author | Moonchild <moonchild@palemoon.org> | 2022-04-09 01:25:04 +0200 |
---|---|---|
committer | Moonchild <moonchild@palemoon.org> | 2022-04-09 01:25:04 +0200 |
commit | 7d87b7a27002a6b0b1ded74a69f70c1c60545199 (patch) | |
tree | cb74bc99c63cb3457161fe9208ed98c4fbbe86ff /devtools | |
parent | 3d43617bc116357e2cc840599da5494f8e9947f3 (diff) | |
download | uxp-7d87b7a27002a6b0b1ded74a69f70c1c60545199.tar.gz |
[devtools] Restrict sourcemap URLs
Diffstat (limited to 'devtools')
-rw-r--r-- | devtools/client/framework/source-map-worker.js | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/devtools/client/framework/source-map-worker.js b/devtools/client/framework/source-map-worker.js
index c68732f38e..b6ac2c121f 100644
--- a/devtools/client/framework/source-map-worker.js
+++ b/devtools/client/framework/source-map-worker.js
@@ -23,6 +23,19 @@ function enableSourceMaps() {
 function _resolveSourceMapURL(source) {
 const { url = "", sourceMapURL = "" } = source;
+
+ const UNSUPPORTED_PROTOCOLS = ["chrome://", "resource://"];
+ if (path.isURL(sourceMapURL) && UNSUPPORTED_PROTOCOLS.some(protocol => sourceMapURL.startsWith(protocol))) {
+ // If it's an internal protocol, don't allow it and return empty.
+ return "";
+ }
+ if (path.isURL(sourceMapURL) && sourceMapURL.startsWith("file://")) {
+ // Only allow file:// source maps from file:// docs
+ if (!url.startsWith("file://")) {
+ return "";
+ }
+ }
+
+ if (path.isURL(sourceMapURL) || url == "") {
 // If it's already a full URL or the source doesn't have a URL,
 // don't resolve anything. |
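Review bot: Both new scheme checks in `_resolveSourceMapURL` match raw prefixes with `startsWith`, which is case-sensitive, whereas URL schemes are case-insensitive; the hunk does not show whether `path.isURL` rejects mixed-case or whitespace-padded values, so the filter may be narrower than whatever later loads the map. Normalising once before the tests would close that gap, e.g. `const mapURL = sourceMapURL.trim().toLowerCase();` and `const docURL = url.trim().toLowerCase();`, then using those in the three `startsWith` calls while still returning the original string. The check is also a two-entry denylist, so any other privileged scheme the platform resolves is still passed through; an allowlist of the schemes source maps are expected to use would fail closed. The function body continues past the end of the hunk, so how the returned URL is fetched (including whether redirects are re-checked) is not visible here.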