[X2Go-Commits] [pale-moon] 09/22: Restrict web access to moz-icon:// scheme

git-admin at x2go.org git-admin at x2go.org
Sat Sep 29 03:25:21 CEST 2018


This is an automated email from the git hooks/post-receive script.

x2go pushed a commit to branch upstream/palemoon-master
in repository pale-moon.

commit 1ffd7ba7ac061d94f2cdd3c99dde954cebd5376b
Author: Pale Moon <git-repo at palemoon.org>
Date:   Sun Jun 24 11:11:30 2018 +0200

    Restrict web access to moz-icon:// scheme
    
    This resolves #1685
---
 caps/nsScriptSecurityManager.cpp | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/caps/nsScriptSecurityManager.cpp b/caps/nsScriptSecurityManager.cpp
index 5cef6cb..abd1d5a 100644
--- a/caps/nsScriptSecurityManager.cpp
+++ b/caps/nsScriptSecurityManager.cpp
@@ -723,6 +723,13 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
         }
         return NS_OK;
     }
+    else if ((!sourceScheme.LowerCaseEqualsLiteral("http") &&
+              !sourceScheme.LowerCaseEqualsLiteral("https")) &&
+             targetScheme.LowerCaseEqualsLiteral("moz-icon"))
+    {
+        // Exception for linking to moz-icon://
+        return NS_OK;
+    }
 
     // If the schemes don't match, the policy is specified by the protocol
     // flags on the target URI.  Note that the order of policy checks here is
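Review bot: the source-scheme test in the new `else if` is a denylist: only `http` and `https` are excluded, so any other source scheme that reaches this branch gets `NS_OK` for a `moz-icon` target without going through the protocol-flag checks that follow. If the intent is that only local or privileged content may link to moz-icon://, consider naming the source schemes that are allowed instead, or letting this case fall through to the flag-based policy. The comment `// Exception for linking to moz-icon://` should also state that http/https sources are deliberately left out, since that exclusion is the point of the change.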
@@ -750,9 +757,12 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
     if (hasFlags) {
         if (aFlags & nsIScriptSecurityManager::ALLOW_CHROME) {
 
-            // For now, don't change behavior for resource:// or moz-icon:// and
-            // just allow them.
-            if (!targetScheme.EqualsLiteral("chrome")) {
+            // For now, don't change behavior for resource:// and
+            // just allow it. This is required for extensions injecting
+            // extension-internal resource URLs in snippets in pages, e.g.
+            // Adding custom controls in-page.
+            if (!targetScheme.EqualsLiteral("chrome") &&
+                !targetScheme.EqualsLiteral("moz-icon")) {
                 return NS_OK;
             }
 
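Review bot: the rewritten comment above the `if` explains why resource:// stays allowed but no longer mentions moz-icon://, so the added `!targetScheme.EqualsLiteral("moz-icon")` condition is undocumented; add a line saying that moz-icon now skips the early return in the same way as chrome, and why. This condition also uses `EqualsLiteral`, while the first hunk compares the same scheme with `LowerCaseEqualsLiteral("moz-icon")`; use one form in both places so the two checks cannot disagree on case. Minor style point: "Adding" in the comment should be lowercase after "e.g.".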

--
Alioth's /home/x2go-admin/maintenancescripts/git/hooks/post-receive-email on /srv/git/code.x2go.org/pale-moon.git

