Bug 1293476 - Decouple URI_SAFE_TO_LOAD_IN_SECURE_CONTEXT and MAKE_LINKABLE.
MozReview-Commit-ID: FZEemKDafEg
--- a/netwerk/protocol/about/nsAboutProtocolHandler.cpp
+++ b/netwerk/protocol/about/nsAboutProtocolHandler.cpp
@@ -84,21 +84,27 @@ nsAboutProtocolHandler::GetFlagsForURI(n
// Swallow this and just tell the consumer the default:
return NS_OK;
}
uint32_t aboutModuleFlags = 0;
rv = aboutMod->GetURIFlags(aURI, &aboutModuleFlags);
// This should never happen, so pass back the error:
NS_ENSURE_SUCCESS(rv, rv);
- // If marked as safe, and marked linkable, pass 'safe' flags.
- if ((aboutModuleFlags & nsIAboutModule::URI_SAFE_FOR_UNTRUSTED_CONTENT) &&
- (aboutModuleFlags & nsIAboutModule::MAKE_LINKABLE)) {
- *aFlags = URI_NORELATIVE | URI_NOAUTH | URI_LOADABLE_BY_ANYONE |
- URI_SAFE_TO_LOAD_IN_SECURE_CONTEXT;
+ // Secure (https) pages can load safe about pages without becoming
+ // mixed content.
+ if (aboutModuleFlags & nsIAboutModule::URI_SAFE_FOR_UNTRUSTED_CONTENT) {
+ *aFlags |= URI_SAFE_TO_LOAD_IN_SECURE_CONTEXT;
+ // about: pages can only be loaded by unprivileged principals
+ // if they are marked as LINKABLE
+ if (aboutModuleFlags & nsIAboutModule::MAKE_LINKABLE) {
+ // Replace URI_DANGEROUS_TO_LOAD with URI_LOADABLE_BY_ANYONE.
+ *aFlags &= ~URI_DANGEROUS_TO_LOAD;
+ *aFlags |= URI_LOADABLE_BY_ANYONE;
+ }
}
return NS_OK;
}
NS_IMETHODIMP
nsAboutProtocolHandler::NewURI(const nsACString &aSpec,
const char *aCharset, // ignore charset info
nsIURI *aBaseURI,
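Review bot: The new `*aFlags |= URI_SAFE_TO_LOAD_IN_SECURE_CONTEXT;` and `*aFlags &= ~URI_DANGEROUS_TO_LOAD;` lines modify whatever `*aFlags` already holds, where the removed code assigned a complete value. The resulting load policy therefore depends on the default written earlier in GetFlagsForURI, which starts outside this hunk. If that default is the restrictive set the "Replace URI_DANGEROUS_TO_LOAD" comment implies, I would pin it before the `if` with `MOZ_ASSERT(*aFlags & URI_DANGEROUS_TO_LOAD);`, so a later change to the defaults cannot leave a page with conflicting or missing load flags. The comment above the inner `if` also understates the condition, because the branch is only reached when URI_SAFE_FOR_UNTRUSTED_CONTENT is set as well. I would reword it to `// Unprivileged principals may load an about: page only if it is both URI_SAFE_FOR_UNTRUSTED_CONTENT and MAKE_LINKABLE.`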