[tbb-commits] [torbutton/master] Bug 22457: Allow resources loaded by view-source://

gk at torproject.org gk at torproject.org
Fri Jun 2 08:40:43 UTC 2017


commit 137c0527b1d152c5999db53894badc54ab9e34c9
Author: Georg Koppen <gk at torproject.org>
Date:   Thu Jun 1 09:26:11 2017 +0000

    Bug 22457: Allow resources loaded by view-source://
    
    Instead of whitelisting single resources for view-source requests that
    might allow platform detection we allow all of those that are needed by
    requests with a view-source origin. This should be safe now that
    https://bugzilla.mozilla.org/show_bug.cgi?id=1172165 landed.
---
 src/components/content-policy.js | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/components/content-policy.js b/src/components/content-policy.js
index a63919c..b2fdff7 100644
--- a/src/components/content-policy.js
+++ b/src/components/content-policy.js
@@ -83,8 +83,12 @@ ContentPolicy.prototype = {
       return Ci.nsIContentPolicy.ACCEPT;
     }
 
-    // Accept if no origin URI or if origin scheme is chrome/resource/about.
-    if (!aRequestOrigin || aRequestOrigin.schemeIs('resource') || aRequestOrigin.schemeIs('chrome') || aRequestOrigin.schemeIs('about'))
+    // Accept if no origin URI or if origin scheme is
+    // chrome/resource/about/view-source.
+    if (!aRequestOrigin || aRequestOrigin.schemeIs('resource') ||
+                           aRequestOrigin.schemeIs('chrome') ||
+                           aRequestOrigin.schemeIs('about') ||
+                           aRequestOrigin.schemeIs('view-source'))
       return Ci.nsIContentPolicy.ACCEPT;
 
     // Accept if resource directly loaded into a tab.



More information about the tbb-commits mailing list