Bug 1247459 - Meta and header CSP are merged without a semicolon. r=ckerschb

devtools/client/webconsole/test/browser.ini

@@ -141,6 +141,7 @@ support-files =
   test_bug1092055_shouldwarn.js^headers^
   test_bug1092055_shouldwarn.js
   test_bug1092055_shouldwarn.html
+  test_bug_1247459_violation.html
   !/devtools/client/framework/test/shared-head.js
   !/devtools/client/netmonitor/test/sjs_cors-test-server.sjs
   !/image/test/mochitest/blue.png
@@ -295,6 +296,8 @@ skip-if = os != "mac"
 skip-if = e10s # Bug 1042253 - webconsole e10s tests (Linux debug intermittent)
 [browser_webconsole_bug_1010953_cspro.js]
 skip-if = e10s && (os == 'win' || os == 'mac') # Bug 1243967
+[browser_webconsole_bug_1247459_violation.js]
+skip-if = e10s && (os == 'win') # Bug 1264955
 [browser_webconsole_certificate_messages.js]
 skip-if = e10s # Bug 1042253 - webconsole tests disabled with e10s
 [browser_webconsole_show_subresource_security_errors.js]

devtools/client/webconsole/test/browser_webconsole_bug_1247459_violation.js

@@ -0,0 +1,40 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+/* vim: set ft=javascript ts=2 et sw=2 tw=80: */
+/* Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/publicdomain/zero/1.0/ */
+
+// Tests that the Web Console CSP messages for two META policies
+// are correctly displayed.
+
+"use strict";
+
+const TEST_URI = "data:text/html;charset=utf8,Web Console CSP violation test";
+const TEST_VIOLATION = "https://example.com/browser/devtools/client/" +
+                       "webconsole/test/test_bug_1247459_violation.html";
+const CSP_VIOLATION_MSG = "Content Security Policy: The page\u2019s settings " +
+                          "blocked the loading of a resource at " +
+                          "http://some.example.com/test.png (\u201cimg-src " +
+                          "https://example.com\u201d).";
+
+add_task(function* () {
+  let { browser } = yield loadTab(TEST_URI);
+
+  let hud = yield openConsole();
+
+  hud.jsterm.clearOutput();
+
+  let loaded = loadBrowser(browser);
+  BrowserTestUtils.loadURI(browser, TEST_VIOLATION);
+  yield loaded;
+
+  yield waitForMessages({
+    webconsole: hud,
+    messages: [
+      {
+        name: "CSP policy URI warning displayed successfully",
+        text: CSP_VIOLATION_MSG,
+        repeats: 2
+      }
+    ]
+  });
+});

devtools/client/webconsole/test/browser_webconsole_bug_770099_violation.js

@@ -13,7 +13,7 @@ const TEST_VIOLATION = "https://example.com/browser/devtools/client/" +
 const CSP_VIOLATION_MSG = "Content Security Policy: The page\u2019s settings " +
                           "blocked the loading of a resource at " +
                           "http://some.example.com/test.png (\u201cdefault-src " +
-                            "https://example.com\u201d).";
+                          "https://example.com\u201d).";
 
 add_task(function* () {
   let { browser } = yield loadTab(TEST_URI);

devtools/client/webconsole/test/test_bug_1247459_violation.html

@@ -0,0 +1,15 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta http-equiv="Content-Security-Policy" content="img-src https://example.com"></meta>
+  <meta http-equiv="Content-Security-Policy" content="img-src https://example.com"></meta>
+  <meta charset="UTF-8">
+  <title>Test for Bug 1247459 - policy violations for header and META are displayed separately</title>
+<!-- Any copyright is dedicated to the Public Domain.
+     http://creativecommons.org/publicdomain/zero/1.0/ -->
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1247459">Mozilla Bug 1247459</a>
+<img src="http://some.example.com/test.png">
+</body>
+</html>

dom/security/nsCSPUtils.cpp

@@ -1168,6 +1168,7 @@ nsCSPPolicy::permits(CSPDirective aDir,
   }
 
   NS_ASSERTION(aUri, "permits needs an uri to perform the check!");
+  outViolatedDirective.Truncate();
 
   nsCSPDirective* defaultDir = nullptr;