authorMoonchild <moonchild@palemoon.org>2022-04-09 01:25:04 +0200
committerMoonchild <moonchild@palemoon.org>2022-04-09 01:25:04 +0200
commit7d87b7a27002a6b0b1ded74a69f70c1c60545199 (patch)
treecb74bc99c63cb3457161fe9208ed98c4fbbe86ff /devtools
parent3d43617bc116357e2cc840599da5494f8e9947f3 (diff)
[devtools] Restrict sourcemap URLs
Diffstat (limited to 'devtools')
-rw-r--r--devtools/client/framework/source-map-worker.js13
1 files changed, 13 insertions, 0 deletions
diff --git a/devtools/client/framework/source-map-worker.js b/devtools/client/framework/source-map-worker.js
index c68732f38e..b6ac2c121f 100644
--- a/devtools/client/framework/source-map-worker.js
+++ b/devtools/client/framework/source-map-worker.js
@@ -23,6 +23,19 @@ function enableSourceMaps() {
function _resolveSourceMapURL(source) {
const { url = "", sourceMapURL = "" } = source;
+
+ const UNSUPPORTED_PROTOCOLS = ["chrome://", "resource://"];
+ if (path.isURL(sourceMapURL) && UNSUPPORTED_PROTOCOLS.some(protocol => sourceMapURL.startsWith(protocol))) {
+ // If it's an internal protocol, don't allow it and return empty.
+ return "";
+ }
+ if (path.isURL(sourceMapURL) && sourceMapURL.startsWith("file://")) {
+ // Only allow file:// source maps from file:// docs
+ if (!url.startsWith("file://")) {
+ return "";
+ }
+ }
+
if (path.isURL(sourceMapURL) || url == "") {
// If it's already a full URL or the source doesn't have a URL,
// don't resolve anything.
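Review bot: The two added guards match the scheme of `sourceMapURL` with case-sensitive `startsWith` prefixes, but URL schemes are case-insensitive. A differently-cased scheme would skip both checks if `path.isURL` and the later loader accept it; neither is visible here, so this should be confirmed. Testing a normalised copy closes the gap, e.g. `const lowered = sourceMapURL.toLowerCase();` with `lowered.startsWith(protocol)` and `lowered.startsWith("file://")`. `UNSUPPORTED_PROTOCOLS` is also a deny-list, so any other internal scheme still falls through to the `path.isURL(sourceMapURL)` branch unchanged, whereas an allow-list of the schemes source maps are expected to load from would fail closed. `_resolveSourceMapURL` continues past the end of the hunk, so it is not visible whether a relative `sourceMapURL` is re-checked after it has been resolved against `url`.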