gnu/packages/patches/icecat-CVE-2016-1954.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32

Copied from upstream:
https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/a5c4c18849b4

# HG changeset patch
# User Christoph Kerschbaumer <mozilla@christophkerschbaumer.com>
# Date 1456157874 28800
# Node ID a5c4c18849b486ef8693e20421b69239a2cbe574
# Parent  e93aeb25e2a44df8d22f5a065b4410620e2c8730
Bug 1243178: CSP - Skip sending reports for non http schemes (r=dveditz) a=ritu

diff --git a/dom/security/nsCSPContext.cpp b/dom/security/nsCSPContext.cpp
--- a/dom/security/nsCSPContext.cpp
+++ b/dom/security/nsCSPContext.cpp
@@ -798,16 +798,17 @@ nsCSPContext::SendReports(nsISupports* a
       (NS_SUCCEEDED(reportURI->SchemeIs("https", &isHttpScheme)) && isHttpScheme);
 
     if (!isHttpScheme) {
       const char16_t* params[] = { reportURIs[r].get() };
       CSP_LogLocalizedStr(NS_LITERAL_STRING("reportURInotHttpsOrHttp2").get(),
                           params, ArrayLength(params),
                           aSourceFile, aScriptSample, aLineNum, 0,
                           nsIScriptError::errorFlag, "CSP", mInnerWindowID);
+      continue;
     }
 
     // make sure this is an anonymous request (no cookies) so in case the
     // policy URI is injected, it can't be abused for CSRF.
     nsLoadFlags flags;
     rv = reportChannel->GetLoadFlags(&flags);
     NS_ENSURE_SUCCESS(rv, rv);
     flags |= nsIRequest::LOAD_ANONYMOUS;