Bug 1850967 - Forbid data: and javascript: URLs in <base>. r=emilio

Differential Revision: https://phabricator.services.mozilla.com/D209357
Tom Schuster
2024-05-06 14:55:22 +00:00
parent 5deac77ba6
commit c4dd9038a3
4 changed files with 17 additions and 14 deletions


@@ -85,15 +85,22 @@ static void SetBaseURIUsingFirstBaseWithHref(Document* aDocument,
getter_AddRefs(newBaseURI), href, aDocument, getter_AddRefs(newBaseURI), href, aDocument,
aDocument->GetFallbackBaseURI()); aDocument->GetFallbackBaseURI());
// Vaguely based on
// <https://html.spec.whatwg.org/multipage/semantics.html#set-the-frozen-base-url>
if (newBaseURI && (newBaseURI->SchemeIs("data") ||
newBaseURI->SchemeIs("javascript"))) {
newBaseURI = nullptr;
}
// Check if CSP allows this base-uri // Check if CSP allows this base-uri
nsresult rv = NS_OK;
nsCOMPtr<nsIContentSecurityPolicy> csp = aDocument->GetCsp(); nsCOMPtr<nsIContentSecurityPolicy> csp = aDocument->GetCsp();
if (csp && newBaseURI) { if (csp && newBaseURI) {
// base-uri is only enforced if explicitly defined in the // base-uri is only enforced if explicitly defined in the
// policy - do *not* consult default-src, see: // policy - do *not* consult default-src, see:
// http://www.w3.org/TR/CSP2/#directive-default-src // http://www.w3.org/TR/CSP2/#directive-default-src
bool cspPermitsBaseURI = true; bool cspPermitsBaseURI = true;
rv = csp->Permits( nsresult rv = csp->Permits(
child->AsElement(), nullptr /* nsICSPEventListener */, newBaseURI, child->AsElement(), nullptr /* nsICSPEventListener */, newBaseURI,
nsIContentSecurityPolicy::BASE_URI_DIRECTIVE, true /* aSpecific */, nsIContentSecurityPolicy::BASE_URI_DIRECTIVE, true /* aSpecific */,
true /* aSendViolationReports */, &cspPermitsBaseURI); true /* aSendViolationReports */, &cspPermitsBaseURI);
@@ -101,6 +108,7 @@ static void SetBaseURIUsingFirstBaseWithHref(Document* aDocument,
newBaseURI = nullptr; newBaseURI = nullptr;
} }
} }
aDocument->SetBaseURI(newBaseURI); aDocument->SetBaseURI(newBaseURI);
aDocument->SetChromeXHRDocBaseURI(nullptr); aDocument->SetChromeXHRDocBaseURI(nullptr);
return; return;
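Review bot: The comment `// Vaguely based on` above the new scheme check undersells the code, which rejects exactly the two schemes the linked algorithm names; `// Per "set the frozen base URL": a data: or javascript: base URL is rejected and the document keeps its fallback base URL.` states the contract that the dropped test expectations now rely on. Because the check runs before `if (csp && newBaseURI)`, a rejected data:/javascript: base never reaches `csp->Permits()` and therefore produces no CSP violation report, which appears to match the spec's ordering and is worth a word in that comment. The hoisted `nsresult rv = NS_OK;` is only assigned inside the CSP branch as far as these two hunks show; if nothing after that branch reads it, keeping the declaration at `nsresult rv = csp->Permits(` leaves its scope minimal. SetBaseURIUsingFirstBaseWithHref starts before the first hunk.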


@@ -1343,6 +1343,13 @@ void nsHtml5TreeOpExecutor::SetSpeculationBase(const nsAString& aURL) {
return; return;
} }
// See
// https://html.spec.whatwg.org/multipage/semantics.html#set-the-frozen-base-url
// data: and javascript: base URLs are not allowed.
if (newBaseURI->SchemeIs("data") || newBaseURI->SchemeIs("javascript")) {
return;
}
// Check the document's CSP usually delivered via the CSP header. // Check the document's CSP usually delivered via the CSP header.
if (nsCOMPtr<nsIContentSecurityPolicy> csp = mDocument->GetCsp()) { if (nsCOMPtr<nsIContentSecurityPolicy> csp = mDocument->GetCsp()) {
// base-uri should not fallback to the default-src and preloads should not // base-uri should not fallback to the default-src and preloads should not
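Review bot: The early `return;` after the new scheme check leaves the speculation base untouched, whereas the document-side change in SetBaseURIUsingFirstBaseWithHref replaces the base with the fallback; if this executor only honours the first `<base>` with an href (the `return;` at the top of the hunk suggests such a guard, but it is outside the hunk), a later `<base>` could still become the speculation base while the document itself falls back, so the two paths should be checked for agreement. Either way the comment should say which of the two outcomes is intended, e.g. `// A data: or javascript: base URL is ignored here; speculative loads keep the current base.` The dereference in `newBaseURI->SchemeIs("data")` presumably relies on the preceding NS_NewURI failure check, which is not visible in the hunk. SetSpeculationBase begins before the hunk.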


@@ -1,6 +0,0 @@
[base-data.html]
[First <base> has a data: URL so fallback is used]
expected: FAIL
[Dynamically inserted first <base> has a data: URL so fallback is used]
expected: FAIL


@@ -1,6 +0,0 @@
[base-javascript.html]
[First <base> has a javascript: URL so fallback is used]
expected: FAIL
[Dynamically inserted first <base> has a javascript: URL so fallback is used]
expected: FAIL