[tor-commits] [tor-browser/tor-browser-78.7.1esr-10.5-1] Bug 1673237 - Always allow SVGs on about: pages r=acat, tjr, emilio

sysrqb at torproject.org sysrqb at torproject.org
Fri Feb 5 17:25:48 UTC 2021


commit 6cd70d7c4475897b7ae3512b55daa365c9aecd86
Author: sanketh <me at snkth.com>
Date:   Tue Nov 3 17:34:20 2020 +0000

    Bug 1673237 - Always allow SVGs on about: pages r=acat,tjr,emilio
    
    - Updated layout/svg/tests/test_disabled.html to ensure that this doesn't allow
      rendering SVGs on about:blank and about:srcdoc.
    
    Differential Revision: https://phabricator.services.mozilla.com/D95139
---
 dom/base/nsNodeInfoManager.cpp             | 18 ++++++++++-------
 layout/svg/tests/file_disabled_iframe.html | 31 +++++++++++++++++++++++++++++-
 2 files changed, 41 insertions(+), 8 deletions(-)

diff --git a/dom/base/nsNodeInfoManager.cpp b/dom/base/nsNodeInfoManager.cpp
index b0534b661a23..8bc6b0ba2bd6 100644
--- a/dom/base/nsNodeInfoManager.cpp
+++ b/dom/base/nsNodeInfoManager.cpp
@@ -352,9 +352,12 @@ void nsNodeInfoManager::RemoveNodeInfo(NodeInfo* aNodeInfo) {
   MOZ_ASSERT(ret, "Can't find mozilla::dom::NodeInfo to remove!!!");
 }
 
-static bool IsSystemOrAddonPrincipal(nsIPrincipal* aPrincipal) {
+static bool IsSystemOrAddonOrAboutPrincipal(nsIPrincipal* aPrincipal) {
   return aPrincipal->IsSystemPrincipal() ||
-         BasePrincipal::Cast(aPrincipal)->AddonPolicy();
+         BasePrincipal::Cast(aPrincipal)->AddonPolicy() ||
+         // NOTE: about:blank and about:srcdoc inherit the principal of their
+         // parent, so aPrincipal->SchemeIs("about") returns false for them.
+         aPrincipal->SchemeIs("about");
 }
 
 bool nsNodeInfoManager::InternalSVGEnabled() {
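Review bot: The new `aPrincipal->SchemeIs("about")` arm in IsSystemOrAddonOrAboutPrincipal widens the SVG exemption from privileged principals to any principal whose URI scheme is about:, without distinguishing about: pages that run with the system principal (already covered by the first arm) from about: pages loaded with an ordinary content principal. When `svg.disabled` is set, which is the case this branch exists for, the SVG parser is re-enabled for every such page, so the intended scope should be stated next to the check, e.g. `// Any about: URI qualifies, including about: pages that run with a content principal rather than the system principal; this is deliberate.` — or, if only privileged about: pages are meant, the check should consult the about module's flags rather than the scheme alone. The NOTE comment sits between two operands of the return expression; moving it above the `return` keeps the expression readable. The same predicate is applied to the loading and triggering principals in the following hunk of this file, so whatever scope is chosen applies to remote images requested by about: pages as well.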
@@ -375,17 +378,18 @@ bool nsNodeInfoManager::InternalSVGEnabled() {
   }
 
   // We allow SVG (regardless of the pref) if this is a system or add-on
-  // principal, or if this load was requested for a system or add-on principal
-  // (e.g. a remote image being served as part of system or add-on UI)
+  // principal or about: page, or if this load was requested for a system or
+  // add-on principal or about: page (e.g. a remote image being served as part
+  // of system or add-on UI or about: page)
   bool conclusion =
-      (SVGEnabled || IsSystemOrAddonPrincipal(mPrincipal) ||
+      (SVGEnabled || IsSystemOrAddonOrAboutPrincipal(mPrincipal) ||
        (loadInfo &&
         (loadInfo->GetExternalContentPolicyType() ==
              nsIContentPolicy::TYPE_IMAGE ||
          loadInfo->GetExternalContentPolicyType() ==
              nsIContentPolicy::TYPE_OTHER) &&
-        (IsSystemOrAddonPrincipal(loadInfo->GetLoadingPrincipal()) ||
-         IsSystemOrAddonPrincipal(loadInfo->TriggeringPrincipal()))));
+        (IsSystemOrAddonOrAboutPrincipal(loadInfo->GetLoadingPrincipal()) ||
+         IsSystemOrAddonOrAboutPrincipal(loadInfo->TriggeringPrincipal()))));
   mSVGEnabled = Some(conclusion);
   return conclusion;
 }
diff --git a/layout/svg/tests/file_disabled_iframe.html b/layout/svg/tests/file_disabled_iframe.html
index 6feae3024730..55eda75fdefb 100644
--- a/layout/svg/tests/file_disabled_iframe.html
+++ b/layout/svg/tests/file_disabled_iframe.html
@@ -48,5 +48,34 @@
   t.firstChild.firstChild.textContent = "1&2<3>4\xA0";
   is(t.innerHTML, '<svg><style>1&2<3>4 \u003C/style></svg>');
 
-  SimpleTest.finish();
+  //
+  // Tests for Bug 1673237
+  //
+
+  // This test fails if about:blank renders SVGs
+  t.innerHTML = null;
+  var iframe = document.createElement("iframe");
+  iframe.setAttribute("src", "about:blank")
+  t.appendChild(iframe);
+  iframe.appendChild(document.createElementNS("http://www.w3.org/2000/svg", "svg:svg"));
+  iframe.firstChild.textContent = "<foo>";
+  is(iframe.innerHTML, "<svg:svg><foo></svg:svg>");
+
+  // This test fails if about:blank renders SVGs
+  var win = window.open("about:blank");
+  win.document.body.appendChild(document.createElementNS("http://www.w3.org/2000/svg", "svg:svg"))
+  win.document.body.firstChild.textContent = "<foo>";
+  is(win.document.body.innerHTML, "<svg:svg><foo></svg:svg>");
+  win.close();
+
+  // This test fails if about:srcdoc renders SVGs
+  t.innerHTML = null;
+  iframe = document.createElement("iframe");
+  iframe.srcdoc = "<svg:svg></svg:svg>";
+  iframe.onload = function() {
+    iframe.contentDocument.body.firstChild.textContent = "<foo>";
+    is(iframe.contentDocument.body.innerHTML, "<svg:svg><foo></svg:svg>");
+    SimpleTest.finish();
+  }
+  t.appendChild(iframe);
 </script>
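Review bot: The first about:blank case at `iframe.appendChild(document.createElementNS(...))` inserts the svg element as fallback content of the `<iframe>` element in this document rather than into the about:blank document it loads, so `is(iframe.innerHTML, ...)` appears to exercise the test page's own document and not about:blank's; inserting into `iframe.contentDocument.body`, as the srcdoc case does, would make the assertion check what the preceding comment says it checks. Two statements lack a terminating semicolon, `iframe.setAttribute("src", "about:blank")` and the `win.document.body.appendChild(...)` line; automatic semicolon insertion makes them work, but the rest of the file terminates statements explicitly. The window.open case is synchronous and its result is only meaningful if the harness does not block popups, which the hunk does not show.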


