summaryrefslogtreecommitdiffstats
path: root/dom/security/nsCSPUtils.cpp
diff options
context:
space:
mode:
authorwolfbeast <mcwerewolf@gmail.com>2017-08-15 21:10:10 +0200
committerwolfbeast <mcwerewolf@gmail.com>2018-02-06 09:03:16 +0100
commit13e9a0c06d35bb02d211df873c105a350aeab8eb (patch)
tree7a02bdb0992080b231c190c383bc12fac1607cd4 /dom/security/nsCSPUtils.cpp
parenta9b44dbcb33cd98b163f8a21223643f2cf3829cd (diff)
downloadUXP-13e9a0c06d35bb02d211df873c105a350aeab8eb.tar
UXP-13e9a0c06d35bb02d211df873c105a350aeab8eb.tar.gz
UXP-13e9a0c06d35bb02d211df873c105a350aeab8eb.tar.lz
UXP-13e9a0c06d35bb02d211df873c105a350aeab8eb.tar.xz
UXP-13e9a0c06d35bb02d211df873c105a350aeab8eb.zip
CSP should only check host (not including path) when performing frame ancestors checks.
This has been explicitly stated in the CSP-3 spec.
Diffstat (limited to 'dom/security/nsCSPUtils.cpp')
-rw-r--r--dom/security/nsCSPUtils.cpp6
1 files changed, 6 insertions, 0 deletions
diff --git a/dom/security/nsCSPUtils.cpp b/dom/security/nsCSPUtils.cpp
index 63b4aae2c..b074a980c 100644
--- a/dom/security/nsCSPUtils.cpp
+++ b/dom/security/nsCSPUtils.cpp
@@ -503,6 +503,7 @@ nsCSPSchemeSrc::toString(nsAString& outStr) const
nsCSPHostSrc::nsCSPHostSrc(const nsAString& aHost)
: mHost(aHost)
+ , mWithinFrameAncstorsDir(false)
{
ToLowerCase(mHost);
}
@@ -686,6 +687,11 @@ nsCSPHostSrc::permits(nsIURI* aUri, const nsAString& aNonce, bool aWasRedirected
rv = url->GetFilePath(uriPath);
NS_ENSURE_SUCCESS(rv, false);
+ if (mWithinFrameAncstorsDir) {
+ // no path matching for frame-ancestors to not leak any path information.
+ return true;
+ }
+
nsString decodedUriPath;
CSP_PercentDecodeStr(NS_ConvertUTF8toUTF16(uriPath), decodedUriPath);