[tor-commits] [Git][tpo/applications/mullvad-browser][mullvad-browser-149.0a1-16.0-2] BB 44865: Block requests to chrome://*/locale.

To: tor-commits@xxxxxxxxxxxxxxxxxxxx

Subject: [tor-commits] [Git][tpo/applications/mullvad-browser][mullvad-browser-149.0a1-16.0-2] BB 44865: Block requests to chrome://*/locale.

From: "Pier Angelo Vendrame (@pierov) via tor-commits" <tor-commits@xxxxxxxxxxxxxxxxxxxx>

Date: Thu, 16 Apr 2026 17:38:22 +0000

Auto-submitted: auto-generated

List-id: "auto: code repository commits" <tor-commits.lists.torproject.org>

Reply-to: noreply@xxxxxxxxxxxxxx, "Pier Angelo Vendrame (@pierov)" <git@xxxxxxxxxxxxxxxxxxxxx>

Title: GitLab

Pier Angelo Vendrame pushed to branch mullvad-browser-149.0a1-16.0-2 at The Tor Project / Applications / Mullvad Browser

Commits:

1beb74fb
by Pier Angelo Vendrame at 2026-04-16T19:38:10+02:00
```
BB 44865: Block requests to chrome://*/locale.
```

1 changed file:

caps/nsScriptSecurityManager.cpp

Changes:

caps/nsScriptSecurityManager.cpp

@@ -1104,6 +1104,12 @@ nsresult nsScriptSecurityManager::CheckLoadURIFlags(
            return NS_OK;
+         }
        } else if (targetScheme.EqualsLiteral("chrome")) {
 +        nsAutoCString path;
 +        if (NS_SUCCEEDED(aTargetURI->GetPathQueryRef(path)) &&
 +            StringBeginsWith(path, "/locale/"_ns)) {
 +          return NS_ERROR_DOM_BAD_URI;
 +        }
++
          // Allow the load only if the chrome package is allowlisted.
          nsCOMPtr<nsIXULChromeRegistry> reg(
              do_GetService(NS_CHROMEREGISTRY_CONTRACTID));

_______________________________________________ tor-commits mailing list -- tor-commits@xxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to tor-commits-leave@xxxxxxxxxxxxxxxxxxxx