Bug 979580: Enable CSP 1.1 {nonce,hash}-source by default r=sstamm

2024-11-26 14:22:01 +00:00 · 2014-03-21 14:24:53 -07:00 · 2014-03-21 14:24:53 -07:00 · 44a69247e4
commit 44a69247e4
parent 29c628c5eb
4 changed files with 8 additions and 22 deletions
--- a/content/base/src/CSPUtils.jsm
+++ b/content/base/src/CSPUtils.jsm
@ -1772,9 +1772,6 @@ this.CSPNonceSource = function CSPNonceSource() {
 }

 CSPNonceSource.fromString = function(aStr, aCSPRep) {
-  if (!CSPPrefObserver.experimentalEnabled)
-    return null;
-
  let nonce = R_NONCESRC.exec(aStr)[1];
  if (!nonce) {
    cspError(aCSPRep, "Error in parsing nonce-source from string: nonce was empty");
@ -1789,8 +1786,6 @@ CSPNonceSource.fromString = function(aStr, aCSPRep) {
 CSPNonceSource.prototype = {

  permits: function(aContext) {
-    if (!CSPPrefObserver.experimentalEnabled) return false;
-
    if (aContext instanceof Ci.nsIDOMHTMLElement) {
      return this._nonce === aContext.getAttribute('nonce');
    } else if (typeof aContext === 'string') {
@ -1822,9 +1817,6 @@ this.CSPHashSource = function CSPHashSource() {
 }

 CSPHashSource.fromString = function(aStr, aCSPRep) {
-  if (!CSPPrefObserver.experimentalEnabled)
-    return null;
-
  let hashSrcMatch = R_HASHSRC.exec(aStr);
  let algo = hashSrcMatch[1];
  let hash = hashSrcMatch[2];
@ -1846,8 +1838,6 @@ CSPHashSource.fromString = function(aStr, aCSPRep) {
 CSPHashSource.prototype = {

  permits: function(aContext) {
-    if (!CSPPrefObserver.experimentalEnabled) return false;
-
    let ScriptableUnicodeConverter =
      Components.Constructor("@mozilla.org/intl/scriptableunicodeconverter",
                             "nsIScriptableUnicodeConverter");
--- a/content/base/src/contentSecurityPolicy.js
+++ b/content/base/src/contentSecurityPolicy.js
@ -208,9 +208,6 @@ ContentSecurityPolicy.prototype = {
  },

  getAllowsNonce: function(aNonce, aContentType, shouldReportViolation) {
-    if (!CSPPrefObserver.experimentalEnabled)
-      return false;
-
    if (!(aContentType == Ci.nsIContentPolicy.TYPE_SCRIPT ||
          aContentType == Ci.nsIContentPolicy.TYPE_STYLESHEET)) {
      CSPdebug("Nonce check requested for an invalid content type (not script or style): " + aContentType);
@ -223,7 +220,9 @@ ContentSecurityPolicy.prototype = {

    shouldReportViolation.value = this._policies.some(function(policy, i) {
      // Don't report a violation if the policy didn't use nonce-source
-      return policy._directives[directive]._hasNonceSource && !policyAllowsNonce[i];
+      return policy._directives.hasOwnProperty(directive) &&
+             policy._directives[directive]._hasNonceSource &&
+             !policyAllowsNonce[i];
    });

    // allow it to execute?  (Do all the policies allow it to execute)?
@ -233,9 +232,6 @@ ContentSecurityPolicy.prototype = {
  },

  getAllowsHash: function(aContent, aContentType, shouldReportViolation) {
-    if (!CSPPrefObserver.experimentalEnabled)
-      return false;
-
    if (!(aContentType == Ci.nsIContentPolicy.TYPE_SCRIPT ||
          aContentType == Ci.nsIContentPolicy.TYPE_STYLESHEET)) {
      CSPdebug("Hash check requested for an invalid content type (not script or style): " + aContentType);
@ -248,7 +244,9 @@ ContentSecurityPolicy.prototype = {

    shouldReportViolation.value = this._policies.some(function(policy, i) {
      // Don't report a violation if the policy didn't use hash-source
-      return policy._directives[directive]._hasHashSource && !policyAllowsHash[i];
+      return policy._directives.hasOwnProperty(directive) &&
+             policy._directives[directive]._hasHashSource &&
+             !policyAllowsHash[i];
    });

    // allow it to execute?  (Do all the policies allow it to execute)?
--- a/content/base/test/csp/test_hash_source.html
+++ b/content/base/test/csp/test_hash_source.html
@ -126,8 +126,7 @@ function checkInline () {
 SimpleTest.waitForExplicitFinish();

 SpecialPowers.pushPrefEnv(
-  {'set':[["security.csp.speccompliant", true],
-          ["security.csp.experimentalEnabled", true]]},
+  {'set':[["security.csp.speccompliant", true]]},
  function() {
    // save this for last so that our listeners are registered.
    // ... this loads the testbed of good and bad requests.
--- a/content/base/test/csp/test_nonce_source.html
+++ b/content/base/test/csp/test_nonce_source.html
@ -113,8 +113,7 @@ window.examiner = new examiner();
 SimpleTest.waitForExplicitFinish();

 SpecialPowers.pushPrefEnv(
-  {'set':[["security.csp.speccompliant", true],
-          ["security.csp.experimentalEnabled", true]]},
+  {'set':[["security.csp.speccompliant", true]]},
  function() {
    // save this for last so that our listeners are registered.
    // ... this loads the testbed of good and bad requests.