Bug 1145314: Lock down CheckLoadURIFlags by dropping the check that lets any URI_IS_UI_RESOURCE URL link to any other URL with that flag. r=bholley
Differential Revision: https://phabricator.services.mozilla.com/D80601
This commit is contained in:
parent
7effeb6cde
commit
ed4fe6b936
@ -877,22 +877,29 @@ nsresult nsScriptSecurityManager::CheckLoadURIFlags(
|
||||
&targetURIIsUIResource);
|
||||
NS_ENSURE_SUCCESS(rv, rv);
|
||||
if (targetURIIsUIResource) {
|
||||
// ALLOW_CHROME is a flag that we pass on all loads _except_ docshell
|
||||
// loads (since docshell loads run the loaded content with its origin
|
||||
// principal). We are effectively allowing resource:// and chrome://
|
||||
// URIs to load as long as they are content accessible and as long
|
||||
// they're not loading it as a document.
|
||||
if (aFlags & nsIScriptSecurityManager::ALLOW_CHROME) {
|
||||
// Allow a URI_IS_UI_RESOURCE source to link to a URI_IS_UI_RESOURCE
|
||||
// target if ALLOW_CHROME is set.
|
||||
//
|
||||
// ALLOW_CHROME is a flag that we pass on all loads _except_ docshell
|
||||
// loads (since docshell loads run the loaded content with its origin
|
||||
// principal). So we're effectively allowing resource://, chrome://,
|
||||
// and moz-icon:// source URIs to load resource://, chrome://, and
|
||||
// moz-icon:// files, so long as they're not loading it as a document.
|
||||
bool sourceIsUIResource;
|
||||
bool sourceIsUIResource = false;
|
||||
rv = NS_URIChainHasFlags(aSourceBaseURI,
|
||||
nsIProtocolHandler::URI_IS_UI_RESOURCE,
|
||||
&sourceIsUIResource);
|
||||
NS_ENSURE_SUCCESS(rv, rv);
|
||||
if (sourceIsUIResource) {
|
||||
return NS_OK;
|
||||
// TODO Bug 1654488: Remove pref in CheckLoadURIFlags which
|
||||
// allows all UI resources to load
|
||||
if (StaticPrefs::
|
||||
security_caps_allow_uri_is_ui_resource_in_checkloaduriflags()) {
|
||||
return NS_OK;
|
||||
}
|
||||
// Special case for moz-icon URIs loaded by a local resources like
|
||||
// e.g. chrome: or resource:
|
||||
if (targetScheme.EqualsLiteral("moz-icon")) {
|
||||
return NS_OK;
|
||||
}
|
||||
}
|
||||
|
||||
if (targetScheme.EqualsLiteral("resource")) {
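Review bot: The `security_caps_allow_uri_is_ui_resource_in_checkloaduriflags()` branch inside `if (sourceIsUIResource)` is a full kill switch — when the pref is true the function returns NS_OK before the moz-icon special case and before the `resource` check that follows, which restores the pre-patch "any UI-resource source may link to any UI-resource target" rule, yet the TODO above it only says the pref should be removed. I would say so explicitly so nobody later flips it as a harmless compatibility knob: `// Kill switch, default false: when enabled, any UI-resource source may link to any UI-resource target (the pre-Bug-1145314 behaviour); remove with Bug 1654488.`. The moz-icon early return also deserves a one-line why, since it is now the only unconditional UI-resource-to-UI-resource allowance; if the reasoning is that moz-icon targets are only ever rendered as images and never as documents, `// moz-icon: targets are rendered as images, never as documents, so UI resources may always reference them` would capture it, but I cannot confirm that from this hunk. The comment block placed ahead of the `ALLOW_CHROME` check, which appears to be the new wording, reads `as long they're not loading it as a document` and is missing an "as". CheckLoadURIFlags begins and ends outside the hunk.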
|
||||
|
@ -9053,6 +9053,14 @@
|
||||
value: 40
|
||||
mirror: always
|
||||
|
||||
# Allows loading ui resources in CheckLoadURIFlags
|
||||
# TODO Bug 1654488: Remove pref in CheckLoadURIFlags
|
||||
# which allows all UI resources to load
|
||||
- name: security.caps.allow_uri_is_ui_resource_in_checkloaduriflags
|
||||
type: bool
|
||||
value: false
|
||||
mirror: always
|
||||
|
||||
# TODO: Bug 1324406: Treat 'data:' documents as unique, opaque origins
|
||||
# If true, data: URIs will be treated as unique opaque origins, hence will use
|
||||
# a NullPrincipal as the security context.
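Review bot: The description of `security.caps.allow_uri_is_ui_resource_in_checkloaduriflags` says only `Allows loading ui resources in CheckLoadURIFlags`, which does not tell a reader that enabling it re-opens the exact rule this commit removes, nor that false is the intended shipping value. I would replace the three comment lines with `# Kill switch (default false) for the legacy CheckLoadURIFlags rule that let any URI_IS_UI_RESOURCE source link to any URI_IS_UI_RESOURCE target when ALLOW_CHROME is set; do not enable outside regression testing. TODO Bug 1654488: remove this pref and the branch that reads it.`. The hunk only adds the pref definition, so the behaviour claim is taken from the companion change in nsScriptSecurityManager.cpp rather than from these lines.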
|
||||
|