Bug 1145314: Lock down CheckLoadURIFlags by dropping the check that lets any URI_IS_UI_RESOURCE URL link to any other URL with that flag. r=bholley

Differential Revision: https://phabricator.services.mozilla.com/D80601
This commit is contained in:
Christoph Kerschbaumer 2020-07-03 08:11:59 +00:00
parent 4c5ca225c9
commit 356a1baeae

View File

@ -881,24 +881,12 @@ nsresult nsScriptSecurityManager::CheckLoadURIFlags(
&targetURIIsUIResource);
NS_ENSURE_SUCCESS(rv, rv);
if (targetURIIsUIResource) {
// ALLOW_CHROME is a flag that we pass on all loads _except_ docshell
// loads (since docshell loads run the loaded content with its origin
// principal). We are effectively allowing resource:// and chrome://
// URIs to load as long as they are content accessible and as long
// they're not loading it as a document.
if (aFlags & nsIScriptSecurityManager::ALLOW_CHROME) {
// Allow a URI_IS_UI_RESOURCE source to link to a URI_IS_UI_RESOURCE
// target if ALLOW_CHROME is set.
//
// ALLOW_CHROME is a flag that we pass on all loads _except_ docshell
// loads (since docshell loads run the loaded content with its origin
// principal). So we're effectively allowing resource://, chrome://,
// and moz-icon:// source URIs to load resource://, chrome://, and
// moz-icon:// files, so long as they're not loading it as a document.
bool sourceIsUIResource;
rv = NS_URIChainHasFlags(aSourceBaseURI,
nsIProtocolHandler::URI_IS_UI_RESOURCE,
&sourceIsUIResource);
NS_ENSURE_SUCCESS(rv, rv);
if (sourceIsUIResource) {
return NS_OK;
}
if (targetScheme.EqualsLiteral("resource")) {
if (StaticPrefs::security_all_resource_uri_content_accessible()) {
return NS_OK;