From 44a69247e4cbd0f84fadfb558906e199d9c0bc28 Mon Sep 17 00:00:00 2001
From: Garrett Robinson
Date: Fri, 21 Mar 2014 14:24:53 -0700
Subject: [PATCH] Bug 979580: Enable CSP 1.1 {nonce,hash}-source by default r=sstamm
---
 content/base/src/CSPUtils.jsm | 10 ----------
 content/base/src/contentSecurityPolicy.js | 14 ++++++--------
 content/base/test/csp/test_hash_source.html | 3 +--
 content/base/test/csp/test_nonce_source.html | 3 +--
 4 files changed, 8 insertions(+), 22 deletions(-)
diff --git a/content/base/src/CSPUtils.jsm b/content/base/src/CSPUtils.jsm
index bc4da2dd3b7c..d2aed262d3e4 100644
--- a/content/base/src/CSPUtils.jsm
+++ b/content/base/src/CSPUtils.jsm
@@ -1772,9 +1772,6 @@ this.CSPNonceSource = function CSPNonceSource() {
 }
 CSPNonceSource.fromString = function(aStr, aCSPRep) {
- if (!CSPPrefObserver.experimentalEnabled)
- return null;
-
 let nonce = R_NONCESRC.exec(aStr)[1];
 if (!nonce) {
 cspError(aCSPRep, "Error in parsing nonce-source from string: nonce was empty");
@@ -1789,8 +1786,6 @@ CSPNonceSource.fromString = function(aStr, aCSPRep) {
 CSPNonceSource.prototype = {
 permits: function(aContext) {
- if (!CSPPrefObserver.experimentalEnabled) return false;
-
 if (aContext instanceof Ci.nsIDOMHTMLElement) {
 return this._nonce === aContext.getAttribute('nonce');
 } else if (typeof aContext === 'string') {
@@ -1822,9 +1817,6 @@ this.CSPHashSource = function CSPHashSource() {
 }
 CSPHashSource.fromString = function(aStr, aCSPRep) {
- if (!CSPPrefObserver.experimentalEnabled)
- return null;
-
 let hashSrcMatch = R_HASHSRC.exec(aStr);
 let algo = hashSrcMatch[1];
 let hash = hashSrcMatch[2];
@@ -1846,8 +1838,6 @@ CSPHashSource.fromString = function(aStr, aCSPRep) {
 CSPHashSource.prototype = {
 permits: function(aContext) {
- if (!CSPPrefObserver.experimentalEnabled) return false;
-
 let ScriptableUnicodeConverter = Components.Constructor("@mozilla.org/intl/scriptableunicodeconverter", "nsIScriptableUnicodeConverter");
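Review bot: `let nonce = R_NONCESRC.exec(aStr)[1];`, the first line after the removed pref guard, indexes the regex result without checking it, so a string that does not match R_NONCESRC throws a TypeError instead of reaching the `cspError` report two lines below; with the pref gate gone this parser is now live for every policy a site sends. Unless the caller is guaranteed to have matched R_NONCESRC first (not visible here), I would write `let match = R_NONCESRC.exec(aStr);` followed by `let nonce = match && match[1];` so the existing `if (!nonce)` branch also covers the no-match case. The rest of fromString, including its success path, lies outside the hunk.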
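Review bot: With the pref check removed, `permits` runs unconditionally and the element branch `return this._nonce === aContext.getAttribute('nonce');` now carries the whole allow decision for nonced elements, yet nothing states its contract: the comparison is exact (case-sensitive, no trimming), and an element with no `nonce` attribute yields `null` and therefore can never match. I would add above the `if (aContext instanceof Ci.nsIDOMHTMLElement)` line: `// Exact string match against the element's nonce attribute; a missing attribute (null) never matches.` The string branch and the remainder of permits continue past the hunk.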
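Review bot: `let hashSrcMatch = R_HASHSRC.exec(aStr);` is followed immediately by `hashSrcMatch[1]` and `hashSrcMatch[2]`, so a string that does not match R_HASHSRC now throws a TypeError from a path that was unreachable while the pref gate returned null first. Unless the caller is known to pre-validate against R_HASHSRC (not visible here), I would guard it right after the exec: `if (!hashSrcMatch) { cspError(aCSPRep, "Error in parsing hash-source from string: source did not match hash-source syntax"); return null; }`. The `algo` capture is also used as-is here; whatever validates it lives in the part of fromString outside this hunk.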
diff --git a/content/base/src/contentSecurityPolicy.js b/content/base/src/contentSecurityPolicy.js
index 3911bc7ddc6f..99cf6197456c 100644
--- a/content/base/src/contentSecurityPolicy.js
+++ b/content/base/src/contentSecurityPolicy.js
@@ -208,9 +208,6 @@ ContentSecurityPolicy.prototype = {
 },
 getAllowsNonce: function(aNonce, aContentType, shouldReportViolation) {
- if (!CSPPrefObserver.experimentalEnabled)
- return false;
-
 if (!(aContentType == Ci.nsIContentPolicy.TYPE_SCRIPT || aContentType == Ci.nsIContentPolicy.TYPE_STYLESHEET)) {
 CSPdebug("Nonce check requested for an invalid content type (not script or style): " + aContentType);
@@ -223,7 +220,9 @@ ContentSecurityPolicy.prototype = {
 shouldReportViolation.value = this._policies.some(function(policy, i) {
 // Don't report a violation if the policy didn't use nonce-source
- return policy._directives[directive]._hasNonceSource && !policyAllowsNonce[i];
+ return policy._directives.hasOwnProperty(directive) && policy._directives[directive]._hasNonceSource && !policyAllowsNonce[i];
 });
 // allow it to execute? (Do all the policies allow it to execute)?
@@ -233,9 +232,6 @@ ContentSecurityPolicy.prototype = {
 },
 getAllowsHash: function(aContent, aContentType, shouldReportViolation) {
- if (!CSPPrefObserver.experimentalEnabled)
- return false;
-
 if (!(aContentType == Ci.nsIContentPolicy.TYPE_SCRIPT || aContentType == Ci.nsIContentPolicy.TYPE_STYLESHEET)) {
 CSPdebug("Hash check requested for an invalid content type (not script or style): " + aContentType);
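Review bot: The new `policy._directives.hasOwnProperty(directive)` test in the `some` callback stops a TypeError for a policy with no explicit script-src/style-src directive, but it also means such a policy never contributes a violation report even when `policyAllowsNonce[i]` (computed above the hunk, presumably with a default-src fallback) is false for it, so a nonced script denied by that policy would be blocked without being reported. If only an explicit directive can carry nonce-source, the comment should say so: `// Don't report a violation if the policy has no explicit directive here or didn't use nonce-source`. If a default-src fallback can hold a nonce-source, the `_hasNonceSource` lookup should follow the same fallback the allow computation uses. The start of getAllowsNonce and its final return are outside this hunk.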
@@ -248,7 +244,9 @@ ContentSecurityPolicy.prototype = {
 shouldReportViolation.value = this._policies.some(function(policy, i) {
 // Don't report a violation if the policy didn't use hash-source
- return policy._directives[directive]._hasHashSource && !policyAllowsHash[i];
+ return policy._directives.hasOwnProperty(directive) && policy._directives[directive]._hasHashSource && !policyAllowsHash[i];
 });
 // allow it to execute? (Do all the policies allow it to execute)?
diff --git a/content/base/test/csp/test_hash_source.html b/content/base/test/csp/test_hash_source.html
index 46cfe7e45237..709ec761fe88 100644
--- a/content/base/test/csp/test_hash_source.html
+++ b/content/base/test/csp/test_hash_source.html
@@ -126,8 +126,7 @@ function checkInline () {
 SimpleTest.waitForExplicitFinish();
 SpecialPowers.pushPrefEnv(
- {'set':[["security.csp.speccompliant", true],
- ["security.csp.experimentalEnabled", true]]},
+ {'set':[["security.csp.speccompliant", true]]},
 function() {
 // save this for last so that our listeners are registered.
 // ... this loads the testbed of good and bad requests.
diff --git a/content/base/test/csp/test_nonce_source.html b/content/base/test/csp/test_nonce_source.html
index 5360ea6859e9..892c4ee72909 100644
--- a/content/base/test/csp/test_nonce_source.html
+++ b/content/base/test/csp/test_nonce_source.html
@@ -113,8 +113,7 @@ window.examiner = new examiner();
 SimpleTest.waitForExplicitFinish();
 SpecialPowers.pushPrefEnv(
- {'set':[["security.csp.speccompliant", true],
- ["security.csp.experimentalEnabled", true]]},
+ {'set':[["security.csp.speccompliant", true]]},
 function() {
 // save this for last so that our listeners are registered.
 // ... this loads the testbed of good and bad requests.
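Review bot: The reporting predicate added here is a copy of the one added to getAllowsNonce, differing only in the flag (`_hasHashSource`) and the allow array, and the two will drift the next time the directive-lookup rule changes. I would factor it into one private helper on the prototype, `_policyShouldReport: function(policy, directive, flag, allowed) { return policy._directives.hasOwnProperty(directive) && policy._directives[directive][flag] && !allowed; }`, and call it from both `some` callbacks. As in the nonce case, a policy without the explicit directive can never produce a hash violation report here, which deserves a comment if that is intended. getAllowsHash starts above this hunk and its final return follows it.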