Bug 1525006 - Block ES6 modules with wrong MIME type r=ckerschb
authorTom Schuster <evilpies@gmail.com>
Tue, 12 Feb 2019 13:16:52 +0000
changeset 458733 67ac511f5c6c
parent 458732 64ba51db91e8
child 458734 248b41426bf2
push id35548
push useropoprus@mozilla.com
push dateWed, 13 Feb 2019 09:48:26 +0000
treeherdermozilla-central@93e37c529818 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersckerschb
bugs1525006
milestone67.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1525006 - Block ES6 modules with wrong MIME type r=ckerschb Differential Revision: https://phabricator.services.mozilla.com/D19270
dom/locales/en-US/chrome/security/security.properties
netwerk/protocol/http/nsHttpChannel.cpp
--- a/dom/locales/en-US/chrome/security/security.properties
+++ b/dom/locales/en-US/chrome/security/security.properties
@@ -83,16 +83,17 @@ WeakCipherSuiteWarning=This site uses th
 MimeTypeMismatch2=The resource from “%1$S” was blocked due to MIME type (“%2$S”) mismatch (X-Content-Type-Options: nosniff).
 # LOCALIZATION NOTE: Do not translate "X-Content-Type-Options" and also do not trasnlate "nosniff".
 XCTOHeaderValueMissing=X-Content-Type-Options header warning: value was “%1$S”; did you mean to send “nosniff”?
 
 BlockScriptWithWrongMimeType2=Script from “%1$S” was blocked because of a disallowed MIME type (“%2$S”).
 WarnScriptWithWrongMimeType=The script from “%1$S” was loaded even though its MIME type (“%2$S”) is not a valid JavaScript MIME type.
 # LOCALIZATION NOTE: Do not translate "importScripts()"
 BlockImportScriptsWithWrongMimeType=Loading script from “%1$S” with importScripts() was blocked because of a disallowed MIME type (“%2$S”).
+BlockModuleWithWrongMimeType=Loading module from “%1$S” was blocked because of a disallowed MIME type (“%2$S”).
 
 # LOCALIZATION NOTE: Do not translate "data: URI".
 BlockTopLevelDataURINavigation=Navigation to toplevel data: URI not allowed (Blocked loading of: “%1$S”)
 BlockSubresourceRedirectToData=Redirecting to insecure data: URI not allowed (Blocked loading of: “%1$S”)
 
 BlockSubresourceFTP=Loading FTP subresource within http(s) page not allowed (Blocked loading of: “%1$S”)
 
 # LOCALIZATION NOTE (BrowserUpgradeInsecureDisplayRequest):
--- a/netwerk/protocol/http/nsHttpChannel.cpp
+++ b/netwerk/protocol/http/nsHttpChannel.cpp
@@ -1529,18 +1529,18 @@ nsresult EnsureMIMEOfScript(nsHttpChanne
         Telemetry::LABELS_SCRIPT_BLOCK_INCORRECT_MIME_3::empty);
   } else {
     // script load has unknown type
     AccumulateCategorical(
         Telemetry::LABELS_SCRIPT_BLOCK_INCORRECT_MIME_3::unknown);
   }
 
   // We restrict importScripts() in worker code to JavaScript MIME types.
-  if (aLoadInfo->InternalContentPolicyType() ==
-      nsIContentPolicy::TYPE_INTERNAL_WORKER_IMPORT_SCRIPTS) {
+  nsContentPolicyType internalType = aLoadInfo->InternalContentPolicyType();
+  if (internalType == nsIContentPolicy::TYPE_INTERNAL_WORKER_IMPORT_SCRIPTS) {
     // Instead of consulting Preferences::GetBool() all the time we
     // can cache the result to speed things up.
     static bool sCachedBlockImportScriptsWithWrongMime = false;
     static bool sIsInited = false;
     if (!sIsInited) {
       sIsInited = true;
       Preferences::AddBoolVarCache(
           &sCachedBlockImportScriptsWithWrongMime,
@@ -1552,16 +1552,24 @@ nsresult EnsureMIMEOfScript(nsHttpChanne
       return NS_OK;
     }
 
     ReportMimeTypeMismatch(aChannel, "BlockImportScriptsWithWrongMimeType",
                            aURI, contentType, Report::Error);
     return NS_ERROR_CORRUPTED_CONTENT;
   }
 
+  // ES6 modules require a strict MIME type check.
+  if (internalType == nsIContentPolicy::TYPE_INTERNAL_MODULE ||
+      internalType == nsIContentPolicy::TYPE_INTERNAL_MODULE_PRELOAD) {
+    ReportMimeTypeMismatch(aChannel, "BlockModuleWithWrongMimeType", aURI,
+                           contentType, Report::Error);
+    return NS_ERROR_CORRUPTED_CONTENT;
+  }
+
   return NS_OK;
 }
 
 // Warn when a load of type script uses a wrong MIME type and
 // wasn't blocked by EnsureMIMEOfScript or ProcessXCTO.
 void WarnWrongMIMEOfScript(nsHttpChannel *aChannel, nsIURI *aURI,
                            nsHttpResponseHead *aResponseHead,
                            nsILoadInfo *aLoadInfo) {