Bug 628747: (patch v2) Disallow SVG-as-an-image from loading external resources, unless we're sure they won't hit the network. r=bz r=roc a=roc

content/base/src/nsDataDocumentContentPolicy.cpp

@@ -42,6 +42,8 @@
  */
 
 #include "nsDataDocumentContentPolicy.h"
+#include "nsNetUtil.h"
+#include "nsScriptSecurityManager.h"
 #include "nsIDocument.h"
 #include "nsINode.h"
 #include "nsIDOMWindow.h"
@@ -84,6 +86,32 @@ nsDataDocumentContentPolicy::ShouldLoad(PRUint32 aContentType,
     return NS_OK;
   }
 
+  // Allow local resources for SVG-as-an-image documents, but disallow
+  // everything else, to prevent data leakage
+  if (doc->IsBeingUsedAsImage()) {
+    PRBool hasFlags;
+    nsresult rv = NS_URIChainHasFlags(aContentLocation,
+                                      nsIProtocolHandler::URI_IS_LOCAL_RESOURCE,
+                                      &hasFlags);
+    if (NS_FAILED(rv) || !hasFlags) {
+      // resource is not local (or we couldn't tell) - reject!
+      *aDecision = nsIContentPolicy::REJECT_TYPE;
+
+      // report error, if we can.
+      if (node) {
+        nsIPrincipal* requestingPrincipal = node->NodePrincipal();
+        nsRefPtr<nsIURI> principalURI;
+        rv = requestingPrincipal->GetURI(getter_AddRefs(principalURI));
+        if (NS_SUCCEEDED(rv) && principalURI) {
+          nsScriptSecurityManager::ReportError(
+            nsnull, NS_LITERAL_STRING("CheckSameOriginError"), principalURI,
+            aContentLocation);
+        }
+      }
+    }
+    return NS_OK;
+  }
+
   // Allow all loads for non-external-resource documents
   if (!doc->GetDisplayDocument()) {
     return NS_OK;

layout/reftests/svg/as-image/blue100x100.svg

@@ -0,0 +1,4 @@
+<svg xmlns="http://www.w3.org/2000/svg" version="1.1"
+     width="100" height="100">
+  <rect width="100%" height="100%" fill="blue"/>
+</svg>

layout/reftests/svg/as-image/reftest.list

@@ -88,3 +88,13 @@ random-if(cocoaWidget&&layersGPUAccelerated) random-if(d2d) == img-width-slice-2
 == svg-image-recursive-1b.svg  svg-image-recursive-1-ref.svg
 == svg-image-recursive-2a.svg  svg-image-recursive-2-ref.svg
 == svg-image-recursive-2b.html svg-image-recursive-2-ref.svg
+
+# tests for external resources vs. data URIs in SVG as an image
+== svg-image-datauri-1.html            lime100x100.svg
+HTTP == svg-image-datauri-1.html       lime100x100.svg
+== svg-image-external-1.html           lime100x100.svg
+HTTP == svg-image-external-1.html      blue100x100.svg
+== svg-stylesheet-datauri-1.html       lime100x100.svg
+HTTP == svg-stylesheet-datauri-1.html  lime100x100.svg
+== svg-stylesheet-external-1.html      lime100x100.svg
+HTTP == svg-stylesheet-external-1.html blue100x100.svg

layout/reftests/svg/as-image/svg-image-datauri-1.html

@@ -0,0 +1,5 @@
+<html>
+<body style="margin: 0">
+  <img src="svg-image-datauri.svg">
+</body>
+</html>

layout/reftests/svg/as-image/svg-image-datauri.svg

@@ -0,0 +1,8 @@
+<svg xmlns="http://www.w3.org/2000/svg"
+     xmlns:xlink="http://www.w3.org/1999/xlink"
+     width="100" height="100">
+  <!-- This blue rect should always be covered up by the <image>: -->
+  <circle cx="50" cy="50" r="50" fill="blue"/>
+  <image width="100" height="100"
+         xlink:href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAGQAAABkCAYAAABw4pVUAAAAAXNSR0IArs4c6QAAAKJJREFUeNrt0QENAAAIw7CDf89gg5BOwlqZTHSmtgCIgAARECACAkRAgAiIgAARECACAkRAgAiIgAARECACAkRAgAiIgAARECACAkRAgAiIgAARECACAkRAgAiIgAARECACAkRAgAiIgAARECACAkRAgAiIgAARECACAkRAgAiIgAARECACAkRAgAiIgAARECACAkRAgAgIEAERECACAkRAvrfrTQLGaH3qbAAAAABJRU5ErkJggg%3D%3D"/>
+</svg>

layout/reftests/svg/as-image/svg-image-external-1.html

@@ -0,0 +1,5 @@
+<html>
+<body style="margin: 0">
+  <img src="svg-image-external.svg">
+</body>
+</html>

layout/reftests/svg/as-image/svg-image-external.svg

@@ -0,0 +1,10 @@
+<svg xmlns="http://www.w3.org/2000/svg"
+     xmlns:xlink="http://www.w3.org/1999/xlink"
+     width="100" height="100">
+  <!-- This blue rect should be covered up by the <image> when this SVG is
+       loaded as an image by a local document, but not when the document is
+       served over HTTP: -->
+  <rect width="100" height="100" fill="blue"/>
+  <image width="100" height="100"
+         xlink:href="lime100x100.png"/>
+</svg>

layout/reftests/svg/as-image/svg-stylesheet-datauri-1.html

@@ -0,0 +1,5 @@
+<html>
+<body style="margin: 0">
+  <img src="svg-stylesheet-datauri.svg">
+</body>
+</html>

layout/reftests/svg/as-image/svg-stylesheet-datauri.svg

@@ -0,0 +1,8 @@
+<?xml-stylesheet href="data:text/css,rect%20%7B%20fill%3A%20lime%20%7D%0A"
+                 type="text/css"?>
+<svg xmlns="http://www.w3.org/2000/svg"
+     xmlns:xlink="http://www.w3.org/1999/xlink"
+     width="100" height="100">
+  <!-- This blue rect should always be styled as lime by the stylesheet: -->
+  <rect width="100" height="100" fill="blue"/>
+</svg>

layout/reftests/svg/as-image/svg-stylesheet-external-1.html

@@ -0,0 +1,5 @@
+<html>
+<body style="margin: 0">
+  <img src="svg-stylesheet-external.svg">
+</body>
+</html>

layout/reftests/svg/as-image/svg-stylesheet-external.css

@@ -0,0 +1 @@
+rect { fill: lime }

layout/reftests/svg/as-image/svg-stylesheet-external.svg

@@ -0,0 +1,9 @@
+<?xml-stylesheet href="svg-stylesheet-external.css" type="text/css"?>
+<svg xmlns="http://www.w3.org/2000/svg"
+     xmlns:xlink="http://www.w3.org/1999/xlink"
+     width="100" height="100">
+  <!-- This blue rect should be styled as lime by the stylesheet when this SVG
+       is loaded as an image by a local document, but not when the document is
+       served over HTTP: -->
+  <rect width="100" height="100" fill="blue"/>
+</svg>