Bug 1145314: Lock down CheckLoadURIFlags by dropping the check that lets any URI_IS_UI_RESOURCE URL link to any other URL with that flag. r=bholley

Differential Revision: https://phabricator.services.mozilla.com/D80601
2020-09-15 07:30:26 +00:00 · 2020-09-15 07:30:26 +00:00 · ed4fe6b936
--- a/caps/nsScriptSecurityManager.cpp
+++ b/caps/nsScriptSecurityManager.cpp
@ -877,22 +877,29 @@ nsresult nsScriptSecurityManager::CheckLoadURIFlags(
                           &targetURIIsUIResource);
  NS_ENSURE_SUCCESS(rv, rv);
  if (targetURIIsUIResource) {
+    // ALLOW_CHROME is a flag that we pass on all loads _except_ docshell
+    // loads (since docshell loads run the loaded content with its origin
+    // principal). We are effectively allowing resource:// and chrome://
+    // URIs to load as long as they are content accessible and as long
+    // they're not loading it as a document.
    if (aFlags & nsIScriptSecurityManager::ALLOW_CHROME) {
-      // Allow a URI_IS_UI_RESOURCE source to link to a URI_IS_UI_RESOURCE
-      // target if ALLOW_CHROME is set.
-      //
-      // ALLOW_CHROME is a flag that we pass on all loads _except_ docshell
-      // loads (since docshell loads run the loaded content with its origin
-      // principal). So we're effectively allowing resource://, chrome://,
-      // and moz-icon:// source URIs to load resource://, chrome://, and
-      // moz-icon:// files, so long as they're not loading it as a document.
-      bool sourceIsUIResource;
+      bool sourceIsUIResource = false;
      rv = NS_URIChainHasFlags(aSourceBaseURI,
                               nsIProtocolHandler::URI_IS_UI_RESOURCE,
                               &sourceIsUIResource);
      NS_ENSURE_SUCCESS(rv, rv);
      if (sourceIsUIResource) {
-        return NS_OK;
+        // TODO Bug 1654488: Remove pref in CheckLoadURIFlags which
+        // allows all UI resources to load
+        if (StaticPrefs::
+                security_caps_allow_uri_is_ui_resource_in_checkloaduriflags()) {
+          return NS_OK;
+        }
+        // Special case for moz-icon URIs loaded by a local resources like
+        // e.g. chrome: or resource:
+        if (targetScheme.EqualsLiteral("moz-icon")) {
+          return NS_OK;
+        }
      }

      if (targetScheme.EqualsLiteral("resource")) {
--- a/modules/libpref/init/StaticPrefList.yaml
+++ b/modules/libpref/init/StaticPrefList.yaml
@ -9053,6 +9053,14 @@
  value: 40
  mirror: always

+# Allows loading ui resources in CheckLoadURIFlags
+# TODO Bug 1654488: Remove pref in CheckLoadURIFlags
+#      which allows all UI resources to load
+- name: security.caps.allow_uri_is_ui_resource_in_checkloaduriflags
+  type: bool
+  value: false
+  mirror: always
+
 # TODO: Bug 1324406: Treat 'data:' documents as unique, opaque origins
 # If true, data: URIs will be treated as unique opaque origins, hence will use
 # a NullPrincipal as the security context.