Bug 1418241
- CSP violation: blockedURI inline/eval, r=ckerschb
parent
375af7205f
commit
14262bdc7c
@ -483,7 +483,7 @@ nsCSPContext::reportInlineViolation(nsContentPolicyType aContentType,
|
||||
|
||||
nsCOMPtr<nsISupportsCString> selfICString(do_CreateInstance(NS_SUPPORTS_CSTRING_CONTRACTID));
|
||||
if (selfICString) {
|
||||
selfICString->SetData(nsDependentCString("self"));
|
||||
selfICString->SetData(nsDependentCString("inline"));
|
||||
}
|
||||
nsCOMPtr<nsISupports> selfISupports(do_QueryInterface(selfICString));
|
||||
|
||||
@ -672,7 +672,16 @@ nsCSPContext::LogViolationDetails(uint16_t aViolationType,
|
||||
|
||||
nsCOMPtr<nsISupportsCString> selfICString(do_CreateInstance(NS_SUPPORTS_CSTRING_CONTRACTID));
|
||||
if (selfICString) {
|
||||
selfICString->SetData(nsDependentCString("self"));
|
||||
if (aViolationType == nsIContentSecurityPolicy::VIOLATION_TYPE_EVAL) {
|
||||
selfICString->SetData(nsDependentCString("eval"));
|
||||
} else if (aViolationType == nsIContentSecurityPolicy::VIOLATION_TYPE_INLINE_SCRIPT ||
|
||||
aViolationType == nsIContentSecurityPolicy::VIOLATION_TYPE_INLINE_STYLE) {
|
||||
selfICString->SetData(nsDependentCString("inline"));
|
||||
} else {
|
||||
// All the other types should have a URL, but just in case, let's use
|
||||
// 'self' here.
|
||||
selfICString->SetData(nsDependentCString("self"));
|
||||
}
|
||||
}
|
||||
nsCOMPtr<nsISupports> selfISupports(do_QueryInterface(selfICString));
|
||||
|
||||
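Review bot: The mapping from violation type to the blocked-uri token (`"eval"`, `"inline"`, `"self"`) is written out as an if/else chain inside LogViolationDetails here, and the `"inline"` literal is written a second time in reportInlineViolation in the first hunk, so the two sites can drift apart — a new VIOLATION_TYPE added later would have to be remembered in both. A small file-static helper that returns the token for a given aViolationType, called from both places, keeps the report body and the console/event path consistent and gives the fallback comment one home. LogViolationDetails starts and ends outside this hunk, so the helper would be placed above it; the sketch below replaces only the added if/else chain, and the selfICString creation and selfISupports lines stay as they are.
```cpp
// Maps a CSP violation type to the non-URL token carried in blockedURI.
static const char*
BlockedURITokenForViolation(uint16_t aViolationType)
{
  if (aViolationType == nsIContentSecurityPolicy::VIOLATION_TYPE_EVAL) {
    return "eval";
  }
  if (aViolationType == nsIContentSecurityPolicy::VIOLATION_TYPE_INLINE_SCRIPT ||
      aViolationType == nsIContentSecurityPolicy::VIOLATION_TYPE_INLINE_STYLE) {
    return "inline";
  }
  // All the other types should have a URL, but just in case, use 'self'.
  return "self";
}

// … unchanged: selfICString creation …
if (selfICString) {
  selfICString->SetData(nsDependentCString(BlockedURITokenForViolation(aViolationType)));
}
```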
@ -881,6 +890,7 @@ StripURIForReporting(nsIURI* aURI,
|
||||
nsresult
|
||||
nsCSPContext::GatherSecurityPolicyViolationEventData(
|
||||
nsIURI* aBlockedURI,
|
||||
const nsACString& aBlockedString,
|
||||
nsIURI* aOriginalURI,
|
||||
nsAString& aViolatedDirective,
|
||||
uint32_t aViolatedPolicyIndex,
|
||||
@ -909,6 +919,8 @@ nsCSPContext::GatherSecurityPolicyViolationEventData(
|
||||
nsAutoCString reportBlockedURI;
|
||||
StripURIForReporting(aBlockedURI, mSelfURI, reportBlockedURI);
|
||||
aViolationEventInit.mBlockedURI = NS_ConvertUTF8toUTF16(reportBlockedURI);
|
||||
} else {
|
||||
aViolationEventInit.mBlockedURI = NS_ConvertUTF8toUTF16(aBlockedString);
|
||||
}
|
||||
|
||||
// effective-directive
|
||||
@ -1289,8 +1301,15 @@ class CSPReportSenderRunnable final : public Runnable
|
||||
mozilla::dom::SecurityPolicyViolationEventInit init;
|
||||
// mBlockedContentSource could be a URI or a string.
|
||||
nsCOMPtr<nsIURI> blockedURI = do_QueryInterface(mBlockedContentSource);
|
||||
// if mBlockedContentSource is not a URI, it could be a string
|
||||
nsCOMPtr<nsISupportsCString> blockedICString = do_QueryInterface(mBlockedContentSource);
|
||||
nsAutoCString blockedDataStr;
|
||||
if (blockedICString) {
|
||||
blockedICString->GetData(blockedDataStr);
|
||||
}
|
||||
|
||||
rv = mCSPContext->GatherSecurityPolicyViolationEventData(
|
||||
blockedURI, mOriginalURI,
|
||||
blockedURI, blockedDataStr, mOriginalURI,
|
||||
mViolatedDirective, mViolatedPolicyIndex,
|
||||
mSourceFile, mScriptSample, mLineNum, mColumnNum,
|
||||
init);
|
||||
@ -1308,10 +1327,6 @@ class CSPReportSenderRunnable final : public Runnable
|
||||
mCSPContext->SendReports(init, mViolatedPolicyIndex);
|
||||
|
||||
// 3) log to console (one per policy violation)
|
||||
// if mBlockedContentSource is not a URI, it could be a string
|
||||
nsCOMPtr<nsISupportsCString> blockedString = do_QueryInterface(mBlockedContentSource);
|
||||
|
||||
nsCString blockedDataStr;
|
||||
|
||||
if (blockedURI) {
|
||||
blockedURI->GetSpec(blockedDataStr);
|
||||
@ -1324,8 +1339,6 @@ class CSPReportSenderRunnable final : public Runnable
|
||||
blockedDataStr.Append(NS_ConvertUTF16toUTF8(nsContentUtils::GetLocalizedEllipsis()));
|
||||
}
|
||||
}
|
||||
} else if (blockedString) {
|
||||
blockedString->GetData(blockedDataStr);
|
||||
}
|
||||
|
||||
if (blockedDataStr.Length() > 0) {
|
||||
|
@ -89,6 +89,7 @@ class nsCSPContext : public nsIContentSecurityPolicy
|
||||
*/
|
||||
nsresult GatherSecurityPolicyViolationEventData(
|
||||
nsIURI* aBlockedURI,
|
||||
const nsACString& aBlockedString,
|
||||
nsIURI* aOriginalURI,
|
||||
nsAString& aViolatedDirective,
|
||||
uint32_t aViolatedPolicyIndex,
|
||||
|
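Review bot: The new `aBlockedString` parameter is added to the declaration, but the block comment that closes at the `*/` just above it lies outside the hunk, so I cannot see whether it describes the new argument; the .cpp hunk at line 919 shows it being copied into mBlockedURI only in the `else` branch, i.e. when no blocked URI is available. The comment should state that contract, for example ` * aBlockedString: non-URL token (e.g. "inline", "eval") reported as blockedURI when aBlockedURI is null; not passed through StripURIForReporting.` The rest of the declaration continues outside the hunk.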
@ -48,7 +48,7 @@ window.checkResults = function(reportObj) {
|
||||
ok(cspReport["referrer"].startsWith("http://mochi.test:8888/tests/dom/security/test/csp/test_report.html"),
|
||||
"Incorrect referrer");
|
||||
|
||||
is(cspReport["blocked-uri"], "", "Incorrect blocked-uri");
|
||||
is(cspReport["blocked-uri"], "inline", "Incorrect blocked-uri");
|
||||
|
||||
is(cspReport["violated-directive"], "default-src", "Incorrect violated-directive");
|
||||
|
||||
|
@ -103,7 +103,7 @@ function run_test() {
|
||||
"/foo/self");
|
||||
|
||||
// test that inline script violations cause a report.
|
||||
makeTest(0, {"blocked-uri": ""}, false,
|
||||
makeTest(0, {"blocked-uri": "inline"}, false,
|
||||
function(csp) {
|
||||
let inlineOK = true;
|
||||
inlineOK = csp.getAllowsInline(Ci.nsIContentPolicy.TYPE_SCRIPT,
|
||||
@ -119,7 +119,7 @@ function run_test() {
|
||||
});
|
||||
|
||||
// test that eval violations cause a report.
|
||||
makeTest(1, {"blocked-uri": "",
|
||||
makeTest(1, {"blocked-uri": "eval",
|
||||
// JSON script-sample is UTF8 encoded
|
||||
"script-sample" : "\xc2\xa3\xc2\xa5\xc2\xb5\xe5\x8c\x97\xf0\xa0\x9d\xb9",
|
||||
"line-number": 1,
|
||||
@ -156,7 +156,7 @@ function run_test() {
|
||||
});
|
||||
|
||||
// test that inline script violations cause a report in report-only policy
|
||||
makeTest(3, {"blocked-uri": ""}, true,
|
||||
makeTest(3, {"blocked-uri": "inline"}, true,
|
||||
function(csp) {
|
||||
let inlineOK = true;
|
||||
inlineOK = csp.getAllowsInline(Ci.nsIContentPolicy.TYPE_SCRIPT,
|
||||
@ -172,7 +172,7 @@ function run_test() {
|
||||
});
|
||||
|
||||
// test that eval violations cause a report in report-only policy
|
||||
makeTest(4, {"blocked-uri": ""}, true,
|
||||
makeTest(4, {"blocked-uri": "inline"}, true,
|
||||
function(csp) {
|
||||
let evalOK = true, oReportViolation = {'value': false};
|
||||
evalOK = csp.getAllowsEval(oReportViolation);
|
||||
|
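Review bot: The report-only eval test at `makeTest(4, ...)` now expects `"blocked-uri": "inline"`, while the enforced eval test at `makeTest(1, ...)` in an earlier hunk expects `"eval"`, and the LogViolationDetails hunk in this commit emits `eval` for VIOLATION_TYPE_EVAL with no report-only distinction visible, so this expectation looks copied from the inline case rather than derived from the new behaviour. Unless getAllowsEval in report-only mode is logged through a different path, the line should read `makeTest(4, {"blocked-uri": "eval"}, true,`. If the test passes as written that would itself be worth understanding, since it would mean the report-only eval path does not report `eval`. run_test continues outside the hunk.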
@ -2,4 +2,3 @@
|
||||
expected: TIMEOUT
|
||||
[Direct block, cross-origin = full URL in report]
|
||||
expected: TIMEOUT
|
||||
|
||||
|
@ -1,7 +1,4 @@
|
||||
[report-strips-fragment.html]
|
||||
disabled:
|
||||
if verify: fails in verify mode
|
||||
expected: TIMEOUT
|
||||
[Reported document URI does not contain fragments.]
|
||||
expected: TIMEOUT
|
||||
|
||||
|
@ -1,4 +0,0 @@
|
||||
[javascript-window-open-blocked.html]
|
||||
[Check that a securitypolicyviolation event is fired]
|
||||
expected: FAIL
|
||||
|
@ -1,4 +0,0 @@
|
||||
[script-src-report-only-policy-works-with-hash-policy.html]
|
||||
[Test that the securitypolicyviolation event is fired]
|
||||
expected: FAIL
|
||||
|
@ -2,4 +2,3 @@
|
||||
expected: TIMEOUT
|
||||
[Non-whitelisted script injected via `appendChild` is not allowed with `strict-dynamic` + a nonce+whitelist double policy.]
|
||||
expected: TIMEOUT
|
||||
|
||||
|
@ -1,4 +0,0 @@
|
||||
[blockeduri-eval.html]
|
||||
[Eval violations have a blockedURI of 'eval']
|
||||
expected: FAIL
|
||||
|
@ -1,4 +0,0 @@
|
||||
[blockeduri-inline.html]
|
||||
[Inline violations have a blockedURI of 'inline']
|
||||
expected: FAIL
|
||||
|
@ -1,14 +1,5 @@
|
||||
[script-sample-no-opt-in.html]
|
||||
expected: TIMEOUT
|
||||
[Inline script should not have a sample.]
|
||||
expected: FAIL
|
||||
|
||||
[Inline event handlers should not have a sample.]
|
||||
expected: FAIL
|
||||
|
||||
[JavaScript URLs in iframes should not have a sample.]
|
||||
expected: TIMEOUT
|
||||
|
||||
[eval()-alikes should not have a sample.]
|
||||
expected: TIMEOUT
|
||||
|
||||
|
@ -1,19 +1,4 @@
|
||||
[script-sample.html]
|
||||
expected: TIMEOUT
|
||||
[Inline script should have a sample.]
|
||||
expected: FAIL
|
||||
|
||||
[Inline event handlers should have a sample.]
|
||||
expected: FAIL
|
||||
|
||||
[JavaScript URLs in iframes should have a sample.]
|
||||
expected: TIMEOUT
|
||||
|
||||
[eval() should have a sample.]
|
||||
expected: TIMEOUT
|
||||
|
||||
[setInterval() should have a sample.]
|
||||
expected: TIMEOUT
|
||||
|
||||
[setTimeout() should have a sample.]
|
||||
expected: TIMEOUT
|
||||
|
@ -1,7 +0,0 @@
|
||||
[style-sample-no-opt-in.html]
|
||||
[Inline style blocks should not have a sample.]
|
||||
expected: FAIL
|
||||
|
||||
[Inline style attributes should not have a sample.]
|
||||
expected: FAIL
|
||||
|
@ -1,7 +0,0 @@
|
||||
[style-sample.html]
|
||||
[Inline style blocks should have a sample.]
|
||||
expected: FAIL
|
||||
|
||||
[Inline style attributes should have a sample.]
|
||||
expected: FAIL
|
||||
|
@ -1,12 +1,6 @@
|
||||
[targeting.html]
|
||||
prefs: [dom.webcomponents.shadowdom.enabled:true]
|
||||
expected: TIMEOUT
|
||||
[These tests should not fail.]
|
||||
expected: NOTRUN
|
||||
|
||||
[Inline violations target the right element.]
|
||||
expected: FAIL
|
||||
|
||||
[Correct targeting inside shadow tree (inline handler).]
|
||||
disabled: https://bugzilla.mozilla.org/show_bug.cgi?id=1404842
|
||||
|
||||
|
@ -1,4 +0,0 @@
|
||||
[javascript_src_denied_missing_unsafe_hashes-href.html]
|
||||
[Test that the javascript: src is not allowed to run]
|
||||
expected: FAIL
|
||||
|
@ -1,4 +0,0 @@
|
||||
[javascript_src_denied_missing_unsafe_hashes-href_blank.html]
|
||||
[Test that the javascript: src is not allowed to run]
|
||||
expected: FAIL
|
||||
|
@ -1,4 +0,0 @@
|
||||
[javascript_src_denied_missing_unsafe_hashes-window_open.html]
|
||||
[Test that the javascript: src is not allowed to run]
|
||||
expected: FAIL
|
||||
|
@ -1,4 +0,0 @@
|
||||
[javascript_src_denied_wrong_hash-href.html]
|
||||
[Test that the javascript: src is not allowed to run]
|
||||
expected: FAIL
|
||||
|
@ -1,4 +0,0 @@
|
||||
[javascript_src_denied_wrong_hash-href_blank.html]
|
||||
[Test that the javascript: src is not allowed to run]
|
||||
expected: FAIL
|
||||
|
@ -1,4 +0,0 @@
|
||||
[javascript_src_denied_wrong_hash-window_open.html]
|
||||
[Test that the javascript: src is not allowed to run]
|
||||
expected: FAIL
|
||||
|
@ -1,4 +0,0 @@
|
||||
[script_event_handlers_denied_wrong_hash.html]
|
||||
[Test that the inline event handler is not allowed to run]
|
||||
expected: FAIL
|
||||
|
@ -1,4 +0,0 @@
|
||||
[style_attribute_denied_wrong_hash.html]
|
||||
[Test that the inline style attribute is blocked]
|
||||
expected: FAIL
|
||||
|
@ -835,7 +835,7 @@ function awaitCSP(urlsPromise) {
|
||||
let report = body["csp-report"];
|
||||
|
||||
let origURL = report["blocked-uri"];
|
||||
if (origURL !== "self" && origURL !== "") {
|
||||
if (origURL !== "inline" && origURL !== "") {
|
||||
let {baseURL} = getOriginBase(origURL);
|
||||
|
||||
if (expectedURLs.has(baseURL)) {
|
||||
|
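Review bot: The guard on the new line excludes only `inline` and the empty string, but the removed line also excluded `self`, which this commit's LogViolationDetails still emits as the fallback token, and it can now emit `eval` as well; a report carrying either token would be handed to getOriginBase as if it were a URL. Unless this harness only ever triggers inline violations, the check should cover every non-URL token: `if (origURL !== "inline" && origURL !== "eval" && origURL !== "self" && origURL !== "") {`. awaitCSP continues outside the hunk.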