Bug 1268327 - ReferrerPolicy should not be delivered through CSPRO r=tnguyen
--HG-- extra : rebase_source : 92bd320351de91b72304c2fc386f1ae295837a9e
This commit is contained in:
parent
179aa18d0d
commit
76f6cc7739
@ -38,6 +38,11 @@ function handleRequest(request, response) {
|
||||
response.setHeader("Content-Security-Policy", query.get("csp"), false);
|
||||
}
|
||||
|
||||
// Deliver the CSPRO policy encoded in the URL
|
||||
if(query.has("cspro")){
|
||||
response.setHeader("Content-Security-Policy-Report-Only", query.get("cspro"), false);
|
||||
}
|
||||
|
||||
// Deliver the CORS header in the URL
|
||||
if(query.has("cors")){
|
||||
response.setHeader("Access-Control-Allow-Origin", query.get("cors"), false);
|
||||
|
@ -339,9 +339,10 @@ nsCSPContext::GetReferrerPolicy(uint32_t* outPolicy, bool* outIsSet)
|
||||
mozilla::net::ReferrerPolicy previousPolicy = mozilla::net::RP_Default;
|
||||
for (uint32_t i = 0; i < mPolicies.Length(); i++) {
|
||||
mPolicies[i]->getReferrerPolicy(refpol);
|
||||
// an empty string in refpol means it wasn't set (that's the default in
|
||||
// nsCSPPolicy).
|
||||
if (!refpol.IsEmpty()) {
|
||||
// only set the referrer policy if not delievered through a CSPRO and
|
||||
// note that and an empty string in refpol means it wasn't set
|
||||
// (that's the default in nsCSPPolicy).
|
||||
if (!mPolicies[i]->getReportOnlyFlag() && !refpol.IsEmpty()) {
|
||||
// Referrer Directive in CSP is no more used and going to be replaced by
|
||||
// Referrer-Policy HTTP header. But we still keep using referrer directive,
|
||||
// and would remove it later.
|
||||
|
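Review bot: The new comment above the report-only check has two typos ("delievered", "note that and an empty") and otherwise repeats the sentence the commit removes, so it reads as two half-sentences; replace it with `// Only honor a referrer directive from an enforced policy: a directive delivered through a CSPRO must not change referrer behavior, and an empty refpol means the policy did not set one (nsCSPPolicy's default).` The added `!mPolicies[i]->getReportOnlyFlag()` test looks right, but a referrer directive in a report-only policy is now dropped silently; if a console-reporting helper is reachable from this context, a warning that the directive is ignored in report-only mode would help authors notice. refpol is reused across loop iterations, so this relies on getReferrerPolicy() assigning rather than appending on every call — worth confirming. GetReferrerPolicy's body starts and ends outside the hunk.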
@ -58,8 +58,20 @@ var testData = {
|
||||
'expected': { 'sameorigin': 'none',
|
||||
'crossorigin': 'none',
|
||||
'downgrade': 'none' }},
|
||||
};
|
||||
|
||||
// referrer delivered through CSPRO should be ignored
|
||||
'ignore-cspro': { 'cspro': "script-src * 'unsafe-inline'; referrer origin",
|
||||
'expected': { 'sameorigin': 'full',
|
||||
'crossorigin': 'full',
|
||||
'downgrade': 'none' }},
|
||||
|
||||
// referrer delivered through CSPRO should be ignored
|
||||
'ignore-cspro2': { 'csp' : "script-src * 'unsafe-inline'; referrer no-referrer",
|
||||
'cspro': "script-src * 'unsafe-inline'; referrer origin",
|
||||
'expected': { 'sameorigin': 'none',
|
||||
'crossorigin': 'none',
|
||||
'downgrade': 'none' }},
|
||||
};
|
||||
|
||||
var referrerDirectiveTests = {
|
||||
// called via postMessage when one of the iframes is done running.
|
||||
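Review bot: The comment above 'ignore-cspro2' is a copy of the one above 'ignore-cspro' and does not say what the second case checks, namely that an enforced `referrer no-referrer` must keep winning when a CSPRO carries `referrer origin`; suggest `// an enforced referrer directive must not be overridden by one delivered through CSPRO`. The 'ignore-cspro' entry has no 'csp' key, so it depends on the iframe-creation loop tolerating a missing key, which this commit changes elsewhere; a short note on the entry (`// no enforced policy, CSPRO only`) would make that dependency visible to the next person editing testData.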
@ -112,10 +124,15 @@ SpecialPowers.pushPrefEnv({
|
||||
// one iframe created for each test case
|
||||
for (var id in testData) {
|
||||
var elt = document.createElement("iframe");
|
||||
elt.src = "https://example.com/tests/dom/security/test/csp/file_testserver.sjs?" +
|
||||
"id=" + id +
|
||||
"&csp=" + escape(testData[id]['csp']) +
|
||||
"&file=tests/dom/security/test/csp/file_referrerdirective.html";
|
||||
var src = "https://example.com/tests/dom/security/test/csp/file_testserver.sjs?id=" + id;
|
||||
if (testData[id]['csp']) {
|
||||
src += "&csp=" + escape(testData[id]['csp']);
|
||||
}
|
||||
if (testData[id]['cspro']) {
|
||||
src += "&cspro=" + escape(testData[id]['cspro']);
|
||||
}
|
||||
src += "&file=tests/dom/security/test/csp/file_referrerdirective.html";
|
||||
elt.src = src;
|
||||
document.getElementById("content").appendChild(elt);
|
||||
}
|
||||
});
|
||||
|
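Review bot: The two new query-building lines use `escape()`, a deprecated Annex-B function that leaves `+`, `/`, `@` and `*` unencoded, so a policy string containing `+` may be read back as a space depending on the server's query parser; `encodeURIComponent` is the right encoder for a query value. Change them to `src += "&csp=" + encodeURIComponent(testData[id]['csp']);` and `src += "&cspro=" + encodeURIComponent(testData[id]['cspro']);`. The removed line used escape() as well, so this carries a pre-existing choice into new code rather than regressing, but the rewrite is the natural place to fix it. The enclosing callback passed to SpecialPowers.pushPrefEnv starts outside the hunk.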