corysanin/tubestation
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Bug 1803607 - Allow using https: hosts for connect-src in CSP validation r=simonf

Browse Source 
Differential Revision: https://phabricator.services.mozilla.com/D243676
This commit is contained in:
Tom Schuster
2025-04-09 10:04:12 +00:00
parent 10431390e6
commit 221c0e04ef
1 changed files with 8 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
dom/security/nsContentSecurityUtils.cpp
View File

@@ -1420,6 +1420,9 @@ static nsLiteralCString sConnectSrcAddonsAllowList[] = {
"about:addons"_ns, "about:addons"_ns,
// STOP! Do not add anything to this list. // STOP! Do not add anything to this list.
}; };
// connect-src https://example.org
// Any https host source.
static nsLiteralCString sConnectSrcHttpsHostAllowList[] = {"about:logging"_ns};
class DisallowingVisitor : public nsCSPSrcVisitor { class DisallowingVisitor : public nsCSPSrcVisitor {
public: public:
@@ -1663,6 +1666,11 @@ class ConnectSrcVisitor : public AllowBuiltinSrcVisitor {
return AllowBuiltinSrcVisitor::visitSchemeSrc(src); return AllowBuiltinSrcVisitor::visitSchemeSrc(src);
} }
bool visitHostSrc(const nsCSPHostSrc& src) override {
return VisitHostSrcWithWildcardAndHttpsHostAllowLists(
src, nullptr, sConnectSrcHttpsHostAllowList);
}
}; };
class AddonSrcVisitor : public AllowBuiltinSrcVisitor { class AddonSrcVisitor : public AllowBuiltinSrcVisitor {