Bug 1268327 - ReferrerPolicy should not be delivered through CSPRO r=tnguyen

--HG-- extra : rebase_source : 92bd320351de91b72304c2fc386f1ae295837a9e
2024-10-08 10:44:56 +00:00 · 2016-06-22 14:13:03 +02:00 · 2016-06-22 14:13:03 +02:00 · 76f6cc7739
commit 76f6cc7739
parent 179aa18d0d
3 changed files with 31 additions and 8 deletions
--- a/dom/manifest/test/file_testserver.sjs
+++ b/dom/manifest/test/file_testserver.sjs
@ -38,6 +38,11 @@ function handleRequest(request, response) {
    response.setHeader("Content-Security-Policy", query.get("csp"), false);
  }

+  // Deliver the CSPRO policy encoded in the URL
+  if(query.has("cspro")){
+    response.setHeader("Content-Security-Policy-Report-Only", query.get("cspro"), false);
+  }
+
  // Deliver the CORS header in the URL
  if(query.has("cors")){
    response.setHeader("Access-Control-Allow-Origin", query.get("cors"), false);
--- a/dom/security/nsCSPContext.cpp
+++ b/dom/security/nsCSPContext.cpp
@ -339,9 +339,10 @@ nsCSPContext::GetReferrerPolicy(uint32_t* outPolicy, bool* outIsSet)
  mozilla::net::ReferrerPolicy previousPolicy = mozilla::net::RP_Default;
  for (uint32_t i = 0; i < mPolicies.Length(); i++) {
    mPolicies[i]->getReferrerPolicy(refpol);
-    // an empty string in refpol means it wasn't set (that's the default in
-    // nsCSPPolicy).
-    if (!refpol.IsEmpty()) {
+    // only set the referrer policy if not delievered through a CSPRO and
+    // note that and an empty string in refpol means it wasn't set
+    // (that's the default in nsCSPPolicy).
+    if (!mPolicies[i]->getReportOnlyFlag() && !refpol.IsEmpty()) {
      // Referrer Directive in CSP is no more used and going to be replaced by
      // Referrer-Policy HTTP header. But we still keep using referrer directive,
      // and would remove it later.
--- a/dom/security/test/csp/test_referrerdirective.html
+++ b/dom/security/test/csp/test_referrerdirective.html
@ -58,8 +58,20 @@ var testData = {
          'expected': {  'sameorigin': 'none',
                        'crossorigin': 'none',
                          'downgrade': 'none' }},
-  };

+  // referrer delivered through CSPRO should be ignored
+  'ignore-cspro':  { 'cspro': "script-src * 'unsafe-inline'; referrer origin",
+          'expected': {  'sameorigin': 'full',
+                        'crossorigin': 'full',
+                          'downgrade': 'none' }},
+
+  // referrer delivered through CSPRO should be ignored
+  'ignore-cspro2':   { 'csp'  : "script-src * 'unsafe-inline'; referrer no-referrer",
+                       'cspro': "script-src * 'unsafe-inline'; referrer origin",
+         'expected': {  'sameorigin': 'none',
+                        'crossorigin': 'none',
+                          'downgrade': 'none' }},
+  };

 var referrerDirectiveTests = {
  // called via postMessage when one of the iframes is done running.
@ -112,10 +124,15 @@ SpecialPowers.pushPrefEnv({
      // one iframe created for each test case
      for (var id in testData) {
        var elt = document.createElement("iframe");
-        elt.src = "https://example.com/tests/dom/security/test/csp/file_testserver.sjs?" +
-                  "id=" + id +
-                  "&csp=" + escape(testData[id]['csp']) +
-                  "&file=tests/dom/security/test/csp/file_referrerdirective.html";
+        var src = "https://example.com/tests/dom/security/test/csp/file_testserver.sjs?id=" + id;
+        if (testData[id]['csp']) {
+          src += "&csp=" + escape(testData[id]['csp']);
+        }
+        if (testData[id]['cspro']) {
+          src += "&cspro=" + escape(testData[id]['cspro']);
+        }
+        src += "&file=tests/dom/security/test/csp/file_referrerdirective.html";
+        elt.src = src;
        document.getElementById("content").appendChild(elt);
      }
    });