From 4ed0d87b7b17b0b937e8c53c4c5b4ab87bafd20a Mon Sep 17 00:00:00 2001
From: Raymond Hill <rhill@raymondhill.net>
Date: Fri, 16 Feb 2018 13:37:20 -0500
Subject: [PATCH] code review: prevent redirection to WAR when request is
 xmlhttprequest

---
 src/js/redirect-engine.js | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

diff --git a/src/js/redirect-engine.js b/src/js/redirect-engine.js
index f26fcdd92..967d700fc 100644
--- a/src/js/redirect-engine.js
+++ b/src/js/redirect-engine.js
@@ -81,9 +81,20 @@ var RedirectEntry = function() {
 
 /******************************************************************************/
 
-RedirectEntry.prototype.toURL = function() {
+// Prevent redirection to web accessible resources when the request is
+// of type 'xmlhttprequest', because XMLHttpRequest.responseURL would
+// cause leakage of extension id. See:
+// - https://stackoverflow.com/a/8056313
+// - https://bugzilla.mozilla.org/show_bug.cgi?id=998076
+
+RedirectEntry.prototype.toURL = function(details) {
     if ( this.warURL !== undefined ) {
-        return this.warURL + '?secret=' + vAPI.warSecret;
+        if (
+            details instanceof Object === false ||
+            details.requestType !== 'xmlhttprequest'
+        ) {
+            return this.warURL + '?secret=' + vAPI.warSecret;
+        }
     }
     if ( this.data.startsWith('data:') === false ) {
         if ( this.mime.indexOf(';') === -1 ) {
@@ -214,12 +225,10 @@ RedirectEngine.prototype.lookupToken = function(entries, reqURL) {
 
 RedirectEngine.prototype.toURL = function(context) {
     var token = this.lookup(context);
-    if ( token === undefined ) {
-        return;
-    }
+    if ( token === undefined ) { return; }
     var entry = this.resources.get(token);
     if ( entry !== undefined ) {
-        return entry.toURL();
+        return entry.toURL(context);
     }
 };