Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2025-03-02 22:37:50 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Bug 1848315 - CSP: Provide the whole violated directive as a string. r=freddyb

Browse Source 
Differential Revision: https://phabricator.services.mozilla.com/D186142
This commit is contained in:
Tom Schuster 2024-02-28 13:54:53 +00:00
parent 4dda607167
commit 7dff422288
4 changed files with 55 additions and 59 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
dom/security/nsCSPContext.cpp
View File

@ -189,10 +189,11 @@ bool nsCSPContext::permitsInternal(
bool permits = true;
nsAutoString violatedDirective;
nsAutoString violatedDirectiveString;
for (uint32_t p = 0; p < mPolicies.Length(); p++) {
if (!mPolicies[p]->permits(aDir, aLoadInfo, aContentLocation,
!!aOriginalURIIfRedirect, aSpecific,
violatedDirective)) {
violatedDirective, violatedDirectiveString)) {
// If the policy is violated and not report-only, reject the load and
// report to the console
if (!mPolicies[p]->getReportOnlyFlag()) {
@ -220,7 +221,7 @@ bool nsCSPContext::permitsInternal(
BlockedContentSource::eUnknown, /* a BlockedContentSource */
aOriginalURIIfRedirect, /* in case of redirect originalURI is not
null */
violatedDirective,
violatedDirective, violatedDirectiveString,
aDir, // aViolatedDirective
p, // policy index
u""_ns, // no observer subject
@ -515,7 +516,8 @@ void nsCSPContext::reportInlineViolation(
CSPDirective aDirective, Element* aTriggeringElement,
nsICSPEventListener* aCSPEventListener, const nsAString& aNonce,
bool aReportSample, const nsAString& aSample,
const nsAString& aViolatedDirective, CSPDirective aEffectiveDirective,
const nsAString& aViolatedDirective,
const nsAString& aViolatedDirectiveString, CSPDirective aEffectiveDirective,
uint32_t aViolatedPolicyIndex, // TODO, use report only flag for that
uint32_t aLineNumber, uint32_t aColumnNumber) {
nsString observerSubject;
@ -560,14 +562,15 @@ void nsCSPContext::reportInlineViolation(
BlockedContentSource::eInline, // aBlockedSource
mSelfURI, // aOriginalURI
aViolatedDirective, // aViolatedDirective
aEffectiveDirective, // aEffectiveDirective
aViolatedPolicyIndex, // aViolatedPolicyIndex
observerSubject, // aObserverSubject
sourceFile, // aSourceFile
aReportSample, // aReportSample
aSample, // aScriptSample
lineNumber, // aLineNum
columnNumber); // aColumnNum
aViolatedDirectiveString,
aEffectiveDirective, // aEffectiveDirective
aViolatedPolicyIndex, // aViolatedPolicyIndex
observerSubject, // aObserverSubject
sourceFile, // aSourceFile
aReportSample, // aReportSample
aSample, // aScriptSample
lineNumber, // aLineNum
columnNumber); // aColumnNum
}
NS_IMETHODIMP
@ -668,13 +671,16 @@ nsCSPContext::GetAllowsInline(CSPDirective aDirective, bool aHasUnsafeHash,
*outAllowsInline = false;
}
nsAutoString violatedDirective;
nsAutoString violatedDirectiveString;
bool reportSample = false;
mPolicies[i]->getDirectiveStringAndReportSampleForContentType(
aDirective, violatedDirective, &reportSample);
mPolicies[i]->getViolatedDirectiveInformation(
aDirective, violatedDirective, violatedDirectiveString,
&reportSample);
reportInlineViolation(aDirective, aTriggeringElement, aCSPEventListener,
aNonce, reportSample, content, violatedDirective,
aDirective, i, aLineNumber, aColumnNumber);
violatedDirectiveString, aDirective, i, aLineNumber,
aColumnNumber);
}
}
@ -737,13 +743,15 @@ nsCSPContext::LogViolationDetails(
}
nsAutoString violatedDirective;
nsAutoString violatedDirectiveString;
bool reportSample = false;
mPolicies[p]->getDirectiveStringAndReportSampleForContentType(
SCRIPT_SRC_DIRECTIVE, violatedDirective, &reportSample);
mPolicies[p]->getViolatedDirectiveInformation(
SCRIPT_SRC_DIRECTIVE, violatedDirective, violatedDirectiveString,
&reportSample);
AsyncReportViolation(
aTriggeringElement, aCSPEventListener, nullptr, blockedContentSource,
nullptr, violatedDirective,
nullptr, violatedDirective, violatedDirectiveString,
CSPDirective::SCRIPT_SRC_DIRECTIVE /* aEffectiveDirective */, p,
observerSubject, aSourceFile, reportSample, aScriptSample, aLineNum,
aColumnNum);
@ -1367,6 +1375,7 @@ class CSPReportSenderRunnable final : public Runnable {
nsCSPContext::BlockedContentSource aBlockedContentSource,
nsIURI* aOriginalURI, uint32_t aViolatedPolicyIndex, bool aReportOnlyFlag,
const nsAString& aViolatedDirective,
const nsAString& aViolatedDirectiveString,
const CSPDirective aEffectiveDirective, const nsAString& aObserverSubject,
const nsAString& aSourceFile, bool aReportSample,
const nsAString& aScriptSample, uint32_t aLineNum, uint32_t aColumnNum,
@ -1381,6 +1390,7 @@ class CSPReportSenderRunnable final : public Runnable {
mReportOnlyFlag(aReportOnlyFlag),
mReportSample(aReportSample),
mViolatedDirective(aViolatedDirective),
mViolatedDirectiveString(aViolatedDirectiveString),
mEffectiveDirective(aEffectiveDirective),
mSourceFile(aSourceFile),
mScriptSample(aScriptSample),
@ -1506,6 +1516,7 @@ class CSPReportSenderRunnable final : public Runnable {
bool mReportOnlyFlag;
bool mReportSample;
nsString mViolatedDirective;
nsString mViolatedDirectiveString;
CSPDirective mEffectiveDirective;
nsCOMPtr<nsISupports> mObserverSubject;
nsString mSourceFile;
@ -1548,6 +1559,7 @@ nsresult nsCSPContext::AsyncReportViolation(
Element* aTriggeringElement, nsICSPEventListener* aCSPEventListener,
nsIURI* aBlockedURI, BlockedContentSource aBlockedContentSource,
nsIURI* aOriginalURI, const nsAString& aViolatedDirective,
const nsAString& aViolatedDirectiveString,
const CSPDirective aEffectiveDirective, uint32_t aViolatedPolicyIndex,
const nsAString& aObserverSubject, const nsAString& aSourceFile,
bool aReportSample, const nsAString& aScriptSample, uint32_t aLineNum,
@ -1559,8 +1571,8 @@ nsresult nsCSPContext::AsyncReportViolation(
aTriggeringElement, aCSPEventListener, aBlockedURI, aBlockedContentSource,
aOriginalURI, aViolatedPolicyIndex,
mPolicies[aViolatedPolicyIndex]->getReportOnlyFlag(), aViolatedDirective,
aEffectiveDirective, aObserverSubject, aSourceFile, aReportSample,
aScriptSample, aLineNum, aColumnNum, this);
aViolatedDirectiveString, aEffectiveDirective, aObserverSubject,
aSourceFile, aReportSample, aScriptSample, aLineNum, aColumnNum, this);
if (XRE_IsContentProcess()) {
if (mEventTarget) {

2
dom/security/nsCSPContext.h
View File

@ -127,6 +127,7 @@ class nsCSPContext : public nsIContentSecurityPolicy {
nsICSPEventListener* aCSPEventListener, nsIURI* aBlockedURI,
BlockedContentSource aBlockedContentSource, nsIURI* aOriginalURI,
const nsAString& aViolatedDirective,
const nsAString& aViolatedDirectiveString,
const CSPDirective aEffectiveDirective, uint32_t aViolatedPolicyIndex,
const nsAString& aObserverSubject, const nsAString& aSourceFile,
bool aReportSample, const nsAString& aScriptSample, uint32_t aLineNum,
@ -169,6 +170,7 @@ class nsCSPContext : public nsIContentSecurityPolicy {
const nsAString& aNonce, bool aReportSample,
const nsAString& aSample,
const nsAString& aViolatedDirective,
const nsAString& aViolatedDirectiveString,
CSPDirective aEffectiveDirective,
uint32_t aViolatedPolicyIndex,
uint32_t aLineNumber, uint32_t aColumnNumber);

50
dom/security/nsCSPUtils.cpp
View File

@ -1569,7 +1569,8 @@ nsCSPPolicy::~nsCSPPolicy() {
bool nsCSPPolicy::permits(CSPDirective aDir, nsILoadInfo* aLoadInfo,
nsIURI* aUri, bool aWasRedirected, bool aSpecific,
nsAString& outViolatedDirective) const {
nsAString& outViolatedDirective,
nsAString& outViolatedDirectiveString) const {
if (CSPUTILSLOGENABLED()) {
CSPUTILSLOG(("nsCSPPolicy::permits, aUri: %s, aDir: %s, aSpecific: %s",
aUri->GetSpecOrDefault().get(), CSP_CSPDirectiveToString(aDir),
@ -1589,6 +1590,7 @@ bool nsCSPPolicy::permits(CSPDirective aDir, nsILoadInfo* aLoadInfo,
if (!mDirectives[i]->permits(aDir, aLoadInfo, aUri, aWasRedirected,
mReportOnly, mUpgradeInsecDir)) {
mDirectives[i]->getDirName(outViolatedDirective);
mDirectives[i]->toString(outViolatedDirectiveString);
return false;
}
return true;
@ -1604,6 +1606,7 @@ bool nsCSPPolicy::permits(CSPDirective aDir, nsILoadInfo* aLoadInfo,
if (!defaultDir->permits(aDir, aLoadInfo, aUri, aWasRedirected, mReportOnly,
mUpgradeInsecDir)) {
defaultDir->getDirName(outViolatedDirective);
defaultDir->toString(outViolatedDirectiveString);
return false;
}
return true;
@ -1692,43 +1695,22 @@ bool nsCSPPolicy::allowsAllInlineBehavior(CSPDirective aDir) const {
* The parameter outDirective is the equivalent of 'outViolatedDirective'
* for the ::permits() function family.
*/
void nsCSPPolicy::getDirectiveStringAndReportSampleForContentType(
CSPDirective aDirective, nsAString& outDirective,
bool* aReportSample) const {
MOZ_ASSERT(aReportSample);
void nsCSPPolicy::getViolatedDirectiveInformation(CSPDirective aDirective,
nsAString& outDirective,
nsAString& outDirectiveString,
bool* aReportSample) const {
*aReportSample = false;
nsCSPDirective* defaultDir = nullptr;
for (uint32_t i = 0; i < mDirectives.Length(); i++) {
if (mDirectives[i]->isDefaultDirective()) {
defaultDir = mDirectives[i];
continue;
}
if (mDirectives[i]->equals(aDirective)) {
mDirectives[i]->getDirName(outDirective);
*aReportSample = mDirectives[i]->hasReportSampleKeyword();
return;
}
}
// if we haven't found a matching directive yet,
// the contentType must be restricted by the default directive
if (defaultDir) {
defaultDir->getDirName(outDirective);
*aReportSample = defaultDir->hasReportSampleKeyword();
nsCSPDirective* directive = matchingOrDefaultDirective(aDirective);
if (!directive) {
MOZ_ASSERT_UNREACHABLE("Can not query violated directive");
outDirective.AppendLiteral("couldNotQueryViolatedDirective");
outDirective.Truncate();
return;
}
NS_ASSERTION(false, "Can not query directive string for contentType!");
outDirective.AppendLiteral("couldNotQueryViolatedDirective");
}
void nsCSPPolicy::getDirectiveAsString(CSPDirective aDir,
nsAString& outDirective) const {
for (uint32_t i = 0; i < mDirectives.Length(); i++) {
if (mDirectives[i]->equals(aDir)) {
mDirectives[i]->toString(outDirective);
return;
}
}
directive->getDirName(outDirective);
directive->toString(outDirectiveString);
*aReportSample = directive->hasReportSampleKeyword();
}
/*

12
dom/security/nsCSPUtils.h
View File

@ -619,7 +619,8 @@ class nsCSPPolicy {
bool permits(CSPDirective aDirective, nsILoadInfo* aLoadInfo, nsIURI* aUri,
bool aWasRedirected, bool aSpecific,
nsAString& outViolatedDirective) const;
nsAString& outViolatedDirective,
nsAString& outViolatedDirectiveString) const;
bool allows(CSPDirective aDirective, enum CSPKeyword aKeyword,
const nsAString& aHashOrNonce) const;
void toString(nsAString& outStr) const;
@ -650,11 +651,10 @@ class nsCSPPolicy {
void getReportURIs(nsTArray<nsString>& outReportURIs) const;
void getDirectiveStringAndReportSampleForContentType(
CSPDirective aDirective, nsAString& outDirective,
bool* aReportSample) const;
void getDirectiveAsString(CSPDirective aDir, nsAString& outDirective) const;
void getViolatedDirectiveInformation(CSPDirective aDirective,
nsAString& outDirective,
nsAString& outDirectiveString,
bool* aReportSample) const;
uint32_t getSandboxFlags() const;