From 6b0f47683c78b0b9482efb7c95e42bb9a2bcaf7f Mon Sep 17 00:00:00 2001
From: Brendan Coles <bcoles@gmail.com>
Date: Fri, 10 Apr 2020 17:41:07 +0000
Subject: [PATCH] LibWeb: Prevent http:// URLs loading scripts sourced from
 file:// URLs

Fixes #1616
---
 Libraries/LibWeb/DOM/HTMLScriptElement.cpp | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/Libraries/LibWeb/DOM/HTMLScriptElement.cpp b/Libraries/LibWeb/DOM/HTMLScriptElement.cpp
index 5745878c48..9061b893e3 100644
--- a/Libraries/LibWeb/DOM/HTMLScriptElement.cpp
+++ b/Libraries/LibWeb/DOM/HTMLScriptElement.cpp
@@ -71,8 +71,13 @@ void HTMLScriptElement::inserted_into(Node& new_parent)
     if (src.is_null())
         return;
 
-    String source;
     URL src_url = document().complete_url(src);
+    if (src_url.protocol() == "file" && document().url().protocol() != src_url.protocol()) {
+        dbg() << "HTMLScriptElement: Forbidden to load " << src_url.to_string() << " from " << document().url().to_string();
+        return;
+    }
+
+    String source;
     ResourceLoader::the().load_sync(src_url, [&](auto& data) {
         if (data.is_null()) {
             dbg() << "HTMLScriptElement: Failed to load " << src;