Merge pull request #23311 from mozfreddyb/bug-1056882

Bug 1056882: disallow cross-origin imports
mozilla-b2g · Aug 26, 2014 · 503d3c4 · 503d3c4
2 parents 14a2fef + 33f2a2e
commit 503d3c4
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/shared/js/html_imports.js b/shared/js/html_imports.js
@@ -48,6 +48,9 @@ var HtmlImports = {
   },
 
   getImportContent: function(path, callback) {
+    // bail out if the imported resource isn't in the same origin
+    var parsedURL = new URL(path, location.href);
+    if (parsedURL.origin !== location.origin) { return }
     var xhr = new XMLHttpRequest();
     xhr.onload = function(o) {
       callback(xhr.responseText);