Bug 1523706 - Consider strictly enforcing MIME checks for Worker scripts. r=ckerschb
No test changes yet. Differential Revision: https://phabricator.services.mozilla.com/D32806 --HG-- extra : moz-landing-system : lando
parent
cb6719040b
commit
a207353360
@ -90,6 +90,7 @@ BlockScriptWithWrongMimeType2=Script from “%1$S” was blocked because of a di
|
||||
WarnScriptWithWrongMimeType=The script from “%1$S” was loaded even though its MIME type (“%2$S”) is not a valid JavaScript MIME type.
|
||||
# LOCALIZATION NOTE: Do not translate "importScripts()"
|
||||
BlockImportScriptsWithWrongMimeType=Loading script from “%1$S” with importScripts() was blocked because of a disallowed MIME type (“%2$S”).
|
||||
BlockWorkerWithWrongMimeType=Loading Worker from “%1$S” was blocked because of a disallowed MIME type (“%2$S”).
|
||||
BlockModuleWithWrongMimeType=Loading module from “%1$S” was blocked because of a disallowed MIME type (“%2$S”).
|
||||
|
||||
# LOCALIZATION NOTE: Do not translate "data: URI".
|
||||
|
@ -2478,6 +2478,9 @@ pref("security.block_script_with_wrong_mime", true);
|
||||
// Block scripts with wrong MIME type when loading via importScripts() in workers.
|
||||
pref("security.block_importScripts_with_wrong_mime", true);
|
||||
|
||||
// Block Worker scripts with wrong MIME type.
|
||||
pref("security.block_Worker_with_wrong_mime", true);
|
||||
|
||||
// OCSP must-staple
|
||||
pref("security.ssl.enable_ocsp_must_staple", true);
|
||||
|
||||
|
@ -1655,6 +1655,29 @@ nsresult EnsureMIMEOfScript(nsHttpChannel* aChannel, nsIURI* aURI,
|
||||
return NS_ERROR_CORRUPTED_CONTENT;
|
||||
}
|
||||
|
||||
if (internalType == nsIContentPolicy::TYPE_INTERNAL_WORKER ||
|
||||
internalType == nsIContentPolicy::TYPE_INTERNAL_SHARED_WORKER) {
|
||||
// Instead of consulting Preferences::GetBool() all the time we
|
||||
// can cache the result to speed things up.
|
||||
static bool sCachedBlockWorkerWithWrongMime = false;
|
||||
static bool sIsInited = false;
|
||||
if (!sIsInited) {
|
||||
sIsInited = true;
|
||||
Preferences::AddBoolVarCache(&sCachedBlockWorkerWithWrongMime,
|
||||
"security.block_Worker_with_wrong_mime",
|
||||
true);
|
||||
}
|
||||
|
||||
// Do not block the load if the feature is not enabled.
|
||||
if (!sCachedBlockWorkerWithWrongMime) {
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
ReportMimeTypeMismatch(aChannel, "BlockWorkerWithWrongMimeType", aURI,
|
||||
contentType, Report::Error);
|
||||
return NS_ERROR_CORRUPTED_CONTENT;
|
||||
}
|
||||
|
||||
// ES6 modules require a strict MIME type check.
|
||||
if (internalType == nsIContentPolicy::TYPE_INTERNAL_MODULE ||
|
||||
internalType == nsIContentPolicy::TYPE_INTERNAL_MODULE_PRELOAD) {
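Review bot: The new worker branch matches only `TYPE_INTERNAL_WORKER` and `TYPE_INTERNAL_SHARED_WORKER`, and nothing in the hunk says why `TYPE_INTERNAL_SERVICE_WORKER` is left out, so a reader cannot tell whether service-worker scripts are enforced somewhere else or are simply not covered by this check. If they are handled elsewhere, a comment above the condition such as `// Service worker scripts get their MIME check in their own loader; only dedicated and shared workers are handled here.` would record that; if they are not, the condition probably needs the third type. The commit message also says there are no test changes, so neither the blocked load (`NS_ERROR_CORRUPTED_CONTENT` plus the `BlockWorkerWithWrongMimeType` report) nor the pref-off `return NS_OK` is exercised; a test that serves a worker script with a non-JavaScript content type under both values of `security.block_Worker_with_wrong_mime` would pin both paths. EnsureMIMEOfScript starts and ends outside the hunk, so the code that decides the type is wrong before this branch is reached is not visible here.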
|
||||
|