Closed Bug 1453559 Opened 2 years ago Closed Last year
Relative path ES Module import over a resource: URI resolves to a file: URI from within a module
If I have an HTML document and two modules loaded over a resource:// URI where the HTML document imports module 1 and that in turn imports module 2 using a relative path, the import of module 2 fails with the error: > Security Error: Content at resource://payments/example.html may not load or link to file:///Users/matthew/mozilla-central/toolkit/components/payments/res/example-module2.js. Note that example-module.js is resolved fine, the problem is only with the nested module import. See the attached example which can be applied to m-c and run via resource://payments/example.html Changing the import of module B to use the absolute resource URI works around the problem though I wonder if that means that the module script may be executed more than once? That workaround won't work for bug 1446179 as we don't want to hard-code the resource: scheme so that we can use the same modules over http: This bug prevents using relative resource URI paths within the Firefox front-end. The same issue may apply to chrome:// too though I didn't test that.
See the Browser Console when you load resource://payments/example.html
(In reply to Matthew N. [:MattN] (PM if requests are blocking you) from comment #0) Thanks for filing this and for providing a testcase.
This is the same problem as bug 1371551 but for resource: URIs. This patch extends the fix for that bug to also cover this scheme. Instead of using the response URL for the fetch we use the channel's original URI (the request URI). This doesn't matter for these kinds of scheme.
Assignee: nobody → jcoppeard
Attachment #8967365 - Flags: review?(amarchesini)
Comment on attachment 8967365 [details] [diff] [review] bug1453559-fixup-resource-uris Review of attachment 8967365 [details] [diff] [review]: ----------------------------------------------------------------- Thanks for the quick fix! I confirmed that the patch fixes my issue. ::: dom/script/ScriptLoader.cpp @@ +3163,1 @@ > bool isWebExt = false; isWebExt is now unused
Attachment #8967365 - Flags: feedback+
Attachment #8967365 - Flags: review?(amarchesini) → review+
(In reply to Matthew N. [:MattN] (PM if requests are blocking you) from comment #4) > isWebExt is now unused Indeed, thanks.
Pushed by firstname.lastname@example.org: https://hg.mozilla.org/integration/mozilla-inbound/rev/d0f8f8120bc6 Don't use channel URI for loading modules from resource: scheme r=baku
4 months ago
See Also: → 1554294
You need to log in before you can comment on or make changes to this bug.