77 lines
3.4 KiB
Diff
77 lines
3.4 KiB
Diff
From ae49ed04f54c2f78d6ba7e545e0099602a3270fa Mon Sep 17 00:00:00 2001
|
|
From: Boris Zbarsky <bzbarsky@mit.edu>
|
|
Date: Thu, 19 Mar 2015 18:58:44 -0400
|
|
Subject: [PATCH] Bug 1144991 - Be a bit more restrictive about when a
|
|
URI_IS_UI_RESOURCE source is allowed to link to a URI_IS_UI_RESOURCE URI that
|
|
doesn't have the same scheme. r=bholley, a=abillings
|
|
|
|
---
|
|
caps/src/nsScriptSecurityManager.cpp | 38 +++++++++++++++++++++++++-----------
|
|
1 file changed, 27 insertions(+), 11 deletions(-)
|
|
|
|
diff --git a/caps/src/nsScriptSecurityManager.cpp b/caps/src/nsScriptSecurityManager.cpp
|
|
index 3587358..6577b95 100644
|
|
--- a/caps/src/nsScriptSecurityManager.cpp
|
|
+++ b/caps/src/nsScriptSecurityManager.cpp
|
|
@@ -770,12 +770,31 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
if (hasFlags) {
|
|
if (aFlags & nsIScriptSecurityManager::ALLOW_CHROME) {
|
|
+
|
|
+ // For now, don't change behavior for resource:// or moz-icon:// and
|
|
+ // just allow them.
|
|
if (!targetScheme.EqualsLiteral("chrome")) {
|
|
- // for now don't change behavior for resource: or moz-icon:
|
|
return NS_OK;
|
|
}
|
|
|
|
- // allow load only if chrome package is whitelisted
|
|
+ // Allow a URI_IS_UI_RESOURCE source to link to a URI_IS_UI_RESOURCE
|
|
+ // target if ALLOW_CHROME is set.
|
|
+ //
|
|
+ // ALLOW_CHROME is a flag that we pass on all loads _except_ docshell
|
|
+ // loads (since docshell loads run the loaded content with its origin
|
|
+ // principal). So we're effectively allowing resource://, chrome://,
|
|
+ // and moz-icon:// source URIs to load resource://, chrome://, and
|
|
+ // moz-icon:// files, so long as they're not loading it as a document.
|
|
+ bool sourceIsUIResource;
|
|
+ rv = NS_URIChainHasFlags(sourceBaseURI,
|
|
+ nsIProtocolHandler::URI_IS_UI_RESOURCE,
|
|
+ &sourceIsUIResource);
|
|
+ NS_ENSURE_SUCCESS(rv, rv);
|
|
+ if (sourceIsUIResource) {
|
|
+ return NS_OK;
|
|
+ }
|
|
+
|
|
+ // Allow the load only if the chrome package is whitelisted.
|
|
nsCOMPtr<nsIXULChromeRegistry> reg(do_GetService(
|
|
NS_CHROMEREGISTRY_CONTRACTID));
|
|
if (reg) {
|
|
@@ -787,17 +806,14 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
|
|
}
|
|
}
|
|
|
|
- // resource: and chrome: are equivalent, securitywise
|
|
- // That's bogus!! Fix this. But watch out for
|
|
- // the view-source stylesheet?
|
|
- bool sourceIsChrome;
|
|
- rv = NS_URIChainHasFlags(sourceBaseURI,
|
|
- nsIProtocolHandler::URI_IS_UI_RESOURCE,
|
|
- &sourceIsChrome);
|
|
- NS_ENSURE_SUCCESS(rv, rv);
|
|
- if (sourceIsChrome) {
|
|
+ // Special-case the hidden window: it's allowed to load
|
|
+ // URI_IS_UI_RESOURCE no matter what. Bug 1145470 tracks removing this.
|
|
+ nsAutoCString sourceSpec;
|
|
+ if (NS_SUCCEEDED(sourceBaseURI->GetSpec(sourceSpec)) &&
|
|
+ sourceSpec.EqualsLiteral("resource://gre-resources/hiddenWindow.html")) {
|
|
return NS_OK;
|
|
}
|
|
+
|
|
if (reportErrors) {
|
|
ReportError(nullptr, errorTag, sourceURI, aTargetURI);
|
|
}
|
|
--
|
|
2.2.1
|
|
|