authorMatt A. Tobin <email@mattatobin.com>2022-05-07 02:46:56 -0500
committerMatt A. Tobin <email@mattatobin.com>2022-05-07 02:46:56 -0500
commite8595967f06de28cc8e5a21a63dfa5b61329dd29 (patch)
tree47fc4cf53f8a33f4669bff4044d7a711074487a4
parentb97860a10f6747cecde1d88eb22bc9b79652bd02 (diff)
downloadaura-central-e8595967f06de28cc8e5a21a63dfa5b61329dd29.tar.gz
[REDO] Bug 1222924 - Stop allowing webpages to link to moz-icon:
In UXP, Moonchild changed the implications for this security bug so it actually didn't do what Mozilla intended in an attempt to preserve functionality internally. He failed on both counts. This fix denies web access to any moz-icon but allows it to still work on other protocols like file: and about: etc. We may want to re-visit the second part of our commit sha 6fa154c0adc64bd43775a79b7b508d87a486882b. Regardless, it seems to now perform as it was intended while not breaking stuff internally.
-rw-r--r--system/security/script/nsScriptSecurityManager.cpp10
1 files changed, 5 insertions, 5 deletions
diff --git a/system/security/script/nsScriptSecurityManager.cpp b/system/security/script/nsScriptSecurityManager.cpp
index 8f36fa917..d4e526843 100644
--- a/system/security/script/nsScriptSecurityManager.cpp
+++ b/system/security/script/nsScriptSecurityManager.cpp
@@ -819,6 +819,7 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
}
bool targetIsViewSource = false;
+ bool targetIsMozIcon = false;
if (sourceScheme.LowerCaseEqualsLiteral(NS_NULLPRINCIPAL_SCHEME)) {
// A null principal can target its own URI.
@@ -836,12 +837,11 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
}
else if ((!sourceScheme.EqualsIgnoreCase("http") &&
!sourceScheme.EqualsIgnoreCase("https")) &&
- targetScheme.EqualsIgnoreCase("moz-icon"))
+ NS_SUCCEEDED(aTargetURI->SchemeIs("moz-icon", &targetIsMozIcon)) &&
+ targetIsMozIcon)
{
- // Exception for linking to moz-icon://.ext?size=...
- // Note that because targetScheme is the base (innermost) URI scheme,
- // this does NOT allow e.g. file -> moz-icon:file:///... links.
- // This is intentional.
+ // Exception for linking to moz-icon: including file:// icons except for
+ // the web.
return NS_OK;
}
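Review bot: The exception in this `else if` is gated by a deny-list of two source schemes (`http`, `https`), so any other source scheme that can carry web-controlled content would still reach `return NS_OK` for a `moz-icon:` target; an allow-list of the internal schemes that actually need icons would fail closed instead. Replacing `targetScheme.EqualsIgnoreCase("moz-icon")` with `aTargetURI->SchemeIs("moz-icon", &targetIsMozIcon)` also moves the test from the innermost scheme to the outer one, which reverses what the removed comment called intentional: nested `moz-icon:file:///...` targets now match. The new comment should say that explicitly, e.g. `// Tests the outer scheme, so nested moz-icon:file:///... targets match; http(s) sources fall through to the checks below.` How `sourceScheme` is derived, and whether the later checks really deny http(s) sources, lies outside this hunk, so both should be confirmed before relying on this branch as the fix.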