commit 92a4d5250a0fa8978d244313c3ba14a43da742c8
parent 8d31013d644c426af64ba730b15d071100967e04
Author: Tom Schuster <tschuster@mozilla.com>
Date: Thu, 20 Nov 2025 16:02:44 +0000
Bug 2000535 - Use moz-remote-image: for _getIconURLForWebApp. r=akulyk
Differential Revision: https://phabricator.services.mozilla.com/D272846
Diffstat:
4 files changed, 25 insertions(+), 6 deletions(-)
diff --git a/browser/components/preferences/dialogs/applicationManager.xhtml b/browser/components/preferences/dialogs/applicationManager.xhtml
@@ -3,8 +3,8 @@
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
-<?csp default-src chrome:; img-src chrome: moz-icon: http: https:; style-src
-chrome: 'unsafe-inline'; ?>
+<?csp default-src chrome:; img-src chrome: moz-icon: moz-remote-image:;
+style-src chrome: 'unsafe-inline'; ?>
<window
xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
diff --git a/browser/components/preferences/main.js b/browser/components/preferences/main.js
@@ -5305,7 +5305,14 @@ var gMainPane = {
/^https?$/.test(uri.scheme) &&
Services.prefs.getBoolPref("browser.chrome.site_icons")
) {
- return uri.prePath + "/favicon.ico";
+ // As the favicon originates from web content and is displayed in the parent process,
+ // use the moz-remote-image: protocol to safely re-encode it.
+ let params = new URLSearchParams({
+ url: uri.prePath + "/favicon.ico",
+ width: 16,
+ height: 16,
+ });
+ return "moz-remote-image://?" + params;
}
return "";
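Review bot: The `/^https?$/` test above the new block is now the only visible check on the URL that actually gets fetched, because the page CSP matches the outer `moz-remote-image:` scheme and not the wrapped `url` parameter. In about:preferences the old img-src listed `https:` but not `http:`, so a plain-http favicon that the CSP would presumably have blocked can now be requested through the wrapper, depending on what the protocol handler accepts (not visible here). If that is intended, record it in the comment, e.g. `// The page CSP only sees moz-remote-image:, so the scheme test above is the sole filter on the wrapped URL.`; otherwise consider restricting the test to https. The enclosing function starts and ends outside the hunk.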
diff --git a/browser/components/preferences/preferences.xhtml b/browser/components/preferences/preferences.xhtml
@@ -12,7 +12,7 @@
<head>
<!-- @CSP: We should remove 'unsafe-inline' from style-src, see Bug 1579160 -->
- <meta http-equiv="Content-Security-Policy" content="default-src chrome:; img-src chrome: moz-icon: https: blob: data:; style-src chrome: data: 'unsafe-inline'; object-src 'none'" />
+ <meta http-equiv="Content-Security-Policy" content="default-src chrome:; img-src chrome: moz-icon: moz-remote-image: https: blob: data:; style-src chrome: data: 'unsafe-inline'; object-src 'none'" />
<title data-l10n-id="settings-page-title"></title>
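Review bot: `https:`, `blob:` and `data:` stay in img-src on the new line, so about:preferences can still load remote images directly, whereas applicationManager.xhtml drops `http: https:` in this same commit. If other parts of the page still need direct https images, a comment next to the existing `@CSP` one would record why, e.g. `<!-- @CSP: https: in img-src is still needed for <consumer>; web-app favicons go through moz-remote-image: -->` (the consumer name is a placeholder). If nothing else needs it, dropping `https:` here would make the re-encoding path the only route for remote images on this page.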
diff --git a/dom/security/nsContentSecurityUtils.cpp b/dom/security/nsContentSecurityUtils.cpp
@@ -1321,6 +1321,12 @@ static nsLiteralCString sStyleSrcUnsafeInlineAllowList[] = {
"chrome://pippki/content/load_device.xhtml"_ns,
"chrome://pippki/content/setp12password.xhtml"_ns,
};
+// img-src moz-remote-image:
+static nsLiteralCString sImgSrcMozRemoteImageAllowList[] = {
+ "about:preferences"_ns,
+ "about:settings"_ns,
+ "chrome://browser/content/preferences/dialogs/applicationManager.xhtml"_ns,
+};
// img-src data: blob:
static nsLiteralCString sImgSrcDataBlobAllowList[] = {
"about:addons"_ns,
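Review bot: The header comment `// img-src moz-remote-image:` does not say what an entry grants, while the ImgSrcVisitor hunk further down notes that the scheme can still be used for arbitrary network requests. Repeating that at the list would help whoever adds the next entry, e.g. `// img-src moz-remote-image: (entries let the page trigger network fetches for arbitrary URLs; keep minimal)`. `about:settings` is listed, but the only CSP changes visible in this commit are in preferences.xhtml and applicationManager.xhtml. Presumably about:settings serves the same document, which is worth confirming.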
@@ -1382,7 +1388,6 @@ static nsLiteralCString sImgSrcHttpsAllowList[] = {
"chrome://devtools/content/application/index.html"_ns,
"chrome://devtools/content/framework/browser-toolbox/window.html"_ns,
"chrome://devtools/content/framework/toolbox-window.xhtml"_ns,
- "chrome://browser/content/preferences/dialogs/applicationManager.xhtml"_ns,
"chrome://global/content/alerts/alert.xhtml"_ns,
"chrome://mozapps/content/handling/appChooser.xhtml"_ns,
};
@@ -1393,7 +1398,6 @@ static nsLiteralCString sImgSrcHttpAllowList[] = {
"chrome://devtools/content/application/index.html"_ns,
"chrome://devtools/content/framework/browser-toolbox/window.html"_ns,
"chrome://devtools/content/framework/toolbox-window.xhtml"_ns,
- "chrome://browser/content/preferences/dialogs/applicationManager.xhtml"_ns,
"chrome://global/content/alerts/alert.xhtml"_ns,
"chrome://mozapps/content/handling/appChooser.xhtml"_ns,
// STOP! Do not add anything to this list.
@@ -1600,6 +1604,14 @@ class ImgSrcVisitor : public AllowBuiltinSrcVisitor {
return true;
}
+ // moz-remote-image: safely re-encodes the image, but can still be used for
+ // arbitrary network requests.
+ if (scheme == u"moz-remote-image"_ns) {
+ if (CheckAllowList(sImgSrcMozRemoteImageAllowList)) {
+ return true;
+ }
+ }
+
// data: and blob: can be used to decode arbitrary images.
if (scheme == u"data"_ns || scheme == u"blob") {
if (CheckAllowList(sImgSrcDataBlobAllowList)) {