Bug 1523706 - Consider strictly enforcing MIME checks for Worker scripts. r=ckerschb

No test changes yet. Differential Revision: https://phabricator.services.mozilla.com/D32806 --HG-- extra : moz-landing-system : lando
2024-10-21 17:25:36 +00:00 · 2019-07-16 20:40:03 +00:00 · 2019-07-16 20:40:03 +00:00 · a207353360
commit a207353360
parent cb6719040b
3 changed files with 27 additions and 0 deletions
--- a/dom/locales/en-US/chrome/security/security.properties
+++ b/dom/locales/en-US/chrome/security/security.properties
@ -90,6 +90,7 @@ BlockScriptWithWrongMimeType2=Script from “%1$S” was blocked because of a di
 WarnScriptWithWrongMimeType=The script from “%1$S” was loaded even though its MIME type (“%2$S”) is not a valid JavaScript MIME type.
 # LOCALIZATION NOTE: Do not translate "importScripts()"
 BlockImportScriptsWithWrongMimeType=Loading script from “%1$S” with importScripts() was blocked because of a disallowed MIME type (“%2$S”).
+BlockWorkerWithWrongMimeType=Loading Worker from “%1$S” was blocked because of a disallowed MIME type (“%2$S”).
 BlockModuleWithWrongMimeType=Loading module from “%1$S” was blocked because of a disallowed MIME type (“%2$S”).

 # LOCALIZATION NOTE: Do not translate "data: URI".
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@ -2478,6 +2478,9 @@ pref("security.block_script_with_wrong_mime", true);
 // Block scripts with wrong MIME type when loading via importScripts() in workers.
 pref("security.block_importScripts_with_wrong_mime", true);

+// Block Worker scripts with wrong MIME type.
+pref("security.block_Worker_with_wrong_mime", true);
+
 // OCSP must-staple
 pref("security.ssl.enable_ocsp_must_staple", true);

--- a/netwerk/protocol/http/nsHttpChannel.cpp
+++ b/netwerk/protocol/http/nsHttpChannel.cpp
@ -1655,6 +1655,29 @@ nsresult EnsureMIMEOfScript(nsHttpChannel* aChannel, nsIURI* aURI,
    return NS_ERROR_CORRUPTED_CONTENT;
  }

+  if (internalType == nsIContentPolicy::TYPE_INTERNAL_WORKER ||
+      internalType == nsIContentPolicy::TYPE_INTERNAL_SHARED_WORKER) {
+    // Instead of consulting Preferences::GetBool() all the time we
+    // can cache the result to speed things up.
+    static bool sCachedBlockWorkerWithWrongMime = false;
+    static bool sIsInited = false;
+    if (!sIsInited) {
+      sIsInited = true;
+      Preferences::AddBoolVarCache(&sCachedBlockWorkerWithWrongMime,
+                                   "security.block_Worker_with_wrong_mime",
+                                   true);
+    }
+
+    // Do not block the load if the feature is not enabled.
+    if (!sCachedBlockWorkerWithWrongMime) {
+      return NS_OK;
+    }
+
+    ReportMimeTypeMismatch(aChannel, "BlockWorkerWithWrongMimeType", aURI,
+                           contentType, Report::Error);
+    return NS_ERROR_CORRUPTED_CONTENT;
+  }
+
  // ES6 modules require a strict MIME type check.
  if (internalType == nsIContentPolicy::TYPE_INTERNAL_MODULE ||
      internalType == nsIContentPolicy::TYPE_INTERNAL_MODULE_PRELOAD) {