Bug 1352513 - re-add the hidden window exception behind a pref, r?bholley
MozReview-Commit-ID: 3q1CZ5QCuus
--- a/caps/nsScriptSecurityManager.cpp
+++ b/caps/nsScriptSecurityManager.cpp
@@ -893,16 +893,33 @@ nsScriptSecurityManager::CheckLoadURIFla
bool accessAllowed = false;
reg->AllowContentToAccess(aTargetBaseURI, &accessAllowed);
if (accessAllowed) {
return NS_OK;
}
}
}
+ static bool sCanLoadChromeInContent = false;
+ static bool sCachedCanLoadChromeInContentPref = false;
+ if (!sCachedCanLoadChromeInContentPref) {
+ sCachedCanLoadChromeInContentPref = true;
+ mozilla::Preferences::AddBoolVarCache(&sCanLoadChromeInContent,
+ "security.allow_chrome_frames_inside_content");
+ }
+ if (sCanLoadChromeInContent) {
+ // Special-case the hidden window: it's allowed to load
+ // URI_IS_UI_RESOURCE no matter what. Bug 1145470 tracks removing this.
+ nsAutoCString sourceSpec;
+ if (NS_SUCCEEDED(aSourceBaseURI->GetSpec(sourceSpec)) &&
+ sourceSpec.EqualsLiteral("resource://gre-resources/hiddenWindow.html")) {
+ return NS_OK;
+ }
+ }
+
if (reportErrors) {
ReportError(nullptr, errorTag, aSourceURI, aTargetURI);
}
return NS_ERROR_DOM_BAD_URI;
}
// Check for target URI pointing to a file
rv = NS_URIChainHasFlags(aTargetURI,
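Review bot: The re-added exception identifies the hidden window only by the string form of `aSourceBaseURI` (`sourceSpec.EqualsLiteral("resource://gre-resources/hiddenWindow.html")`). With the pref on, any load whose source base URI has that spec returns `NS_OK` before the `ReportError` / `NS_ERROR_DOM_BAD_URI` path, and nothing visible in this hunk ties the match to the actual hidden window document. The inherited comment still says "no matter what", which is no longer accurate now that the branch is pref-gated. I would reword it to `// Only when security.allow_chrome_frames_inside_content is true (default false): a source URI equal to the hidden window's spec may load URI_IS_UI_RESOURCE. Bug 1145470 tracks removing this.` Because `AddBoolVarCache` keeps `sCanLoadChromeInContent` in sync with the pref, a runtime flip appears to take effect on the next check without a restart, which is worth stating in the comment as well. The body of `CheckLoadURIFlags` starts and ends outside this hunk.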
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -2215,16 +2215,20 @@ pref("security.cert_pinning.enforcement_
// This is to prevent accidental pinning from MITM devices and is used
// for tests.
pref("security.cert_pinning.process_headers_from_non_builtin_roots", false);
// If set to true, allow view-source URIs to be opened from URIs that share
// their protocol with the inner URI of the view-source URI
pref("security.view-source.reachable-from-inner-protocol", false);
+// If set to true, in some limited circumstances it may be possible to load
+// privileged content in frames inside unprivileged content.
+pref("security.allow_chrome_frames_inside_content", false);
+
// Services security settings
pref("services.settings.server", "https://firefox.settings.services.mozilla.com/v1");
// Blocklist preferences
pref("extensions.blocklist.enabled", true);
// OneCRL freshness checking depends on this value, so if you change it,
// please also update security.onecrl.maximum_staleness_in_seconds.
pref("extensions.blocklist.interval", 86400);
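Review bot: The comment added above `security.allow_chrome_frames_inside_content` does not say what enabling the pref permits. "Some limited circumstances" gives someone auditing about:config or a deployed prefs file nothing to assess. The only effect visible in this commit is the branch in `caps/nsScriptSecurityManager.cpp` that lets `resource://gre-resources/hiddenWindow.html` load URI_IS_UI_RESOURCE targets. I would write `// If true, a load whose source is the hidden window (resource://gre-resources/hiddenWindow.html) may target URI_IS_UI_RESOURCE content that CheckLoadURI would otherwise reject. Leave false unless required; bug 1145470 tracks removal.` The pref name is broader than that behaviour, which may be deliberate, but the comment should describe the current scope so that the weakened check is recognisable when the pref is found set to true.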