Bug 1263628 - meta-refresh can use a relative URL, ensure base URI is included r=gijs
E.g. articles on facebook.com provide a meta-refresh containing "0; URL=/foo/bar?....",
and we previously attempted to use just this URL component, instead of constructing it
using the current page URL.
MozReview-Commit-ID: 4vSoz5lc1e
--- a/toolkit/components/reader/ReaderMode.jsm
+++ b/toolkit/components/reader/ReaderMode.jsm
@@ -204,33 +204,37 @@ this.ReaderMode = {
// Manually follow a meta refresh tag if one exists.
let meta = doc.querySelector("meta[http-equiv=refresh]");
if (meta) {
let content = meta.getAttribute("content");
if (content) {
let urlIndex = content.toUpperCase().indexOf("URL=");
if (urlIndex > -1) {
- let url = content.substring(urlIndex + 4);
+ let baseURI = Services.io.newURI(url, null, null);
+ let newURI = Services.io.newURI(content.substring(urlIndex + 4), null, baseURI);
+ let newURL = newURI.spec;
let ssm = Services.scriptSecurityManager;
let flags = ssm.LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT |
ssm.DISALLOW_INHERIT_PRINCIPAL;
try {
- ssm.checkLoadURIStrWithPrincipal(doc.nodePrincipal, url, flags);
+ ssm.checkLoadURIStrWithPrincipal(doc.nodePrincipal, newURL, flags);
} catch (ex) {
let errorMsg = "Reader mode disallowed meta refresh (reason: " + ex + ").";
if (Services.prefs.getBoolPref("reader.errors.includeURLs"))
- errorMsg += " Refresh target URI: '" + url + "'.";
+ errorMsg += " Refresh target URI: '" + newURL + "'.";
reject(errorMsg);
return;
}
// Otherwise, pass an object indicating our new URL:
- reject({newURL: url});
- return;
+ if (!baseURI.equalsExceptRef(newURI)) {
+ reject({newURL});
+ return;
+ }
}
}
}
let responseURL = xhr.responseURL;
let givenURL = url;
// Convert these to real URIs to make sure the escaping (or lack
// thereof) is identical:
try {