From ed4fe6b936bb461e13233d8c5f970fd0414c52f0 Mon Sep 17 00:00:00 2001
From: Christoph Kerschbaumer
Date: Tue, 15 Sep 2020 07:30:26 +0000
Subject: [PATCH] Bug 1145314: Lock down CheckLoadURIFlags by dropping the check that lets any URI_IS_UI_RESOURCE URL link to any other URL with that flag. r=bholley

Differential Revision: https://phabricator.services.mozilla.com/D80601
---
 caps/nsScriptSecurityManager.cpp         | 27 +++++++++++++++---------
 modules/libpref/init/StaticPrefList.yaml |  8 +++++++
 2 files changed, 25 insertions(+), 10 deletions(-)

diff --git a/caps/nsScriptSecurityManager.cpp b/caps/nsScriptSecurityManager.cpp
index f145ceaad34f..5d0431e190fa 100644
--- a/caps/nsScriptSecurityManager.cpp
+++ b/caps/nsScriptSecurityManager.cpp
@@ -877,22 +877,29 @@ nsresult nsScriptSecurityManager::CheckLoadURIFlags(
                               &targetURIIsUIResource);
   NS_ENSURE_SUCCESS(rv, rv);
   if (targetURIIsUIResource) {
+    // ALLOW_CHROME is a flag that we pass on all loads _except_ docshell
+    // loads (since docshell loads run the loaded content with its origin
+    // principal). We are effectively allowing resource:// and chrome://
+    // URIs to load as long as they are content accessible and as long
+    // they're not loading it as a document.
     if (aFlags & nsIScriptSecurityManager::ALLOW_CHROME) {
-      // Allow a URI_IS_UI_RESOURCE source to link to a URI_IS_UI_RESOURCE
-      // target if ALLOW_CHROME is set.
-      //
-      // ALLOW_CHROME is a flag that we pass on all loads _except_ docshell
-      // loads (since docshell loads run the loaded content with its origin
-      // principal). So we're effectively allowing resource://, chrome://,
-      // and moz-icon:// source URIs to load resource://, chrome://, and
-      // moz-icon:// files, so long as they're not loading it as a document.
-      bool sourceIsUIResource;
+      bool sourceIsUIResource = false;
       rv = NS_URIChainHasFlags(aSourceBaseURI,
                                nsIProtocolHandler::URI_IS_UI_RESOURCE,
                                &sourceIsUIResource);
       NS_ENSURE_SUCCESS(rv, rv);
       if (sourceIsUIResource) {
-        return NS_OK;
+        // TODO Bug 1654488: Remove pref in CheckLoadURIFlags which
+        // allows all UI resources to load
+        if (StaticPrefs:: security_caps_allow_uri_is_ui_resource_in_checkloaduriflags()) {
+          return NS_OK;
+        }
+        // Special case for moz-icon URIs loaded by a local resources like
+        // e.g. chrome: or resource:
+        if (targetScheme.EqualsLiteral("moz-icon")) {
+          return NS_OK;
+        }
       }
 
       if (targetScheme.EqualsLiteral("resource")) {
diff --git a/modules/libpref/init/StaticPrefList.yaml b/modules/libpref/init/StaticPrefList.yaml
index b6b8df824c30..e3dbe90e7a0e 100644
--- a/modules/libpref/init/StaticPrefList.yaml
+++ b/modules/libpref/init/StaticPrefList.yaml
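Review bot: The new early return at `if (targetScheme.EqualsLiteral("moz-icon")) { return NS_OK; }` accepts any moz-icon: target from any UI-resource source on the scheme string alone, skipping the per-scheme checks that follow; nothing in the hunk shows what (if anything) constrains the URI a moz-icon: target may wrap, so the comment should state why that is safe rather than only that it is a special case, e.g. `// moz-icon: is accepted here without inspecting the wrapped URI because <reason>; keep this in sync with the moz-icon protocol handler`. If the wrapped URI can be something a chrome:/resource: page could not otherwise link to, this branch should check it instead of returning unconditionally. The relocated header comment also claims resource://chrome:// loads are allowed "as long as they are content accessible", but no contentaccessible check is visible in this hunk; presumably it lives in the `resource` branch below, and the comment would be clearer if it said so. CheckLoadURIFlags starts before and continues after this hunk.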
@@ -9053,6 +9053,14 @@
   value: 40
   mirror: always
 
+# Allows loading ui resources in CheckLoadURIFlags
+# TODO Bug 1654488: Remove pref in CheckLoadURIFlags
+# which allows all UI resources to load
+- name: security.caps.allow_uri_is_ui_resource_in_checkloaduriflags
+  type: bool
+  value: false
+  mirror: always
+
 # TODO: Bug 1324406: Treat 'data:' documents as unique, opaque origins
 # If true, data: URIs will be treated as unique opaque origins, hence will use
 # a NullPrincipal as the security context.
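Review bot: The description `# Allows loading ui resources in CheckLoadURIFlags` does not say that this pref is a temporary kill switch that, when flipped to true, reinstates the pre-Bug 1145314 behaviour the commit is removing (any URI_IS_UI_RESOURCE source may link to any URI_IS_UI_RESOURCE target), which is what someone grepping prefs during an incident needs to know. Suggest `# Kill switch (Bug 1145314): when true, CheckLoadURIFlags again lets any URI_IS_UI_RESOURCE source link to any URI_IS_UI_RESOURCE target. Default false; do not enable except to diagnose regressions.` and keep the existing Bug 1654488 removal TODO beneath it.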