feat(security): explicitly whitelist URL schemes for bootstrap. (#15427)

Many browsers have some extension URL scheme. It is unclear how many of
those have the security issue of allowing parser-inserted loads of
extension URLs.

To be conservative, this code whitelists the URL schemes that are known
to be subject to CSP, i.e. the ones that are expected and safe.
This commit is contained in:
Martin Probst
2016-11-23 15:44:43 -08:00
committed by GitHub
parent cc92da0d67
commit 7f1b8bdfe1
+13 -5
View File
@@ -1455,12 +1455,20 @@ function allowAutoBootstrap(document) {
link.href = src;
var scriptProtocol = link.protocol;
var docLoadProtocol = document.location.protocol;
if ((scriptProtocol === 'resource:' ||
scriptProtocol === 'chrome-extension:') &&
docLoadProtocol !== scriptProtocol) {
return false;
if (docLoadProtocol === scriptProtocol) {
return true;
}
switch(scriptProtocol) {
case 'http:':
case 'https:':
case 'ftp:':
case 'blob:':
case 'file:':
case 'data:':
return true;
default:
return false;
}
return true;
}
// Cached as it has to run during loading so that document.currentScript is available.