Bug 1086999 - CSP: Asterisk (*) wildcard should not allow blob:, data:, or filesystem: when matching source expressions (r=fabrice,pauljt)

This commit is contained in:
Christoph Kerschbaumer 2015-03-25 15:54:13 -07:00
parent 685f3c6572
commit e4a73f690c
3 changed files with 4 additions and 4 deletions


@ -417,9 +417,9 @@ pref("browser.dom.window.dump.enabled", false);
// Default Content Security Policy to apply to certified apps.
// If you change this CSP, make sure to update the fast path in nsCSPService.cpp
pref("security.apps.certified.CSP.default", "default-src *; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline' app://theme.gaiamobile.org");
pref("security.apps.certified.CSP.default", "default-src * data: blob:; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline' app://theme.gaiamobile.org");
// Default Content Security Policy to apply to trusted apps.
pref("security.apps.trusted.CSP.default", "default-src *; object-src 'none'; frame-src 'none'");
pref("security.apps.trusted.CSP.default", "default-src * data: blob:; object-src 'none'; frame-src 'none'");
// Temporarily force-enable GL compositing. This is default-disabled
// deep within the bowels of the widgetry system. Remove me when GL
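Review bot: Adding `data: blob:` to default-src in the `security.apps.certified.CSP.default` and `security.apps.trusted.CSP.default` strings re-grants those schemes to every directive that falls back to default-src, and for the certified policy, which sets no frame-src of its own, that presumably covers framed blob: and data: documents as well, so the change preserves the pre-fix breadth rather than narrowing it. If only the image/media/font/XHR style loads actually need those schemes, listing them on the specific directives would be tighter; otherwise a comment next to the pref stating the intent would help the next reader, e.g. `// data: and blob: must be listed explicitly: '*' no longer matches them (bug 1086999)`. The same point applies to `security.apps.privileged.CSP.default` in the third file. The reminder above about updating the fast path in nsCSPService.cpp is reflected in this commit only as a comment change there, which looks consistent since script-src and style-src are unchanged, but it is worth confirming.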


@ -159,7 +159,7 @@ CSPService::ShouldLoad(uint32_t aContentType,
if (status == nsIPrincipal::APP_STATUS_CERTIFIED) {
// The CSP for certified apps is :
// "default-src *; script-src 'self'; object-src 'none'; style-src 'self' app://theme.gaiamobile.org:*"
// "default-src * data: blob:; script-src 'self'; object-src 'none'; style-src 'self' app://theme.gaiamobile.org:*"
// That means we can optimize for this case by:
// - loading same origin scripts and stylesheets, and stylesheets from the
// theme url space.
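Review bot: The rewritten policy comment (the second of the two quoted policy lines) still does not match the certified-app pref it describes: the pref in b2g.js carries `'unsafe-inline'` in style-src and has no `:*` port wildcard on app://theme.gaiamobile.org. Since the pref file explicitly tells maintainers to keep this fast path in sync, copying the pref string verbatim would avoid drift: `// "default-src * data: blob:; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline' app://theme.gaiamobile.org"`. It would also help to state why the added schemes do not affect the optimization, which from the bullets that follow only covers same-origin scripts and stylesheets plus theme stylesheets, e.g. `// data:/blob: only widen default-src; script-src and style-src are unchanged, so the fast path below is unaffected`. ShouldLoad's body starts and continues outside the hunk.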


@ -1847,7 +1847,7 @@ pref("security.csp.debug", false);
pref("security.csp.experimentalEnabled", false);
// Default Content Security Policy to apply to privileged apps.
pref("security.apps.privileged.CSP.default", "default-src *; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'");
pref("security.apps.privileged.CSP.default", "default-src * data: blob:; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'");
// Mixed content blocking
pref("security.mixed_content.block_active_content", false);