From d9aff90f06254a0b724a0ea9c21db39f74ff8fc6 Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Sun, 14 Jul 2019 22:41:01 +0200 Subject: Add preference to allow the loading of FTP subresources for corner cases --- dom/security/nsContentSecurityManager.cpp | 3 +++ 1 file changed, 3 insertions(+) (limited to 'dom') diff --git a/dom/security/nsContentSecurityManager.cpp b/dom/security/nsContentSecurityManager.cpp index f2cbc8fcf..12c55e8f6 100644 --- a/dom/security/nsContentSecurityManager.cpp +++ b/dom/security/nsContentSecurityManager.cpp @@ -98,6 +98,9 @@ nsContentSecurityManager::CheckFTPSubresourceLoad(nsIChannel* aChannel) // We dissallow using FTP resources as a subresource everywhere. // The only valid way to use FTP resources is loading it as // a top level document. + if (!mozilla::net::nsIOService::BlockFTPSubresources()) { + return NS_OK; + } nsCOMPtr loadInfo = aChannel->GetLoadInfo(); if (!loadInfo) { -- cgit v1.2.3 From 4491ec5eacd5ed501737c0db2c134fe1815c50a8 Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Mon, 15 Jul 2019 12:51:23 +0200 Subject: Selectively allow ftp subresources in the blocked mode. - Allow "Save As..." downloads - Allow subresource use if the top-level document is also on FTP --- dom/security/nsContentSecurityManager.cpp | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) (limited to 'dom') diff --git a/dom/security/nsContentSecurityManager.cpp b/dom/security/nsContentSecurityManager.cpp index 12c55e8f6..08fd9afd9 100644 --- a/dom/security/nsContentSecurityManager.cpp +++ b/dom/security/nsContentSecurityManager.cpp @@ -95,9 +95,11 @@ nsContentSecurityManager::AllowTopLevelNavigationToDataURI(nsIChannel* aChannel) /* static */ nsresult nsContentSecurityManager::CheckFTPSubresourceLoad(nsIChannel* aChannel) { - // We dissallow using FTP resources as a subresource everywhere. + // We dissallow using FTP resources as a subresource almost everywhere. // The only valid way to use FTP resources is loading it as // a top level document. + + // Override blocking if the pref is set to allow. if (!mozilla::net::nsIOService::BlockFTPSubresources()) { return NS_OK; } @@ -108,6 +110,13 @@ nsContentSecurityManager::CheckFTPSubresourceLoad(nsIChannel* aChannel) } nsContentPolicyType type = loadInfo->GetExternalContentPolicyType(); + + // Allow save-as download of FTP files on HTTP pages. + if (type == nsIContentPolicy::TYPE_SAVEAS_DOWNLOAD) { + return NS_OK; + } + + // Allow direct document requests if (type == nsIContentPolicy::TYPE_DOCUMENT) { return NS_OK; } @@ -119,11 +128,22 @@ nsContentSecurityManager::CheckFTPSubresourceLoad(nsIChannel* aChannel) return NS_OK; } + // Allow if it's not the FTP protocol bool isFtpURI = (NS_SUCCEEDED(uri->SchemeIs("ftp", &isFtpURI)) && isFtpURI); if (!isFtpURI) { return NS_OK; } + // Allow loading FTP subresources in top-level FTP documents. + nsIPrincipal* triggeringPrincipal = loadInfo->TriggeringPrincipal(); + nsCOMPtr tURI; + triggeringPrincipal->GetURI(getter_AddRefs(tURI)); + bool isTrigFtpURI = (NS_SUCCEEDED(tURI->SchemeIs("ftp", &isTrigFtpURI)) && isTrigFtpURI); + if (isTrigFtpURI) { + return NS_OK; + } + + // If we get here, the request is blocked and should be reported. nsCOMPtr doc; if (nsINode* node = loadInfo->LoadingNode()) { doc = node->OwnerDoc(); -- cgit v1.2.3