commit 61b395a433c821bd4b17f69b956eb149f12f525e Author: Yawning Angel yawning@schwanenlied.me Date: Mon Aug 15 18:53:05 2016 +0000
Bug 19837: Whitelist internal URLs that Firefox requires for media.
Firefox requires being able to load chrome:// and resource:// URLs for things like the media player, with the origin set to the remote URL that triggered the load.
This is unfortunate in that there's no way to disambiguate malicious JS versus someone opening a video file (for example).
See https://trac.torproject.org/projects/tor/ticket/19837#comment:5 for why this is a huge nightmare and will eventually require C++ code. --- src/components/content-policy.js | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+)
diff --git a/src/components/content-policy.js b/src/components/content-policy.js
index e025ecd..3379eb7 100644
--- a/src/components/content-policy.js
+++ b/src/components/content-policy.js
@@ -21,7 +21,26 @@ ContentPolicy.prototype = {
contractID: "@torproject.org/content-policy;1",
QueryInterface: XPCOMUtils.generateQI([Ci.nsIContentPolicy]),
+ uriWhitelist: {
+ // Video playback.
+ "chrome://global/content/TopLevelVideoDocument.js": Ci.nsIContentPolicy.TYPE_SCRIPT,
+ "resource://gre/res/TopLevelVideoDocument.css": Ci.nsIContentPolicy.TYPE_STYLESHEET,
+ "chrome://global/skin/media/TopLevelVideoDocument.css": Ci.nsIContentPolicy.TYPE_STYLESHEET,
+ "chrome://global/content/bindings/videocontrols.xml": Ci.nsIContentPolicy.TYPE_XBL,
+ "chrome://global/content/bindings/scale.xml": Ci.nsIContentPolicy.TYPE_XBL,
+ "chrome://global/content/bindings/progressmeter.xml": Ci.nsIContentPolicy.TYPE_XBL,
+
+ // Image display.
+ "resource://gre/res/ImageDocument.css": Ci.nsIContentPolicy.TYPE_STYLESHEET,
+ "resource://gre/res/TopLevelImageDocument.css": Ci.nsIContentPolicy.TYPE_STYLESHEET,
+ "chrome://global/skin/media/TopLevelImageDocument.css": Ci.nsIContentPolicy.TYPE_STYLESHEET,
+
+ // Resizing text boxes.
+ "chrome://global/content/bindings/resizer.xml": Ci.nsIContentPolicy.TYPE_XBL,
+ },
+
shouldLoad: function(aContentType, aContentLocation, aRequestOrigin, aContext, aMimeTypeGuess, aExtra) {
+ // Accept if no content URI or scheme is not a resource/chrome.
if (!aContentLocation || !(aContentLocation.schemeIs('resource') || aContentLocation.schemeIs('chrome')))
return Ci.nsIContentPolicy.ACCEPT;
@@ -34,6 +53,16 @@ ContentPolicy.prototype = {
if (Ci.nsIContentPolicy.TYPE_DOCUMENT === aContentType)
return Ci.nsIContentPolicy.ACCEPT;
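Review bot: `uriWhitelist` carries no comment stating its contract, and it is the one path by which a request with a remote origin is allowed to reach a chrome:// or resource:// URL, so the contract should be written down next to the data. I would add above it `// Exact aContentLocation.spec -> the single nsIContentPolicy type allowed for it.` and `// A match is accepted regardless of aRequestOrigin (see bug 19837); keep this list minimal.` Because the lookup in the next hunk compares the full spec, a URL that carries a query string or fragment will not match; that is the stricter behaviour and worth stating so nobody later relaxes it to a prefix match. shouldLoad's body continues into the second hunk and beyond it.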
+ // There's certain things that break horribly if they aren't allowed to
+ // access URIs with proscribed schemes, with `aContentOrigin` basically
+ // set to arbibrary URIs.
+ //
+ // XXX: Feature gate this behind the security slider or something, I don't
+ // give a fuck.
+ if (aContentLocation.spec in this.uriWhitelist)
+ if (this.uriWhitelist[aContentLocation.spec] == aContentType)
+ return Ci.nsIContentPolicy.ACCEPT;
+
return Ci.nsIContentPolicy.REJECT_REQUEST;
},
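Review bot: The whitelist lookup uses `in`, which also finds keys inherited from `Object.prototype`, and then `==` for the type comparison; the intent is an exact own-key match with a strictly equal type, and the code should say so: `if (Object.prototype.hasOwnProperty.call(this.uriWhitelist, aContentLocation.spec) &&` `    this.uriWhitelist[aContentLocation.spec] === aContentType)`. In practice the earlier scheme check means the spec always starts with chrome:// or resource://, so no inherited key can currently match, but a policy check that decides chrome access should not depend on that coincidence. The new comment refers to `aContentOrigin` while the parameter in shouldLoad's signature is `aRequestOrigin`, and `arbibrary` is a typo; the XXX line would be more useful if it named the ticket from the commit message so the feature-gate follow-up is trackable. The enclosing prototype object continues past the hunk.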