зеркало из https://github.com/mozilla/gecko-dev.git
Bug 1573720
- Convert security.view-source.reachable-from-inner-protocol to a static pref. r=bzbarsky
Differential Revision: https://phabricator.services.mozilla.com/D41912 --HG-- extra : moz-landing-system : lando
This commit is contained in:
Родитель
28020e4832
Коммит
5e22e64603
|
@ -676,24 +676,13 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
|
|||
rv = sourceBaseURI->GetScheme(sourceScheme);
|
||||
if (NS_FAILED(rv)) return rv;
|
||||
|
||||
// When comparing schemes, if the relevant pref is set, view-source URIs
|
||||
// are reachable from same-protocol (so e.g. file: can link to
|
||||
// view-source:file). This is required for reftests.
|
||||
static bool sViewSourceReachableFromInner = false;
|
||||
static bool sCachedViewSourcePref = false;
|
||||
if (!sCachedViewSourcePref) {
|
||||
sCachedViewSourcePref = true;
|
||||
mozilla::Preferences::AddBoolVarCache(
|
||||
&sViewSourceReachableFromInner,
|
||||
"security.view-source.reachable-from-inner-protocol");
|
||||
}
|
||||
|
||||
if (sourceScheme.LowerCaseEqualsLiteral(NS_NULLPRINCIPAL_SCHEME)) {
|
||||
// A null principal can target its own URI.
|
||||
if (sourceURI == aTargetURI) {
|
||||
return NS_OK;
|
||||
}
|
||||
} else if (sViewSourceReachableFromInner &&
|
||||
} else if (StaticPrefs::
|
||||
security_view_source_reachable_from_inner_protocol() &&
|
||||
sourceScheme.EqualsIgnoreCase(targetScheme.get()) &&
|
||||
aTargetURI->SchemeIs("view-source")) {
|
||||
// exception for foo: linking to view-source:foo for reftests...
|
||||
|
|
|
@ -6295,6 +6295,14 @@
|
|||
mirror: always
|
||||
#endif
|
||||
|
||||
# When comparing schemes, if this pref is set, view-source URIs are reachable
|
||||
# from same-protocol (so e.g. file: can link to view-source:file). This is
|
||||
# required for reftests.
|
||||
- name: security.view-source.reachable-from-inner-protocol
|
||||
type: bool
|
||||
value: false
|
||||
mirror: always
|
||||
|
||||
# Hardware Origin-bound Second Factor Support
|
||||
- name: security.webauth.webauthn
|
||||
type: bool
|
||||
|
|
|
@ -2596,10 +2596,6 @@ pref("security.cert_pinning.enforcement_level", 0);
|
|||
// for tests.
|
||||
pref("security.cert_pinning.process_headers_from_non_builtin_roots", false);
|
||||
|
||||
// If set to true, allow view-source URIs to be opened from URIs that share
|
||||
// their protocol with the inner URI of the view-source URI
|
||||
pref("security.view-source.reachable-from-inner-protocol", false);
|
||||
|
||||
// If set to true strict checks will happen on the triggering principal for loads.
|
||||
// Android is disabled at the moment pending Bug 1504968
|
||||
#if !defined(RELEASE_OR_BETA) && !defined(ANDROID)
|
||||
|
|
Загрузка…
Ссылка в новой задаче