diff options
author | Moonchild <moonchild@palemoon.org> | 2022-04-09 01:25:04 +0200 |
---|---|---|
committer | Moonchild <moonchild@palemoon.org> | 2022-04-09 10:00:04 +0200 |
commit | 31f830db583d5563458e4cca31a84e1af8fcec9b (patch) | |
tree | b048de0504bc6206ac0c454a09770323f5f3828d | |
parent | caed2e0861f59acc40d075c188e3e577dcacd060 (diff) | |
download | uxp-release-29.tar.gz |
[devtools] Restrict sourcemap URLsRC_20220409RB_29.4.629.4.6_RC1release-29
-rw-r--r-- | devtools/client/framework/source-map-worker.js | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/devtools/client/framework/source-map-worker.js b/devtools/client/framework/source-map-worker.js index c68732f38e..b6ac2c121f 100644 --- a/devtools/client/framework/source-map-worker.js +++ b/devtools/client/framework/source-map-worker.js @@ -23,6 +23,19 @@ function enableSourceMaps() { function _resolveSourceMapURL(source) { const { url = "", sourceMapURL = "" } = source; + + const UNSUPPORTED_PROTOCOLS = ["chrome://", "resource://"]; + if (path.isURL(sourceMapURL) && UNSUPPORTED_PROTOCOLS.some(protocol => sourceMapURL.startsWith(protocol))) { + // If it's an internal protocol, don't allow it and return empty. + return ""; + } + if (path.isURL(sourceMapURL) && sourceMapURL.startsWith("file://")) { + // Only allow file:// source maps from file:// docs + if (!url.startsWith("file://")) { + return ""; + } + } + if (path.isURL(sourceMapURL) || url == "") { // If it's already a full URL or the source doesn't have a URL, // don't resolve anything. |