Pier Angelo Vendrame pushed to branch mullvad-browser-149.0a1-16.0-2 at The Tor Project / Applications / Mullvad Browser Commits: 1beb74fb by Pier Angelo Vendrame at 2026-04-16T19:38:10+02:00 BB 44865: Block requests to chrome://*/locale. - - - - - 1 changed file: - caps/nsScriptSecurityManager.cpp Changes: ===================================== caps/nsScriptSecurityManager.cpp ===================================== @@ -1104,6 +1104,12 @@ nsresult nsScriptSecurityManager::CheckLoadURIFlags( return NS_OK; } } else if (targetScheme.EqualsLiteral("chrome")) { + nsAutoCString path; + if (NS_SUCCEEDED(aTargetURI->GetPathQueryRef(path)) && + StringBeginsWith(path, "/locale/"_ns)) { + return NS_ERROR_DOM_BAD_URI; + } + // Allow the load only if the chrome package is allowlisted. nsCOMPtr<nsIXULChromeRegistry> reg( do_GetService(NS_CHROMEREGISTRY_CONTRACTID)); View it on GitLab: https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/commit/1beb... -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/commit/1beb... You're receiving this email because of your account on gitlab.torproject.org. Manage all notifications: https://gitlab.torproject.org/-/profile/notifications | Help: https://gitlab.torproject.org/help