зеркало из https://github.com/mozilla/gecko-dev.git
Bug 1633710 - principal.URI in Sanitizer.jsm r=ckerschb,johannh
Differential Revision: https://phabricator.services.mozilla.com/D75801
Родитель
2f7bc0f0ff
Коммит
147fdbb684
|
@ -782,8 +782,7 @@ class PrincipalsCollector {
|
||||||
let principal = Services.scriptSecurityManager.createContentPrincipalFromOrigin(
|
let principal = Services.scriptSecurityManager.createContentPrincipalFromOrigin(
|
||||||
origin
|
origin
|
||||||
);
|
);
|
||||||
let uri = principal.URI;
|
if (isSupportedPrincipal(principal)) {
|
||||||
if (isSupportedURI(uri)) {
|
|
||||||
list.push(principal);
|
list.push(principal);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -951,13 +950,13 @@ async function sanitizeOnShutdown(progress) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// We consider just permissions set for http, https and file URLs.
|
// We consider just permissions set for http, https and file URLs.
|
||||||
if (!isSupportedURI(permission.principal.URI)) {
|
if (!isSupportedPrincipal(permission.principal)) {
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
log(
|
log(
|
||||||
"Custom session cookie permission detected for: " +
|
"Custom session cookie permission detected for: " +
|
||||||
permission.principal.URI.spec
|
permission.principal.asciiSpec
|
||||||
);
|
);
|
||||||
exceptions++;
|
exceptions++;
|
||||||
|
|
||||||
|
@ -965,7 +964,7 @@ async function sanitizeOnShutdown(progress) {
|
||||||
let principals = await principalsCollector.getAllPrincipals(progress);
|
let principals = await principalsCollector.getAllPrincipals(progress);
|
||||||
let selectedPrincipals = extractMatchingPrincipals(
|
let selectedPrincipals = extractMatchingPrincipals(
|
||||||
principals,
|
principals,
|
||||||
permission.principal.URI
|
permission.principal.host
|
||||||
);
|
);
|
||||||
await maybeSanitizeSessionPrincipals(progress, selectedPrincipals);
|
await maybeSanitizeSessionPrincipals(progress, selectedPrincipals);
|
||||||
}
|
}
|
||||||
|
@ -974,9 +973,9 @@ async function sanitizeOnShutdown(progress) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Extracts the principals matching matchUri as root domain.
|
// Extracts the principals matching matchUri as root domain.
|
||||||
function extractMatchingPrincipals(principals, matchUri) {
|
function extractMatchingPrincipals(principals, matchHost) {
|
||||||
return principals.filter(principal => {
|
return principals.filter(principal => {
|
||||||
return Services.eTLD.hasRootDomain(matchUri.host, principal.URI.host);
|
return Services.eTLD.hasRootDomain(matchHost, principal.host);
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1003,7 +1002,7 @@ async function maybeSanitizeSessionPrincipals(progress, principals) {
|
||||||
}
|
}
|
||||||
|
|
||||||
function cookiesAllowedForDomainOrSubDomain(principal) {
|
function cookiesAllowedForDomainOrSubDomain(principal) {
|
||||||
log("Checking principal: " + principal.URI.spec);
|
log("Checking principal: " + principal.asciispec);
|
||||||
|
|
||||||
// If we have the 'cookie' permission for this principal, let's return
|
// If we have the 'cookie' permission for this principal, let's return
|
||||||
// immediately.
|
// immediately.
|
||||||
|
@ -1033,15 +1032,13 @@ function cookiesAllowedForDomainOrSubDomain(principal) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// We consider just permissions set for http, https and file URLs.
|
// We consider just permissions set for http, https and file URLs.
|
||||||
if (!isSupportedURI(perm.principal.URI)) {
|
if (!isSupportedPrincipal(perm.principal)) {
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
// We don't care about scheme, port, and anything else.
|
// We don't care about scheme, port, and anything else.
|
||||||
if (
|
if (Services.eTLD.hasRootDomain(perm.principal.host, principal.host)) {
|
||||||
Services.eTLD.hasRootDomain(perm.principal.URI.host, principal.URI.host)
|
log("Recursive cookie check on principal: " + perm.principal.asciiSpec);
|
||||||
) {
|
|
||||||
log("Recursive cookie check on principal: " + perm.principal.URI.spec);
|
|
||||||
return cookiesAllowedForDomainOrSubDomain(perm.principal);
|
return cookiesAllowedForDomainOrSubDomain(perm.principal);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -1051,7 +1048,7 @@ function cookiesAllowedForDomainOrSubDomain(principal) {
|
||||||
}
|
}
|
||||||
|
|
||||||
async function sanitizeSessionPrincipal(progress, principal) {
|
async function sanitizeSessionPrincipal(progress, principal) {
|
||||||
log("Sanitizing principal: " + principal.URI.spec);
|
log("Sanitizing principal: " + principal.asciispec);
|
||||||
|
|
||||||
await new Promise(resolve => {
|
await new Promise(resolve => {
|
||||||
progress.sanitizePrincipal = "started";
|
progress.sanitizePrincipal = "started";
|
||||||
|
@ -1161,6 +1158,6 @@ async function clearData(range, flags) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
function isSupportedURI(uri) {
|
function isSupportedPrincipal(principal) {
|
||||||
return uri.scheme == "http" || uri.scheme == "https" || uri.scheme == "file";
|
return ["http", "https", "file"].some(scheme => principal.schemeIs(scheme));
|
||||||
}
|
}
|
||||||
|
|
|
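Review bot: The new log lines at the top of `cookiesAllowedForDomainOrSubDomain` and `sanitizeSessionPrincipal` read `principal.asciispec`, but the attribute this commit exposes on nsIPrincipal is spelled `asciiSpec`, which is the spelling the other two new log calls (in `sanitizeOnShutdown` and the recursive-check branch) use. With the lowercase name the lookup presumably yields `undefined`, so both messages would print "undefined" instead of the principal and the shutdown log would lose the record of which origin was checked or cleared. Change them to `log("Checking principal: " + principal.asciiSpec);` and `log("Sanitizing principal: " + principal.asciiSpec);`. The comment above `extractMatchingPrincipals` also still names the old parameter and should read `// Extracts the principals matching matchHost as root domain.`. Both function bodies continue outside their hunks.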
@ -255,7 +255,7 @@ interface nsIPrincipal : nsISerializable
|
||||||
* Returns the "host" portion of the
|
* Returns the "host" portion of the
|
||||||
* Principals URI, if any.
|
* Principals URI, if any.
|
||||||
*/
|
*/
|
||||||
[noscript] readonly attribute ACString host;
|
readonly attribute ACString host;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Returns the prepath of the principals uri
|
* Returns the prepath of the principals uri
|
||||||
|
@ -277,7 +277,7 @@ interface nsIPrincipal : nsISerializable
|
||||||
* WARNING: DO NOT USE FOR SECURITY CHECKS.
|
* WARNING: DO NOT USE FOR SECURITY CHECKS.
|
||||||
* just for logging purposes!
|
* just for logging purposes!
|
||||||
*/
|
*/
|
||||||
[noscript] readonly attribute ACString asciiSpec;
|
readonly attribute ACString asciiSpec;
|
||||||
|
|
||||||
/* Returns the Pre Path of the Principals URI with
|
/* Returns the Pre Path of the Principals URI with
|
||||||
* user:pass stripped for privacy and spoof prevention
|
* user:pass stripped for privacy and spoof prevention
|
||||||
|
|
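Review bot: The doc comment on `host` only says "if any" and does not state what a caller receives for a principal without a host, which matters now that dropping `[noscript]` makes it reachable from JS. Sanitizer.jsm in this same commit passes it to `Services.eTLD.hasRootDomain` to decide which principals' session data gets cleared, and `file` principals pass `isSupportedPrincipal` but may have no host. I would extend the comment with something like `* Returns an empty string if the principal has no URI or the URI has no host.`, assuming that is what the implementation does, since it is not visible here. `asciiSpec` keeps its "DO NOT USE FOR SECURITY CHECKS" warning, and the JS visible on this page uses it only inside `log()` calls, which is consistent with that. The interface body starts and ends outside these hunks.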