Bug 587377 - Display CSP warning in the web console if a hostname is a quoteless CSP keyword match. r=sstamm

2025-05-13 08:57:27 +00:00 · 2014-01-17 11:10:29 -05:00 · 2014-01-17 11:10:29 -05:00 · a17e4fc360
commit a17e4fc360
parent 41ba4bf0d0
6 changed files with 85 additions and 0 deletions
--- a/content/base/src/CSPUtils.jsm
+++ b/content/base/src/CSPUtils.jsm
@ -86,6 +86,8 @@ const R_SOURCEEXP  = new RegExp (R_SCHEMESRC.source + "|" +
                                  R_NONCESRC.source + "|" +
                                   R_HASHSRC.source,  'i');

+const R_QUOTELESS_KEYWORDS = new RegExp ("^(self|unsafe-inline|unsafe-eval|" +
+                                         "inline-script|eval-script|none)$", 'i');

 this.CSPPrefObserver = {
  get debugEnabled () {
@ -1398,6 +1400,12 @@ CSPSource.fromString = function(aStr, aCSPRep, self, enforceSelfChecks) {
      // strip the ':' from the port
      sObj._port = portMatch[0].substr(1);
    }
+    // A CSP keyword without quotes is a valid hostname, but this can also be a mistake.
+    // Raise a CSP warning in the web console to developer to check his/her intent.
+    if (R_QUOTELESS_KEYWORDS.test(aStr)) {
+      cspWarn(aCSPRep, CSPLocalizer.getFormatStr("hostNameMightBeKeyword",
+                                                 [aStr, aStr.toLowerCase()]));
+    }
    return sObj;
  }

--- a/content/base/test/csp/file_self_none_as_hostname_confusion.html
+++ b/content/base/test/csp/file_self_none_as_hostname_confusion.html
@ -0,0 +1,11 @@
+<!doctype html>
+<html>
+  <head>
+    <meta charset="utf8">
+    <title>Bug 587377 - CSP keywords "'self'" and "'none'" are easy to confuse with host names "self" and "none"</title>
+    <!-- Any copyright is dedicated to the Public Domain.
+       - http://creativecommons.org/publicdomain/zero/1.0/ -->
+  </head>
+  <body>
+  </body>
+</html>
--- a/content/base/test/csp/file_self_none_as_hostname_confusion.html^headers^
+++ b/content/base/test/csp/file_self_none_as_hostname_confusion.html^headers^
@ -0,0 +1 @@
+Content-Security-Policy: default-src 'self' SELF;
--- a/content/base/test/csp/mochitest.ini
+++ b/content/base/test/csp/mochitest.ini
@ -106,6 +106,8 @@ support-files =
  file_hash_source.html^headers^
  file_dual_headers_warning.html
  file_dual_headers_warning.html^headers^
+  file_self_none_as_hostname_confusion.html
+  file_self_none_as_hostname_confusion.html^headers^

 [test_CSP.html]
 [test_CSP_bug663567.html]
@ -129,3 +131,4 @@ support-files =
 [test_CSP_bug941404.html]
 [test_hash_source.html]
 [test_dual_headers_warning.html]
+[test_self_none_as_hostname_confusion.html]
--- a/content/base/test/csp/test_self_none_as_hostname_confusion.html
+++ b/content/base/test/csp/test_self_none_as_hostname_confusion.html
@ -0,0 +1,59 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=587377
+-->
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 587377</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=587377">Mozilla Bug 587377</a>
+<p id="display"></p>
+
+<iframe id="cspframe"></iframe>
+
+<pre id="test">
+
+<script class="testbody" type="text/javascript">
+// Load locale string during mochitest
+var stringBundleService = SpecialPowers.Cc["@mozilla.org/intl/stringbundle;1"]
+                          .getService(SpecialPowers.Ci.nsIStringBundleService);
+var localizer = stringBundleService.createBundle("chrome://global/locale/security/csp.properties");
+var confusionMsg = localizer.formatStringFromName("hostNameMightBeKeyword", ["SELF", "self"], 2);
+
+function cleanup() {
+  SpecialPowers.postConsoleSentinel();
+  SimpleTest.finish();
+};
+
+// To prevent the test from asserting twice and calling SimpleTest.finish() twice,
+// startTest will be marked false as soon as the confusionMsg is detected.
+startTest = false;
+SpecialPowers.registerConsoleListener(function ConsoleMsgListener(aMsg) {
+  if (startTest) {
+    if (aMsg.message.indexOf(confusionMsg) > -1) {
+      startTest = false;
+      ok(true, "CSP header with a hostname similar to keyword should be warned");
+      SimpleTest.executeSoon(cleanup);
+    } else {
+      // don't see the warning yet? wait.
+      return;
+    }
+  }
+});
+
+// set up and start testing
+SimpleTest.waitForExplicitFinish();
+SpecialPowers.pushPrefEnv(
+  {'set': [["security.csp.speccompliant", true]]},
+  function() {
+    document.getElementById('cspframe').src = 'file_self_none_as_hostname_confusion.html';
+    startTest = true;
+});
+</script>
+</pre>
+</body>
+</html>
--- a/dom/locales/en-US/chrome/security/csp.properties
+++ b/dom/locales/en-US/chrome/security/csp.properties
@ -56,6 +56,9 @@ inlineStyleBlocked = An attempt to apply inline style sheets has been blocked
 # LOCALIZATION NOTE (scriptFromStringBlocked):
 # eval is a name and should not be localized.
 scriptFromStringBlocked = An attempt to call JavaScript from a string (by calling a function like eval) has been blocked
+# LOCALIZATION NOTE (hostNameMightBeKeyword):
+# %1$S is the hostname in question and %2$S is the keyword
+hostNameMightBeKeyword = Interpreting %1$S as a hostname, not a keyword. If you intended this to be a keyword, use '%2$S' (wrapped in single quotes).

 # CSP Errors:
 policyURINotAlone = policy-uri directive can only appear alone
				`@ -0,0 +1 @@`
				`Content-Security-Policy: default-src 'self' SELF;`