From 64191e15cb2ebd883cb833ba1227cda80b2a248d Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Sat, 20 Jul 2019 14:56:26 +0200 Subject: [PATCH] Treat all file: URIs as having a unique origin. This prevents cross-file access from files loaded into the browser from the local file system, further restricting the origin policy of file: URIs. Added a pref to control this behavior for local file access if required for certain applications, since this change might break using the browser to run applications on the local file system that require access to local files. --- modules/libpref/init/all.js | 3 ++ netwerk/base/nsNetUtil.cpp | 56 +++++++++++++++++++++---------------- 2 files changed, 35 insertions(+), 24 deletions(-) diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js index d67183387e..fb7c905b00 100644 --- a/modules/libpref/init/all.js +++ b/modules/libpref/init/all.js @@ -1331,6 +1331,9 @@ pref("image.animation_mode", "normal"); // Same-origin policy for file URIs, "false" is traditional pref("security.fileuri.strict_origin_policy", true); +// Treat all file URIs as having a unique origin. +pref("security.fileuri.unique_origin", true); + // If this pref is true, prefs in the logging.config branch will be cleared on // startup. This is done so that setting a log-file and log-modules at runtime // doesn't persist across restarts leading to huge logfile and low disk space. diff --git a/netwerk/base/nsNetUtil.cpp b/netwerk/base/nsNetUtil.cpp index 653a9003ee..2974e26b0e 100644 --- a/netwerk/base/nsNetUtil.cpp +++ b/netwerk/base/nsNetUtil.cpp @@ -10,6 +10,7 @@ #include "mozilla/LoadContext.h" #include "mozilla/LoadInfo.h" #include "mozilla/BasePrincipal.h" +#include "mozilla/Preferences.h" #include "mozilla/Telemetry.h" #include "nsNetUtil.h" #include "nsNetUtilInlines.h" @@ -1821,33 +1822,40 @@ NS_RelaxStrictFileOriginPolicy(nsIURI *aTargetURI, return false; } - // - // If the file to be loaded is in a subdirectory of the source - // (or same-dir if source is not a directory) then it will - // inherit its source principal and be scriptable by that source. - // - bool sourceIsDir; - bool allowed = false; - nsresult rv = sourceFile->IsDirectory(&sourceIsDir); - if (NS_SUCCEEDED(rv) && sourceIsDir) { - rv = sourceFile->Contains(targetFile, &allowed); - } else { - nsCOMPtr sourceParent; - rv = sourceFile->GetParent(getter_AddRefs(sourceParent)); - if (NS_SUCCEEDED(rv) && sourceParent) { - rv = sourceParent->Equals(targetFile, &allowed); - if (NS_FAILED(rv) || !allowed) { - rv = sourceParent->Contains(targetFile, &allowed); - } else { - MOZ_ASSERT(aAllowDirectoryTarget, - "sourceFile->Parent == targetFile, but targetFile " - "should've been disallowed if it is a directory"); + bool uniqueOrigin = true; + uniqueOrigin = Preferences::GetBool("security.fileuri.unique_origin"); + + // If treating all files as unique origins, we can skip this because + // it should always be refused. + if (!uniqueOrigin) { + // + // If the file to be loaded is in a subdirectory of the source + // (or same-dir if source is not a directory) then it will + // inherit its source principal and be scriptable by that source. + // + bool sourceIsDir; + bool allowed = false; + nsresult rv = sourceFile->IsDirectory(&sourceIsDir); + if (NS_SUCCEEDED(rv) && sourceIsDir) { + rv = sourceFile->Contains(targetFile, &allowed); + } else { + nsCOMPtr sourceParent; + rv = sourceFile->GetParent(getter_AddRefs(sourceParent)); + if (NS_SUCCEEDED(rv) && sourceParent) { + rv = sourceParent->Equals(targetFile, &allowed); + if (NS_FAILED(rv) || !allowed) { + rv = sourceParent->Contains(targetFile, &allowed); + } else { + MOZ_ASSERT(aAllowDirectoryTarget, + "sourceFile->Parent == targetFile, but targetFile " + "should've been disallowed if it is a directory"); + } } } - } - if (NS_SUCCEEDED(rv) && allowed) { - return true; + if (NS_SUCCEEDED(rv) && allowed) { + return true; + } } return false;