From 378ee2cb3cb2907f8e2c1363d2541f4a276bdd95 Mon Sep 17 00:00:00 2001
From: Christoph Kerschbaumer
Date: Thu, 2 Jul 2020 08:17:17 +0000
Subject: [PATCH] Bug 1145314: Lock down CheckLoadURIFlags by dropping the check that lets any URI_IS_UI_RESOURCE URL link to any other URL with that flag. r=bholley
Differential Revision: https://phabricator.services.mozilla.com/D80601
---
 caps/nsScriptSecurityManager.cpp | 22 +++++-----------------
 1 file changed, 5 insertions(+), 17 deletions(-)
diff --git a/caps/nsScriptSecurityManager.cpp b/caps/nsScriptSecurityManager.cpp
index 99742118c8ee..511a2e71f59b 100644
--- a/caps/nsScriptSecurityManager.cpp
+++ b/caps/nsScriptSecurityManager.cpp
@@ -881,24 +881,12 @@ nsresult nsScriptSecurityManager::CheckLoadURIFlags(
                            &targetURIIsUIResource);
   NS_ENSURE_SUCCESS(rv, rv);
   if (targetURIIsUIResource) {
+    // ALLOW_CHROME is a flag that we pass on all loads _except_ docshell
+    // loads (since docshell loads run the loaded content with its origin
+    // principal). We are effectively allowing resource:// and chrome://
+    // URIs to load as long as they are content accessible and as long
+    // they're not loading it as a document.
     if (aFlags & nsIScriptSecurityManager::ALLOW_CHROME) {
-      // Allow a URI_IS_UI_RESOURCE source to link to a URI_IS_UI_RESOURCE
-      // target if ALLOW_CHROME is set.
-      //
-      // ALLOW_CHROME is a flag that we pass on all loads _except_ docshell
-      // loads (since docshell loads run the loaded content with its origin
-      // principal). So we're effectively allowing resource://, chrome://,
-      // and moz-icon:// source URIs to load resource://, chrome://, and
-      // moz-icon:// files, so long as they're not loading it as a document.
-      bool sourceIsUIResource;
-      rv = NS_URIChainHasFlags(aSourceBaseURI,
-                               nsIProtocolHandler::URI_IS_UI_RESOURCE,
-                               &sourceIsUIResource);
-      NS_ENSURE_SUCCESS(rv, rv);
-      if (sourceIsUIResource) {
-        return NS_OK;
-      }
-
       if (targetScheme.EqualsLiteral("resource")) {
         if (StaticPrefs::security_all_resource_uri_content_accessible()) {
           return NS_OK;
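Review bot: The new comment placed above `if (aFlags & nsIScriptSecurityManager::ALLOW_CHROME)` has a grammar slip and silently drops a scheme the deleted text covered; the last two lines should read `// URIs to load as long as they are content accessible and as long as` / `// they're not loading it as a document.`, and since the removed comment listed moz-icon:// as a URI_IS_UI_RESOURCE scheme, it is worth stating which branch a moz-icon:// target now falls into (the chrome:// handling and anything after the resource:// branch are below this hunk, so I cannot see whether one exists). On the security side, removing the source-side `NS_URIChainHasFlags(aSourceBaseURI, URI_IS_UI_RESOURCE)` shortcut is the intended lock-down: a non-system UI-resource source such as a content-accessible resource:// page can no longer reach an arbitrary chrome:// target merely because both carry the flag, and must instead pass the content-accessible checks that follow. That presumes legitimate chrome→chrome links arrive under the system principal and are short-circuited before this point; nothing in the hunk guarantees it, so a test covering a chrome:// caller with a non-content-accessible chrome:// target would pin the intended behaviour. CheckLoadURIFlags both begins and ends outside the hunk.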