Only allow "about:" pages to have access to contentaccessible branding assets

Merge Info

Issues

Resolves

• #43308 (closed)

Related

• #29745
• mullvad-browser#312 (closed)

Merging

Target Branches

• tor-browser - !fixups to tor-browser-specific commits, new features, security backports
• base-browser and mullvad-browser - !fixups to base-browser-specific commits, new features to be shared with mullvad-browser, and security backports
  • All commits are base-browser commits.

Target Channels

• Alpha: esr128-14.5
• Stable: esr128-14.0
• Legacy: esr115-13.5

Backporting

Timeline

• No Backport (preferred): patchset for the next major stable
• Immediate: patchset needed as soon as possible
• Next Minor Stable Release: patchset that needs to be verified in nightly before backport
• Eventually: patchset that needs to be verified in alpha before backport

(Optional) Justification

• Emergency security update: patchset fixes CVEs, 0-days, etc
• Censorship event: patchset enables censorship circumvention
• Critical bug-fix: patchset fixes a bug in core-functionality
• Consistency: patchset which would make development easier if it were in both the alpha and release branches; developer tools, build system changes, etc
• Sponsor required: patchset required for sponsor
• Localization: typos and other localization changes that should be also in the release branch
• Other: please explain

Issue Tracking

• Link resolved issues with appropriate Release Prep issue for changelog generation

Review

Request Reviewer

• Request review from an applications developer depending on modified system:
  • NOTE: if the MR modifies multiple areas, please /cc all the relevant reviewers (since Gitlab only allows 1 reviewer)
  • accessibility : henry
  • android : clairehurst, dan
  • build system : boklm
  • extensions : ma1
  • firefox internals (XUL/JS/XPCOM) : jwilde, ma1
  • fonts : pierov
  • frontend (implementation) : henry
  • frontend (review) : donuts, morgan
  • localization : henry, pierov
  • macOS : clairehurst, dan
  • nightly builds : boklm
  • rebases/release-prep : dan, ma1, pierov, morgan
  • security : jwilde, ma1
  • signing : boklm, morgan
  • updater : pierov
  • windows : jwilde, morgan
  • misc/other : pierov, morgan

Change Description

/cc @ma1 @pierov @morgan @cypherpunks1 @thorin

The discussion in !684 is blocking mullvad-browser#312 (closed), which is high-ish priority.

Rather than implement the wide changes, and deal with the potential fallout, I just restricted the branding assets to be accessible to "about:" pages, which is all we need right now.

Unlike !684, I used the "about" scheme as the allowed source, rather than the ALLOWS_PROXY flag, which I'm not familiar with.

NOTE: I used the commit message "BB 29745: Limit remote access to content accessible resources." rather than "BB 43308" because I anticipate that this will be fixed up in !684.

NOTE: I also removed the "about:logo" page, which exposed a firefox branding asset.

How Tested

Web pages can no longer use chrome://branding/ for favicons, CSS stylesheets or images.

Same applies to other URI schemes, like "data".

Checked some existing uses of chrome://branding/ listed in https://searchfox.org/mozilla-esr128/search?q=chrome%3A%2F%2Fbranding%2F&path=&case=false&regexp=false :

• Chrome UI seems unaffected. In particular, about dialog still works and brand.properties strings are accessible.
• The "about:" pages that use branding assets still work. In particular, about:tor still shows the logo.