @@ using HidePopupOptions = mozilla::EnumSet<HidePopupOption>; */ extern const nsNavigationDirection DirectionFromKeyCodeTable[2][6]; -#define NS_DIRECTION_FROM_KEY_CODE(frame, keycode) \ - (DirectionFromKeyCodeTable[static_cast<uint8_t>( \ - (frame)->StyleVisibility()->mDirection)][( \ - keycode)-mozilla::dom::KeyboardEvent_Binding::DOM_VK_END]) +#define NS_DIRECTION_FROM_KEY_CODE(frame, keycode) \ + (DirectionFromKeyCodeTable \ + [static_cast<uint8_t>((frame)->StyleVisibility()->mDirection)] \ + [(keycode) - mozilla::dom::KeyboardEvent_Binding::DOM_VK_END]) // Used to hold information about a popup that is about to be opened. struct PendingPopup { @@ -601,8 +601,10 @@ class nsXULPopupManager final : public nsIDOMEventListener, /** * Return an array of all the open and visible popup frames for * menus, in order from top to bottom. + * XXX should we always include native menu? */ - void GetVisiblePopups(nsTArray<nsIFrame*>& aPopups); + void GetVisiblePopups(nsTArray<nsMenuPopupFrame*>& aPopups, + bool aIncludeNativeMenu = false); /** * Get the node that last triggered a popup or tooltip in the document ===================================== modules/libpref/init/StaticPrefList.yaml ===================================== @@ -2701,6 +2701,13 @@ value: false mirror: always +# The interval in milliseconds between two Escape key events where the second +# key event will exit fullscreen, even if it is consumed. +- name: dom.fullscreen.force_exit_on_multiple_escape_interval + type: uint32_t + value: 500 + mirror: always + # Whether fullscreen should make the rest of the document inert. # This matches other browsers but historically not Gecko. - name: dom.fullscreen.modal @@ -11417,6 +11424,11 @@ value: false mirror: always +- name: network.cookie.sameSite.crossSiteIframeSetCheck + type: bool + value: true + mirror: always + - name: network.cookie.thirdparty.sessionOnly type: bool value: false ===================================== netwerk/cookie/CookieService.cpp ===================================== @@ -675,6 +675,18 @@ CookieService::SetCookieStringFromHttp(nsIURI* aHostURI, if (!addonAllowsLoad) { mThirdPartyUtil->IsThirdPartyChannel(aChannel, aHostURI, &isForeignAndNotAddon); + + // include sub-document navigations from cross-site to same-site + // wrt top-level in our check for thirdparty-ness + if (StaticPrefs::network_cookie_sameSite_crossSiteIframeSetCheck() && + !isForeignAndNotAddon && + loadInfo->GetExternalContentPolicyType() == + ExtContentPolicy::TYPE_SUBDOCUMENT) { + bool triggeringPrincipalIsThirdParty = false; + BasePrincipal::Cast(loadInfo->TriggeringPrincipal()) + ->IsThirdPartyURI(channelURI, &triggeringPrincipalIsThirdParty); + isForeignAndNotAddon |= triggeringPrincipalIsThirdParty; + } } nsCString cookieHeader(aCookieHeader); ===================================== netwerk/cookie/CookieServiceChild.cpp ===================================== @@ -517,6 +517,18 @@ CookieServiceChild::SetCookieStringFromHttp(nsIURI* aHostURI, if (!addonAllowsLoad) { mThirdPartyUtil->IsThirdPartyChannel(aChannel, aHostURI, &isForeignAndNotAddon); + + // include sub-document navigations from cross-site to same-site + // wrt top-level in our check for thirdparty-ness + if (StaticPrefs::network_cookie_sameSite_crossSiteIframeSetCheck() && + !isForeignAndNotAddon && + loadInfo->GetExternalContentPolicyType() == + ExtContentPolicy::TYPE_SUBDOCUMENT) { + bool triggeringPrincipalIsThirdParty = false; + BasePrincipal::Cast(loadInfo->TriggeringPrincipal()) + ->IsThirdPartyURI(finalChannelURI, &triggeringPrincipalIsThirdParty); + isForeignAndNotAddon |= triggeringPrincipalIsThirdParty; + } } bool moreCookies; ===================================== testing/web-platform/meta/cookies/samesite/setcookie-navigation.https.html.ini ===================================== @@ -1,11 +1,4 @@ [setcookie-navigation.https.html] + prefs: [network.cookie.sameSite.laxByDefault:true, network.cookie.sameSite.noneRequiresSecure:true] expected: if (os == "android") and fission: [OK, TIMEOUT] - [Cross-site to same-site iframe navigation should only be able to set SameSite=None cookies.] - expected: FAIL - - [Same-site to cross-site-site iframe navigation should only be able to set SameSite=None cookies.] - expected: FAIL - - [Cross-site to cross-site iframe navigation should only be able to set SameSite=None cookies.] - expected: FAIL View it on GitLab: https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/compare/0b8... -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/compare/0b8... You're receiving this email because of your account on gitlab.torproject.org.