[devtools] Restrict sourcemap URLs

author: Moonchild <moonchild@palemoon.org> 2022-04-09 01:25:04 +0200
committer: Moonchild <moonchild@palemoon.org> 2022-04-09 01:25:04 +0200
commit: 7d87b7a27002a6b0b1ded74a69f70c1c60545199 (patch)
tree: cb74bc99c63cb3457161fe9208ed98c4fbbe86ff /devtools
parent: 3d43617bc116357e2cc840599da5494f8e9947f3 (diff)
download: uxp-7d87b7a27002a6b0b1ded74a69f70c1c60545199.tar.gz
1 files changed, 13 insertions, 0 deletions
diff --git a/devtools/client/framework/source-map-worker.js b/devtools/client/framework/source-map-worker.js
index c68732f38e..b6ac2c121f 100644
--- a/devtools/client/framework/source-map-worker.js
+++ b/devtools/client/framework/source-map-worker.js
@@ -23,6 +23,19 @@ function enableSourceMaps() {
 
 function _resolveSourceMapURL(source) {
   const { url = "", sourceMapURL = "" } = source;
+  
+  const UNSUPPORTED_PROTOCOLS = ["chrome://", "resource://"];
+  if (path.isURL(sourceMapURL) && UNSUPPORTED_PROTOCOLS.some(protocol => sourceMapURL.startsWith(protocol))) {
+    // If it's an internal protocol, don't allow it and return empty.
+    return "";
+  }
+  if (path.isURL(sourceMapURL) && sourceMapURL.startsWith("file://")) {
+    // Only allow file:// source maps from file:// docs
+    if (!url.startsWith("file://")) {
+      return "";
+    }
+  }
+  
   if (path.isURL(sourceMapURL) || url == "") {
     // If it's already a full URL or the source doesn't have a URL,
     // don't resolve anything.
author	Moonchild <moonchild@palemoon.org>	2022-04-09 01:25:04 +0200
committer	Moonchild <moonchild@palemoon.org>	2022-04-09 01:25:04 +0200
commit	7d87b7a27002a6b0b1ded74a69f70c1c60545199 (patch)
tree	cb74bc99c63cb3457161fe9208ed98c4fbbe86ff /devtools
parent	3d43617bc116357e2cc840599da5494f8e9947f3 (diff)
download	uxp-7d87b7a27002a6b0b1ded74a69f70c1c60545199.tar.gz