Bug 1145314: Lock down CheckLoadURIFlags by dropping the check that lets any URI_IS_UI_RESOURCE URL link to any other URL with that flag. r=bholley

Differential Revision: https://phabricator.services.mozilla.com/D80601
This commit is contained in:
Christoph Kerschbaumer 2020-09-15 07:30:26 +00:00
parent 7effeb6cde
commit ed4fe6b936
2 changed files with 25 additions and 10 deletions

View File

@ -877,22 +877,29 @@ nsresult nsScriptSecurityManager::CheckLoadURIFlags(
&targetURIIsUIResource);
NS_ENSURE_SUCCESS(rv, rv);
if (targetURIIsUIResource) {
// ALLOW_CHROME is a flag that we pass on all loads _except_ docshell
// loads (since docshell loads run the loaded content with its origin
// principal). We are effectively allowing resource:// and chrome://
// URIs to load as long as they are content accessible and as long
// they're not loading it as a document.
if (aFlags & nsIScriptSecurityManager::ALLOW_CHROME) {
// Allow a URI_IS_UI_RESOURCE source to link to a URI_IS_UI_RESOURCE
// target if ALLOW_CHROME is set.
//
// ALLOW_CHROME is a flag that we pass on all loads _except_ docshell
// loads (since docshell loads run the loaded content with its origin
// principal). So we're effectively allowing resource://, chrome://,
// and moz-icon:// source URIs to load resource://, chrome://, and
// moz-icon:// files, so long as they're not loading it as a document.
bool sourceIsUIResource;
bool sourceIsUIResource = false;
rv = NS_URIChainHasFlags(aSourceBaseURI,
nsIProtocolHandler::URI_IS_UI_RESOURCE,
&sourceIsUIResource);
NS_ENSURE_SUCCESS(rv, rv);
if (sourceIsUIResource) {
return NS_OK;
// TODO Bug 1654488: Remove pref in CheckLoadURIFlags which
// allows all UI resources to load
if (StaticPrefs::
security_caps_allow_uri_is_ui_resource_in_checkloaduriflags()) {
return NS_OK;
}
// Special case for moz-icon URIs loaded by a local resources like
// e.g. chrome: or resource:
if (targetScheme.EqualsLiteral("moz-icon")) {
return NS_OK;
}
}
if (targetScheme.EqualsLiteral("resource")) {

View File

@ -9053,6 +9053,14 @@
value: 40
mirror: always
# Allows loading ui resources in CheckLoadURIFlags
# TODO Bug 1654488: Remove pref in CheckLoadURIFlags
# which allows all UI resources to load
- name: security.caps.allow_uri_is_ui_resource_in_checkloaduriflags
type: bool
value: false
mirror: always
# TODO: Bug 1324406: Treat 'data:' documents as unique, opaque origins
# If true, data: URIs will be treated as unique opaque origins, hence will use
# a NullPrincipal as the security context.