[tbb-commits] [torbutton/master] Bug 19837: Whitelist internal URLs that Firefox requires for media.

gk at torproject.org gk at torproject.org
Fri Aug 19 08:33:12 UTC 2016


commit 61b395a433c821bd4b17f69b956eb149f12f525e
Author: Yawning Angel <yawning at schwanenlied.me>
Date:   Mon Aug 15 18:53:05 2016 +0000

    Bug 19837: Whitelist internal URLs that Firefox requires for media.
    
    Firefox requires being able to load chrome:// and resource:// URLs for
    things like the media player, with the origin set to the remote URL
    that triggered the load.
    
    This is unfortunate in that there's no way to disambiguate malicious JS
    versus someone opening a video file (for example).
    
    See https://trac.torproject.org/projects/tor/ticket/19837#comment:5
    for why this is a huge nightmare and will eventually require C++ code.
---
 src/components/content-policy.js | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/src/components/content-policy.js b/src/components/content-policy.js
index e025ecd..3379eb7 100644
--- a/src/components/content-policy.js
+++ b/src/components/content-policy.js
@@ -21,7 +21,26 @@ ContentPolicy.prototype = {
   contractID: "@torproject.org/content-policy;1",
   QueryInterface: XPCOMUtils.generateQI([Ci.nsIContentPolicy]),
 
+  uriWhitelist: {
+    // Video playback.
+    "chrome://global/content/TopLevelVideoDocument.js": Ci.nsIContentPolicy.TYPE_SCRIPT,
+    "resource://gre/res/TopLevelVideoDocument.css": Ci.nsIContentPolicy.TYPE_STYLESHEET,
+    "chrome://global/skin/media/TopLevelVideoDocument.css": Ci.nsIContentPolicy.TYPE_STYLESHEET,
+    "chrome://global/content/bindings/videocontrols.xml": Ci.nsIContentPolicy.TYPE_XBL,
+    "chrome://global/content/bindings/scale.xml": Ci.nsIContentPolicy.TYPE_XBL,
+    "chrome://global/content/bindings/progressmeter.xml": Ci.nsIContentPolicy.TYPE_XBL,
+
+    // Image display.
+    "resource://gre/res/ImageDocument.css": Ci.nsIContentPolicy.TYPE_STYLESHEET,
+    "resource://gre/res/TopLevelImageDocument.css": Ci.nsIContentPolicy.TYPE_STYLESHEET,
+    "chrome://global/skin/media/TopLevelImageDocument.css": Ci.nsIContentPolicy.TYPE_STYLESHEET,
+
+    // Resizing text boxes.
+    "chrome://global/content/bindings/resizer.xml": Ci.nsIContentPolicy.TYPE_XBL,
+  },
+
   shouldLoad: function(aContentType, aContentLocation, aRequestOrigin, aContext, aMimeTypeGuess, aExtra) {
+
     // Accept if no content URI or scheme is not a resource/chrome.
     if (!aContentLocation || !(aContentLocation.schemeIs('resource') || aContentLocation.schemeIs('chrome')))
       return Ci.nsIContentPolicy.ACCEPT;
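Review bot: The new `uriWhitelist` object carries no comment stating what its keys and values mean, and because it sits on the shared `ContentPolicy.prototype` it is also mutable at runtime. A header line such as `// Exact URI spec -> the single nsIContentPolicy TYPE_* it may be loaded as; any other type is still rejected.` would make the contract explicit, and wrapping the literal in `Object.freeze({ ... })` prevents the list being altered after startup. Since the lookup in shouldLoad matches the full `spec`, these entries have to stay byte-exact (no query or fragment), which is worth saying in that comment. The enclosing `ContentPolicy.prototype` object starts and ends outside this hunk.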
@@ -34,6 +53,16 @@ ContentPolicy.prototype = {
     if (Ci.nsIContentPolicy.TYPE_DOCUMENT === aContentType)
       return Ci.nsIContentPolicy.ACCEPT;
 
+    // There's certain things that break horribly if they aren't allowed to
+    // access URIs with proscribed schemes, with `aContentOrigin` basically
+    // set to arbibrary URIs.
+    //
+    // XXX: Feature gate this behind the security slider or something, I don't
+    // give a fuck.
+    if (aContentLocation.spec in this.uriWhitelist)
+      if (this.uriWhitelist[aContentLocation.spec] == aContentType)
+        return Ci.nsIContentPolicy.ACCEPT;
+
     return Ci.nsIContentPolicy.REJECT_REQUEST;
   },
 
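Review bot: `aContentLocation.spec in this.uriWhitelist` in the new lookup walks the prototype chain, so a spec equal to an inherited property name such as `constructor` or `toString` passes the first test; the loose `==` on the following line then compares a function to the type constant and only fails by coincidence, so the reject path holds by accident rather than by design. Test for an own property and use strict equality: `if (Object.prototype.hasOwnProperty.call(this.uriWhitelist, aContentLocation.spec) &&` / `    this.uriWhitelist[aContentLocation.spec] === aContentType)`. The `XXX` comment should name the concrete gate intended (e.g. a security-slider level) so the follow-up is actionable. `shouldLoad` begins outside this hunk.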