From 31f830db583d5563458e4cca31a84e1af8fcec9b Mon Sep 17 00:00:00 2001
From: Moonchild <moonchild@palemoon.org>
Date: Sat, 9 Apr 2022 01:25:04 +0200
Subject: [devtools] Restrict sourcemap URLs

---
 devtools/client/framework/source-map-worker.js | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/devtools/client/framework/source-map-worker.js b/devtools/client/framework/source-map-worker.js
index c68732f38e..b6ac2c121f 100644
--- a/devtools/client/framework/source-map-worker.js
+++ b/devtools/client/framework/source-map-worker.js
@@ -23,6 +23,19 @@ function enableSourceMaps() {
 
 function _resolveSourceMapURL(source) {
   const { url = "", sourceMapURL = "" } = source;
+  
+  const UNSUPPORTED_PROTOCOLS = ["chrome://", "resource://"];
+  if (path.isURL(sourceMapURL) && UNSUPPORTED_PROTOCOLS.some(protocol => sourceMapURL.startsWith(protocol))) {
+    // If it's an internal protocol, don't allow it and return empty.
+    return "";
+  }
+  if (path.isURL(sourceMapURL) && sourceMapURL.startsWith("file://")) {
+    // Only allow file:// source maps from file:// docs
+    if (!url.startsWith("file://")) {
+      return "";
+    }
+  }
+  
   if (path.isURL(sourceMapURL) || url == "") {
     // If it's already a full URL or the source doesn't have a URL,
     // don't resolve anything.
-- 
cgit v1.2.3