LibWeb: Prevent http:// URLs loading scripts sourced from file:// URLs

Fixes #1616
Author: https://github.com/bcoles Commit: https://github.com/SerenityOS/serenity/commit/6b0f47683c7 Pull-request: https://github.com/SerenityOS/serenity/pull/1732 Issue: https://github.com/SerenityOS/serenity/issues/1616
2025-04-23 04:55:15 +00:00 · 2020-04-10 17:41:07 +00:00 · 2020-04-10 17:41:07 +00:00 · 6b0f47683c · 2024-07-19 07:42:11 +09:00
commit 6b0f47683c
parent 17b8857dc0
1 changed files with 6 additions and 1 deletions
--- a/Libraries/LibWeb/DOM/HTMLScriptElement.cpp
+++ b/Libraries/LibWeb/DOM/HTMLScriptElement.cpp
@ -71,8 +71,13 @@ void HTMLScriptElement::inserted_into(Node& new_parent)
    if (src.is_null())
        return;

-    String source;
    URL src_url = document().complete_url(src);
+    if (src_url.protocol() == "file" && document().url().protocol() != src_url.protocol()) {
+        dbg() << "HTMLScriptElement: Forbidden to load " << src_url.to_string() << " from " << document().url().to_string();
+        return;
+    }
+
+    String source;
    ResourceLoader::the().load_sync(src_url, [&](auto& data) {
        if (data.is_null()) {
            dbg() << "HTMLScriptElement: Failed to load " << src;