corysanin/tubestation
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Bug 1521573 web_accessible incognito support, r=kmag,smaug

Browse Source 
Prevent web_accessible_resources resources loading in private contexts when extension does not have permission.

Differential Revision: https://phabricator.services.mozilla.com/D17138
This commit is contained in:
Shane Caraveo
2019-01-29 01:42:34 +00:00
parent 71839aa247
commit 4202995d18
5 changed files with 211 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
netwerk/protocol/res/ExtensionProtocolHandler.cpp
View File

@@ -341,20 +341,27 @@ static inline ExtensionPolicyService& EPS() {
nsresult ExtensionProtocolHandler::GetFlagsForURI(nsIURI* aURI,
uint32_t* aFlags) {
// In general a moz-extension URI is only loadable by chrome, but a
// whitelisted subset are web-accessible (and cross-origin fetchable). Check
// that whitelist.
bool loadableByAnyone = false;
uint32_t flags =
URI_STD | URI_IS_LOCAL_RESOURCE | URI_IS_POTENTIALLY_TRUSTWORTHY;
URLInfo url(aURI);
if (auto* policy = EPS().GetByURL(url)) {
loadableByAnyone = policy->IsPathWebAccessible(url.FilePath());
// In general a moz-extension URI is only loadable by chrome, but a
// whitelisted subset are web-accessible (and cross-origin fetchable). Check
// that whitelist.
if (policy->IsPathWebAccessible(url.FilePath())) {
flags |= URI_LOADABLE_BY_ANYONE | URI_FETCHABLE_BY_ANYONE;
} else {
flags |= URI_DANGEROUS_TO_LOAD;
}
// Disallow in private windows if the extension does not have permission.
if (!policy->PrivateBrowsingAllowed()) {
flags |= URI_DISALLOW_IN_PRIVATE_CONTEXT;
}
}
*aFlags =
URI_STD | URI_IS_LOCAL_RESOURCE | URI_IS_POTENTIALLY_TRUSTWORTHY |
(loadableByAnyone ? (URI_LOADABLE_BY_ANYONE | URI_FETCHABLE_BY_ANYONE)
: URI_DANGEROUS_TO_LOAD);
*aFlags = flags;
return NS_OK;
}