RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-10-31 17:52:45 +00:00
Code Issues Activity Actions

LibWeb: Prevent http:// URLs loading scripts sourced from file:// URLs

Browse source 
Fixes #1616
This commit is contained in:
Brendan Coles 2020-04-10 17:41:07 +00:00 committed by Andreas Kling
parent 17b8857dc0
commit 6b0f47683c
1 changed files with 6 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

7
Libraries/LibWeb/DOM/HTMLScriptElement.cpp
View file

@ -71,8 +71,13 @@ void HTMLScriptElement::inserted_into(Node& new_parent)
if (src.is_null())
return;
String source;
URL src_url = document().complete_url(src);
if (src_url.protocol() == "file" && document().url().protocol() != src_url.protocol()) {
dbg() << "HTMLScriptElement: Forbidden to load " << src_url.to_string() << " from " << document().url().to_string();
return;
}
String source;
ResourceLoader::the().load_sync(src_url, [&](auto& data) {
if (data.is_null()) {
dbg() << "HTMLScriptElement: Failed to load " << src;