roytam1/palemoon27
1
0
Fork 0
mirror of https://github.com/roytam1/palemoon27.git synced 2026-05-26 14:18:48 +00:00
Code Issues Projects Releases Wiki Activity

Restrict web access to moz-icon:// scheme

Browse Source 
This resolves #1685
This commit is contained in:
Pale Moon
2018-06-24 11:11:30 +02:00
committed by Roy Tam
parent 28f09ed8b0
commit 5117679368
1 changed files with 13 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
caps/nsScriptSecurityManager.cpp
+13 -3
View File
@@ -723,6 +723,13 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
}
return NS_OK;
}
else if ((!sourceScheme.LowerCaseEqualsLiteral("http") &&
!sourceScheme.LowerCaseEqualsLiteral("https")) &&
targetScheme.LowerCaseEqualsLiteral("moz-icon"))
{
// Exception for linking to moz-icon://
return NS_OK;
}
// If the schemes don't match, the policy is specified by the protocol
// flags on the target URI. Note that the order of policy checks here is
@@ -750,9 +757,12 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
if (hasFlags) {
if (aFlags & nsIScriptSecurityManager::ALLOW_CHROME) {
// For now, don't change behavior for resource:// or moz-icon:// and
// just allow them.
if (!targetScheme.EqualsLiteral("chrome")) {
// For now, don't change behavior for resource:// and
// just allow it. This is required for extensions injecting
// extension-internal resource URLs in snippets in pages, e.g.
// Adding custom controls in-page.
if (!targetScheme.EqualsLiteral("chrome") &&
!targetScheme.EqualsLiteral("moz-icon")) {
return NS_OK;
}