diff options
| author | wolfbeast <mcwerewolf@gmail.com> | 2017-08-15 21:10:10 +0200 |
|---|---|---|
| committer | wolfbeast <mcwerewolf@gmail.com> | 2018-02-06 09:03:16 +0100 |
| commit | 13e9a0c06d35bb02d211df873c105a350aeab8eb (patch) | |
| tree | 7a02bdb0992080b231c190c383bc12fac1607cd4 /dom/security/nsCSPUtils.cpp | |
| parent | a9b44dbcb33cd98b163f8a21223643f2cf3829cd (diff) | |
| download | UXP-13e9a0c06d35bb02d211df873c105a350aeab8eb.tar UXP-13e9a0c06d35bb02d211df873c105a350aeab8eb.tar.gz UXP-13e9a0c06d35bb02d211df873c105a350aeab8eb.tar.lz UXP-13e9a0c06d35bb02d211df873c105a350aeab8eb.tar.xz UXP-13e9a0c06d35bb02d211df873c105a350aeab8eb.zip | |
CSP should only check host (not including path) when performing frame ancestors checks.
This has been explicitly stated in the CSP-3 spec.
Diffstat (limited to 'dom/security/nsCSPUtils.cpp')
| -rw-r--r-- | dom/security/nsCSPUtils.cpp | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/dom/security/nsCSPUtils.cpp b/dom/security/nsCSPUtils.cpp index 63b4aae2c..b074a980c 100644 --- a/dom/security/nsCSPUtils.cpp +++ b/dom/security/nsCSPUtils.cpp @@ -503,6 +503,7 @@ nsCSPSchemeSrc::toString(nsAString& outStr) const nsCSPHostSrc::nsCSPHostSrc(const nsAString& aHost) : mHost(aHost) + , mWithinFrameAncstorsDir(false) { ToLowerCase(mHost); } @@ -686,6 +687,11 @@ nsCSPHostSrc::permits(nsIURI* aUri, const nsAString& aNonce, bool aWasRedirected rv = url->GetFilePath(uriPath); NS_ENSURE_SUCCESS(rv, false); + if (mWithinFrameAncstorsDir) { + // no path matching for frame-ancestors to not leak any path information. + return true; + } + nsString decodedUriPath; CSP_PercentDecodeStr(NS_ConvertUTF8toUTF16(uriPath), decodedUriPath); |