authorMoonchild <moonchild@palemoon.org>2022-04-09 01:25:04 +0200
committerMoonchild <moonchild@palemoon.org>2022-04-09 10:00:04 +0200
commit31f830db583d5563458e4cca31a84e1af8fcec9b (patch)
treeb048de0504bc6206ac0c454a09770323f5f3828d
parentcaed2e0861f59acc40d075c188e3e577dcacd060 (diff)
downloaduxp-release-29.tar.gz
[devtools] Restrict sourcemap URLsRC_20220409RB_29.4.629.4.6_RC1release-29
-rw-r--r--devtools/client/framework/source-map-worker.js13
1 files changed, 13 insertions, 0 deletions
diff --git a/devtools/client/framework/source-map-worker.js b/devtools/client/framework/source-map-worker.js
index c68732f38e..b6ac2c121f 100644
--- a/devtools/client/framework/source-map-worker.js
+++ b/devtools/client/framework/source-map-worker.js
@@ -23,6 +23,19 @@ function enableSourceMaps() {
function _resolveSourceMapURL(source) {
const { url = "", sourceMapURL = "" } = source;
+
+ const UNSUPPORTED_PROTOCOLS = ["chrome://", "resource://"];
+ if (path.isURL(sourceMapURL) && UNSUPPORTED_PROTOCOLS.some(protocol => sourceMapURL.startsWith(protocol))) {
+ // If it's an internal protocol, don't allow it and return empty.
+ return "";
+ }
+ if (path.isURL(sourceMapURL) && sourceMapURL.startsWith("file://")) {
+ // Only allow file:// source maps from file:// docs
+ if (!url.startsWith("file://")) {
+ return "";
+ }
+ }
+
if (path.isURL(sourceMapURL) || url == "") {
// If it's already a full URL or the source doesn't have a URL,
// don't resolve anything.