Closed Bug 1453559 Opened 4 years ago Closed 4 years ago

Relative path ES Module import over a resource: URI resolves to a file: URI from within a module


(Core :: JavaScript Engine, defect)

Not set



Tracking Status
firefox61 --- fixed


(Reporter: MattN, Assigned: jonco)


(Blocks 1 open bug, )



(2 files, 1 obsolete file)

If I have an HTML document and two modules loaded over a resource:// URI where the HTML document imports module 1 and that in turn imports module 2 using a relative path, the import of module 2 fails with the error:

> Security Error: Content at resource://payments/example.html may not load or link to file:///Users/matthew/mozilla-central/toolkit/components/payments/res/example-module2.js.

Note that example-module.js is resolved fine, the problem is only with the nested module import.

See the attached example which can be applied to m-c and run via resource://payments/example.html

Changing the import of module B to use the absolute resource URI works around the problem though I wonder if that means that the module script may be executed more than once? That workaround won't work for bug 1446179 as we don't want to hard-code the resource: scheme so that we can use the same modules over http:

This bug prevents using relative resource URI paths within the Firefox front-end. The same issue may apply to chrome:// too though I didn't test that.
See the Browser Console when you load resource://payments/example.html
(In reply to Matthew N. [:MattN] (PM if requests are blocking you) from comment #0)
Thanks for filing this and for providing a testcase.
This is the same problem as bug 1371551 but for resource: URIs.

This patch extends the fix for that bug to also cover this scheme.  Instead of using the response URL for the fetch we use the channel's original URI (the request URI).  This doesn't matter for these kinds of scheme.
Assignee: nobody → jcoppeard
Attachment #8967365 - Flags: review?(amarchesini)
Comment on attachment 8967365 [details] [diff] [review]

Review of attachment 8967365 [details] [diff] [review]:

Thanks for the quick fix!

I confirmed that the patch fixes my issue.

::: dom/script/ScriptLoader.cpp
@@ +3163,1 @@
>      bool isWebExt = false;

isWebExt is now unused
Attachment #8967365 - Flags: feedback+
Attachment #8967365 - Flags: review?(amarchesini) → review+
(In reply to Matthew N. [:MattN] (PM if requests are blocking you) from comment #4)
> isWebExt is now unused

Indeed, thanks.
Pushed by
Don't use channel URI for loading modules from resource: scheme r=baku
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
See Also: → 1554294

Comment on attachment 9071590 [details]
Bug 1554294 - Adding in chrome as a supported scriptLoader IsInternalURIScheme and adding relative file paths to aboutlogins

Revision D34705 was moved to bug 1554294. Setting attachment 9071590 [details] to obsolete.

Attachment #9071590 - Attachment is obsolete: true
You need to log in before you can comment on or make changes to this bug.