authorMoonchild <moonchild@palemoon.org>2022-07-12 12:48:06 +0000
committerMoonchild <moonchild@palemoon.org>2022-07-12 12:48:06 +0000
commit9ef50065928d5bfb3ff0ee80330615a1ebc4cc21 (patch)
treeeba2156b7e4dd34a035f686ef18c2e3c867460ae
parent68bfe68581521ccb2363910fae18e06c12f6b573 (diff)
downloaduxp-9ef50065928d5bfb3ff0ee80330615a1ebc4cc21.tar.gz
Issue #1959 - Don't apply CSPs to explicit data documents and images.
This resolves #1959
-rw-r--r--dom/base/nsDocument.cpp16
1 files changed, 15 insertions, 1 deletions
diff --git a/dom/base/nsDocument.cpp b/dom/base/nsDocument.cpp
index 95827151db..f5df30ffed 100644
--- a/dom/base/nsDocument.cpp
+++ b/dom/base/nsDocument.cpp
@@ -2504,6 +2504,21 @@ nsDocument::InitCSP(nsIChannel* aChannel)
return NS_OK;
}
+ // If this is explicitly loaded as a data document, no need to set a CSP.
+ if (mLoadedAsData) {
+ return NS_OK;
+ }
+
+ // If this is an image, no need to set a CSP.
+ // If we don't do this, SVG images will be parsed as normal XML documents and
+ // subject to served CSPs, which might block internally applied inline styles.
+ // See UXP issue #1959.
+ nsCOMPtr<nsILoadInfo> loadInfo = aChannel->GetLoadInfo();
+ if (loadInfo->GetExternalContentPolicyType() ==
+ nsIContentPolicy::TYPE_IMAGE) {
+ return NS_OK;
+ }
+
nsAutoCString tCspHeaderValue, tCspROHeaderValue;
nsCOMPtr<nsIHttpChannel> httpChannel;
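Review bot: The added image check calls `loadInfo->GetExternalContentPolicyType()` with no null test, although the signed-content check later in this function (second hunk) still guards with `if (loadInfo && ...)`, which suggests the channel may have no load info. Guard it the same way: `if (loadInfo && loadInfo->GetExternalContentPolicyType() == nsIContentPolicy::TYPE_IMAGE) {`. Both early returns also skip everything that follows in InitCSP, not only the served header policy; judging by the second hunk, that includes the default CSP for signed content. The comments should say that data documents and images are exempt from every policy this function would set, and why that is acceptable, e.g. `// Data documents and image documents get no CSP at all (header, report-only, signed-content default); confirm that neither kind can run script.` InitCSP starts and ends outside the hunk, so any earlier null handling of aChannel is not visible here.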
@@ -2532,7 +2547,6 @@ nsDocument::InitCSP(nsIChannel* aChannel)
// Check if this is a signed content to apply default CSP.
bool applySignedContentCSP = false;
- nsCOMPtr<nsILoadInfo> loadInfo = aChannel->GetLoadInfo();
if (loadInfo && loadInfo->GetVerifySignedContent()) {
applySignedContentCSP = true;
}