Closed
Bug 1453559
Opened 7 years ago
Closed 7 years ago
Relative path ES Module import over a resource: URI resolves to a file: URI from within a module
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla61
Tracking | Status | |
---|---|---|
firefox61 | --- | fixed |
People
(Reporter: MattN, Assigned: jonco)
References
(Blocks 1 open bug, )
Details
Attachments
(2 files, 1 obsolete file)
2.09 KB,
patch
|
Details | Diff | Splinter Review | |
2.00 KB,
patch
|
baku
:
review+
MattN
:
feedback+
|
Details | Diff | Splinter Review |
If I have an HTML document and two modules loaded over a resource:// URI where the HTML document imports module 1 and that in turn imports module 2 using a relative path, the import of module 2 fails with the error:
> Security Error: Content at resource://payments/example.html may not load or link to file:///Users/matthew/mozilla-central/toolkit/components/payments/res/example-module2.js.
Note that example-module.js is resolved fine, the problem is only with the nested module import.
See the attached example which can be applied to m-c and run via resource://payments/example.html
Changing the import of module B to use the absolute resource URI works around the problem though I wonder if that means that the module script may be executed more than once? That workaround won't work for bug 1446179 as we don't want to hard-code the resource: scheme so that we can use the same modules over http:
This bug prevents using relative resource URI paths within the Firefox front-end. The same issue may apply to chrome:// too though I didn't test that.
Reporter | ||
Comment 1•7 years ago
|
||
See the Browser Console when you load resource://payments/example.html
Assignee | ||
Comment 2•7 years ago
|
||
(In reply to Matthew N. [:MattN] (PM if requests are blocking you) from comment #0)
Thanks for filing this and for providing a testcase.
Assignee | ||
Comment 3•7 years ago
|
||
This is the same problem as bug 1371551 but for resource: URIs.
This patch extends the fix for that bug to also cover this scheme. Instead of using the response URL for the fetch we use the channel's original URI (the request URI). This doesn't matter for these kinds of scheme.
Assignee: nobody → jcoppeard
Attachment #8967365 -
Flags: review?(amarchesini)
Reporter | ||
Comment 4•7 years ago
|
||
Comment on attachment 8967365 [details] [diff] [review]
bug1453559-fixup-resource-uris
Review of attachment 8967365 [details] [diff] [review]:
-----------------------------------------------------------------
Thanks for the quick fix!
I confirmed that the patch fixes my issue.
::: dom/script/ScriptLoader.cpp
@@ +3163,1 @@
> bool isWebExt = false;
isWebExt is now unused
Attachment #8967365 -
Flags: feedback+
Updated•7 years ago
|
Attachment #8967365 -
Flags: review?(amarchesini) → review+
Assignee | ||
Comment 5•7 years ago
|
||
(In reply to Matthew N. [:MattN] (PM if requests are blocking you) from comment #4)
> isWebExt is now unused
Indeed, thanks.
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/d0f8f8120bc6
Don't use channel URI for loading modules from resource: scheme r=baku
Comment 7•7 years ago
|
||
bugherder |
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox61:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
Comment 8•7 years ago
|
||
bugherder |
Comment 9•5 years ago
|
||
Comment 10•5 years ago
|
||
Comment on attachment 9071590 [details]
Bug 1554294 - Adding in chrome as a supported scriptLoader IsInternalURIScheme and adding relative file paths to aboutlogins
Revision D34705 was moved to bug 1554294. Setting attachment 9071590 [details] to obsolete.
Attachment #9071590 -
Attachment is obsolete: true
You need to log in
before you can comment on or make changes to this bug.
Description
•