Merge commit '50d3e596bbe89c95615f96eb71f6bc5be737a1db' into Basilisk-releasev2018.07.18

# Conflicts: # browser/app/profile/firefox.js # browser/components/preferences/jar.mn
author: wolfbeast <mcwerewolf@gmail.com> 2018-07-18 08:24:24 +0200
committer: wolfbeast <mcwerewolf@gmail.com> 2018-07-18 08:24:24 +0200
commit: fc61780b35af913801d72086456f493f63197da6 (patch)
tree: f85891288a7bd988da9f0f15ae64e5c63f00d493 /caps
parent: 69f7f9e5f1475891ce11cc4f431692f965b0cd30 (diff)
parent: 50d3e596bbe89c95615f96eb71f6bc5be737a1db (diff)
download: UXP-9ccb235f04529c1ec345d87dad6521cb567d20bb.tar
UXP-9ccb235f04529c1ec345d87dad6521cb567d20bb.tar.gz
UXP-9ccb235f04529c1ec345d87dad6521cb567d20bb.tar.lz
UXP-9ccb235f04529c1ec345d87dad6521cb567d20bb.tar.xz
UXP-9ccb235f04529c1ec345d87dad6521cb567d20bb.zip
1 files changed, 16 insertions, 3 deletions
diff --git a/caps/nsScriptSecurityManager.cpp b/caps/nsScriptSecurityManager.cpp
index a219dcaed..0277f771d 100644
--- a/caps/nsScriptSecurityManager.cpp
+++ b/caps/nsScriptSecurityManager.cpp
@@ -836,6 +836,16 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
         // exception for foo: linking to view-source:foo for reftests...
         return NS_OK;
     }
+    else if ((!sourceScheme.EqualsIgnoreCase("http") &&
+              !sourceScheme.EqualsIgnoreCase("https")) &&
+             targetScheme.EqualsIgnoreCase("moz-icon"))
+    {
+        // Exception for linking to moz-icon://.ext?size=...
+        // Note that because targetScheme is the base (innermost) URI scheme,
+        // this does NOT allow e.g. file -> moz-icon:file:///... links.
+        // This is intentional.
+        return NS_OK;
+    }
 
     // If we get here, check all the schemes can link to each other, from the top down:
     nsCaseInsensitiveCStringComparator stringComparator;
@@ -976,9 +986,12 @@ nsScriptSecurityManager::CheckLoadURIFlags(nsIURI *aSourceURI,
     if (hasFlags) {
         if (aFlags & nsIScriptSecurityManager::ALLOW_CHROME) {
 
-            // For now, don't change behavior for resource:// or moz-icon:// and
-            // just allow them.
-            if (!targetScheme.EqualsLiteral("chrome")) {
+            // For now, don't change behavior for resource:// and
+            // just allow it. This is required for extensions injecting
+            // extension-internal resource URLs in snippets in pages, e.g.
+            // Adding custom controls in-page.
+            if (!targetScheme.EqualsLiteral("chrome") &&
+                !targetScheme.EqualsLiteral("moz-icon")) {
                 return NS_OK;
             }
author	wolfbeast <mcwerewolf@gmail.com>	2018-07-18 08:24:24 +0200
committer	wolfbeast <mcwerewolf@gmail.com>	2018-07-18 08:24:24 +0200
commit	fc61780b35af913801d72086456f493f63197da6 (patch)
tree	f85891288a7bd988da9f0f15ae64e5c63f00d493 /caps
parent	69f7f9e5f1475891ce11cc4f431692f965b0cd30 (diff)
parent	50d3e596bbe89c95615f96eb71f6bc5be737a1db (diff)
download	UXP-9ccb235f04529c1ec345d87dad6521cb567d20bb.tar UXP-9ccb235f04529c1ec345d87dad6521cb567d20bb.tar.gz UXP-9ccb235f04529c1ec345d87dad6521cb567d20bb.tar.lz UXP-9ccb235f04529c1ec345d87dad6521cb567d20bb.tar.xz UXP-9ccb235f04529c1ec345d87dad6521cb567d20bb.zip