Bug 1236222 - CSP: Blocked URI should be empty for inline violations. r=ckerschb

MozReview-Commit-ID: 6bMAVJl9RTG

--HG--
extra : rebase_source : e2cceb777ac659f7fd1a84f6d8408dc7e7179a35

dom/security/nsCSPContext.cpp

@@ -897,7 +897,7 @@ StripURIForReporting(nsIURI* aURI,
 
 nsresult
 nsCSPContext::GatherSecurityPolicyViolationEventData(
-  nsISupports* aBlockedContentSource,
+  nsIURI* aBlockedURI,
   nsIURI* aOriginalURI,
   nsAString& aViolatedDirective,
   uint32_t aViolatedPolicyIndex,
@@ -921,23 +921,9 @@ nsCSPContext::GatherSecurityPolicyViolationEventData(
   aViolationEventInit.mReferrer = mReferrer;
 
   // blocked-uri
-  if (aBlockedContentSource) {
+  if (aBlockedURI) {
     nsAutoCString reportBlockedURI;
-    nsCOMPtr<nsIURI> uri = do_QueryInterface(aBlockedContentSource);
-    // could be a string or URI
-    if (uri) {
-      StripURIForReporting(uri, mSelfURI, reportBlockedURI);
-    } else {
-      nsCOMPtr<nsISupportsCString> cstr = do_QueryInterface(aBlockedContentSource);
-      if (cstr) {
-        cstr->GetData(reportBlockedURI);
-      }
-    }
-    if (reportBlockedURI.IsEmpty()) {
-      // this can happen for frame-ancestors violation where the violating
-      // ancestor is cross-origin.
-      NS_WARNING("No blocked URI (null aBlockedContentSource) for CSP violation report.");
-    }
+    StripURIForReporting(aBlockedURI, mSelfURI, reportBlockedURI);
     aViolationEventInit.mBlockedURI = NS_ConvertUTF8toUTF16(reportBlockedURI);
   }
 
@@ -1266,8 +1252,10 @@ class CSPReportSenderRunnable final : public Runnable
 
       // 0) prepare violation data
       mozilla::dom::SecurityPolicyViolationEventInit init;
+      // mBlockedContentSource could be a URI or a string.
+      nsCOMPtr<nsIURI> blockedURI = do_QueryInterface(mBlockedContentSource);
       rv = mCSPContext->GatherSecurityPolicyViolationEventData(
-        mBlockedContentSource, mOriginalURI,
+        blockedURI, mOriginalURI,
         mViolatedDirective, mViolatedPolicyIndex,
         mSourceFile, mScriptSample, mLineNum,
         init);
@@ -1285,8 +1273,6 @@ class CSPReportSenderRunnable final : public Runnable
       mCSPContext->SendReports(init, mViolatedPolicyIndex);
 
       // 3) log to console (one per policy violation)
-      // mBlockedContentSource could be a URI or a string.
-      nsCOMPtr<nsIURI> blockedURI = do_QueryInterface(mBlockedContentSource);
       // if mBlockedContentSource is not a URI, it could be a string
       nsCOMPtr<nsISupportsCString> blockedString = do_QueryInterface(mBlockedContentSource);
 

dom/security/nsCSPContext.h

@@ -64,9 +64,8 @@ class nsCSPContext : public nsIContentSecurityPolicy
     /**
      * Construct SecurityPolicyViolationEventInit structure.
      *
-     * @param aBlockedContentSource
-     *        Either a CSP Source (like 'self', as string) or nsIURI: the source
-     *        of the violation.
+     * @param aBlockedURI
+     *        A nsIURI: the source of the violation.
      * @param aOriginalUri
      *        The original URI if the blocked content is a redirect, else null
      * @param aViolatedDirective
@@ -81,7 +80,7 @@ class nsCSPContext : public nsIContentSecurityPolicy
      *        The output
      */
     nsresult GatherSecurityPolicyViolationEventData(
-      nsISupports* aBlockedContentSource,
+      nsIURI* aBlockedURI,
       nsIURI* aOriginalURI,
       nsAString& aViolatedDirective,
       uint32_t aViolatedPolicyIndex,

dom/security/test/csp/test_report.html

@@ -48,7 +48,7 @@ window.checkResults = function(reportObj) {
   ok(cspReport["referrer"].startsWith("http://mochi.test:8888/tests/dom/security/test/csp/test_report.html"),
      "Incorrect referrer");
 
-  is(cspReport["blocked-uri"], "self", "Incorrect blocked-uri");
+  is(cspReport["blocked-uri"], "", "Incorrect blocked-uri");
 
   is(cspReport["violated-directive"], "default-src", "Incorrect violated-directive");
 

dom/security/test/unit/test_csp_reports.js

@@ -106,7 +106,7 @@ function run_test() {
                    createInstance(Ci.nsISupportsString);
   content.data = "";
   // test that inline script violations cause a report.
-  makeTest(0, {"blocked-uri": "self"}, false,
+  makeTest(0, {"blocked-uri": ""}, false,
       function(csp) {
         let inlineOK = true;
         inlineOK = csp.getAllowsInline(Ci.nsIContentPolicy.TYPE_SCRIPT,
@@ -120,7 +120,7 @@ function run_test() {
       });
 
   // test that eval violations cause a report.
-  makeTest(1, {"blocked-uri": "self",
+  makeTest(1, {"blocked-uri": "",
                // JSON script-sample is UTF8 encoded
                "script-sample" : "\xc2\xa3\xc2\xa5\xc2\xb5\xe5\x8c\x97\xf0\xa0\x9d\xb9"}, false,
       function(csp) {
@@ -153,7 +153,7 @@ function run_test() {
       });
 
   // test that inline script violations cause a report in report-only policy
-  makeTest(3, {"blocked-uri": "self"}, true,
+  makeTest(3, {"blocked-uri": ""}, true,
       function(csp) {
         let inlineOK = true;
         let content = Cc["@mozilla.org/supports-string;1"].
@@ -170,7 +170,7 @@ function run_test() {
       });
 
   // test that eval violations cause a report in report-only policy
-  makeTest(4, {"blocked-uri": "self"}, true,
+  makeTest(4, {"blocked-uri": ""}, true,
       function(csp) {
         let evalOK = true, oReportViolation = {'value': false};
         evalOK = csp.getAllowsEval(oReportViolation);

toolkit/components/extensions/test/xpcshell/test_ext_contentscript_triggeringPrincipal.js

@@ -835,7 +835,7 @@ function awaitCSP(urlsPromise) {
       let report = body["csp-report"];
 
       let origURL = report["blocked-uri"];
-      if (origURL !== "self") {
+      if (origURL !== "self" && origURL !== "") {
         let {baseURL} = getOriginBase(origURL);
 
         if (expectedURLs.has(baseURL)) {