Commit ace11cd8 authored by Yawning Angel's avatar Yawning Angel
Browse files

Bug 8725: Block `chrome://` based fingerprinting with nsIContentPolicy.

Most addons do not set `contentaccessible=yes`, however behavior should
be consistent even if such addons are installed.

This does not affect any of the standard addons shipped with Tor Browser, but
will break user installed addons that depend on actually being able to
access `chrome://` URLs in this manner.
parent 3bff5aae
......@@ -24,12 +24,12 @@ ContentPolicy.prototype = {
_xpcom_categories: [{category: "content-policy"}],
shouldLoad: function(aContentType, aContentLocation, aRequestOrigin, aContext, aMimeTypeGuess, aExtra) {
// Accept if no content URI or scheme is not a resource.
if (!aContentLocation || !aContentLocation.schemeIs('resource'))
// Accept if no content URI or scheme is not a resource/chrome.
if (!aContentLocation || !(aContentLocation.schemeIs('resource') || aContentLocation.schemeIs('chrome')))
return Ci.nsIContentPolicy.ACCEPT;
// Accept if no origin URI, or if the origin URI scheme is chrome/resource.
if (!aRequestOrigin || aRequestOrigin.schemeIs('resource') || aRequestOrigin.schemeIs('chrome'))
// Accept if no origin URI or if origin scheme is chrome/resource/about.
if (!aRequestOrigin || aRequestOrigin.schemeIs('resource') || aRequestOrigin.schemeIs('chrome') || aRequestOrigin.schemeIs('about'))
return Ci.nsIContentPolicy.ACCEPT;
// Accept if resource directly loaded into a tab.
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment