Bug 1909022 - Allow more recursive load checks. r=smaug,necko-reviewe…

…rs,valentin

Don't limit recursive checks to only happen for original src
loads. They're very likely to be loads of 'about:blank' and later
followed by the actual load. Make sure to check the following loads as
well.

Differential Revision: https://phabricator.services.mozilla.com/D222485

docshell/test/navigation/frame_recursive_dynamic.html

@@ -0,0 +1,8 @@
+<script>
+  addEventListener("load", () => {
+    let e = document.createElement("iframe");
+    e.id = "dynamic";
+    document.body.appendChild(e); // append before setting source, forcing load of about:blank
+    e.src = window.location.href; // set src to ourselves to start recursing
+  }, { once: true });
+</script>

docshell/test/navigation/mochitest.toml

@@ -86,6 +86,7 @@ support-files = [
   "frame_5_out_of_6.html",
   "frame_6_out_of_6.html",
   "frame_recursive.html",
+  "frame_recursive_dynamic.html",
   "object_recursive_load.html",
   "file_nested_srcdoc.html",
 ]

docshell/test/navigation/test_recursive_frames.html

@@ -97,10 +97,20 @@
         "about:srcdoc",
       ],
     },
+    { // too many recursive dynamically created iframes
+      frameId: "dynamicrecursive",
+      expectedLocations: [
+        // eslint-disable-next-line @microsoft/sdl/no-insecure-url
+        "http://example.com/tests/docshell/test/navigation/frame_recursive_dynamic.html",
+        // eslint-disable-next-line @microsoft/sdl/no-insecure-url
+        "http://example.com/tests/docshell/test/navigation/frame_recursive_dynamic.html",
+        "about:blank"
+      ],
+    },
   ];
 
   async function checkRecursiveLoad(level) {
-    let el = content.document.getElementById("static");
+    let el = content.document.getElementById("static") || content.document.getElementById("dynamic");
     let documentURI = await SpecialPowers.spawn(
       el,
       [],
@@ -152,16 +162,16 @@
       );
     }
   });
-
   </script>
 </pre>
 <div>
   <iframe style="height: 100vh; width:25%;" id="recursiveFrame" src="http://example.com/tests/docshell/test/navigation/frame_recursive.html"></iframe>
   <iframe style="height: 100vh; width:25%;" id="twoRecursiveIframes" src="http://example.com/tests/docshell/test/navigation/frame_load_as_example_com.html"></iframe>
   <iframe style="height: 100vh; width:25%;" id="threeRecursiveIframes" src="http://sub1.test1.mochi.test:8888/tests/docshell/test/navigation/frame_load_as_host1.html"></iframe>
   <iframe style="height: 100vh; width:25%;" id="sixRecursiveIframes" src="http://example.com/tests/docshell/test/navigation/frame_1_out_of_6.html"></iframe>
-  <object width="400" height="300" id="recursiveObject" data="http://sub2.xn--lt-uia.mochi.test:8888/tests/docshell/test/navigation/object_recursive_load.html"></object> 
+  <object width="400" height="300" id="recursiveObject" data="http://sub2.xn--lt-uia.mochi.test:8888/tests/docshell/test/navigation/object_recursive_load.html"></object>
   <iframe id="nestedSrcdoc" srcdoc="Srcdoc that will embed an iframe &lt;iframe id=&quot;static&quot; src=&quot;http://example.com/tests/docshell/test/navigation/file_nested_srcdoc.html&quot;&gt;&lt;/iframe&gt;"></iframe>
+  <iframe style="height: 100vh; width:25%;" id="dynamicrecursive" src="http://example.com/tests/docshell/test/navigation/frame_recursive_dynamic.html"></iframe>
 </div>
 </body>
 </html>

dom/tests/browser/browser_hasbeforeunload.js

@@ -154,7 +154,11 @@ function navigateSubframe(browser, url, frameDepth = 0) {
     name: "Navigate",
     url,
   });
-  let subframeLoad = BrowserTestUtils.browserLoaded(browser, true);
+  let subframeLoad = BrowserTestUtils.browserLoaded(
+    browser,
+    true,
+    new URL(url).href
+  );
   return Promise.all([navigatePromise, subframeLoad]);
 }
 
@@ -368,7 +372,7 @@ async function prepareSubframes(browser, options) {
     [{ options, PAGE_URL }],
     async function (args) {
       let { options: allSubframeOptions, PAGE_URL: contentPageURL } = args;
-      function loadBeforeUnloadHelper(doc, subframeOptions) {
+      function loadBeforeUnloadHelper(doc, url, subframeOptions) {
         let subframe = doc.getElementById("subframe");
         subframe.remove();
         if (subframeOptions.sandboxAttributes === null) {
@@ -377,15 +381,23 @@ async function prepareSubframes(browser, options) {
           subframe.setAttribute("sandbox", subframeOptions.sandboxAttributes);
         }
         doc.body.appendChild(subframe);
-        subframe.contentWindow.location = contentPageURL;
+        subframe.contentWindow.location = url;
         return ContentTaskUtils.waitForEvent(subframe, "load").then(() => {
           return subframe.contentDocument;
         });
       }
 
       let currentDoc = content.document;
+      let depth = 1;
       for (let subframeOptions of allSubframeOptions) {
-        currentDoc = await loadBeforeUnloadHelper(currentDoc, subframeOptions);
+        // Circumvent recursive load checks.
+        let url = new URL(contentPageURL);
+        url.search = `depth=${depth++}`;
+        currentDoc = await loadBeforeUnloadHelper(
+          currentDoc,
+          url.href,
+          subframeOptions
+        );
       }
     }
   );

netwerk/ipc/DocumentLoadListener.cpp

@@ -655,12 +655,10 @@ auto DocumentLoadListener::Open(nsDocShellLoadState* aLoadState,
   mHTTPSFirstDowngradeData = aLoadState->GetHttpsFirstDowngradeData().forget();
 
   // Check for infinite recursive object or iframe loads
-  if (aLoadState->OriginalFrameSrc() || !mIsDocumentLoad) {
-    if (!CheckRecursiveLoad(loadingContext, aLoadState, mIsDocumentLoad)) {
-      *aRv = NS_ERROR_RECURSIVE_DOCUMENT_LOAD;
-      mParentChannelListener = nullptr;
-      return nullptr;
-    }
+  if (!CheckRecursiveLoad(loadingContext, aLoadState, mIsDocumentLoad)) {
+    *aRv = NS_ERROR_RECURSIVE_DOCUMENT_LOAD;
+    mParentChannelListener = nullptr;
+    return nullptr;
   }
 
   auto* documentContext = GetDocumentBrowsingContext();