author | JustOff <Off.Just.Off@gmail.com> | 2017-11-19 19:17:36 +0200 |
committer | JustOff <Off.Just.Off@gmail.com> | 2017-11-19 19:17:36 +0200 |
commit | 2f965ebf124b75f2c456fb509d92917a98c975ea (patch) | |
tree | ed5a97cf1ebf55ae480e27ccab6bc3367a8c8410 /dom | |
parent | db9f8a1749bf46e11c00a4d13e988e8f973e7725 (diff) | |
download | palemoon-gre-2f965ebf124b75f2c456fb509d92917a98c975ea.tar.gz |
Implement X-Content-Type-Options: nosniff.
Diffstat (limited to 'dom')
-rw-r--r-- | dom/base/nsContentUtils.cpp | 24 | ||||
-rw-r--r-- | dom/base/nsContentUtils.h | 5 | ||||
-rw-r--r-- | dom/locales/en-US/chrome/security/security.properties | 6 |
3 files changed, 27 insertions, 8 deletions
diff --git a/dom/base/nsContentUtils.cpp b/dom/base/nsContentUtils.cpp
index 8a5e1dbfe..04e60b08a 100644
--- a/dom/base/nsContentUtils.cpp
+++ b/dom/base/nsContentUtils.cpp
@@ -3441,6 +3441,20 @@ nsContentUtils::IsChildOfSameType(nsIDocument* aDoc)
   return sameTypeParent != nullptr;
 }
 
+bool
+nsContentUtils::IsScriptType(const nsACString& aContentType)
+{
+  // NOTE: if you add a type here, add it to the CONTENTDLF_CATEGORIES
+  // define in nsContentDLF.h as well.
+  return aContentType.EqualsLiteral(APPLICATION_JAVASCRIPT) ||
+         aContentType.EqualsLiteral(APPLICATION_XJAVASCRIPT) ||
+         aContentType.EqualsLiteral(TEXT_ECMASCRIPT) ||
+         aContentType.EqualsLiteral(APPLICATION_ECMASCRIPT) ||
+         aContentType.EqualsLiteral(TEXT_JAVASCRIPT) ||
+         aContentType.EqualsLiteral(APPLICATION_JSON) ||
+         aContentType.EqualsLiteral(TEXT_JSON);
+}
+
 bool
 nsContentUtils::IsPlainTextType(const nsACString& aContentType)
 {
@@ -3449,14 +3463,8 @@ nsContentUtils::IsPlainTextType(const nsACString& aContentType)
   return aContentType.EqualsLiteral(TEXT_PLAIN) ||
          aContentType.EqualsLiteral(TEXT_CSS) ||
          aContentType.EqualsLiteral(TEXT_CACHE_MANIFEST) ||
-         aContentType.EqualsLiteral(APPLICATION_JAVASCRIPT) ||
-         aContentType.EqualsLiteral(APPLICATION_XJAVASCRIPT) ||
-         aContentType.EqualsLiteral(TEXT_ECMASCRIPT) ||
-         aContentType.EqualsLiteral(APPLICATION_ECMASCRIPT) ||
-         aContentType.EqualsLiteral(TEXT_JAVASCRIPT) ||
-         aContentType.EqualsLiteral(APPLICATION_JSON) ||
-         aContentType.EqualsLiteral(TEXT_JSON) ||
-         aContentType.EqualsLiteral(TEXT_VTT);
+         aContentType.EqualsLiteral(TEXT_VTT) ||
+         IsScriptType(aContentType);
 }
 
 bool
diff --git a/dom/base/nsContentUtils.h b/dom/base/nsContentUtils.h
index 2cd433b10..fae08fb07 100644
--- a/dom/base/nsContentUtils.h
+++ b/dom/base/nsContentUtils.h
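Review bot: IsScriptType in the first hunk counts application/json and text/json as script types, which is wider than the JavaScript MIME type set an X-Content-Type-Options: nosniff check on script loads is meant to accept; if the enforcement this commit adds (not visible here, the diffstat is limited to dom/) uses this predicate for script destinations, a JSON response loaded through a script element would pass the nosniff check. The predicate is also an exact EqualsLiteral match, so the caller must hand it a lowercased type with any `; charset=` parameter already stripped, otherwise a legitimate `text/javascript; charset=utf-8` is rejected. Either split the two JSON cases into a separate predicate or make the inclusion explicit in the declaration added in the nsContentUtils.h hunk, e.g. `/** Returns true for the JavaScript/ECMAScript types plus application/json and text/json (exact, lowercase match; parameters must be stripped by the caller). */`. The CONTENTDLF_CATEGORIES note carried over from IsPlainTextType still holds, since these types remain a subset of that list.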
@@ -876,6 +876,11 @@ public:
   static bool IsChildOfSameType(nsIDocument* aDoc);
 
   /**
+   '* Returns true if the content-type is any of the supported script types.
+   */
+  static bool IsScriptType(const nsACString& aContentType);
+
+  /**
    '* Returns true if the content-type will be rendered as plain-text.
    */
   static bool IsPlainTextType(const nsACString& aContentType);
diff --git a/dom/locales/en-US/chrome/security/security.properties b/dom/locales/en-US/chrome/security/security.properties
index 2a2b4d8de..f67347d87 100644
--- a/dom/locales/en-US/chrome/security/security.properties
+++ b/dom/locales/en-US/chrome/security/security.properties
@@ -36,3 +36,9 @@ BothAllowScriptsAndSameOriginPresent=An iframe which has both allow-scripts and
 WeakProtocolVersionWarning=This site uses the protocol SSL 3.0 for encryption, which is deprecated and insecure.
 # LOCALIZATION NOTE: Do not translate "RC4".
 WeakCipherSuiteWarning=This site uses the cipher RC4 for encryption, which is deprecated and insecure.
+
+#XCTO: nosniff
+# LOCALIZATION NOTE: Do not translate "X-Content-Type-Options: nosniff".
+MimeTypeMismatch=The resource from “%1$S” was blocked due to MIME type mismatch (X-Content-Type-Options: nosniff).
+# LOCALIZATION NOTE: Do not translate "X-Content-Type-Options" and also do not trasnlate "nosniff".
+XCTOHeaderValueMissing=X-Content-Type-Options header warning: value was “%1$S”; did you mean to send “nosniff”? |