Bug 1263628 - meta-refresh can use a relative URL, ensure base URI is included r=gijs
authorAndrzej Hunt <ahunt@mozilla.com>
Fri, 15 Apr 2016 13:53:19 -0700
changeset 331613 79ea010e10cd2c07c9a16700c85763d1346364ff
parent 331612 d4b74afcc60b937f25d54f365be46a8133980209
child 331614 4992cef658a669d514b3469c4b4449ac5826359d
push id6048
push userkmoir@mozilla.com
push dateMon, 06 Jun 2016 19:02:08 +0000
treeherdermozilla-beta@46d72a56c57d [default view] [failures only]
reviewersgijs
bugs1263628
milestone48.0a1
Bug 1263628 - meta-refresh can use a relative URL, ensure base URI is included r=gijs E.g. articles on facebook.com provide a meta-refresh containing "0; URL=/foo/bar?....", and we previously attempted to use just this URL component, instead of constructing it using the current page URL. MozReview-Commit-ID: 4vSoz5lc1e
toolkit/components/reader/ReaderMode.jsm
--- a/toolkit/components/reader/ReaderMode.jsm
+++ b/toolkit/components/reader/ReaderMode.jsm
@@ -204,33 +204,37 @@ this.ReaderMode = {
 
         // Manually follow a meta refresh tag if one exists.
         let meta = doc.querySelector("meta[http-equiv=refresh]");
         if (meta) {
           let content = meta.getAttribute("content");
           if (content) {
             let urlIndex = content.toUpperCase().indexOf("URL=");
             if (urlIndex > -1) {
-              let url = content.substring(urlIndex + 4);
+              let baseURI = Services.io.newURI(url, null, null);
+              let newURI = Services.io.newURI(content.substring(urlIndex + 4), null, baseURI);
+              let newURL = newURI.spec;
               let ssm = Services.scriptSecurityManager;
               let flags = ssm.LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT |
                           ssm.DISALLOW_INHERIT_PRINCIPAL;
               try {
-                ssm.checkLoadURIStrWithPrincipal(doc.nodePrincipal, url, flags);
+                ssm.checkLoadURIStrWithPrincipal(doc.nodePrincipal, newURL, flags);
               } catch (ex) {
                 let errorMsg = "Reader mode disallowed meta refresh (reason: " + ex + ").";
 
                 if (Services.prefs.getBoolPref("reader.errors.includeURLs"))
-                  errorMsg += " Refresh target URI: '" + url + "'.";
+                  errorMsg += " Refresh target URI: '" + newURL + "'.";
                 reject(errorMsg);
                 return;
               }
               // Otherwise, pass an object indicating our new URL:
-              reject({newURL: url});
-              return;
+              if (!baseURI.equalsExceptRef(newURI)) {
+                reject({newURL});
+                return;
+              }
             }
           }
         }
         let responseURL = xhr.responseURL;
         let givenURL = url;
         // Convert these to real URIs to make sure the escaping (or lack
         // thereof) is identical:
         try {
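Review bot: The two `Services.io.newURI(...)` calls added ahead of the `try` can throw on a malformed value, and the text after `URL=` comes straight from the fetched page, so a bad refresh target would raise outside the existing `catch` instead of taking the `reject(errorMsg)` path; the enclosing handler starts outside this hunk, so whether the promise is then left unsettled is inferred rather than visible. Declaring the three variables first and doing the parsing inside the `try` keeps that failure on the same reporting path as a refused load, and the error string should then cope with `newURL` being unset. Separately, the base is built from the requested `url`, while `xhr.responseURL` is read just below; if the request was redirected, a relative target would presumably resolve against the wrong page, which is worth confirming.

```javascript
let ssm = Services.scriptSecurityManager;
// … unchanged: flags …
let baseURI, newURI, newURL;
try {
  // Parse inside the try: the refresh target is page-controlled and
  // newURI() throws on a malformed spec.
  baseURI = Services.io.newURI(url, null, null);
  newURI = Services.io.newURI(content.substring(urlIndex + 4), null, baseURI);
  newURL = newURI.spec;
  ssm.checkLoadURIStrWithPrincipal(doc.nodePrincipal, newURL, flags);
} catch (ex) {
  // … unchanged: build errorMsg, reject(errorMsg), return …
```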