[tor-commits] [torbutton/master] Bug 8725: Block `chrome://` based fingerprinting with nsIContentPolicy.

[mikeperry at torproject.org]

commit ace11cd8020aaf0136ee58aa074666f10c14abb9
Author: Yawning Angel <yawning at schwanenlied.me>
Date:   Fri Jun 17 01:27:14 2016 +0000

    Bug 8725: Block `chrome://` based fingerprinting with nsIContentPolicy.
    
    Most addons do not set `contentaccessible=yes`, however behavior should
    be consistent even if such addons are installed.
    
    This does not affect any of the standard addons shipped with Tor Browser, but
    will break user installed addons that depend on actually being able to
    access `chrome://` URLs in this manner.
---
 src/components/content-policy.js | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/components/content-policy.js b/src/components/content-policy.js
index b4b33a7..c6c8aa9 100644
--- a/src/components/content-policy.js
+++ b/src/components/content-policy.js
@@ -24,12 +24,12 @@ ContentPolicy.prototype = {
   _xpcom_categories: [{category: "content-policy"}],
 
   shouldLoad: function(aContentType, aContentLocation, aRequestOrigin, aContext, aMimeTypeGuess, aExtra) {
-    // Accept if no content URI or scheme is not a resource.
-    if (!aContentLocation || !aContentLocation.schemeIs('resource'))
+    // Accept if no content URI or scheme is not a resource/chrome.
+    if (!aContentLocation || !(aContentLocation.schemeIs('resource') || aContentLocation.schemeIs('chrome')))
       return Ci.nsIContentPolicy.ACCEPT;
 
-    // Accept if no origin URI, or if the origin URI scheme is chrome/resource.
-    if (!aRequestOrigin || aRequestOrigin.schemeIs('resource') || aRequestOrigin.schemeIs('chrome'))
+    // Accept if no origin URI or if origin scheme is chrome/resource/about.
+    if (!aRequestOrigin || aRequestOrigin.schemeIs('resource') || aRequestOrigin.schemeIs('chrome') || aRequestOrigin.schemeIs('about'))
       return Ci.nsIContentPolicy.ACCEPT;
 
     // Accept if resource directly loaded into a tab.