Bug 1145314: Lock down CheckLoadURIFlags by dropping the check that lets any URI_IS_UI_RESOURCE URL link to any other URL with that flag. r=bholley

Differential Revision: https://phabricator.services.mozilla.com/D80601
2020-07-03 08:11:59 +00:00 · 2020-07-03 08:11:59 +00:00 · 356a1baeae
--- a/caps/nsScriptSecurityManager.cpp
+++ b/caps/nsScriptSecurityManager.cpp
@ -881,24 +881,12 @@ nsresult nsScriptSecurityManager::CheckLoadURIFlags(
                           &targetURIIsUIResource);
  NS_ENSURE_SUCCESS(rv, rv);
  if (targetURIIsUIResource) {
+    // ALLOW_CHROME is a flag that we pass on all loads _except_ docshell
+    // loads (since docshell loads run the loaded content with its origin
+    // principal). We are effectively allowing resource:// and chrome://
+    // URIs to load as long as they are content accessible and as long
+    // they're not loading it as a document.
    if (aFlags & nsIScriptSecurityManager::ALLOW_CHROME) {
-      // Allow a URI_IS_UI_RESOURCE source to link to a URI_IS_UI_RESOURCE
-      // target if ALLOW_CHROME is set.
-      //
-      // ALLOW_CHROME is a flag that we pass on all loads _except_ docshell
-      // loads (since docshell loads run the loaded content with its origin
-      // principal). So we're effectively allowing resource://, chrome://,
-      // and moz-icon:// source URIs to load resource://, chrome://, and
-      // moz-icon:// files, so long as they're not loading it as a document.
-      bool sourceIsUIResource;
-      rv = NS_URIChainHasFlags(aSourceBaseURI,
-                               nsIProtocolHandler::URI_IS_UI_RESOURCE,
-                               &sourceIsUIResource);
-      NS_ENSURE_SUCCESS(rv, rv);
-      if (sourceIsUIResource) {
-        return NS_OK;
-      }
-
      if (targetScheme.EqualsLiteral("resource")) {
        if (StaticPrefs::security_all_resource_uri_content_accessible()) {
          return NS_OK;