From b827a3a9cd60b10526e3bc99274a1465f1b6f2d1 Mon Sep 17 00:00:00 2001
From: wolfbeast <mcwerewolf@gmail.com>
Date: Thu, 8 Feb 2018 11:37:12 +0100
Subject: Perform LoadURL checks for WebExtensions.

---
 browser/components/extensions/ext-pageAction.js | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'browser/components/extensions/ext-pageAction.js')

diff --git a/browser/components/extensions/ext-pageAction.js b/browser/components/extensions/ext-pageAction.js
index 153f05d7a..5bf3a9c70 100644
--- a/browser/components/extensions/ext-pageAction.js
+++ b/browser/components/extensions/ext-pageAction.js
@@ -273,6 +273,9 @@ extensions.registerSchemaAPI("pageAction", "addon_parent", context => {
         // For internal consistency, we currently resolve both relative to the
         // calling context.
         let url = details.popup && context.uri.resolve(details.popup);
+        if (url && !context.checkLoadURL(url)) {
+          return Promise.reject({message: `Access denied for URL ${url}`});
+        }
         PageAction.for(extension).setProperty(tab, "popup", url);
       },
 
-- 
cgit v1.2.3