Bug 693940: Restrict SVG-as-an-image to load URIs with URI_INHERITS_SECURITY_CONTEXT. r=bz

content/base/src/nsDataDocumentContentPolicy.cpp

@@ -87,12 +87,14 @@ nsDataDocumentContentPolicy::ShouldLoad(PRUint32 aContentType,
   }
 
   if (doc->IsBeingUsedAsImage()) {
-    // Allow local resources for SVG-as-an-image documents, but disallow
+    // Only allow SVG-as-an-image to load local resources that inherit security
-    // everything else, to prevent data leakage
+    // context (basically just data: URIs), to prevent data leakage.
     bool hasFlags;
-    nsresult rv = NS_URIChainHasFlags(aContentLocation,
+    nsresult rv =
-                                      nsIProtocolHandler::URI_IS_LOCAL_RESOURCE,
+      NS_URIChainHasFlags(aContentLocation,
-                                      &hasFlags);
+                          nsIProtocolHandler::URI_IS_LOCAL_RESOURCE |
+                          nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT,
+                          &hasFlags);
     if (NS_FAILED(rv) || !hasFlags) {
       // resource is not local (or we couldn't tell) - reject!
       *aDecision = nsIContentPolicy::REJECT_TYPE;

layout/reftests/svg/as-image/reftest.list

@@ -109,11 +109,11 @@ random == img-and-image-1.html img-and-image-1-ref.svg # bug 645267
 # tests for external resources vs. data URIs in SVG as an image
 == svg-image-datauri-1.html            lime100x100.svg
 HTTP == svg-image-datauri-1.html       lime100x100.svg
-fails-if(Android) == svg-image-external-1.html           lime100x100.svg
+== svg-image-external-1.html           blue100x100.svg
 HTTP == svg-image-external-1.html      blue100x100.svg
 == svg-stylesheet-datauri-1.html       lime100x100.svg
 HTTP == svg-stylesheet-datauri-1.html  lime100x100.svg
-random == svg-stylesheet-external-1.html      lime100x100.svg # see bug 629885 comment 9
+== svg-stylesheet-external-1.html      blue100x100.svg
 HTTP == svg-stylesheet-external-1.html blue100x100.svg
 
 # test that :visited status is ignored in image documents