Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2024-10-09 19:35:51 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Bug 1418241 - CSP violation: blockedURI inline/eval, r=ckerschb

Browse Source
This commit is contained in:
Andrea Marchesini 2018-07-17 11:13:12 +02:00
parent 375af7205f
commit 14262bdc7c
25 changed files with 29 additions and 112 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
dom/security/nsCSPContext.cpp
View File

@ -483,7 +483,7 @@ nsCSPContext::reportInlineViolation(nsContentPolicyType aContentType,
nsCOMPtr<nsISupportsCString> selfICString(do_CreateInstance(NS_SUPPORTS_CSTRING_CONTRACTID));
if (selfICString) {
selfICString->SetData(nsDependentCString("self"));
selfICString->SetData(nsDependentCString("inline"));
}
nsCOMPtr<nsISupports> selfISupports(do_QueryInterface(selfICString));
@ -672,7 +672,16 @@ nsCSPContext::LogViolationDetails(uint16_t aViolationType,
nsCOMPtr<nsISupportsCString> selfICString(do_CreateInstance(NS_SUPPORTS_CSTRING_CONTRACTID));
if (selfICString) {
selfICString->SetData(nsDependentCString("self"));
if (aViolationType == nsIContentSecurityPolicy::VIOLATION_TYPE_EVAL) {
selfICString->SetData(nsDependentCString("eval"));
} else if (aViolationType == nsIContentSecurityPolicy::VIOLATION_TYPE_INLINE_SCRIPT ||
aViolationType == nsIContentSecurityPolicy::VIOLATION_TYPE_INLINE_STYLE) {
selfICString->SetData(nsDependentCString("inline"));
} else {
// All the other types should have a URL, but just in case, let's use
// 'self' here.
selfICString->SetData(nsDependentCString("self"));
}
}
nsCOMPtr<nsISupports> selfISupports(do_QueryInterface(selfICString));
@ -881,6 +890,7 @@ StripURIForReporting(nsIURI* aURI,
nsresult
nsCSPContext::GatherSecurityPolicyViolationEventData(
nsIURI* aBlockedURI,
const nsACString& aBlockedString,
nsIURI* aOriginalURI,
nsAString& aViolatedDirective,
uint32_t aViolatedPolicyIndex,
@ -909,6 +919,8 @@ nsCSPContext::GatherSecurityPolicyViolationEventData(
nsAutoCString reportBlockedURI;
StripURIForReporting(aBlockedURI, mSelfURI, reportBlockedURI);
aViolationEventInit.mBlockedURI = NS_ConvertUTF8toUTF16(reportBlockedURI);
} else {
aViolationEventInit.mBlockedURI = NS_ConvertUTF8toUTF16(aBlockedString);
}
// effective-directive
@ -1289,8 +1301,15 @@ class CSPReportSenderRunnable final : public Runnable
mozilla::dom::SecurityPolicyViolationEventInit init;
// mBlockedContentSource could be a URI or a string.
nsCOMPtr<nsIURI> blockedURI = do_QueryInterface(mBlockedContentSource);
// if mBlockedContentSource is not a URI, it could be a string
nsCOMPtr<nsISupportsCString> blockedICString = do_QueryInterface(mBlockedContentSource);
nsAutoCString blockedDataStr;
if (blockedICString) {
blockedICString->GetData(blockedDataStr);
}
rv = mCSPContext->GatherSecurityPolicyViolationEventData(
blockedURI, mOriginalURI,
blockedURI, blockedDataStr, mOriginalURI,
mViolatedDirective, mViolatedPolicyIndex,
mSourceFile, mScriptSample, mLineNum, mColumnNum,
init);
@ -1308,10 +1327,6 @@ class CSPReportSenderRunnable final : public Runnable
mCSPContext->SendReports(init, mViolatedPolicyIndex);
// 3) log to console (one per policy violation)
// if mBlockedContentSource is not a URI, it could be a string
nsCOMPtr<nsISupportsCString> blockedString = do_QueryInterface(mBlockedContentSource);
nsCString blockedDataStr;
if (blockedURI) {
blockedURI->GetSpec(blockedDataStr);
@ -1324,8 +1339,6 @@ class CSPReportSenderRunnable final : public Runnable
blockedDataStr.Append(NS_ConvertUTF16toUTF8(nsContentUtils::GetLocalizedEllipsis()));
}
}
} else if (blockedString) {
blockedString->GetData(blockedDataStr);
}
if (blockedDataStr.Length() > 0) {

1
dom/security/nsCSPContext.h
View File

@ -89,6 +89,7 @@ class nsCSPContext : public nsIContentSecurityPolicy
*/
nsresult GatherSecurityPolicyViolationEventData(
nsIURI* aBlockedURI,
const nsACString& aBlockedString,
nsIURI* aOriginalURI,
nsAString& aViolatedDirective,
uint32_t aViolatedPolicyIndex,

2
dom/security/test/csp/test_report.html
View File

@ -48,7 +48,7 @@ window.checkResults = function(reportObj) {
ok(cspReport["referrer"].startsWith("http://mochi.test:8888/tests/dom/security/test/csp/test_report.html"),
"Incorrect referrer");
is(cspReport["blocked-uri"], "", "Incorrect blocked-uri");
is(cspReport["blocked-uri"], "inline", "Incorrect blocked-uri");
is(cspReport["violated-directive"], "default-src", "Incorrect violated-directive");

8
dom/security/test/unit/test_csp_reports.js
View File

@ -103,7 +103,7 @@ function run_test() {
"/foo/self");
// test that inline script violations cause a report.
makeTest(0, {"blocked-uri": ""}, false,
makeTest(0, {"blocked-uri": "inline"}, false,
function(csp) {
let inlineOK = true;
inlineOK = csp.getAllowsInline(Ci.nsIContentPolicy.TYPE_SCRIPT,
@ -119,7 +119,7 @@ function run_test() {
});
// test that eval violations cause a report.
makeTest(1, {"blocked-uri": "",
makeTest(1, {"blocked-uri": "eval",
// JSON script-sample is UTF8 encoded
"script-sample" : "\xc2\xa3\xc2\xa5\xc2\xb5\xe5\x8c\x97\xf0\xa0\x9d\xb9",
"line-number": 1,
@ -156,7 +156,7 @@ function run_test() {
});
// test that inline script violations cause a report in report-only policy
makeTest(3, {"blocked-uri": ""}, true,
makeTest(3, {"blocked-uri": "inline"}, true,
function(csp) {
let inlineOK = true;
inlineOK = csp.getAllowsInline(Ci.nsIContentPolicy.TYPE_SCRIPT,
@ -172,7 +172,7 @@ function run_test() {
});
// test that eval violations cause a report in report-only policy
makeTest(4, {"blocked-uri": ""}, true,
makeTest(4, {"blocked-uri": "inline"}, true,
function(csp) {
let evalOK = true, oReportViolation = {'value': false};
evalOK = csp.getAllowsEval(oReportViolation);

1
testing/web-platform/meta/content-security-policy/reporting/report-original-url.sub.html.ini
View File

@ -2,4 +2,3 @@
expected: TIMEOUT
[Direct block, cross-origin = full URL in report]
expected: TIMEOUT

3
testing/web-platform/meta/content-security-policy/reporting/report-strips-fragment.html.ini
View File

@ -1,7 +1,4 @@
[report-strips-fragment.html]
disabled:
if verify: fails in verify mode
expected: TIMEOUT
[Reported document URI does not contain fragments.]
expected: TIMEOUT

4
testing/web-platform/meta/content-security-policy/script-src/javascript-window-open-blocked.html.ini
View File

@ -1,4 +0,0 @@
[javascript-window-open-blocked.html]
[Check that a securitypolicyviolation event is fired]
expected: FAIL

4
testing/web-platform/meta/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy.html.ini
View File

@ -1,4 +0,0 @@
[script-src-report-only-policy-works-with-hash-policy.html]
[Test that the securitypolicyviolation event is fired]
expected: FAIL

1
testing/web-platform/meta/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_whitelist.sub.html.ini
View File

@ -2,4 +2,3 @@
expected: TIMEOUT
[Non-whitelisted script injected via `appendChild` is not allowed with `strict-dynamic` + a nonce+whitelist double policy.]
expected: TIMEOUT

4
testing/web-platform/meta/content-security-policy/securitypolicyviolation/blockeduri-eval.html.ini
View File

@ -1,4 +0,0 @@
[blockeduri-eval.html]
[Eval violations have a blockedURI of 'eval']
expected: FAIL

4
testing/web-platform/meta/content-security-policy/securitypolicyviolation/blockeduri-inline.html.ini
View File

@ -1,4 +0,0 @@
[blockeduri-inline.html]
[Inline violations have a blockedURI of 'inline']
expected: FAIL

9
testing/web-platform/meta/content-security-policy/securitypolicyviolation/script-sample-no-opt-in.html.ini
View File

@ -1,14 +1,5 @@
[script-sample-no-opt-in.html]
expected: TIMEOUT
[Inline script should not have a sample.]
expected: FAIL
[Inline event handlers should not have a sample.]
expected: FAIL
[JavaScript URLs in iframes should not have a sample.]
expected: TIMEOUT
[eval()-alikes should not have a sample.]
expected: TIMEOUT

15
testing/web-platform/meta/content-security-policy/securitypolicyviolation/script-sample.html.ini
View File

@ -1,19 +1,4 @@
[script-sample.html]
expected: TIMEOUT
[Inline script should have a sample.]
expected: FAIL
[Inline event handlers should have a sample.]
expected: FAIL
[JavaScript URLs in iframes should have a sample.]
expected: TIMEOUT
[eval() should have a sample.]
expected: TIMEOUT
[setInterval() should have a sample.]
expected: TIMEOUT
[setTimeout() should have a sample.]
expected: TIMEOUT

7
testing/web-platform/meta/content-security-policy/securitypolicyviolation/style-sample-no-opt-in.html.ini
View File

@ -1,7 +0,0 @@
[style-sample-no-opt-in.html]
[Inline style blocks should not have a sample.]
expected: FAIL
[Inline style attributes should not have a sample.]
expected: FAIL

7
testing/web-platform/meta/content-security-policy/securitypolicyviolation/style-sample.html.ini
View File

@ -1,7 +0,0 @@
[style-sample.html]
[Inline style blocks should have a sample.]
expected: FAIL
[Inline style attributes should have a sample.]
expected: FAIL

6
testing/web-platform/meta/content-security-policy/securitypolicyviolation/targeting.html.ini
View File

@ -1,12 +1,6 @@
[targeting.html]
prefs: [dom.webcomponents.shadowdom.enabled:true]
expected: TIMEOUT
[These tests should not fail.]
expected: NOTRUN
[Inline violations target the right element.]
expected: FAIL
[Correct targeting inside shadow tree (inline handler).]
disabled: https://bugzilla.mozilla.org/show_bug.cgi?id=1404842

4
testing/web-platform/meta/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href.html.ini
View File

@ -1,4 +0,0 @@
[javascript_src_denied_missing_unsafe_hashes-href.html]
[Test that the javascript: src is not allowed to run]
expected: FAIL

4
testing/web-platform/meta/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank.html.ini
View File

@ -1,4 +0,0 @@
[javascript_src_denied_missing_unsafe_hashes-href_blank.html]
[Test that the javascript: src is not allowed to run]
expected: FAIL

4
testing/web-platform/meta/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_open.html.ini
View File

@ -1,4 +0,0 @@
[javascript_src_denied_missing_unsafe_hashes-window_open.html]
[Test that the javascript: src is not allowed to run]
expected: FAIL

4
testing/web-platform/meta/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href.html.ini
View File

@ -1,4 +0,0 @@
[javascript_src_denied_wrong_hash-href.html]
[Test that the javascript: src is not allowed to run]
expected: FAIL

4
testing/web-platform/meta/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank.html.ini
View File

@ -1,4 +0,0 @@
[javascript_src_denied_wrong_hash-href_blank.html]
[Test that the javascript: src is not allowed to run]
expected: FAIL

4
testing/web-platform/meta/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_open.html.ini
View File

@ -1,4 +0,0 @@
[javascript_src_denied_wrong_hash-window_open.html]
[Test that the javascript: src is not allowed to run]
expected: FAIL

4
testing/web-platform/meta/content-security-policy/unsafe-hashes/script_event_handlers_denied_wrong_hash.html.ini
View File

@ -1,4 +0,0 @@
[script_event_handlers_denied_wrong_hash.html]
[Test that the inline event handler is not allowed to run]
expected: FAIL

4
testing/web-platform/meta/content-security-policy/unsafe-hashes/style_attribute_denied_wrong_hash.html.ini
View File

@ -1,4 +0,0 @@
[style_attribute_denied_wrong_hash.html]
[Test that the inline style attribute is blocked]
expected: FAIL

2
toolkit/components/extensions/test/xpcshell/test_ext_contentscript_triggeringPrincipal.js
View File

@ -835,7 +835,7 @@ function awaitCSP(urlsPromise) {
let report = body["csp-report"];
let origURL = report["blocked-uri"];
if (origURL !== "self" && origURL !== "") {
if (origURL !== "inline" && origURL !== "") {
let {baseURL} = getOriginBase(origURL);
if (expectedURLs.has(baseURL)) {