... |
... |
@@ -1044,6 +1044,48 @@ nsresult nsScriptSecurityManager::CheckLoadURIFlags( |
1044
|
1044
|
}
|
1045
|
1045
|
}
|
1046
|
1046
|
|
|
1047
|
+ // Only allow some "about:" pages to have access to contentaccessible
|
|
1048
|
+ // "chrome://branding/" assets. Otherwise web pages could easily and
|
|
1049
|
+ // consistently detect the differences between channels when their
|
|
1050
|
+ // branding differs. See tor-browser#43308 and tor-browser#42319.
|
|
1051
|
+ // NOTE: The same assets under the alternative URI
|
|
1052
|
+ // "resource:///chrome/browser/content/branding/" should already be
|
|
1053
|
+ // inaccessible to web content, so we only add a condition for the chrome
|
|
1054
|
+ // path.
|
|
1055
|
+ if (targetScheme.EqualsLiteral("chrome")) {
|
|
1056
|
+ nsAutoCString targetHost;
|
|
1057
|
+ rv = aTargetBaseURI->GetHost(targetHost);
|
|
1058
|
+ NS_ENSURE_SUCCESS(rv, rv);
|
|
1059
|
+ if (targetHost.EqualsLiteral("branding")) {
|
|
1060
|
+ // Disallow any Principal whose scheme is not "about", or is a
|
|
1061
|
+ // contentaccessible "about" URI ("about:blank" or "about:srcdoc").
|
|
1062
|
+ // NOTE: "about:blank" and "about:srcdoc" would be unexpected here
|
|
1063
|
+ // since such a document spawned by a web document should inherit the
|
|
1064
|
+ // same Principal URI. I.e. they would be "http:" or "https:" schemes.
|
|
1065
|
+ // But we add this condition for extra assurances.
|
|
1066
|
+ // NOTE: Documents with null Principals, like "about:blank" typed by
|
|
1067
|
+ // the user, would also be excluded since the Principal URI would be
|
|
1068
|
+ // "moz-nullprincipal:".
|
|
1069
|
+ if (!aSourceBaseURI->SchemeIs("about") ||
|
|
1070
|
+ NS_IsContentAccessibleAboutURI(aSourceBaseURI)) {
|
|
1071
|
+ return NS_ERROR_DOM_BAD_URI;
|
|
1072
|
+ }
|
|
1073
|
+ // Also exclude "about:reader" from accessing branding assets. I.e. if
|
|
1074
|
+ // a web page includes `<img src="chrome://branding/..." />` we do not
|
|
1075
|
+ // want it to render within "about:reader" either.
|
|
1076
|
+ // Though it is unknown whether the information within "about:reader"
|
|
1077
|
+ // would be exploitable by a web page, we also want to exclude
|
|
1078
|
+ // "about:reader" for consistency: if it does not display in the
|
|
1079
|
+ // original web page, it should not display in "about:reader" either.
|
|
1080
|
+ nsAutoCString sourcePath;
|
|
1081
|
+ rv = aSourceBaseURI->GetFilePath(sourcePath);
|
|
1082
|
+ NS_ENSURE_SUCCESS(rv, rv);
|
|
1083
|
+ if (sourcePath.EqualsLiteral("reader")) {
|
|
1084
|
+ return NS_ERROR_DOM_BAD_URI;
|
|
1085
|
+ }
|
|
1086
|
+ }
|
|
1087
|
+ }
|
|
1088
|
+
|
1047
|
1089
|
if (targetScheme.EqualsLiteral("resource")) {
|
1048
|
1090
|
if (StaticPrefs::security_all_resource_uri_content_accessible()) {
|
1049
|
1091
|
return NS_OK;
|
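Review bot: The `sourcePath.EqualsLiteral("reader")` test at new line 1083 is an exact, case-sensitive match, whereas about: module names are, as far as I know, resolved case-insensitively (NS_GetAboutModuleName lowercases the path before lookup), so the exclusion may not cover every spelling that still loads reader mode. Using `if (sourcePath.LowerCaseEqualsLiteral("reader")) {`, or comparing the module name returned by NS_GetAboutModuleName, would keep the check aligned with the resolver. Separately, the leading comment says only some "about:" pages are allowed, but the condition at 1069-1070 admits every non-content-accessible about: source except reader, so a later about: page that renders web-controlled markup would get branding access by default. An explicit allowlist of source pages, or a comment telling authors of such pages to add an exclusion here, would make this fail closed. CheckLoadURIFlags starts and ends outside this hunk, so whether privileged chrome:/resource: sources have already returned before this block cannot be confirmed from the visible lines.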