Bug 1330035 - Explicitly use javascript: instead of URI_INHERITS_SECURITY_CONTEXT within subjectToCSP(). r=dveditz

2017-01-12 09:42:23 +01:00 · 2017-01-12 09:42:23 +01:00 · 0c9692f60f
--- a/dom/security/nsCSPService.cpp
+++ b/dom/security/nsCSPService.cpp
@ -73,19 +73,22 @@ subjectToCSP(nsIURI* aURI, nsContentPolicyType aContentType) {
  if (NS_SUCCEEDED(rv) && match) {
    return true;
  }
-  // finally we have to whitelist "about:" which does not fall in
-  // any of the two categories underneath but is not subject to CSP.
+
+  // Finally we have to whitelist "about:" which does not fall into
+  // the category underneath and also "javascript:" which is not
+  // subject to CSP content loading rules.
  rv = aURI->SchemeIs("about", &match);
  if (NS_SUCCEEDED(rv) && match) {
    return false;
  }
+  rv = aURI->SchemeIs("javascript", &match);
+  if (NS_SUCCEEDED(rv) && match) {
+    return false;
+  }

  // Other protocols are not subject to CSP and can be whitelisted:
  // * URI_IS_LOCAL_RESOURCE
  //   e.g. chrome:, data:, blob:, resource:, moz-icon:
-  // * URI_INHERITS_SECURITY_CONTEXT
-  //   e.g. javascript:
-  //
  // Please note that it should be possible for websites to
  // whitelist their own protocol handlers with respect to CSP,
  // hence we use protocol flags to accomplish that.
@ -93,10 +96,6 @@ subjectToCSP(nsIURI* aURI, nsContentPolicyType aContentType) {
  if (NS_SUCCEEDED(rv) && match) {
    return false;
  }
-  rv = NS_URIChainHasFlags(aURI, nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT, &match);
-  if (NS_SUCCEEDED(rv) && match) {
-    return false;
-  }
  // all other protocols are subject To CSP.
  return true;
 }