Issue #2402 - importScripts should be governed by script-src in Web Workers. https://bugzilla.mozilla.org/show_bug.cgi?id=1322111 Add TYPE_INTERNAL_WORKER_IMPORT_SCRIPTS content policy. Update the Cache API schema to account for new nsIContentPolicy type.

2026-05-26 14:54:25 +00:00 · 2024-01-06 15:29:04 -06:00
parent f8a174e19f
commit 6979441734
8 changed files with 40 additions and 8 deletions
@@ -112,7 +112,7 @@ ChannelFromScriptURL(nsIPrincipal* principal,
                     const nsAString& aScriptURL,
                     bool aIsMainScript,
                     WorkerScriptType aWorkerScriptType,
-                     nsContentPolicyType aContentPolicyType,
+                     nsContentPolicyType aMainScriptContentPolicyType,
                     nsLoadFlags aLoadFlags,
                     bool aDefaultURIEncoding,
                     nsIChannel** aChannel)
@@ -169,6 +169,10 @@ ChannelFromScriptURL(nsIPrincipal* principal,
    secFlags = nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_DATA_IS_NULL;
  }

+  nsContentPolicyType contentPolicyType =
+    aIsMainScript ? aMainScriptContentPolicyType
+                  : nsIContentPolicy::TYPE_INTERNAL_WORKER_IMPORT_SCRIPTS;
+
  nsCOMPtr<nsIChannel> channel;
  // If we have the document, use it. Unfortunately, for dedicated workers
  // 'parentDoc' ends up being the parent document, which is not the document
@@ -179,7 +183,7 @@ ChannelFromScriptURL(nsIPrincipal* principal,
                       uri,
                       parentDoc,
                       secFlags,
-                       aContentPolicyType,
+                       contentPolicyType,
                       loadGroup,
                       nullptr, // aCallbacks
                       aLoadFlags,
@@ -194,7 +198,7 @@ ChannelFromScriptURL(nsIPrincipal* principal,
                       uri,
                       principal,
                       secFlags,
-                       aContentPolicyType,
+                       contentPolicyType,
                       loadGroup,
                       nullptr, // aCallbacks
                       aLoadFlags,
@@ -2165,7 +2169,7 @@ ChannelFromScriptURLMainThread(nsIPrincipal* aPrincipal,
                               nsIDocument* aParentDoc,
                               nsILoadGroup* aLoadGroup,
                               const nsAString& aScriptURL,
-                               nsContentPolicyType aContentPolicyType,
+                               nsContentPolicyType aMainScriptContentPolicyType,
                               bool aDefaultURIEncoding,
                               nsIChannel** aChannel)
 {
@@ -2178,8 +2182,9 @@ ChannelFromScriptURLMainThread(nsIPrincipal* aPrincipal,

  return ChannelFromScriptURL(aPrincipal, aBaseURI, aParentDoc, aLoadGroup,
                              ios, secMan, aScriptURL, true, WorkerScript,
-                              aContentPolicyType, nsIRequest::LOAD_NORMAL,
-                              aDefaultURIEncoding, aChannel);
+                              aMainScriptContentPolicyType,
+                              nsIRequest::LOAD_NORMAL, aDefaultURIEncoding,
+                              aChannel);
 }

 nsresult