Bug 1330035 - Explicitly use javascript: instead of URI_INHERITS_SECURITY_CONTEXT within subjectToCSP(). r=dveditz
authorChristoph Kerschbaumer <ckerschb@christophkerschbaumer.com>
Thu, 12 Jan 2017 09:42:23 +0100
changeset 374133 4a1f0be6fa1d318be2799b5066a098a9c931fa70
parent 374132 8f927b0973bc2c90fdb65ea4574fff24525484db
child 374134 311a9929ce5baae9f383eacc8109b60f6f472987
push id6996
push userjlorenzo@mozilla.com
push dateMon, 06 Mar 2017 20:48:21 +0000
reviewersdveditz
bugs1330035
milestone53.0a1
Bug 1330035 - Explicitly use javascript: instead of URI_INHERITS_SECURITY_CONTEXT within subjectToCSP(). r=dveditz
dom/security/nsCSPService.cpp
--- a/dom/security/nsCSPService.cpp
+++ b/dom/security/nsCSPService.cpp
@@ -68,40 +68,39 @@ subjectToCSP(nsIURI* aURI, nsContentPoli
   rv = aURI->SchemeIs("blob", &match);
   if (NS_SUCCEEDED(rv) && match) {
     return true;
   }
   rv = aURI->SchemeIs("filesystem", &match);
   if (NS_SUCCEEDED(rv) && match) {
     return true;
   }
-  // finally we have to whitelist "about:" which does not fall in
-  // any of the two categories underneath but is not subject to CSP.
+
+  // Finally we have to whitelist "about:" which does not fall into
+  // the category underneath and also "javascript:" which is not
+  // subject to CSP content loading rules.
   rv = aURI->SchemeIs("about", &match);
   if (NS_SUCCEEDED(rv) && match) {
     return false;
   }
+  rv = aURI->SchemeIs("javascript", &match);
+  if (NS_SUCCEEDED(rv) && match) {
+    return false;
+  }
 
   // Other protocols are not subject to CSP and can be whitelisted:
   // * URI_IS_LOCAL_RESOURCE
   //   e.g. chrome:, data:, blob:, resource:, moz-icon:
-  // * URI_INHERITS_SECURITY_CONTEXT
-  //   e.g. javascript:
-  //
   // Please note that it should be possible for websites to
   // whitelist their own protocol handlers with respect to CSP,
   // hence we use protocol flags to accomplish that.
   rv = NS_URIChainHasFlags(aURI, nsIProtocolHandler::URI_IS_LOCAL_RESOURCE, &match);
   if (NS_SUCCEEDED(rv) && match) {
     return false;
   }
-  rv = NS_URIChainHasFlags(aURI, nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT, &match);
-  if (NS_SUCCEEDED(rv) && match) {
-    return false;
-  }
   // all other protocols are subject To CSP.
   return true;
 }
 
 /* nsIContentPolicy implementation */
 NS_IMETHODIMP
 CSPService::ShouldLoad(uint32_t aContentType,
                        nsIURI *aContentLocation,
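Review bot: The new comment at the top of the exemption says "javascript:" is "not subject to CSP content loading rules" but does not say where javascript: is still policed, so a later reader could take the `return false` as a blanket CSP bypass for that scheme. Assuming, as the commit message implies, that javascript: is covered by the script-directive path when the script is evaluated rather than by ShouldLoad(), I would spell that out next to the added SchemeIs("javascript") check: `// "javascript:" is exempted only from these content-load checks; its CSP treatment (script directives) is enforced where the script is evaluated, not here.` It is also worth noting in the same comment that, unlike the removed NS_URIChainHasFlags() walk, SchemeIs() inspects only the outermost scheme, so a javascript: URI wrapped in another scheme is no longer exempted by this branch — presumably intended, since the point of the change is to stop relying on the protocol flag, but the narrowing should be recorded rather than left implicit. subjectToCSP()'s signature is above the hunk, and the ShouldLoad() declaration at the end continues below it.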