Bug 1460538, r=valentin

Differential Revision: https://phabricator.services.mozilla.com/D4469 --HG-- extra : rebase_source : 8653345c4029df4a9b80b268f1f23b628b158f77
2018-08-29 14:43:37 +01:00 · 2018-08-29 14:43:37 +01:00 · a7895c75ea
--- a/modules/libjar/nsJARChannel.cpp
+++ b/modules/libjar/nsJARChannel.cpp
@ -1122,6 +1122,25 @@ nsJARChannel::OnStartRequest(nsIRequest *req, nsISupports *ctx)
    mRequest = req;
    nsresult rv = mListener->OnStartRequest(this, mListenerContext);
    mRequest = nullptr;
+    NS_ENSURE_SUCCESS(rv, rv);
+
+    // Restrict loadable content types.
+    nsAutoCString contentType;
+    GetContentType(contentType);
+    auto contentPolicyType = mLoadInfo->GetExternalContentPolicyType();
+    if (contentType.Equals(APPLICATION_HTTP_INDEX_FORMAT) &&
+        contentPolicyType != nsIContentPolicy::TYPE_DOCUMENT &&
+        contentPolicyType != nsIContentPolicy::TYPE_FETCH) {
+      return NS_ERROR_CORRUPTED_CONTENT;
+    }
+    if (contentPolicyType == nsIContentPolicy::TYPE_STYLESHEET &&
+        !contentType.EqualsLiteral(TEXT_CSS)) {
+      return NS_ERROR_CORRUPTED_CONTENT;
+    }
+    if (contentPolicyType == nsIContentPolicy::TYPE_SCRIPT &&
+        !nsContentUtils::IsJavascriptMIMEType(NS_ConvertUTF8toUTF16(contentType))) {
+      return NS_ERROR_CORRUPTED_CONTENT;
+    }

    return rv;
 }