Bug 1687342: Blocked-URI in CSP reports should be URI before redirects with ref removed r=freddyb,dveditz

Differential Revision: https://phabricator.services.mozilla.com/D103450
Christoph Kerschbaumer 2021-02-09 18:42:03 +00:00
parent d14708a4c5
commit 2b003274b2
3 changed files with 21 additions and 26 deletions


@ -934,20 +934,18 @@ void nsCSPContext::logToConsole(const char* aName,
/** /**
* Strip URI for reporting according to: * Strip URI for reporting according to:
* http://www.w3.org/TR/CSP/#violation-reports * https://w3c.github.io/webappsec-csp/#security-violation-reports
* *
* @param aURI * @param aURI
* The uri to be stripped for reporting * The URI of the blocked resource. In case of a redirect, this it the
* @param aSelfURI * initial URI the request started out with, not the redirected URI.
* The uri of the protected resource * @return The ASCII serialization of the uri to be reported ignoring
* which is needed to enforce the SOP. * the ref part of the URI.
* @return ASCII serialization of the uri to be reported.
*/ */
void StripURIForReporting(nsIURI* aURI, nsIURI* aSelfURI, void StripURIForReporting(nsIURI* aURI, nsACString& outStrippedURI) {
nsACString& outStrippedURI) { // If the origin of aURI is a globally unique identifier (for example,
// 1) If the origin of uri is a globally unique identifier (for example, // aURI has a scheme of data, blob, or filesystem), then
// aURI has a scheme of data, blob, or filesystem), then return the // return the ASCII serialization of uris scheme.
// ASCII serialization of uris scheme.
bool isHttpFtpOrWs = bool isHttpFtpOrWs =
(aURI->SchemeIs("http") || aURI->SchemeIs("https") || (aURI->SchemeIs("http") || aURI->SchemeIs("https") ||
aURI->SchemeIs("ftp") || aURI->SchemeIs("ws") || aURI->SchemeIs("wss")); aURI->SchemeIs("ftp") || aURI->SchemeIs("ws") || aURI->SchemeIs("wss"));
@ -960,7 +958,7 @@ void StripURIForReporting(nsIURI* aURI, nsIURI* aSelfURI,
return; return;
} }
// Return uri, with any fragment component removed. // Return aURI, with any fragment component removed.
aURI->GetSpecIgnoringRef(outStrippedURI); aURI->GetSpecIgnoringRef(outStrippedURI);
} }
@ -980,7 +978,7 @@ nsresult nsCSPContext::GatherSecurityPolicyViolationEventData(
// document-uri // document-uri
nsAutoCString reportDocumentURI; nsAutoCString reportDocumentURI;
StripURIForReporting(mSelfURI, mSelfURI, reportDocumentURI); StripURIForReporting(mSelfURI, reportDocumentURI);
CopyUTF8toUTF16(reportDocumentURI, aViolationEventInit.mDocumentURI); CopyUTF8toUTF16(reportDocumentURI, aViolationEventInit.mDocumentURI);
// referrer // referrer
@ -988,17 +986,9 @@ nsresult nsCSPContext::GatherSecurityPolicyViolationEventData(
// blocked-uri // blocked-uri
if (aBlockedURI) { if (aBlockedURI) {
// in case of blocking a browsing context (frame) we have to report
// the final URI in case of a redirect. For subresources we report
// the URI before redirects.
nsCOMPtr<nsIURI> uriToReport;
if (aViolatedDirective.EqualsLiteral("frame-src")) {
uriToReport = aBlockedURI;
} else {
uriToReport = aOriginalURI ? aOriginalURI : aBlockedURI;
}
nsAutoCString reportBlockedURI; nsAutoCString reportBlockedURI;
StripURIForReporting(uriToReport, mSelfURI, reportBlockedURI); StripURIForReporting(aOriginalURI ? aOriginalURI : aBlockedURI,
reportBlockedURI);
CopyUTF8toUTF16(reportBlockedURI, aViolationEventInit.mBlockedURI); CopyUTF8toUTF16(reportBlockedURI, aViolationEventInit.mBlockedURI);
} else { } else {
CopyUTF8toUTF16(aBlockedString, aViolationEventInit.mBlockedURI); CopyUTF8toUTF16(aBlockedString, aViolationEventInit.mBlockedURI);
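Review bot: The new `@param aURI` documentation on StripURIForReporting (first hunk of this section) carries a typo: "In case of a redirect, this it the initial URI" should read `In case of a redirect, this is the initial URI the request started out with, not the redirected URI.`. In the third hunk, the ternary `aOriginalURI ? aOriginalURI : aBlockedURI` now applies to frame-src as well, but nothing at the call site says why the pre-redirect URI is the one reported; a one-line why-comment such as `// Report the pre-redirect URI so the report does not expose where a cross-origin redirect ended up.` would keep the next maintainer from reintroducing the removed frame-src special case (the reason is inferred from the commit title and spec link, not stated in the hunk). The accompanying expectation file marks the frame-src-redirect WPT as TIMEOUT, which suggests the frame case's behaviour change is not yet covered by a passing test and is worth tracking. The `if (aBlockedURI) { … } else { … }` block and the enclosing GatherSecurityPolicyViolationEventData continue past the end of the hunk.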


@ -19,9 +19,9 @@ SimpleTest.waitForExplicitFinish();
* which gets redirected to: * which gets redirected to:
* http://test1.example.com/tests/dom/security//test/csp/file_path_matching.js * http://test1.example.com/tests/dom/security//test/csp/file_path_matching.js
* *
* The blocked-uri in the csp-report should be: * The blocked-uri in the csp-report should be the original URI:
* test1.example.com * http://example.com/tests/dom/security/test/csp/file_path_matching_redirect_server.sjs
* instead of: * instead of the redirected URI:
* http://test1.example.com/tests/com/security/test/csp/file_path_matching.js * http://test1.example.com/tests/com/security/test/csp/file_path_matching.js
* *
* see also: http://www.w3.org/TR/CSP/#violation-reports * see also: http://www.w3.org/TR/CSP/#violation-reports


@ -0,0 +1,5 @@
[frame-src-redirect.html]
expected: TIMEOUT
[Redirected iframe src should evaluate both enforced and report-only policies on both original request and when following redirect]
expected: TIMEOUT