authorBartek IwaƄczuk <biwanczuk@gmail.com>2020-05-21 13:06:12 +0200
committerGitHub <noreply@github.com>2020-05-21 13:06:12 +0200
commit5f9c1c7da6047ee8612e71f8ef4ca9c950b3a699 (patch)
tree7a2175a4c8c9a694924dad5183790d3c75a8bf5e /cli/module_graph.rs
parentbebb8c029fff56f3a6e653b757583ab5c1d4b11f (diff)
fix: disallow http imports for modules loaded over https (#5680)
Diffstat (limited to 'cli/module_graph.rs')
-rw-r--r--cli/module_graph.rs18
1 files changed, 17 insertions, 1 deletions
diff --git a/cli/module_graph.rs b/cli/module_graph.rs
index 21e575cfd..e03468679 100644
--- a/cli/module_graph.rs
+++ b/cli/module_graph.rs
@@ -274,6 +274,8 @@ impl ModuleGraphLoader {
Ok(())
}
+ // TODO(bartlomieju): decorate errors with import location in the source code
+ // https://github.com/denoland/deno/issues/5080
fn download_module(
&mut self,
module_specifier: ModuleSpecifier,
@@ -283,6 +285,18 @@ impl ModuleGraphLoader {
return Ok(());
}
+ // Disallow http:// imports from modules loaded over https://
+ if let Some(referrer) = maybe_referrer.as_ref() {
+ if let "https" = referrer.as_url().scheme() {
+ if let "http" = module_specifier.as_url().scheme() {
+ let e = OpError::permission_denied(
+ "Modules loaded over https:// are not allowed to import modules over http://".to_string()
+ );
+ return Err(e.into());
+ };
+ };
+ };
+
if !self.is_dyn_import {
// Verify that remote file doesn't try to statically import local file.
if let Some(referrer) = maybe_referrer.as_ref() {
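Review bot: The new https-to-http check sits after the early `return Ok(());` visible at the top of this hunk, so whatever guards that return (it is outside the hunk; presumably an already-downloaded short-circuit) also skips the scheme check, and whether a downgrade import is rejected may then depend on load order. If the policy is meant to hold for every https referrer, the check should move above that early return. The check also compares only the scheme of the specifier as written, so an https URL that redirects to http may need to be caught where the fetched URL is resolved, which is not visible here. As a style point, the three nested `if let "…" = …` blocks with trailing `;` read more plainly as one condition, `if referrer.as_url().scheme() == "https" && module_specifier.as_url().scheme() == "http" {`. `download_module` starts and ends outside this hunk.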
@@ -293,7 +307,9 @@ impl ModuleGraphLoader {
match specifier_url.scheme() {
"http" | "https" => {}
_ => {
- let e = OpError::permission_denied("Remote module are not allowed to statically import local modules. Use dynamic import instead.".to_string());
+ let e = OpError::permission_denied(
+ "Remote modules are not allowed to statically import local modules. Use dynamic import instead.".to_string()
+ );
return Err(e.into());
}
}