From dad4dab99722267de87d9c6b5fda34145c6361e7 Mon Sep 17 00:00:00 2001
From: "Matt A. Tobin"
Date: Wed, 5 Oct 2022 17:39:13 -0500
Subject: [DOM:Media] Remove potentially unsafe type accesses when debug logging
---
dom/media/mediasource/TrackBuffersManager.cpp | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'dom')
diff --git a/dom/media/mediasource/TrackBuffersManager.cpp b/dom/media/mediasource/TrackBuffersManager.cpp
index da21e0b39..907ee40e8 100644
--- a/dom/media/mediasource/TrackBuffersManager.cpp
+++ b/dom/media/mediasource/TrackBuffersManager.cpp
@@ -22,15 +22,15 @@ extern mozilla::LogModule* GetMediaSourceLog();
-#define MSE_DEBUG(arg, ...) MOZ_LOG(GetMediaSourceLog(), mozilla::LogLevel::Debug, ("TrackBuffersManager(%p:%s)::%s: " arg, this, mType.get(), __func__, ##__VA_ARGS__))
-#define MSE_DEBUGV(arg, ...) MOZ_LOG(GetMediaSourceLog(), mozilla::LogLevel::Verbose, ("TrackBuffersManager(%p:%s)::%s: " arg, this, mType.get(), __func__, ##__VA_ARGS__))
+#define MSE_DEBUG(arg, ...) MOZ_LOG(GetMediaSourceLog(), mozilla::LogLevel::Debug, ("TrackBuffersManager(%p)::%s: " arg, this,__func__, ##__VA_ARGS__))
+#define MSE_DEBUGV(arg, ...) MOZ_LOG(GetMediaSourceLog(), mozilla::LogLevel::Verbose, ("TrackBuffersManager(%p)::%s: " arg, this, __func__, ##__VA_ARGS__))
 mozilla::LogModule* GetMediaSourceSamplesLog()
 {
 static mozilla::LazyLogModule sLogModule("MediaSourceSamples");
 return sLogModule;
 }
-#define SAMPLE_DEBUG(arg, ...) MOZ_LOG(GetMediaSourceSamplesLog(), mozilla::LogLevel::Debug, ("TrackBuffersManager(%p:%s)::%s: " arg, this, mType.get(), __func__, ##__VA_ARGS__))
+#define SAMPLE_DEBUG(arg, ...) MOZ_LOG(GetMediaSourceSamplesLog(), mozilla::LogLevel::Debug, ("TrackBuffersManager(%p)::%s: " arg, this, __func__, ##__VA_ARGS__))
 namespace mozilla {
-- cgit v1.2.3
From 7e0d94a048cb7a73af5638f46bdb65794bcc4292 Mon Sep 17 00:00:00 2001
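Review bot: The rewritten MSE_DEBUG drops the space after `this,` (`this,__func__`) while the neighbouring MSE_DEBUGV and SAMPLE_DEBUG keep `this, __func__`; make the three macros identical apart from log module and level, `("TrackBuffersManager(%p)::%s: " arg, this, __func__, ##__VA_ARGS__)`. The reason mType.get() is gone lives only in the commit title, and the next person will be tempted to put the type back into the log line; a comment above the macros should record it, e.g. `// Deliberately no mType here: reading it from these logging macros was judged unsafe (presumably a thread/lifetime concern) - confirm before adding it back.` The `namespace mozilla {` opened on the last context line closes outside the hunk.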
From: "Matt A. Tobin"
Date: Wed, 5 Oct 2022 17:42:46 -0500
Subject: [DOM:Base] Use the sanitizer to restrict href in svg:use to fragment-only URLs
---
dom/base/nsTreeSanitizer.cpp | 18 +++++++++++++++---
dom/base/nsTreeSanitizer.h | 4 +++-
2 files changed, 18 insertions(+), 4 deletions(-)
(limited to 'dom')
diff --git a/dom/base/nsTreeSanitizer.cpp b/dom/base/nsTreeSanitizer.cpp
index 39c2408b7..970e4386b 100644
--- a/dom/base/nsTreeSanitizer.cpp
+++ b/dom/base/nsTreeSanitizer.cpp
@@ -1185,7 +1185,8 @@ nsTreeSanitizer::SanitizeAttributes(mozilla::dom::Element* aElement,
 continue;
 }
 if (IsURL(aURLs, attrLocal)) {
- if (SanitizeURL(aElement, attrNs, attrLocal)) {
+ bool fragmentOnly = aElement->IsSVGElement(nsGkAtoms::use);
+ if (SanitizeURL(aElement, attrNs, attrLocal, fragmentOnly)) {
 // in case the attribute removal shuffled the attribute order, start
 // the loop again.
 --ac;
@@ -1239,7 +1240,8 @@ nsTreeSanitizer::SanitizeAttributes(mozilla::dom::Element* aElement,
 // else not allowed
 } else if (aAllowXLink && kNameSpaceID_XLink == attrNs) {
 if (nsGkAtoms::href == attrLocal) {
- if (SanitizeURL(aElement, attrNs, attrLocal)) {
+ bool fragmentOnly = aElement->IsSVGElement(nsGkAtoms::use);
+ if (SanitizeURL(aElement, attrNs, attrLocal, fragmentOnly)) {
 // in case the attribute removal shuffled the attribute order, start
 // the loop again.
 --ac;
@@ -1273,7 +1275,8 @@ nsTreeSanitizer::SanitizeAttributes(mozilla::dom::Element* aElement,
 bool nsTreeSanitizer::SanitizeURL(mozilla::dom::Element* aElement,
 int32_t aNamespace,
- nsIAtom* aLocalName)
+ nsIAtom* aLocalName,
+ bool aFragmentOnly)
 {
 nsAutoString value;
 aElement->GetAttr(aNamespace, aLocalName, value);
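Review bot: `bool fragmentOnly = aElement->IsSVGElement(nsGkAtoms::use);` is evaluated once per URL attribute inside the attribute loop of SanitizeAttributes, and the identical line is repeated in the xlink:href hunk below; compute it once before the loop as `const bool fragmentOnly = aElement->IsSVGElement(nsGkAtoms::use);` and pass that in both SanitizeURL calls. A comment at that definition should record why svg:use is singled out, presumably because its href/xlink:href can reference content outside the document, e.g. `// svg:use is the one element whose href may pull in another resource; only same-document (#fragment) references survive, see SanitizeURL.` The enclosing loop and SanitizeAttributes itself start and end outside the hunk.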
@@ -1282,6 +1285,15 @@ nsTreeSanitizer::SanitizeURL(mozilla::dom::Element* aElement,
 static const char* kWhitespace = "\n\r\t\b";
 const nsAString& v = nsContentUtils::TrimCharsInSet(kWhitespace, value);
+ // Fragment-only url cannot be harmful.
+ if (!v.IsEmpty() && v.First() == u'#') {
+ return false;
+ }
+ // if we allow only same-document fragment URLs, stop and remove here
+ if (aFragmentOnly) {
+ aElement->UnsetAttr(aNamespace, aLocalName, false);
+ return true;
+ }
 nsIScriptSecurityManager* secMan = nsContentUtils::GetSecurityManager();
 uint32_t flags = nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL;
diff --git a/dom/base/nsTreeSanitizer.h b/dom/base/nsTreeSanitizer.h
index b4a333f61..fe4917150 100644
--- a/dom/base/nsTreeSanitizer.h
+++ b/dom/base/nsTreeSanitizer.h
@@ -143,11 +143,13 @@ class MOZ_STACK_CLASS nsTreeSanitizer {
 * @param aElement the element whose attribute to possibly modify
 * @param aNamespace the namespace of the URL attribute
 * @param aLocalName the local name of the URL attribute
+ * @param aFragmentOnly allows same-document references only
 * @return true if the attribute was removed and false otherwise
 */
 bool SanitizeURL(mozilla::dom::Element* aElement,
 int32_t aNamespace,
- nsIAtom* aLocalName);
+ nsIAtom* aLocalName,
+ bool aFragmentOnly = false);
 /**
 * Checks a style rule for the presence of the 'binding' CSS property and
-- cgit v1.2.3
From 82f0220e74d5882ac826cbd0faf9dd4157e8caca Mon Sep 17 00:00:00 2001
From: "Matt A. Tobin"
Date: Wed, 5 Oct 2022 17:45:02 -0500
Subject: [DOM:Perf] Add extra check for performance API Next Hop protocol.
---
dom/performance/PerformanceResourceTiming.h | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'dom')
diff --git a/dom/performance/PerformanceResourceTiming.h b/dom/performance/PerformanceResourceTiming.h
index b4775d432..63a8c2414 100644
--- a/dom/performance/PerformanceResourceTiming.h
+++ b/dom/performance/PerformanceResourceTiming.h
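Review bot: The new `v.First() == u'#'` early return sits before the aFragmentOnly test, so it also exempts fragment-only values on every other element and URL attribute from the security-manager check that follows, which is a behaviour change beyond svg:use; if that is intended the comment should say so and give the reason, e.g. `// A same-document reference ("#...") resolves within this document, so it can neither load a foreign resource nor inherit a principal; keep it on every element.` (that resolution claim assumes the document base URI is itself trusted - confirm). Note also that under aFragmentOnly an empty value, or one with a leading space, is removed because kWhitespace does not include ' '; that is fail-closed, but worth a word in the second comment. SanitizeURL starts before the hunk and its security-manager path continues after it.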
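Review bot: The new `@param aFragmentOnly allows same-document references only` does not say what happens to other values, which is the part a caller needs; make it `* @param aFragmentOnly if true, remove the attribute unless its value is a same-document fragment reference (leading '#')`. The defaulted `bool aFragmentOnly = false` keeps existing callers compiling, which is fine for a private non-virtual helper. The enclosing class declaration starts and ends outside the hunk.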
@@ -54,7 +54,9 @@ public:
 void GetNextHopProtocol(nsAString& aNextHopProtocol) const
 {
- aNextHopProtocol = mNextHopProtocol;
+ if (mTiming && mTiming->TimingAllowed()) {
+ aNextHopProtocol = mNextHopProtocol;
+ }
 }
 void SetNextHopProtocol(const nsAString& aNextHopProtocol)
-- cgit v1.2.3
From dc5571eefd8247b14edbee33c8b881d6b9e97e96 Mon Sep 17 00:00:00 2001
From: "Matt A. Tobin"
Date: Wed, 5 Oct 2022 17:59:56 -0500
Subject: [Multi:Sec] Be more explicit about CSP checks and reports.
---
dom/html/HTMLFormElement.cpp | 3 ++-
dom/html/HTMLSharedElement.cpp | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
(limited to 'dom')
diff --git a/dom/html/HTMLFormElement.cpp b/dom/html/HTMLFormElement.cpp
index 2fe452bcd..c8bb52637 100644
--- a/dom/html/HTMLFormElement.cpp
+++ b/dom/html/HTMLFormElement.cpp
@@ -1721,7 +1721,8 @@ HTMLFormElement::GetActionURL(nsIURI** aActionURL,
 // policy - do *not* consult default-src, see:
 // http://www.w3.org/TR/CSP2/#directive-default-src
 rv = csp->Permits(actionURL, nsIContentSecurityPolicy::FORM_ACTION_DIRECTIVE,
- true, &permitsFormAction);
+ true /*aSpecific */, true /* aSendViolationReports */,
+ &permitsFormAction);
 NS_ENSURE_SUCCESS(rv, rv);
 if (!permitsFormAction) {
 return NS_ERROR_CSP_FORM_ACTION_VIOLATION;
diff --git a/dom/html/HTMLSharedElement.cpp b/dom/html/HTMLSharedElement.cpp
index e8c75f8aa..90f9ff62e 100644
--- a/dom/html/HTMLSharedElement.cpp
+++ b/dom/html/HTMLSharedElement.cpp
@@ -191,7 +191,8 @@ SetBaseURIUsingFirstBaseWithHref(nsIDocument* aDocument, nsIContent* aMustMatch)
 // http://www.w3.org/TR/CSP2/#directive-default-src
 bool cspPermitsBaseURI = true;
 rv = csp->Permits(newBaseURI, nsIContentSecurityPolicy::BASE_URI_DIRECTIVE,
- true, &cspPermitsBaseURI);
+ true /* aSpecific */, true /* aSendViolationReports */,
+ &cspPermitsBaseURI);
 if (NS_FAILED(rv) || !cspPermitsBaseURI) {
 newBaseURI = nullptr;
 }
-- cgit v1.2.3
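Review bot: When the timing-allow check fails, the new GetNextHopProtocol leaves aNextHopProtocol untouched instead of assigning it, so the value a caller observes depends on the caller having passed in an empty string; make the fail-closed result explicit with `} else { aNextHopProtocol.Truncate(); }`. A one-line comment on the condition would also help, e.g. `// Do not expose the negotiated protocol for cross-origin resources that fail the Timing-Allow-Origin check (presumably per Resource Timing; mTiming may be null) - confirm.` The class's other getters are outside the hunk; if they use the same `mTiming && mTiming->TimingAllowed()` gate, this one should handle the denied case the same way they do.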
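Review bot: Passing `true /* aSendViolationReports */` in GetActionURL means a CSP report is dispatched on every call that fails the form-action check, so if GetActionURL is reachable from any path other than an actual submission attempt (an attribute getter, a prefetch), one violating form could report more than once; confirm the call sites, or pin the contract above the call with `// Reports are sent here: GetActionURL must only run for an actual submission attempt.` The inline keyword comment is also spaced differently from the HTMLSharedElement hunk (`/*aSpecific */` vs `/* aSpecific */`); use `true /* aSpecific */, true /* aSendViolationReports */,` in both places. GetActionURL starts and ends outside the hunk.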