[or-cvs] r13736: Fix view-source extension disclosure bug, and also fix javas (torbutton/trunk/src/components)
mikeperry at seul.org
mikeperry at seul.org
Tue Feb 26 07:52:52 UTC 2008
Author: mikeperry
Date: 2008-02-26 02:52:51 -0500 (Tue, 26 Feb 2008)
New Revision: 13736
Modified:
torbutton/trunk/src/components/cssblocker.js
Log:
Fix view-source extension disclosure bug, and also fix
javascript and about urls. Both issues found by Greg
Fleischer.
Modified: torbutton/trunk/src/components/cssblocker.js
===================================================================
--- torbutton/trunk/src/components/cssblocker.js 2008-02-26 07:33:50 UTC (rev 13735)
+++ torbutton/trunk/src/components/cssblocker.js 2008-02-26 07:52:51 UTC (rev 13736)
@@ -90,10 +90,10 @@
"mailbox" : true};
var browserSources = { "browser":true, "mozapps":true, "global":true,
- "pippki":true};
+ "pippki":true, "branding":true};
var hostFreeSchemes = { "resource":true, "data":true, "cid":true,
- "javascript":true, "file":true};
+ "file":true, "view-source":true};
var safeOriginSchemes = { "about":true, "chrome":true, "file":true};
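Review bot: The scheme tables in this hunk change with no comment saying why, and these entries decide which loads the content policy treats as local. Adding `"view-source"` to `hostFreeSchemes` puts a wrapper scheme alongside `file:` and `data:`, so the wrapped URL is presumably never judged by its own scheme and host. Removing `"javascript"` means those URLs now fall through to whatever check follows, which is outside this hunk. I would add a comment above the table such as `// view-source: wraps another URI and has no host of its own; javascript: is intentionally absent so it is not handled as a local load`, plus a one-line reason for `"branding"` in `browserSources`. The first table's opening lines are outside the hunk.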
@@ -144,6 +144,7 @@
return ok;
}
+ // "Host-free" schemes do not have an nsIURI.host property
if(contentLocation.scheme in hostFreeSchemes) {
if(!requestOrigin) {
this.logger.eclog(5, "NO ORIGIN! Chrome: "+contentLocation.spec);
@@ -152,7 +153,7 @@
(requestOrigin.scheme in safeOriginSchemes)) {
this.logger.eclog(1, "Skipping chrome-sourced local: "+contentLocation.spec);
return ok;
- } else if(this.tor_enabled) {
+ } else if(contentLocation.spec.toLowerCase().indexOf("torbutton") != -1 || this.tor_enabled) {
this.logger.eclog(4, "Blocking local: "+contentLocation.spec+" from: "+requestOrigin.spec);
return block;
}
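Review bot: The new `else if` condition matches the substring "torbutton" anywhere in `contentLocation.spec`, which is both broader and narrower than the intent. With Tor disabled it blocks any host-free URL whose path or payload happens to contain that word, and because it compares the raw string it may miss a spec that names the extension in an escaped form. It also covers only Torbutton: as far as this hunk shows, other extensions' chrome wrapped in view-source is still not blocked for content when Tor is off. Consider unwrapping the view-source URI and comparing the inner scheme and host exactly, and document the intent with `// Always hide Torbutton's own chrome from content, even when Tor is off`. The enclosing function starts and ends outside the hunk.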