[X2Go-Commits] [pale-moon] 09/22: Restrict web access to moz-icon:// scheme
git-admin at x2go.org
Sat Sep 29 03:25:21 CEST 2018
This is an automated email from the git hooks/post-receive script.
x2go pushed a commit to branch upstream/palemoon-master
in repository pale-moon.
commit 1ffd7ba7ac061d94f2cdd3c99dde954cebd5376b
Author: Pale Moon <git-repo at palemoon.org>
Date: Sun Jun 24 11:11:30 2018 +0200
Restrict web access to moz-icon:// scheme
This resolves #1685
---
caps/nsScriptSecurityManager.cpp | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/caps/nsScriptSecurityManager.cpp b/caps/nsScriptSecurityManager.cpp
index 5cef6cb..abd1d5a 100644
--- a/caps/nsScriptSecurityManager.cpp
+++ b/caps/nsScriptSecurityManager.cpp
@@ -723,6 +723,13 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
}
return NS_OK;
}
+ else if ((!sourceScheme.LowerCaseEqualsLiteral("http") &&
+ !sourceScheme.LowerCaseEqualsLiteral("https")) &&
+ targetScheme.LowerCaseEqualsLiteral("moz-icon"))
+ {
+ // Exception for linking to moz-icon://
+ return NS_OK;
+ }
// If the schemes don't match, the policy is specified by the protocol
// flags on the target URI. Note that the order of policy checks here is
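Review bot: The new `else if` branch is a two-entry deny-list on the source scheme: it returns NS_OK for a moz-icon target from every source scheme other than http and https, so any other scheme that can carry web content still gets through. Because the branch returns before the protocol-flag policy described in the comment that follows it, nothing later can narrow that. Consider inverting the test into an explicit allow-list of the internal source schemes that need moz-icon, or letting moz-icon fall through to the flag checks. The comment "Exception for linking to moz-icon://" should also say which sources the exception is meant for and why http(s) are excluded.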
@@ -750,9 +757,12 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
if (hasFlags) {
if (aFlags & nsIScriptSecurityManager::ALLOW_CHROME) {
- // For now, don't change behavior for resource:// or moz-icon:// and
- // just allow them.
- if (!targetScheme.EqualsLiteral("chrome")) {
+ // For now, don't change behavior for resource:// and
+ // just allow it. This is required for extensions injecting
+ // extension-internal resource URLs in snippets in pages, e.g.
+ // Adding custom controls in-page.
+ if (!targetScheme.EqualsLiteral("chrome") &&
+ !targetScheme.EqualsLiteral("moz-icon")) {
return NS_OK;
}
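Review bot: The added `!targetScheme.EqualsLiteral("moz-icon")` is a case-sensitive comparison, while the exception added earlier in this same patch tests the same scheme with `targetScheme.LowerCaseEqualsLiteral("moz-icon")`. The two checks should agree: either use the lower-case comparison here as well, or note in a comment that targetScheme is already normalized at this point so that readers do not have to verify it. Separately, the rewritten comment now explains only resource://; it would help to add a line saying that moz-icon is deliberately excluded from this ALLOW_CHROME shortcut and is handled by the earlier exception, so the second half of the condition is not mistaken for a leftover.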
--
Alioth's /home/x2go-admin/maintenancescripts/git/hooks/post-receive-email on /srv/git/code.x2go.org/pale-moon.git