feat(security): explicitly whitelist URL schemes for bootstrap. (#15427)
Many browsers have some extension URL scheme. It is unclear how many of those have the security issue of allowing parser-inserted loads of extension URLs. To be conservative, this code whitelists the URL schemes that are known to be subject to CSP, i.e. the ones that are expected and safe.
This commit is contained in:
+13
-5
@@ -1455,12 +1455,20 @@ function allowAutoBootstrap(document) {
|
||||
link.href = src;
|
||||
var scriptProtocol = link.protocol;
|
||||
var docLoadProtocol = document.location.protocol;
|
||||
if ((scriptProtocol === 'resource:' ||
|
||||
scriptProtocol === 'chrome-extension:') &&
|
||||
docLoadProtocol !== scriptProtocol) {
|
||||
return false;
|
||||
if (docLoadProtocol === scriptProtocol) {
|
||||
return true;
|
||||
}
|
||||
switch(scriptProtocol) {
|
||||
case 'http:':
|
||||
case 'https:':
|
||||
case 'ftp:':
|
||||
case 'blob:':
|
||||
case 'file:':
|
||||
case 'data:':
|
||||
return true;
|
||||
default:
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
// Cached as it has to run during loading so that document.currentScript is available.
|
||||
|
||||
Reference in New Issue
Block a user