301119 allow error pages to load favicons

xpfe: dveditz: second-review+ benjamin: first-review+ asa: approval1.8b4+ toolkit: benjamin: first-review+ benjamin: approval1.8b4+ patch by me, ported to toolkit by Henrik Skupin <hskupin@gmail.com>
2025-11-12 06:08:24 +02:00 · 2005-08-08 16:25:11 +00:00 · 2005-08-08 16:25:11 +00:00 · 1367551f57
commit 1367551f57
parent 73ca7ae764
2 changed files with 14 additions and 4 deletions
--- a/toolkit/content/widgets/tabbrowser.xml
+++ b/toolkit/content/widgets/tabbrowser.xml
@ -783,8 +783,13 @@
              Components.interfaces.nsIScriptSecurityManager;

            try {
-              secMan.checkLoadURI(origURI, uri,
-                                  nsIScriptSecMan.DISALLOW_SCRIPT);
+              // error pages can load their favicon
+              // to be on the safe side, only allow chrome:// favicons
+              const aboutNeterr = "about:neterror?";
+              if (origURI.spec.substr(0, aboutNeterr.length) != aboutNeterr ||
+                  !uri.schemeIs("chrome"))
+                secMan.checkLoadURI(origURI, uri,
+                                    nsIScriptSecMan.DISALLOW_SCRIPT);
            } catch(e) {
              return;
            }
--- a/xpfe/global/resources/content/bindings/tabbrowser.xml
+++ b/xpfe/global/resources/content/bindings/tabbrowser.xml
@ -705,8 +705,13 @@
              Components.interfaces.nsIScriptSecurityManager;

            try {
-              secMan.checkLoadURI(origURI, uri,
-                                  nsIScriptSecMan.DISALLOW_SCRIPT);
+              // error pages can load their favicon
+              // to be on the safe side, only allow chrome:// favicons
+              const aboutNeterr = "about:neterror?";
+              if (origURI.spec.substr(0, aboutNeterr.length) != aboutNeterr ||
+                  !uri.schemeIs("chrome"))
+                secMan.checkLoadURI(origURI, uri,
+                                    nsIScriptSecMan.DISALLOW_SCRIPT);
            } catch(e) {
              return;
            }