Backed out changeset 4bedbc45e231 (bug 1505412) for failures in test_bug1505412.html CLOSED TREE

2024-10-18 15:55:36 +00:00 · 2019-08-22 19:52:49 +03:00 · 2019-08-22 19:52:49 +03:00 · 2d0fff3267
commit 2d0fff3267
parent c8c773d698
7 changed files with 0 additions and 170 deletions
--- a/dom/security/nsCSPUtils.cpp
+++ b/dom/security/nsCSPUtils.cpp
@ -877,25 +877,6 @@ bool nsCSPNonceSrc::permits(nsIURI* aUri, const nsAString& aNonce,
                 NS_ConvertUTF16toUTF8(aNonce).get()));
  }

-  if (aReportOnly && aWasRedirected && aNonce.IsEmpty()) {
-    /* Fix for Bug 1505412
-     *  If we land here, we're currently handling a script-preload which got
-     *  redirected. Preloads do not have any info about the nonce assiociated.
-     *  Because of Report-Only the preload passes the 1st CSP-check so the
-     *  preload does not get retried with a nonce attached.
-     *  Currently we're relying on the script-manager to
-     *  provide a fake loadinfo to check the preloads against csp.
-     *  So during HTTPChannel->OnRedirect we cant check csp for this case.
-     *  But as the script-manager already checked the csp,
-     *  a report would already have been send,
-     *  if the nonce didnt match.
-     *  So we can pass the check here for Report-Only Cases.
-     */
-    MOZ_ASSERT(aParserCreated == false,
-               "Skipping nonce-check is only allowed for Preloads");
-    return true;
-  }
-
  // nonces can not be invalidated by strict-dynamic
  return mNonce.Equals(aNonce);
 }
--- a/dom/security/test/csp/file_bug1505412.sjs
+++ b/dom/security/test/csp/file_bug1505412.sjs
@ -1,36 +0,0 @@
-// https://bugzilla.mozilla.org/show_bug.cgi?id=650386
-// This SJS file serves file_redirect_content.html
-// with a CSP that will trigger a violation and that will report it
-// to file_redirect_report.sjs
-//
-// This handles 301, 302, 303 and 307 redirects. The HTTP status code
-// returned/type of redirect to do comes from the query string
-// parameter passed in from the test_bug650386_* files and then also
-// uses that value in the report-uri parameter of the CSP
-function handleRequest(request, response) {
-  response.setHeader("Cache-Control", "no-cache", false);
-
-  // this gets used in the CSP as part of the report URI.
-  var redirect = request.queryString;
-
-  if (!redirect) {
-    // if we somehow got some bogus redirect code here,
-    // do a 302 redirect to the same URL as the report URI
-    // redirects to - this will fail the test.
-    var loc =
-      "http://sub1.test1.example.org/tests/dom/security/test/csp/file_bug1505412.sjs?redirected";
-    response.setStatusLine("1.1", 302, "Found");
-    response.setHeader("Location", loc, false);
-    return;
-  }
-
-  // response.setHeader("content-type", "text/application", false);
-  // the actual file content.
-  // this image load will (intentionally) fail due to the CSP policy of default-src: 'self'
-  // specified by the CSP string above.
-  var content = "info('Script Loaded')";
-
-  response.write(content);
-
-  return;
-}
--- a/dom/security/test/csp/file_bug1505412_chrome.js
+++ b/dom/security/test/csp/file_bug1505412_chrome.js
@ -1,30 +0,0 @@
-const { Services } = ChromeUtils.import("resource://gre/modules/Services.jsm");
-const { NetUtil } = ChromeUtils.import("resource://gre/modules/NetUtil.jsm");
-
-Cu.importGlobalProperties(["TextDecoder"]);
-
-var openingObserver = {
-  observe: function(subject, topic, data) {
-    sendAsyncMessage("request-found", { subject, topic, data });
-    // subject should be an nsURI
-    if (subject.QueryInterface == undefined) {
-      return;
-    }
-
-    if (topic == "http-on-opening-request") {
-      var asciiSpec = subject.QueryInterface(Ci.nsIHttpChannel).URI.asciiSpec;
-      sendAsyncMessage("request-found", asciiSpec);
-      if (!asciiSpec.includes("report")) {
-        return;
-      }
-      sendAsyncMessage("report-found");
-    }
-  },
-};
-
-Services.obs.addObserver(openingObserver, "http-on-opening-request");
-addMessageListener("finish", function() {
-  Services.obs.removeObserver(openingObserver, "http-on-opening-request");
-});
-
-sendAsyncMessage("proxy-ready");
--- a/dom/security/test/csp/file_bug1505412_frame.html
+++ b/dom/security/test/csp/file_bug1505412_frame.html
@ -1,14 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-
-<head>
-    <title> Bug 1505412 CSP-RO reports violations in inline-scripts with nonce</title>
-    <script src="/tests/SimpleTest/SimpleTest.js" nonce="foobar"></script>
-    <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
- 
-
-<body>
-    <script src="file_bug1505412.sjs" nonce="foobar"></script>
-</body>
-
-</html>
--- a/dom/security/test/csp/file_bug1505412_frame.html^headers^
+++ b/dom/security/test/csp/file_bug1505412_frame.html^headers^
@ -1 +0,0 @@
-Content-Security-Policy-Report-Only: script-src 'nonce-foobar'; report-uri /report/
--- a/dom/security/test/csp/mochitest.ini
+++ b/dom/security/test/csp/mochitest.ini
@ -87,10 +87,6 @@ support-files =
  file_bug1312272.js
  file_bug1312272.html^headers^
  file_bug1452037.html
-  file_bug1505412.sjs
-  file_bug1505412_chrome.js
-  file_bug1505412_frame.html
-  file_bug1505412_frame.html^headers^
  file_policyuri_regression_from_multipolicy.html
  file_policyuri_regression_from_multipolicy.html^headers^
  file_policyuri_regression_from_multipolicy_policy
@ -250,8 +246,6 @@ prefs =
 [test_bug802872.html]
 [test_bug885433.html]
 [test_bug888172.html]
-[test_bug1505412.html]
-skip-if = !debug
 [test_evalscript.html]
 [test_evalscript_blocked_by_strict_dynamic.html]
 [test_evalscript_allowed_by_strict_dynamic.html]
--- a/dom/security/test/csp/test_bug1505412.html
+++ b/dom/security/test/csp/test_bug1505412.html
@ -1,64 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-
-<head>
-    <title> Bug 1505412 CSP-RO reports violations in inline-scripts with nonce</title>
-    <script src="/tests/SimpleTest/SimpleTest.js" nonce="foobar"></script>
-    <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
-
-
-<body>
-    <p id="display"></p>
-    <div id="content" style="display: none">
-    </div>
-
-    <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1505412">Test for 1505412 </a>
-    <script class="testbody" type="text/javascript" nonce="foobar">
-        /* Description of the test:
-            1:  We setup a Proxy that will cause the Test to Fail
-                if Firefox sends a CSP-Report to /report
-            2:  We Load an iframe with has a Script pointing to
-                file_bug1505412.sjs 
-            3:  The Preloader will fetch the file and Gets redirected
-            4:  If correct, the File should be loaded and no CSP-Report 
-                should be send.  
-        */
-
-
-
-        SimpleTest.waitForExplicitFinish();
-        SimpleTest.requestCompleteLog();
-        var script;
-        try {
-            var chromeScriptUrl = SimpleTest.getTestFileURL("file_bug1505412_chrome.js");
-            script = SpecialPowers.loadChromeScript(chromeScriptUrl);
-            SimpleTest.registerCleanupFunction(() => {
-                script.sendAsyncMessage("finish");
-            });
-        } catch (error) {
-        }
-
-        script.addMessageListener('proxy-ready', function pr() {
-            let t = document.querySelector("#target");
-            t.src = "file_bug1505412_frame.html";
-            t.addEventListener("load", () => {
-                ok(true, "Script Loaded without CSP beeing triggered");
-                SimpleTest.finish();
-            });
-
-        }, { once: true });
-
-
-        script.addMessageListener('report-found', function ml(msg) {
-            ok(false, "A report was triggered");
-            SimpleTest.finish();
-        }, { once: true });
-
-
-
-
-    </script>
-    <iframe id="target" frameborder="0"></iframe>
-</body>
-
-</html>
				`@ -1 +0,0 @@`
				`Content-Security-Policy-Report-Only: script-src 'nonce-foobar'; report-uri /report/`