commit 137c0527b1d152c5999db53894badc54ab9e34c9 Author: Georg Koppen <gk@torproject.org> Date: Thu Jun 1 09:26:11 2017 +0000 Bug 22457: Allow resources loaded by view-source:// Instead of whitelisting single resources for view-source requests that might allow platform detection we allow all of those that are needed by requests with a view-source origin. This should be safe now that https://bugzilla.mozilla.org/show_bug.cgi?id=1172165 landed. --- src/components/content-policy.js | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/components/content-policy.js b/src/components/content-policy.js index a63919c..b2fdff7 100644 --- a/src/components/content-policy.js +++ b/src/components/content-policy.js @@ -83,8 +83,12 @@ ContentPolicy.prototype = { return Ci.nsIContentPolicy.ACCEPT; } - // Accept if no origin URI or if origin scheme is chrome/resource/about. - if (!aRequestOrigin || aRequestOrigin.schemeIs('resource') || aRequestOrigin.schemeIs('chrome') || aRequestOrigin.schemeIs('about')) + // Accept if no origin URI or if origin scheme is + // chrome/resource/about/view-source. + if (!aRequestOrigin || aRequestOrigin.schemeIs('resource') || + aRequestOrigin.schemeIs('chrome') || + aRequestOrigin.schemeIs('about') || + aRequestOrigin.schemeIs('view-source')) return Ci.nsIContentPolicy.ACCEPT; // Accept if resource directly loaded into a tab.