Bug 1754066 - Prevent chrome and resource protocols for sourcemap helper r=ochameau

Differential Revision: https://phabricator.services.mozilla.com/D138773
2024-11-24 21:31:04 +00:00 · 2022-02-21 16:34:06 +00:00 · 2022-02-21 16:34:06 +00:00 · b138ba1676
commit b138ba1676
parent fc71dac9e3
12 changed files with 89 additions and 2 deletions
--- a/devtools/client/debugger/bin/module-manifest.json
+++ b/devtools/client/debugger/bin/module-manifest.json
@ -2405,7 +2405,7 @@
        "byName": {},
        "byBlocks": {},
        "usedIds": {
-          "1": 1
+          "0": 0
        }
      }
    }
@ -2426,7 +2426,7 @@
        "byName": {},
        "byBlocks": {},
        "usedIds": {
-          "1": 1
+          "0": 0
        }
      }
    }
--- a/devtools/client/debugger/dist/parser-worker.js
+++ b/devtools/client/debugger/dist/parser-worker.js
@ -7930,6 +7930,12 @@ exports.compareByGeneratedPositionsInflated = compareByGeneratedPositionsInflate
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at <http://mozilla.org/MPL/2.0/>. */
 function networkRequest(url, opts) {
+  const UNSUPPORTED_PROTOCOLS = ["chrome://", "resource://"];
+
+  if (UNSUPPORTED_PROTOCOLS.some(protocol => url.startsWith(protocol))) {
+    return Promise.reject(`unsupported protocol for sourcemap request ${url}`);
+  }
+
  return fetch(url, {
    cache: opts.loadFromCache ? "default" : "no-cache"
  }).then(res => {
--- a/devtools/client/debugger/dist/pretty-print-worker.js
+++ b/devtools/client/debugger/dist/pretty-print-worker.js
@ -527,6 +527,12 @@ exports.compareByGeneratedPositionsInflated = compareByGeneratedPositionsInflate
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at <http://mozilla.org/MPL/2.0/>. */
 function networkRequest(url, opts) {
+  const UNSUPPORTED_PROTOCOLS = ["chrome://", "resource://"];
+
+  if (UNSUPPORTED_PROTOCOLS.some(protocol => url.startsWith(protocol))) {
+    return Promise.reject(`unsupported protocol for sourcemap request ${url}`);
+  }
+
  return fetch(url, {
    cache: opts.loadFromCache ? "default" : "no-cache"
  }).then(res => {
--- a/devtools/client/debugger/dist/search-worker.js
+++ b/devtools/client/debugger/dist/search-worker.js
@ -103,6 +103,12 @@ module.exports = {
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at <http://mozilla.org/MPL/2.0/>. */
 function networkRequest(url, opts) {
+  const UNSUPPORTED_PROTOCOLS = ["chrome://", "resource://"];
+
+  if (UNSUPPORTED_PROTOCOLS.some(protocol => url.startsWith(protocol))) {
+    return Promise.reject(`unsupported protocol for sourcemap request ${url}`);
+  }
+
  return fetch(url, {
    cache: opts.loadFromCache ? "default" : "no-cache"
  }).then(res => {
--- a/devtools/client/debugger/dist/vendors.js
+++ b/devtools/client/debugger/dist/vendors.js
@ -117,6 +117,12 @@ module.exports = {
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at <http://mozilla.org/MPL/2.0/>. */
 function networkRequest(url, opts) {
+  const UNSUPPORTED_PROTOCOLS = ["chrome://", "resource://"];
+
+  if (UNSUPPORTED_PROTOCOLS.some(protocol => url.startsWith(protocol))) {
+    return Promise.reject(`unsupported protocol for sourcemap request ${url}`);
+  }
+
  return fetch(url, {
    cache: opts.loadFromCache ? "default" : "no-cache"
  }).then(res => {
--- a/devtools/client/debugger/packages/devtools-utils/src/privileged-network-request.js
+++ b/devtools/client/debugger/packages/devtools-utils/src/privileged-network-request.js
@ -3,6 +3,11 @@
 * file, You can obtain one at <http://mozilla.org/MPL/2.0/>. */

 function networkRequest(url, opts) {
+  const UNSUPPORTED_PROTOCOLS = ["chrome://", "resource://"];
+  if (UNSUPPORTED_PROTOCOLS.some(protocol => url.startsWith(protocol))) {
+    return Promise.reject(`unsupported protocol for sourcemap request ${url}`);
+  }
+
  return fetch(url, {
    cache: opts.loadFromCache ? "default" : "no-cache",
  }).then(res => {
--- a/devtools/client/shared/source-map/index.js
+++ b/devtools/client/shared/source-map/index.js
@ -103,6 +103,12 @@ module.exports = {
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at <http://mozilla.org/MPL/2.0/>. */
 function networkRequest(url, opts) {
+  const UNSUPPORTED_PROTOCOLS = ["chrome://", "resource://"];
+
+  if (UNSUPPORTED_PROTOCOLS.some(protocol => url.startsWith(protocol))) {
+    return Promise.reject(`unsupported protocol for sourcemap request ${url}`);
+  }
+
  return fetch(url, {
    cache: opts.loadFromCache ? "default" : "no-cache"
  }).then(res => {
--- a/devtools/client/shared/source-map/worker.js
+++ b/devtools/client/shared/source-map/worker.js
@ -151,6 +151,12 @@ module.exports = {
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at <http://mozilla.org/MPL/2.0/>. */
 function networkRequest(url, opts) {
+  const UNSUPPORTED_PROTOCOLS = ["chrome://", "resource://"];
+
+  if (UNSUPPORTED_PROTOCOLS.some(protocol => url.startsWith(protocol))) {
+    return Promise.reject(`unsupported protocol for sourcemap request ${url}`);
+  }
+
  return fetch(url, {
    cache: opts.loadFromCache ? "default" : "no-cache"
  }).then(res => {
--- a/devtools/client/styleeditor/test/browser.ini
+++ b/devtools/client/styleeditor/test/browser.ini
@ -40,6 +40,7 @@ support-files =
  sjs_huge-css-server.sjs
  sourcemap-css/contained.css
  sourcemap-css/sourcemaps.css
+  sourcemap-css/sourcemaps_chrome.css
  sourcemap-css/sourcemaps.css.map
  # add nosniff header to test against Bug 1330383
  sourcemap-css/sourcemaps.css.map^headers^
@ -63,6 +64,7 @@ support-files =
  doc_long_string.css
  doc_long.css
  doc_short_string.css
+  doc_sourcemap_chrome.html
  doc_xulpage.xhtml
  sync.html
  sync_with_csp.css
@ -116,6 +118,7 @@ skip-if = !debug && (os == "win") || (os == "linux" && os_version == "18.04") #b
 [browser_styleeditor_selectstylesheet.js]
 [browser_styleeditor_sourcemaps.js]
 [browser_styleeditor_sourcemaps_inline.js]
+[browser_styleeditor_sourcemap_chrome.js]
 [browser_styleeditor_sourcemap_large.js]
 [browser_styleeditor_sourcemap_watching.js]
 [browser_styleeditor_sync.js]
--- a/devtools/client/styleeditor/test/browser_styleeditor_sourcemap_chrome.js
+++ b/devtools/client/styleeditor/test/browser_styleeditor_sourcemap_chrome.js
@ -0,0 +1,25 @@
+/* Any copyright is dedicated to the Public Domain.
+ http://creativecommons.org/publicdomain/zero/1.0/ */
+"use strict";
+
+const TEST_URI = URL_ROOT_SSL + "doc_sourcemap_chrome.html";
+const CSS_NAME = "sourcemaps_chrome.css";
+
+/**
+ * Test that a sourcemap served by a chrome URL will not be resolved
+ */
+add_task(async function() {
+  const { ui } = await openStyleEditorForURL(TEST_URI);
+  const editor = ui.editors[0];
+
+  // The CSS file contains a link to a sourcemap called which should map this
+  // CSS file to "sourcemaps.scss". If the CSS is still listed as CSS_NAME, it
+  // means the sourcemapped file was not resolved.
+  is(getStylesheetNameFor(editor), CSS_NAME, "The sourcemap was not resolved");
+});
+
+function getStylesheetNameFor(editor) {
+  return editor.summary
+    .querySelector(".stylesheet-name > label")
+    .getAttribute("value");
+}
--- a/devtools/client/styleeditor/test/doc_sourcemap_chrome.html
+++ b/devtools/client/styleeditor/test/doc_sourcemap_chrome.html
@ -0,0 +1,11 @@
+<!doctype html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Testcase for sourcemap URLs pointing to unsupported protocols</title>
+  <link rel="stylesheet" type="text/css" href="sourcemap-css/sourcemaps_chrome.css"/>
+</head>
+<body>
+  <div>Protocol test</div>
+</body>
+</html>
--- a/devtools/client/styleeditor/test/sourcemap-css/sourcemaps_chrome.css
+++ b/devtools/client/styleeditor/test/sourcemap-css/sourcemaps_chrome.css
@ -0,0 +1,7 @@
+div {
+  color: #ff0066; }
+
+span {
+  background-color: #EEE; }
+
+/*# sourceMappingURL=chrome://mochitests/content/browser/devtools/client/styleeditor/test/sourcemap-css/sourcemaps.css.map */