Closed Bug 1453559 Opened 2 years ago Closed Last year

Relative path ES Module import over a resource: URI resolves to a file: URI from within a module

Categories

(Core :: JavaScript Engine, defect)

defect
Not set

Tracking

()

RESOLVED FIXED
mozilla61
Tracking Status
firefox61 --- fixed

People

(Reporter: MattN, Assigned: jonco)

References

(Blocks 1 open bug, )

Details

Attachments

(2 files, 1 obsolete file)

If I have an HTML document and two modules loaded over a resource:// URI where the HTML document imports module 1 and that in turn imports module 2 using a relative path, the import of module 2 fails with the error:

> Security Error: Content at resource://payments/example.html may not load or link to file:///Users/matthew/mozilla-central/toolkit/components/payments/res/example-module2.js.

Note that example-module.js is resolved fine, the problem is only with the nested module import.

See the attached example which can be applied to m-c and run via resource://payments/example.html

Changing the import of module B to use the absolute resource URI works around the problem though I wonder if that means that the module script may be executed more than once? That workaround won't work for bug 1446179 as we don't want to hard-code the resource: scheme so that we can use the same modules over http:

This bug prevents using relative resource URI paths within the Firefox front-end. The same issue may apply to chrome:// too though I didn't test that.
See the Browser Console when you load resource://payments/example.html
(In reply to Matthew N. [:MattN] (PM if requests are blocking you) from comment #0)
Thanks for filing this and for providing a testcase.
This is the same problem as bug 1371551 but for resource: URIs.

This patch extends the fix for that bug to also cover this scheme.  Instead of using the response URL for the fetch we use the channel's original URI (the request URI).  This doesn't matter for these kinds of scheme.
Assignee: nobody → jcoppeard
Attachment #8967365 - Flags: review?(amarchesini)
Comment on attachment 8967365 [details] [diff] [review]
bug1453559-fixup-resource-uris

Review of attachment 8967365 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks for the quick fix!

I confirmed that the patch fixes my issue.

::: dom/script/ScriptLoader.cpp
@@ +3163,1 @@
>      bool isWebExt = false;

isWebExt is now unused
Attachment #8967365 - Flags: feedback+
Attachment #8967365 - Flags: review?(amarchesini) → review+
(In reply to Matthew N. [:MattN] (PM if requests are blocking you) from comment #4)
> isWebExt is now unused

Indeed, thanks.
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/d0f8f8120bc6
Don't use channel URI for loading modules from resource: scheme r=baku
https://hg.mozilla.org/mozilla-central/rev/d0f8f8120bc6
Status: NEW → RESOLVED
Closed: Last year
Resolution: --- → FIXED
Target Milestone: --- → mozilla61

Comment on attachment 9071590 [details]
Bug 1554294 - Adding in chrome as a supported scriptLoader IsInternalURIScheme and adding relative file paths to aboutlogins

Revision D34705 was moved to bug 1554294. Setting attachment 9071590 [details] to obsolete.

Attachment #9071590 - Attachment is obsolete: true
You need to log in before you can comment on or make changes to this bug.