Bug 1850967 - Forbid data: and javascript: URLs in <base>. r=emilio

Differential Revision: https://phabricator.services.mozilla.com/D209357
2024-11-23 04:41:11 +00:00 · 2024-05-06 14:55:22 +00:00 · 2024-05-06 14:55:22 +00:00 · e081721763
commit e081721763
parent 5763261d80
4 changed files with 17 additions and 14 deletions
--- a/dom/html/HTMLSharedElement.cpp
+++ b/dom/html/HTMLSharedElement.cpp
@ -85,15 +85,22 @@ static void SetBaseURIUsingFirstBaseWithHref(Document* aDocument,
          getter_AddRefs(newBaseURI), href, aDocument,
          aDocument->GetFallbackBaseURI());

+      // Vaguely based on
+      // <https://html.spec.whatwg.org/multipage/semantics.html#set-the-frozen-base-url>
+
+      if (newBaseURI && (newBaseURI->SchemeIs("data") ||
+                         newBaseURI->SchemeIs("javascript"))) {
+        newBaseURI = nullptr;
+      }
+
      // Check if CSP allows this base-uri
-      nsresult rv = NS_OK;
      nsCOMPtr<nsIContentSecurityPolicy> csp = aDocument->GetCsp();
      if (csp && newBaseURI) {
        // base-uri is only enforced if explicitly defined in the
        // policy - do *not* consult default-src, see:
        // http://www.w3.org/TR/CSP2/#directive-default-src
        bool cspPermitsBaseURI = true;
-        rv = csp->Permits(
+        nsresult rv = csp->Permits(
            child->AsElement(), nullptr /* nsICSPEventListener */, newBaseURI,
            nsIContentSecurityPolicy::BASE_URI_DIRECTIVE, true /* aSpecific */,
            true /* aSendViolationReports */, &cspPermitsBaseURI);
@ -101,6 +108,7 @@ static void SetBaseURIUsingFirstBaseWithHref(Document* aDocument,
          newBaseURI = nullptr;
        }
      }
+
      aDocument->SetBaseURI(newBaseURI);
      aDocument->SetChromeXHRDocBaseURI(nullptr);
      return;
--- a/parser/html/nsHtml5TreeOpExecutor.cpp
+++ b/parser/html/nsHtml5TreeOpExecutor.cpp
@ -1343,6 +1343,13 @@ void nsHtml5TreeOpExecutor::SetSpeculationBase(const nsAString& aURL) {
    return;
  }

+  // See
+  // https://html.spec.whatwg.org/multipage/semantics.html#set-the-frozen-base-url
+  // data: and javascript: base URLs are not allowed.
+  if (newBaseURI->SchemeIs("data") || newBaseURI->SchemeIs("javascript")) {
+    return;
+  }
+
  // Check the document's CSP usually delivered via the CSP header.
  if (nsCOMPtr<nsIContentSecurityPolicy> csp = mDocument->GetCsp()) {
    // base-uri should not fallback to the default-src and preloads should not
--- a/testing/web-platform/meta/html/semantics/document-metadata/the-base-element/base-data.html.ini
+++ b/testing/web-platform/meta/html/semantics/document-metadata/the-base-element/base-data.html.ini
@ -1,6 +0,0 @@
-[base-data.html]
-  [First <base> has a data: URL so fallback is used]
-    expected: FAIL
-
-  [Dynamically inserted first <base> has a data: URL so fallback is used]
-    expected: FAIL
--- a/testing/web-platform/meta/html/semantics/document-metadata/the-base-element/base-javascript.html.ini
+++ b/testing/web-platform/meta/html/semantics/document-metadata/the-base-element/base-javascript.html.ini
@ -1,6 +0,0 @@
-[base-javascript.html]
-  [First <base> has a javascript: URL so fallback is used]
-    expected: FAIL
-
-  [Dynamically inserted first <base> has a javascript: URL so fallback is used]
-    expected: FAIL