authorwolfbeast <mcwerewolf@wolfbeast.com>2019-08-18 16:25:15 +0200
committerwolfbeast <mcwerewolf@wolfbeast.com>2019-08-18 16:26:16 +0200
commit202296d02aa99afa90581333ab059c050b9c3ade (patch)
tree6ed8a1289bed1bb06d2703ea77cba5fccd3bdffa /dom/security/nsContentSecurityManager.cpp
parent1530f48c27fb13d7cbd2708c9f0fcf2dabc6ed6a (diff)
parentab6242a93b849b0a3c7525b16bc01dd3172fc167 (diff)
Pull Basilisk-release forward.
Diffstat (limited to 'dom/security/nsContentSecurityManager.cpp')
-rw-r--r--dom/security/nsContentSecurityManager.cpp30
1 files changed, 28 insertions, 2 deletions
diff --git a/dom/security/nsContentSecurityManager.cpp b/dom/security/nsContentSecurityManager.cpp
index f2cbc8fcf..5c6701992 100644
--- a/dom/security/nsContentSecurityManager.cpp
+++ b/dom/security/nsContentSecurityManager.cpp
@@ -10,6 +10,7 @@
#include "nsIStreamListener.h"
#include "nsCDefaultURIFixup.h"
#include "nsIURIFixup.h"
+#include "nsIImageLoadingContent.h"
#include "mozilla/dom/Element.h"
#include "mozilla/dom/TabChild.h"
@@ -95,9 +96,14 @@ nsContentSecurityManager::AllowTopLevelNavigationToDataURI(nsIChannel* aChannel)
/* static */ nsresult
nsContentSecurityManager::CheckFTPSubresourceLoad(nsIChannel* aChannel)
{
- // We dissallow using FTP resources as a subresource everywhere.
+ // We dissallow using FTP resources as a subresource almost everywhere.
// The only valid way to use FTP resources is loading it as
// a top level document.
+
+ // Override blocking if the pref is set to allow.
+ if (!mozilla::net::nsIOService::BlockFTPSubresources()) {
+ return NS_OK;
+ }
nsCOMPtr<nsILoadInfo> loadInfo = aChannel->GetLoadInfo();
if (!loadInfo) {
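Review bot: The new early return on `!mozilla::net::nsIOService::BlockFTPSubresources()` switches the FTP subresource check off for every content type, but the comment above it neither says so nor names the pref. I would reword it to `// If the pref (<pref name>) is set to allow, skip the FTP subresource check for all load types.` so that anyone auditing this mitigation can see that one pref disables it entirely. The changed comment line also keeps the typo `dissallow` (should be `disallow`). CheckFTPSubresourceLoad continues outside this hunk.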
@@ -105,22 +111,40 @@ nsContentSecurityManager::CheckFTPSubresourceLoad(nsIChannel* aChannel)
}
nsContentPolicyType type = loadInfo->GetExternalContentPolicyType();
+
+ // Allow save-as download of FTP files on HTTP pages.
+ if (type == nsIContentPolicy::TYPE_SAVEAS_DOWNLOAD) {
+ return NS_OK;
+ }
+
+ // Allow direct document requests
if (type == nsIContentPolicy::TYPE_DOCUMENT) {
return NS_OK;
}
nsCOMPtr<nsIURI> uri;
nsresult rv = NS_GetFinalChannelURI(aChannel, getter_AddRefs(uri));
- NS_ENSURE_SUCCESS(rv, rv);
+ NS_ENSURE_SUCCESS(rv, rv);
if (!uri) {
return NS_OK;
}
+ // Allow if it's not the FTP protocol
bool isFtpURI = (NS_SUCCEEDED(uri->SchemeIs("ftp", &isFtpURI)) && isFtpURI);
if (!isFtpURI) {
return NS_OK;
}
+ // Allow loading FTP subresources in top-level FTP documents.
+ nsIPrincipal* triggeringPrincipal = loadInfo->TriggeringPrincipal();
+ nsCOMPtr<nsIURI> tURI;
+ triggeringPrincipal->GetURI(getter_AddRefs(tURI));
+ bool isTrigFtpURI = (NS_SUCCEEDED(tURI->SchemeIs("ftp", &isTrigFtpURI)) && isTrigFtpURI);
+ if (isTrigFtpURI) {
+ return NS_OK;
+ }
+
+ // If we get here, the request is blocked and should be reported.
nsCOMPtr<nsIDocument> doc;
if (nsINode* node = loadInfo->LoadingNode()) {
doc = node->OwnerDoc();
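Review bot: `tURI` is dereferenced without a null check in the added triggering-principal test, and the result of `GetURI` is ignored. Some principals carry no URI (the system principal is one, as far as I know), so an FTP subresource load triggered by such a principal would crash here instead of reaching the block-and-report path. Guard it with `bool isTrigFtpURI = (tURI && NS_SUCCEEDED(tURI->SchemeIs("ftp", &isTrigFtpURI)) && isTrigFtpURI);`. The comment says "top-level FTP documents", but the test is on the triggering principal's scheme rather than the top-level document, so it should read `// Allow FTP subresources when the triggering principal's URI is itself FTP.`. The function body continues past the end of this hunk.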
@@ -778,6 +802,8 @@ nsContentSecurityManager::CheckChannel(nsIChannel* aChannel)
// within nsCorsListenerProxy
rv = DoCheckLoadURIChecks(uri, loadInfo);
NS_ENSURE_SUCCESS(rv, rv);
+ // TODO: Bug 1371237
+ // consider calling SetBlockedRequest in nsContentSecurityManager::CheckChannel
}
return NS_OK;