From e081721763fe6d0b67b6d4aaf77af265e48d1209 Mon Sep 17 00:00:00 2001
From: Tom Schuster
Date: Mon, 6 May 2024 14:55:22 +0000
Subject: [PATCH] Bug 1850967 - Forbid data: and javascript: URLs in . r=emilio

Differential Revision: https://phabricator.services.mozilla.com/D209357
---
 dom/html/HTMLSharedElement.cpp | 12 ++++++++++--
 parser/html/nsHtml5TreeOpExecutor.cpp | 7 +++++++
 .../the-base-element/base-data.html.ini | 6 ------
 .../the-base-element/base-javascript.html.ini | 6 ------
 4 files changed, 17 insertions(+), 14 deletions(-)
 delete mode 100644 testing/web-platform/meta/html/semantics/document-metadata/the-base-element/base-data.html.ini
 delete mode 100644 testing/web-platform/meta/html/semantics/document-metadata/the-base-element/base-javascript.html.ini

diff --git a/dom/html/HTMLSharedElement.cpp b/dom/html/HTMLSharedElement.cpp
index 85849f9f79bc..0dd151f473ff 100644
--- a/dom/html/HTMLSharedElement.cpp
+++ b/dom/html/HTMLSharedElement.cpp
@@ -85,15 +85,22 @@ static void SetBaseURIUsingFirstBaseWithHref(Document* aDocument,
       getter_AddRefs(newBaseURI), href, aDocument, aDocument->GetFallbackBaseURI());
+  // Vaguely based on
+
+  if (newBaseURI && (newBaseURI->SchemeIs("data") ||
+                     newBaseURI->SchemeIs("javascript"))) {
+    newBaseURI = nullptr;
+  }
+
   // Check if CSP allows this base-uri
-  nsresult rv = NS_OK;
   nsCOMPtr csp = aDocument->GetCsp();
   if (csp && newBaseURI) {
     // base-uri is only enforced if explicitly defined in the
     // policy - do *not* consult default-src, see:
     // http://www.w3.org/TR/CSP2/#directive-default-src
     bool cspPermitsBaseURI = true;
-    rv = csp->Permits(
+    nsresult rv = csp->Permits(
         child->AsElement(), nullptr /* nsICSPEventListener */, newBaseURI, nsIContentSecurityPolicy::BASE_URI_DIRECTIVE, true /* aSpecific */, true /* aSendViolationReports */, &cspPermitsBaseURI);
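Review bot: The new `// Vaguely based on` comment is followed by a line whose reference is empty as rendered here, so the spec step that justifies dropping data: and javascript: bases is not named at the place where the DOM-side policy is applied, while the parser hunk in nsHtml5TreeOpExecutor.cpp does cite it; the same wording would serve here: `// Per https://html.spec.whatwg.org/multipage/semantics.html#set-the-frozen-base-url a data: or javascript: base URL is ignored and the fallback base URL is used instead.` It is also worth saying in that comment that the test runs on the parsed `newBaseURI`, not on the raw `href` text, so it relies on the URI parser's scheme normalization rather than string matching — otherwise a later reader may try to hoist it onto the attribute value. Nulling `newBaseURI` means the `csp && newBaseURI` branch is skipped and no base-uri violation report is sent for a rejected data:/javascript: base; that appears consistent with the spec's single "fallback" step, but a short note would pre-empt the question. The enclosing function starts before this hunk and continues after it.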
@@ -101,6 +108,7 @@ static void SetBaseURIUsingFirstBaseWithHref(Document* aDocument,
       newBaseURI = nullptr;
     }
   }
+
   aDocument->SetBaseURI(newBaseURI);
   aDocument->SetChromeXHRDocBaseURI(nullptr);
   return;
diff --git a/parser/html/nsHtml5TreeOpExecutor.cpp b/parser/html/nsHtml5TreeOpExecutor.cpp
index f2c47c42a6b6..f25949e6cc90 100644
--- a/parser/html/nsHtml5TreeOpExecutor.cpp
+++ b/parser/html/nsHtml5TreeOpExecutor.cpp
@@ -1343,6 +1343,13 @@ void nsHtml5TreeOpExecutor::SetSpeculationBase(const nsAString& aURL) {
     return;
   }
+  // See
+  // https://html.spec.whatwg.org/multipage/semantics.html#set-the-frozen-base-url
+  // data: and javascript: base URLs are not allowed.
+  if (newBaseURI->SchemeIs("data") || newBaseURI->SchemeIs("javascript")) {
+    return;
+  }
+
   // Check the document's CSP usually delivered via the CSP header.
   if (nsCOMPtr csp = mDocument->GetCsp()) {
     // base-uri should not fallback to the default-src and preloads should not
diff --git a/testing/web-platform/meta/html/semantics/document-metadata/the-base-element/base-data.html.ini b/testing/web-platform/meta/html/semantics/document-metadata/the-base-element/base-data.html.ini
deleted file mode 100644
index 859fbc431bf2..000000000000
--- a/testing/web-platform/meta/html/semantics/document-metadata/the-base-element/base-data.html.ini
+++ /dev/null
@@ -1,6 +0,0 @@
-[base-data.html]
-  [First has a data: URL so fallback is used]
-    expected: FAIL
-
-  [Dynamically inserted first has a data: URL so fallback is used]
-    expected: FAIL
diff --git a/testing/web-platform/meta/html/semantics/document-metadata/the-base-element/base-javascript.html.ini b/testing/web-platform/meta/html/semantics/document-metadata/the-base-element/base-javascript.html.ini
deleted file mode 100644
index 0cd8cecf4fef..000000000000
--- a/testing/web-platform/meta/html/semantics/document-metadata/the-base-element/base-javascript.html.ini
+++ /dev/null
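Review bot: In SetSpeculationBase the new `newBaseURI->SchemeIs(...)` test dereferences `newBaseURI` without a null check; the `return; }` just above suggests an earlier failure guard, but it is outside the hunk, so the assumption should be visible at the use, e.g. `MOZ_ASSERT(newBaseURI);` ahead of the scheme test, or the DOM-side form `if (newBaseURI && (newBaseURI->SchemeIs("data") || newBaseURI->SchemeIs("javascript")))`. The same two-scheme test now exists here and in HTMLSharedElement.cpp; a single helper such as `static bool IsForbiddenBaseScheme(nsIURI* aURI)` would keep the speculative base used for preloads and the final document base from drifting apart, which matters because a preload resolved against a different base than the document fetches URLs the page never ends up using. Returning early also skips the CSP base-uri check that follows, which mirrors the DOM side where `newBaseURI` is nulled before that check; a one-line comment saying so would make the ordering intentional rather than incidental. SetSpeculationBase starts before this hunk and continues after it.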
@@ -1,6 +0,0 @@
-[base-javascript.html]
-  [First has a javascript: URL so fallback is used]
-    expected: FAIL
-
-  [Dynamically inserted first has a javascript: URL so fallback is used]
-    expected: FAIL