Bug 1735117 - Restrict systemprincipal from loading type *STYLESHEET* via HTTP, HTTPS r=ckerschb

Differential Revision: https://phabricator.services.mozilla.com/D128057

dom/security/nsContentSecurityManager.cpp

@@ -1121,6 +1121,16 @@ nsresult nsContentSecurityManager::CheckAllowLoadInSystemPrivilegedContext(
       return NS_ERROR_CONTENT_BLOCKED;
     }
   }
+  if (contentPolicyType == ExtContentPolicy::TYPE_STYLESHEET) {
+    if (StaticPrefs::security_disallow_privileged_https_stylesheet_loads() &&
+        (finalURI->SchemeIs("http") || finalURI->SchemeIs("https"))) {
+#ifdef DEBUG
+      MOZ_CRASH("Disallowing SystemPrincipal load of stylesheets on HTTP(S).");
+#endif
+      aChannel->Cancel(NS_ERROR_CONTENT_BLOCKED);
+      return NS_ERROR_CONTENT_BLOCKED;
+    }
+  }
 
   if (cancelNonLocalSystemPrincipal) {
     MOZ_ASSERT(false, "SystemPrincipal must not load remote documents.");

modules/libpref/init/StaticPrefList.yaml

@@ -10948,6 +10948,13 @@
   value: true
   mirror: always
 
+# Cancel outgoing requests from SystemPrincipal:
+# but only with scheme http(s) and contentpolicytype stylesheet
+- name: security.disallow_privileged_https_stylesheet_loads
+  type: bool
+  value: true
+  mirror: always
+
 # Disable preloaded static key pins by default.
 - name: security.cert_pinning.enforcement_level
   type: ReleaseAcquireAtomicUint32