From 0fea5c58c8024abcd3df7d34776b20accced1f7f Mon Sep 17 00:00:00 2001
From: roytam1
Date: Fri, 29 Apr 2022 23:28:18 +0800
Subject: [PATCH] import from UXP: [devtools] Restrict sourcemap URLs (168e8beb)
---
 devtools/client/framework/source-map-worker.js | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/devtools/client/framework/source-map-worker.js b/devtools/client/framework/source-map-worker.js
index c68732f38..b6ac2c121 100644
--- a/devtools/client/framework/source-map-worker.js
+++ b/devtools/client/framework/source-map-worker.js
@@ -23,6 +23,19 @@ function enableSourceMaps() {
 function _resolveSourceMapURL(source) {
 const { url = "", sourceMapURL = "" } = source;
+
+ const UNSUPPORTED_PROTOCOLS = ["chrome://", "resource://"];
+ if (path.isURL(sourceMapURL) && UNSUPPORTED_PROTOCOLS.some(protocol => sourceMapURL.startsWith(protocol))) {
+ // If it's an internal protocol, don't allow it and return empty.
+ return "";
+ }
+ if (path.isURL(sourceMapURL) && sourceMapURL.startsWith("file://")) {
+ // Only allow file:// source maps from file:// docs
+ if (!url.startsWith("file://")) {
+ return "";
+ }
+ }
+
 if (path.isURL(sourceMapURL) || url == "") {
 // If it's already a full URL or the source doesn't have a URL,
 // don't resolve anything.
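Review bot: The scheme tests added at the top of `_resolveSourceMapURL` use a case-sensitive `startsWith` on `sourceMapURL`, but URL schemes are case-insensitive, so whether a mixed-case scheme is still rejected depends on what `path.isURL` accepts, which is not visible in this hunk. Lower-casing once before the tests removes that dependency: `const mapURL = sourceMapURL.toLowerCase();`, then test `mapURL.startsWith(protocol)` and `mapURL.startsWith("file://")`. The `url.startsWith("file://")` test already fails closed (a non-matching `url` returns `""`), so it needs no change. `UNSUPPORTED_PROTOCOLS` is a denylist of two schemes, and a one-line comment such as `// Denylist only: any other absolute scheme is passed through unchanged.` would make that boundary explicit for the next reader. The function body continues past the end of the hunk, so how the returned value is fetched cannot be checked from here.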