[torbutton/master] Bug 22457: Allow resources loaded by view-source:// - tor-commits

2 Jun 2017

commit 137c0527b1d152c5999db53894badc54ab9e34c9
Author: Georg Koppen gk@torproject.org
Date:   Thu Jun 1 09:26:11 2017 +0000
Bug 22457: Allow resources loaded by view-source://
Instead of whitelisting single resources for view-source requests that
    might allow platform detection we allow all of those that are needed by
    requests with a view-source origin. This should be safe now that
    https://bugzilla.mozilla.org/show_bug.cgi?id=1172165 landed.
---
 src/components/content-policy.js | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/components/content-policy.js b/src/components/content-policy.js
index a63919c..b2fdff7 100644
--- a/src/components/content-policy.js
+++ b/src/components/content-policy.js
@@ -83,8 +83,12 @@ ContentPolicy.prototype = {
       return Ci.nsIContentPolicy.ACCEPT;
     }
-    // Accept if no origin URI or if origin scheme is chrome/resource/about.
-    if (!aRequestOrigin || aRequestOrigin.schemeIs('resource') || aRequestOrigin.schemeIs('chrome') || aRequestOrigin.schemeIs('about'))
+    // Accept if no origin URI or if origin scheme is
+    // chrome/resource/about/view-source.
+    if (!aRequestOrigin || aRequestOrigin.schemeIs('resource') ||
+                           aRequestOrigin.schemeIs('chrome') ||
+                           aRequestOrigin.schemeIs('about') ||
+                           aRequestOrigin.schemeIs('view-source'))
       return Ci.nsIContentPolicy.ACCEPT;
// Accept if resource directly loaded into a tab.

    