nagai/fune
3
0
Fork 0
forked from mirrors/gecko-dev
Code Pull requests Activity

Bug 1573720 - Convert security.view-source.reachable-from-inner-protocol to a static pref. r=bzbarsky

Browse source 
Differential Revision: https://phabricator.services.mozilla.com/D41912

--HG--
extra : moz-landing-system : lando
This commit is contained in:
Nicholas Nethercote 2019-08-15 05:29:35 +00:00
parent 28020e4832
commit 5e22e64603
3 changed files with 10 additions and 17 deletions
repo.diff.show_diff_stats Download patch file Download diff file Expand all files Collapse all files

15
caps/nsScriptSecurityManager.cpp
View file

@ -676,24 +676,13 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
rv = sourceBaseURI->GetScheme(sourceScheme); rv = sourceBaseURI->GetScheme(sourceScheme);
if (NS_FAILED(rv)) return rv; if (NS_FAILED(rv)) return rv;
// When comparing schemes, if the relevant pref is set, view-source URIs
// are reachable from same-protocol (so e.g. file: can link to
// view-source:file). This is required for reftests.
static bool sViewSourceReachableFromInner = false;
static bool sCachedViewSourcePref = false;
if (!sCachedViewSourcePref) {
sCachedViewSourcePref = true;
mozilla::Preferences::AddBoolVarCache(
&sViewSourceReachableFromInner,
"security.view-source.reachable-from-inner-protocol");
}
if (sourceScheme.LowerCaseEqualsLiteral(NS_NULLPRINCIPAL_SCHEME)) { if (sourceScheme.LowerCaseEqualsLiteral(NS_NULLPRINCIPAL_SCHEME)) {
// A null principal can target its own URI. // A null principal can target its own URI.
if (sourceURI == aTargetURI) { if (sourceURI == aTargetURI) {
return NS_OK; return NS_OK;
} }
} else if (sViewSourceReachableFromInner && } else if (StaticPrefs::
security_view_source_reachable_from_inner_protocol() &&
sourceScheme.EqualsIgnoreCase(targetScheme.get()) && sourceScheme.EqualsIgnoreCase(targetScheme.get()) &&
aTargetURI->SchemeIs("view-source")) { aTargetURI->SchemeIs("view-source")) {
// exception for foo: linking to view-source:foo for reftests... // exception for foo: linking to view-source:foo for reftests...

8
modules/libpref/init/StaticPrefList.yaml
View file

@ -6295,6 +6295,14 @@
mirror: always mirror: always
#endif #endif
# When comparing schemes, if this pref is set, view-source URIs are reachable
# from same-protocol (so e.g. file: can link to view-source:file). This is
# required for reftests.
- name: security.view-source.reachable-from-inner-protocol
type: bool
value: false
mirror: always
# Hardware Origin-bound Second Factor Support # Hardware Origin-bound Second Factor Support
- name: security.webauth.webauthn - name: security.webauth.webauthn
type: bool type: bool

4
modules/libpref/init/all.js
View file

@ -2596,10 +2596,6 @@ pref("security.cert_pinning.enforcement_level", 0);
// for tests. // for tests.
pref("security.cert_pinning.process_headers_from_non_builtin_roots", false); pref("security.cert_pinning.process_headers_from_non_builtin_roots", false);
// If set to true, allow view-source URIs to be opened from URIs that share
// their protocol with the inner URI of the view-source URI
pref("security.view-source.reachable-from-inner-protocol", false);
// If set to true strict checks will happen on the triggering principal for loads. // If set to true strict checks will happen on the triggering principal for loads.
// Android is disabled at the moment pending Bug 1504968 // Android is disabled at the moment pending Bug 1504968
#if !defined(RELEASE_OR_BETA) && !defined(ANDROID) #if !defined(RELEASE_OR_BETA) && !defined(ANDROID)