Bug 22457: Allow resources loaded by view-source://

Instead of whitelisting single resources for view-source requests that might allow platform detection we allow all of those that are needed by requests with a view-source origin. This should be safe now that https://bugzilla.mozilla.org/show_bug.cgi?id=1172165 landed.

Bug 22457: Allow resources loaded by view-source://
Instead of whitelisting single resources for view-source requests that might allow platform detection we allow all of those that are needed by requests with a view-source origin. This should be safe now that https://bugzilla.mozilla.org/show_bug.cgi?id=1172165 landed.
137c0527 · Georg Koppen · ad937183 · 137c0527
Commit 137c0527 authored Jun 01, 2017 by Georg Koppen
--- a/src/components/content-policy.js
+++ b/src/components/content-policy.js
@@ -83,8 +83,12 @@ ContentPolicy.prototype = {
      return Ci.nsIContentPolicy.ACCEPT;
    }

-    // Accept if no origin URI or if origin scheme is chrome/resource/about.
-    if (!aRequestOrigin || aRequestOrigin.schemeIs('resource') || aRequestOrigin.schemeIs('chrome') || aRequestOrigin.schemeIs('about'))
+    // Accept if no origin URI or if origin scheme is
+    // chrome/resource/about/view-source.
+    if (!aRequestOrigin || aRequestOrigin.schemeIs('resource') ||
+                           aRequestOrigin.schemeIs('chrome') ||
+                           aRequestOrigin.schemeIs('about') ||
+                           aRequestOrigin.schemeIs('view-source'))
      return Ci.nsIContentPolicy.ACCEPT;

    // Accept if resource directly loaded into a tab.