Bug 1916351 - Only allow JSON mime type for javascript modules r=evilpie,necko-reviewers,devtools-reviewers,jesup,nchevobbe

Differential Revision: https://phabricator.services.mozilla.com/D220917
Jonatan Klemets
2024-09-05 09:59:12 +00:00
parent 9143c206db
commit 32c95bd458
6 changed files with 62 additions and 9 deletions


@@ -2945,9 +2945,14 @@ nsresult EnsureMIMEOfScript(HttpBaseChannel* aChannel, nsIURI* aURI,
return NS_OK;
}
if (nsContentUtils::IsJsonMimeType(typeString)) {
nsContentPolicyType internalType = aLoadInfo->InternalContentPolicyType();
bool isModule =
internalType == nsIContentPolicy::TYPE_INTERNAL_MODULE ||
internalType == nsIContentPolicy::TYPE_INTERNAL_MODULE_PRELOAD;
if (isModule && nsContentUtils::IsJsonMimeType(typeString)) {
AccumulateCategorical(
Telemetry::LABELS_SCRIPT_BLOCK_INCORRECT_MIME_3::text_json);
Telemetry::LABELS_SCRIPT_BLOCK_INCORRECT_MIME_3::javaScript);
return NS_OK;
}
@@ -3087,7 +3092,6 @@ nsresult EnsureMIMEOfScript(HttpBaseChannel* aChannel, nsIURI* aURI,
}
// We restrict importScripts() in worker code to JavaScript MIME types.
nsContentPolicyType internalType = aLoadInfo->InternalContentPolicyType();
if (internalType == nsIContentPolicy::TYPE_INTERNAL_WORKER_IMPORT_SCRIPTS ||
internalType == nsIContentPolicy::TYPE_INTERNAL_WORKER_STATIC_MODULE) {
ReportMimeTypeMismatch(aChannel, "BlockImportScriptsWithWrongMimeType",
@@ -3108,8 +3112,7 @@ nsresult EnsureMIMEOfScript(HttpBaseChannel* aChannel, nsIURI* aURI,
}
// ES6 modules require a strict MIME type check.
if (internalType == nsIContentPolicy::TYPE_INTERNAL_MODULE ||
internalType == nsIContentPolicy::TYPE_INTERNAL_MODULE_PRELOAD) {
if (isModule) {
ReportMimeTypeMismatch(aChannel, "BlockModuleWithWrongMimeType", aURI,
contentType, Report::Error);
return NS_ERROR_CORRUPTED_CONTENT;
@@ -3145,11 +3148,21 @@ void WarnWrongMIMEOfScript(HttpBaseChannel* aChannel, nsIURI* aURI,
nsAutoCString contentType;
aResponseHead->ContentType(contentType);
NS_ConvertUTF8toUTF16 typeString(contentType);
if (!nsContentUtils::IsJavascriptMIMEType(typeString) &&
!nsContentUtils::IsJsonMimeType(typeString)) {
ReportMimeTypeMismatch(aChannel, "WarnScriptWithWrongMimeType", aURI,
contentType, Report::Warning);
if (nsContentUtils::IsJavascriptMIMEType(typeString)) {
return;
}
nsContentPolicyType internalType = aLoadInfo->InternalContentPolicyType();
bool isModule =
internalType == nsIContentPolicy::TYPE_INTERNAL_MODULE ||
internalType == nsIContentPolicy::TYPE_INTERNAL_MODULE_PRELOAD;
if (isModule && nsContentUtils::IsJsonMimeType(typeString)) {
return;
}
ReportMimeTypeMismatch(aChannel, "WarnScriptWithWrongMimeType", aURI,
contentType, Report::Warning);
}
nsresult HttpBaseChannel::ValidateMIMEType() {
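Review bot: `isModule` covers only `TYPE_INTERNAL_MODULE` and `TYPE_INTERNAL_MODULE_PRELOAD`, while the importScripts block further down in `EnsureMIMEOfScript` also handles `TYPE_INTERNAL_WORKER_STATIC_MODULE`, so a JSON response to a static import inside a module worker appears to still be rejected with `BlockImportScriptsWithWrongMimeType`. If that is intended, say so where `isModule` is defined, e.g. `// JSON is accepted only for TYPE_INTERNAL_MODULE(_PRELOAD); worker static imports stay JavaScript-only.` The same three-line `isModule` computation is repeated in `WarnWrongMIMEOfScript`; a small file-local helper (for example `IsModuleLoad(aLoadInfo)`) would keep the two allow-lists from drifting apart. This layer also cannot tell whether the importer actually requested a JSON module, so it presumably relies on the module loader to reject a JSON body where JavaScript was expected; that dependency is worth a one-line comment next to the early `return NS_OK;`. Both function bodies start and end outside the hunks shown.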