tor-browser

commit 98048fb540fe855fadd0705b4eebfddb9431dcdf
parent e1dc348a50d437d8175d773d2e19e9f9b7184d6b
Author: Henry Wilkes <henry@torproject.org>
Date:   Wed, 15 Jan 2025 13:45:24 +0000

BB 29745: Limit remote access to content accessible resources

Diffstat:
M
caps/nsScriptSecurityManager.cpp
 | 
42
++++++++++++++++++++++++++++++++++++++++++

1 file changed, 42 insertions(+), 0 deletions(-)
diff --git a/caps/nsScriptSecurityManager.cpp b/caps/nsScriptSecurityManager.cpp
@@ -1039,6 +1039,48 @@ nsresult nsScriptSecurityManager::CheckLoadURIFlags(
         }
       }
 
+      // Only allow some "about:" pages to have access to contentaccessible
+      // "chrome://branding/" assets. Otherwise web pages could easily and
+      // consistently detect the differences between channels when their
+      // branding differs. See tor-browser#43308 and tor-browser#42319.
+      // NOTE: The same assets under the alternative URI
+      // "resource:///chrome/browser/content/branding/" should already be
+      // inaccessible to web content, so we only add a condition for the chrome
+      // path.
+      if (targetScheme.EqualsLiteral("chrome")) {
+        nsAutoCString targetHost;
+        rv = aTargetBaseURI->GetHost(targetHost);
+        NS_ENSURE_SUCCESS(rv, rv);
+        if (targetHost.EqualsLiteral("branding")) {
+          // Disallow any Principal whose scheme is not "about", or is a
+          // contentaccessible "about" URI ("about:blank" or "about:srcdoc").
+          // NOTE: "about:blank" and "about:srcdoc" would be unexpected here
+          // since such a document spawned by a web document should inherit the
+          // same Principal URI. I.e. they would be "http:" or "https:" schemes.
+          // But we add this condition for extra assurances.
+          // NOTE: Documents with null Principals, like "about:blank" typed by
+          // the user, would also be excluded since the Principal URI would be
+          // "moz-nullprincipal:".
+          if (!aSourceBaseURI->SchemeIs("about") ||
+              NS_IsContentAccessibleAboutURI(aSourceBaseURI)) {
+            return NS_ERROR_DOM_BAD_URI;
+          }
+          // Also exclude "about:reader" from accessing branding assets. I.e. if
+          // a web page includes `<img src="chrome://branding/..." />` we do not
+          // want it to render within "about:reader" either.
+          // Though it is unknown whether the information within "about:reader"
+          // would be exploitable by a web page, we also want to exclude
+          // "about:reader" for consistency: if it does not display in the
+          // original web page, it should not display in "about:reader" either.
+          nsAutoCString sourcePath;
+          rv = aSourceBaseURI->GetFilePath(sourcePath);
+          NS_ENSURE_SUCCESS(rv, rv);
+          if (sourcePath.EqualsLiteral("reader")) {
+            return NS_ERROR_DOM_BAD_URI;
+          }
+        }
+      }
+
       if (targetScheme.EqualsLiteral("resource")) {
         if (StaticPrefs::security_all_resource_uri_content_accessible()) {
           return NS_OK;