ma1 pushed to branch mullvad-browser-128.7.0esr-14.5-1 at The Tor Project / 
Applications / Mullvad Browser


Commits:
911dbf28 by Henry Wilkes at 2025-02-03T17:56:38+01:00
BB 29745: Limit remote access to content accessible resources

- - - - -


1 changed file:

- caps/nsScriptSecurityManager.cpp


Changes:

=====================================
caps/nsScriptSecurityManager.cpp
=====================================
@@ -1044,6 +1044,48 @@ nsresult nsScriptSecurityManager::CheckLoadURIFlags(
         }
       }
 
+      // Only allow some "about:" pages to have access to contentaccessible
+      // "chrome://branding/" assets. Otherwise web pages could easily and
+      // consistently detect the differences between channels when their
+      // branding differs. See tor-browser#43308 and tor-browser#42319.
+      // NOTE: The same assets under the alternative URI
+      // "resource:///chrome/browser/content/branding/" should already be
+      // inaccessible to web content, so we only add a condition for the chrome
+      // path.
+      if (targetScheme.EqualsLiteral("chrome")) {
+        nsAutoCString targetHost;
+        rv = aTargetBaseURI->GetHost(targetHost);
+        NS_ENSURE_SUCCESS(rv, rv);
+        if (targetHost.EqualsLiteral("branding")) {
+          // Disallow any Principal whose scheme is not "about", or is a
+          // contentaccessible "about" URI ("about:blank" or "about:srcdoc").
+          // NOTE: "about:blank" and "about:srcdoc" would be unexpected here
+          // since such a document spawned by a web document should inherit the
+          // same Principal URI. I.e. they would be "http:" or "https:" 
schemes.
+          // But we add this condition for extra assurances.
+          // NOTE: Documents with null Principals, like "about:blank" typed by
+          // the user, would also be excluded since the Principal URI would be
+          // "moz-nullprincipal:".
+          if (!aSourceBaseURI->SchemeIs("about") ||
+              NS_IsContentAccessibleAboutURI(aSourceBaseURI)) {
+            return NS_ERROR_DOM_BAD_URI;
+          }
+          // Also exclude "about:reader" from accessing branding assets. I.e. 
if
+          // a web page includes `<img src="chrome://branding/..." />` we do 
not
+          // want it to render within "about:reader" either.
+          // Though it is unknown whether the information within "about:reader"
+          // would be exploitable by a web page, we also want to exclude
+          // "about:reader" for consistency: if it does not display in the
+          // original web page, it should not display in "about:reader" either.
+          nsAutoCString sourcePath;
+          rv = aSourceBaseURI->GetFilePath(sourcePath);
+          NS_ENSURE_SUCCESS(rv, rv);
+          if (sourcePath.EqualsLiteral("reader")) {
+            return NS_ERROR_DOM_BAD_URI;
+          }
+        }
+      }
+
       if (targetScheme.EqualsLiteral("resource")) {
         if (StaticPrefs::security_all_resource_uri_content_accessible()) {
           return NS_OK;
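Review bot: The `sourcePath.EqualsLiteral("reader")` test at the end of the added block is an exact, case-sensitive match, so it only protects if the principal URI's path is always stored as lower-case `reader`. If about: module names are resolved case-insensitively elsewhere in the tree (I believe `NS_GetAboutModuleName` lower-cases the path, but that is not visible in this hunk), a differently-cased spelling of the reader page could still pass; `if (sourcePath.LowerCaseEqualsLiteral("reader")) {` or a comparison on the resolved module name would close that gap. The leading comment also says "only allow some about: pages", yet the code is an exception list: every `about:` principal other than the content-accessible ones and the reader is allowed. A short comment such as `// NOTE: any new about: page that renders web-controlled markup must be added here` would keep that assumption visible to later maintainers, and a regression test loading a `chrome://branding/` image from a web page and from reader mode would pin the behaviour. `CheckLoadURIFlags` begins and ends outside this hunk, so how this check interacts with the earlier and later flag checks cannot be confirmed from here.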



View it on GitLab: 
https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/commit/911dbf2801b96f6f59e76e006b1be0c383160cb9
