mirror of
https://github.com/gorhill/uBlock.git
synced 2024-11-24 19:33:01 +01:00
code review: prevent redirection to WAR when request is xmlhttprequest
This commit is contained in:
parent
b2ff50f039
commit
4ed0d87b7b
@ -81,10 +81,21 @@ var RedirectEntry = function() {
|
||||
|
||||
/******************************************************************************/
|
||||
|
||||
RedirectEntry.prototype.toURL = function() {
|
||||
// Prevent redirection to web accessible resources when the request is
|
||||
// of type 'xmlhttprequest', because XMLHttpRequest.responseURL would
|
||||
// cause leakage of extension id. See:
|
||||
// - https://stackoverflow.com/a/8056313
|
||||
// - https://bugzilla.mozilla.org/show_bug.cgi?id=998076
|
||||
|
||||
RedirectEntry.prototype.toURL = function(details) {
|
||||
if ( this.warURL !== undefined ) {
|
||||
if (
|
||||
details instanceof Object === false ||
|
||||
details.requestType !== 'xmlhttprequest'
|
||||
) {
|
||||
return this.warURL + '?secret=' + vAPI.warSecret;
|
||||
}
|
||||
}
|
||||
if ( this.data.startsWith('data:') === false ) {
|
||||
if ( this.mime.indexOf(';') === -1 ) {
|
||||
this.data = 'data:' + this.mime + ';base64,' + btoa(this.data);
|
||||
@ -214,12 +225,10 @@ RedirectEngine.prototype.lookupToken = function(entries, reqURL) {
|
||||
|
||||
RedirectEngine.prototype.toURL = function(context) {
|
||||
var token = this.lookup(context);
|
||||
if ( token === undefined ) {
|
||||
return;
|
||||
}
|
||||
if ( token === undefined ) { return; }
|
||||
var entry = this.resources.get(token);
|
||||
if ( entry !== undefined ) {
|
||||
return entry.toURL();
|
||||
return entry.toURL(context);
|
||||
}
|
||||
};
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user