ma1 pushed to branch tor-browser-115.26.0esr-13.5-1 at The Tor Project / Applications / Tor Browser Commits: 5bf16ee7 by Tom Schuster at 2025-07-19T00:29:10+02:00 Bug 1808979 - Disable security.csp.truncate_blocked_uri_for_frame_navigations by default. r=freddyb Differential Revision: https://phabricator.services.mozilla.com/D253304 - - - - - 8f1a16c0 by Tom Schuster at 2025-07-19T00:29:21+02:00 Bug 1808979 - WPT for frame-src path matching after replacing the URL. r=freddyb Differential Revision: https://phabricator.services.mozilla.com/D253638 - - - - - cd18dbf5 by Hubert Boma Manilla at 2025-07-21T20:07:18+02:00 Bug 1968414 - [devtools] Escape carriage return character properly a=pascalc Original Revision: https://phabricator.services.mozilla.com/D254323 Differential Revision: https://phabricator.services.mozilla.com/D256090 - - - - - 449e7d2c by vyv03354 at 2025-07-21T23:13:43+02:00 Bug 1970658 - Apply YouTube embed URL replacement to the path component. a=dmeehan Original Revision: https://phabricator.services.mozilla.com/D252841 Differential Revision: https://phabricator.services.mozilla.com/D253651 - - - - - 96d7c8c5 by Andreas Pehrson at 2025-07-21T23:24:28+02:00 Bug 1971116 - For global mute events, iterate on copies of containers. r=dbaker Mute/unmute events are fired synchronously to content, which if it stops an (event target) track in the event handler, may call back into and mutate the containers we're iterating over. Differential Revision: https://phabricator.services.mozilla.com/D254352 - - - - - c3a28639 by Pier Angelo Vendrame at 2025-07-22T00:43:11+02:00 Bug 1972282 - Check for spoof English in xsl:sort. r=smaug Differential Revision: https://phabricator.services.mozilla.com/D254784 - - - - - 8 changed files: - devtools/client/netmonitor/test/browser_net_curl-utils.js - devtools/client/shared/curl.js - dom/base/nsObjectLoadingContent.cpp - dom/media/MediaManager.cpp - dom/xslt/xpath/txXPathNode.h - dom/xslt/xslt/txNodeSorter.cpp - modules/libpref/init/StaticPrefList.yaml - + testing/web-platform/tests/content-security-policy/frame-src/frame-src-blocked-path-matching.sub.html Changes: ===================================== devtools/client/netmonitor/test/browser_net_curl-utils.js ===================================== @@ -344,7 +344,7 @@ function testEscapeStringWin() { const newLines = "line1\r\nline2\r\rline3\n\nline4"; is( CurlUtils.escapeStringWin(newLines), - '^"line1^\n\nline2\r\rline3^\n\n^\n\nline4^"', + '^\"line1^\n\nline2^\n\n^\n\nline3^\n\n^\n\nline4^\"', "Newlines should be escaped." ); @@ -365,7 +365,7 @@ function testEscapeStringWin() { const evilCommand = `query=evil\r\rcmd" /c timeout /t 3 & calc.exe\r\r`; is( CurlUtils.escapeStringWin(evilCommand), - '^"query=evil\r\rcmd\\" /c timeout /t 3 & calc.exe\r\r^"', + '^\"query=evil^\n\n^\n\ncmd\\\" /c timeout /t 3 & calc.exe^\n\n^\n\n^\"', "The evil command is escaped properly" ); } ===================================== devtools/client/shared/curl.js ===================================== @@ -484,7 +484,7 @@ const CurlUtils = { // Lastly we replace new lines with ^ and TWO new lines because the first // new line is there to enact the escape command the second is the character // to escape (in this case new line). - .replace(/\r?\n/g, "^\n\n") + + .replace(/\r?\n|\r/g, "^\n\n") + encapsChars ); }, ===================================== dom/base/nsObjectLoadingContent.cpp ===================================== @@ -750,8 +750,8 @@ void nsObjectLoadingContent::MaybeRewriteYoutubeEmbed(nsIURI* aURI, } // See if requester is planning on using the JS API. - nsAutoCString uri; - nsresult rv = aURI->GetSpec(uri); + nsAutoCString prePath; + nsresult rv = aURI->GetPrePath(prePath); if (NS_FAILED(rv)) { return; } @@ -762,10 +762,10 @@ void nsObjectLoadingContent::MaybeRewriteYoutubeEmbed(nsIURI* aURI, // URLs, convert the parameters to query in order to make the video load // correctly as an iframe. In either case, warn about it in the // developer console. - int32_t ampIndex = uri.FindChar('&', 0); + int32_t ampIndex = path.FindChar('&', 0); bool replaceQuery = false; if (ampIndex != -1) { - int32_t qmIndex = uri.FindChar('?', 0); + int32_t qmIndex = path.FindChar('?', 0); if (qmIndex == -1 || qmIndex > ampIndex) { replaceQuery = true; } @@ -776,21 +776,23 @@ void nsObjectLoadingContent::MaybeRewriteYoutubeEmbed(nsIURI* aURI, return; } - nsAutoString utf16OldURI = NS_ConvertUTF8toUTF16(uri); + NS_ConvertUTF8toUTF16 utf16OldURI(prePath); + AppendUTF8toUTF16(path, utf16OldURI); // If we need to convert the URL, it means an ampersand comes first. // Use the index we found earlier. if (replaceQuery) { // Replace question marks with ampersands. - uri.ReplaceChar('?', '&'); + path.ReplaceChar('?', '&'); // Replace the first ampersand with a question mark. - uri.SetCharAt('?', ampIndex); + path.SetCharAt('?', ampIndex); } // Switch out video access url formats, which should possibly allow HTML5 // video loading. - uri.ReplaceSubstring("/v/"_ns, "/embed/"_ns); - nsAutoString utf16URI = NS_ConvertUTF8toUTF16(uri); - rv = nsContentUtils::NewURIWithDocumentCharset( - aRewrittenURI, utf16URI, thisContent->OwnerDoc(), aBaseURI); + path.ReplaceSubstring("/v/"_ns, "/embed/"_ns); + NS_ConvertUTF8toUTF16 utf16URI(prePath); + AppendUTF8toUTF16(path, utf16URI); + rv = nsContentUtils::NewURIWithDocumentCharset(aRewrittenURI, utf16URI, doc, + aBaseURI); if (NS_FAILED(rv)) { return; } ===================================== dom/media/MediaManager.cpp ===================================== @@ -3143,7 +3143,9 @@ void MediaManager::OnCameraMute(bool aMute) { mCamerasMuted = aMute; // This is safe since we're on main-thread, and the windowlist can only // be added to from the main-thread - for (const auto& window : mActiveWindows.Values()) { + for (const auto& window : + ToTArray<AutoTArray<RefPtr<GetUserMediaWindowListener>, 2>>( + mActiveWindows.Values())) { window->MuteOrUnmuteCameras(aMute); } } @@ -3154,7 +3156,9 @@ void MediaManager::OnMicrophoneMute(bool aMute) { mMicrophonesMuted = aMute; // This is safe since we're on main-thread, and the windowlist can only // be added to from the main-thread - for (const auto& window : mActiveWindows.Values()) { + for (const auto& window : + ToTArray<AutoTArray<RefPtr<GetUserMediaWindowListener>, 2>>( + mActiveWindows.Values())) { window->MuteOrUnmuteMicrophones(aMute); } } @@ -4340,7 +4344,7 @@ void GetUserMediaWindowListener::MuteOrUnmuteCameras(bool aMute) { } mCamerasAreMuted = aMute; - for (auto& l : mActiveListeners) { + for (auto& l : mActiveListeners.Clone()) { if (l->GetDevice()->Kind() == MediaDeviceKind::Videoinput) { l->MuteOrUnmuteCamera(aMute); } @@ -4355,7 +4359,7 @@ void GetUserMediaWindowListener::MuteOrUnmuteMicrophones(bool aMute) { } mMicrophonesAreMuted = aMute; - for (auto& l : mActiveListeners) { + for (auto& l : mActiveListeners.Clone()) { if (l->GetDevice()->Kind() == MediaDeviceKind::Audioinput) { l->MuteOrUnmuteMicrophone(aMute); } ===================================== dom/xslt/xpath/txXPathNode.h ===================================== @@ -66,6 +66,8 @@ class txXPathNode { bool operator!=(const txXPathNode& aNode) const { return !(*this == aNode); } ~txXPathNode() { MOZ_COUNT_DTOR(txXPathNode); } + mozilla::dom::Document* OwnerDoc() const { return mNode->OwnerDoc(); } + private: friend class txXPathNativeNode; friend class txXPathNodeUtils; ===================================== dom/xslt/xslt/txNodeSorter.cpp ===================================== @@ -14,10 +14,13 @@ #include "mozilla/CheckedInt.h" #include "mozilla/UniquePtrExtensions.h" +#include "nsRFPService.h" using mozilla::CheckedUint32; using mozilla::MakeUnique; using mozilla::MakeUniqueFallible; +using mozilla::nsRFPService; +using mozilla::RFPTarget; using mozilla::UniquePtr; /* @@ -75,6 +78,10 @@ nsresult txNodeSorter::addSortElement(Expr* aSelectExpr, Expr* aLangExpr, if (aLangExpr) { rv = aLangExpr->evaluateToString(aContext, lang); NS_ENSURE_SUCCESS(rv, rv); + } else if (aContext->getContextNode() + .OwnerDoc() + ->ShouldResistFingerprinting(RFPTarget::JSLocale)) { + CopyUTF8toUTF16(nsRFPService::GetSpoofedJSLocale(), lang); } // Case-order ===================================== modules/libpref/init/StaticPrefList.yaml ===================================== @@ -13671,7 +13671,7 @@ - name: security.csp.truncate_blocked_uri_for_frame_navigations type: bool - value: true + value: false mirror: always # If true, all toplevel data: URI navigations will be blocked. ===================================== testing/web-platform/tests/content-security-policy/frame-src/frame-src-blocked-path-matching.sub.html ===================================== @@ -0,0 +1,53 @@ +<!DOCTYPE html> +<html> +<head> + <!-- Make sure frame-src does path matching --> + <meta http-equiv="Content-Security-Policy" content="frame-src data: https://{{hosts[][www1]}}:{{ports[https][0]}}/content-security-policy/support/;"> + <title>frame-src-blocked-path-matching</title> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> +</head> +<body> + <script> + async_test(t => { + let frame = document.createElement("iframe"); + frame.src = "https://{{hosts[][www1]}}:{{ports[https][0]}}/content-security-policy/support/postmessage-pass.html"; + + window.addEventListener('message', t.step_func(e => { + if (e.source === frame.contentWindow) { + assert_equals(e.data, "PASS"); + t.done(); + } + })); + + document.body.append(frame); + }, "Cross-origin frame with allowed path loads"); + + async_test(t => { + let frame = document.createElement("iframe"); + frame.src = "https://{{hosts[][www1]}}:{{ports[https][0]}}/content-security-policy/resource/"; + + window.addEventListener('securitypolicyviolation', t.step_func_done(e => { + assert_equals(e.blockedURI, "https://{{hosts[][www1]}}:{{ports[https][0]}}"); + assert_equals(e.effectiveDirective, "frame-src"); + }), { once: true }); + + document.body.append(frame); + }, "Cross-origin frame with other path is blocked"); + + async_test(t => { + let frame = document.createElement("iframe"); + frame.src = "data:text/html,<h1>Hello World</h1>" + frame.onload = t.step_func(() => { + frame.src = "https://{{hosts[][www1]}}:{{ports[https][0]}}/content-security-policy/resource/"; + + window.addEventListener('securitypolicyviolation', t.step_func_done(e => { + assert_equals(e.blockedURI, "https://{{hosts[][www1]}}:{{ports[https][0]}}"); + assert_equals(e.effectiveDirective, "frame-src"); + }), { once: true }); + }); + document.body.append(frame); + }, "Cross-origin frame with other path is blocked even after replacing the already loaded URL"); + </script> + </body> +</html> View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/e36091a... -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/e36091a... You're receiving this email because of your account on gitlab.torproject.org.