Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2024-10-09 03:15:11 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

bug 515433, bug 515437: Content Security Policy (CSP) core

Browse Source
This commit is contained in:
Sid Stamm ext:(%2C%20Brandon%20Sterne%20%3Cbsterne%40mozilla.com%3E) 2010-01-13 14:18:24 -08:00
parent d3cc2ac124
commit f2cab6a506
24 changed files with 3159 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
browser/installer/package-manifest.in
View File

@ -326,6 +326,7 @@
@BINPATH@/components/nsWebHandlerApp.js
@BINPATH@/components/nsBadCertHandler.js
@BINPATH@/components/nsFormAutoComplete.js
@BINPATH@/components/contentSecurityPolicy.js
#ifdef XP_MACOSX
@BINPATH@/components/libalerts_s.dylib
#endif

8
caps/idl/nsIPrincipal.idl
View File

@ -47,11 +47,12 @@ struct JSPrincipals;
%}
interface nsIURI;
interface IContentSecurityPolicy;
[ptr] native JSContext(JSContext);
[ptr] native JSPrincipals(JSPrincipals);
[scriptable, uuid(b8268b9a-2403-44ed-81e3-614075c92034)]
[scriptable, uuid(799ab95c-0038-4e0f-b705-74c21f185bb5)]
interface nsIPrincipal : nsISerializable
{
/**
@ -241,4 +242,9 @@ interface nsIPrincipal : nsISerializable
* one, this will return null. Getting this attribute never throws.
*/
readonly attribute nsISupports certificate;
/**
* A Content Security Policy associated with this principal.
*/
[noscript] attribute IContentSecurityPolicy csp;
};

1
caps/include/nsPrincipal.h
View File

@ -138,6 +138,7 @@ protected:
DomainPolicy* mSecurityPolicy;
nsCOMPtr<IContentSecurityPolicy> mCSP;
nsCOMPtr<nsIURI> mCodebase;
nsCOMPtr<nsIURI> mDomain;
PRPackedBool mTrusted;

15
caps/src/nsNullPrincipal.cpp
View File

@ -251,6 +251,21 @@ nsNullPrincipal::GetURI(nsIURI** aURI)
return NS_EnsureSafeToReturn(mURI, aURI);
}
NS_IMETHODIMP
nsNullPrincipal::GetCsp(IContentSecurityPolicy** aCsp)
{
// CSP on a null principal makes no sense
*aCsp = nsnull;
return NS_OK;
}
NS_IMETHODIMP
nsNullPrincipal::SetCsp(IContentSecurityPolicy* aCsp)
{
// CSP on a null principal makes no sense
return NS_ERROR_NOT_AVAILABLE;
}
NS_IMETHODIMP
nsNullPrincipal::GetDomain(nsIURI** aDomain)
{

20
caps/src/nsPrincipal.cpp
View File

@ -57,6 +57,7 @@
#include "nsIPrefService.h"
#include "nsIClassInfoImpl.h"
#include "nsDOMError.h"
#include "IContentSecurityPolicy.h"
#include "nsPrincipal.h"
@ -774,6 +775,25 @@ nsPrincipal::GetCertificate(nsISupports** aCertificate)
return NS_OK;
}
NS_IMETHODIMP
nsPrincipal::GetCsp(IContentSecurityPolicy** aCsp)
{
NS_IF_ADDREF(*aCsp = mCSP);
return NS_OK;
}
NS_IMETHODIMP
nsPrincipal::SetCsp(IContentSecurityPolicy* aCsp)
{
// If CSP was already set, it should not be destroyed! Instead, it should
// get set anew when a new principal is created.
if (mCSP)
return NS_ERROR_ALREADY_INITIALIZED;
mCSP = aCsp;
return NS_OK;
}
NS_IMETHODIMP
nsPrincipal::GetHashValue(PRUint32* aValue)
{

14
caps/src/nsSystemPrincipal.cpp
View File

@ -223,6 +223,20 @@ nsSystemPrincipal::GetHasCertificate(PRBool* aResult)
return NS_OK;
}
NS_IMETHODIMP
nsSystemPrincipal::GetCsp(IContentSecurityPolicy** aCsp)
{
*aCsp = nsnull;
return NS_OK;
}
NS_IMETHODIMP
nsSystemPrincipal::SetCsp(IContentSecurityPolicy* aCsp)
{
// CSP on a null principal makes no sense
return NS_OK;
}
NS_IMETHODIMP
nsSystemPrincipal::GetDomain(nsIURI** aDomain)
{

152
content/base/public/IContentSecurityPolicy.idl Normal file
View File

@ -0,0 +1,152 @@
/* ***** BEGIN LICENSE BLOCK *****
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
*
* The contents of this file are subject to the Mozilla Public License Version
* 1.1 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
* http://www.mozilla.org/MPL/
*
* Software distributed under the License is distributed on an "AS IS" basis,
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
* for the specific language governing rights and limitations under the
* License.
*
* The Original Code is the Content Security Policy IDL definition.
*
* The Initial Developer of the Original Code is
* Mozilla Corporation
*
* Contributor(s):
* Sid Stamm <sid@mozilla.com>
* Brandon Sterne <bsterne@mozilla.com>
* Daniel Veditz <dveditz@mozilla.com>
*
* Alternatively, the contents of this file may be used under the terms of
* either the GNU General Public License Version 2 or later (the "GPL"), or
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
* in which case the provisions of the GPL or the LGPL are applicable instead
* of those above. If you wish to allow use of your version of this file only
* under the terms of either the GPL or the LGPL, and not to allow others to
* use your version of this file under the terms of the MPL, indicate your
* decision by deleting the provisions above and replace them with the notice
* and other provisions required by the GPL or the LGPL. If you do not delete
* the provisions above, a recipient may use your version of this file under
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
#include "nsISupports.idl"
interface nsIURI;
interface nsIHttpChannel;
interface nsIDocShell;
/**
* IContentSecurityPolicy
* Describes an XPCOM component used to model an enforce CSPs.
*/
[scriptable, uuid(AB36A2BF-CB32-4AA6-AB41-6B4E4444A221)]
interface IContentSecurityPolicy : nsISupports
{
/**
* Set to true when the CSP has been read in and parsed and is ready to
* enforce. This is a barrier for the nsDocument so it doesn't load any
* sub-content until either it knows that a CSP is ready or will not be used.
*/
attribute boolean isInitialized;
/**
* When set to true, content load-blocking and fail-closed are disabled: CSP
* will ONLY send reports, and not modify behavior.
*/
attribute boolean reportOnlyMode;
/**
* A read-only string version of the policy for debugging.
*/
readonly attribute AString policy;
/**
* Whether this policy allows in-page script.
*
* Calls to this may trigger violation reports when queried, so
* this value should not be cached.
*/
readonly attribute boolean allowsInlineScript;
/**
* whether this policy allows eval and eval-like functions
* such as setTimeout("code string", time).
*
* Calls to this may trigger violation reports when queried, so
* this value should not be cached.
*/
readonly attribute boolean allowsEval;
/**
* Manually triggers violation report sending given a URI and reason.
* The URI may be null, in which case "self" is sent.
* @param blockedURI
* the URI that violated the policy
* @param violatedDirective
* the directive that was violated.
* @return
* nothing.
*/
void sendReports(in AString blockedURI, in AString violatedDirective);
/**
* Called after the CSP object is created to fill in the appropriate request
* and request header information needed in case a report needs to be sent.
*/
void scanRequestData(in nsIHttpChannel aChannel);
/**
* Updates the policy currently stored in the CSP to be "refined" or
* tightened by the one specified in the string policyString.
*/
void refinePolicy(in AString policyString, in nsIURI selfURI);
/**
* Verifies ancestry as permitted by the policy.
*
* Calls to this may trigger violation reports when queried, so
* this value should not be cached.
*
* @param docShell
* containing the protected resource
* @return
* true if the frame's ancestors are all permitted by policy
*/
boolean permitsAncestry(in nsIDocShell docShell);
/**
* Delegate method called by the service when sub-elements of the protected
* document are being loaded. Given a bit of information about the request,
* decides whether or not the policy is satisfied.
*
* Calls to this may trigger violation reports when queried, so
* this value should not be cached.
*/
short shouldLoad(in unsigned long aContentType,
in nsIURI aContentLocation,
in nsIURI aRequestOrigin,
in nsISupports aContext,
in ACString aMimeTypeGuess,
in nsISupports aExtra);
/**
* Delegate method called by the service when sub-elements of the protected
* document are being processed. Given a bit of information about the request,
* decides whether or not the policy is satisfied.
*/
short shouldProcess(in unsigned long aContentType,
in nsIURI aContentLocation,
in nsIURI aRequestOrigin,
in nsISupports aContext,
in ACString aMimeType,
in nsISupports aExtra);
};

1
content/base/public/Makefile.in
View File

@ -113,6 +113,7 @@ XPIDLSRCS = \
nsIObjectLoadingContent.idl \
nsIFrameLoader.idl \
nsIXMLHttpRequest.idl \
IContentSecurityPolicy.idl \
$(NULL)
include $(topsrcdir)/config/rules.mk

1295
content/base/src/CSPUtils.jsm Normal file
View File

File diff suppressed because it is too large Load Diff

10
content/base/src/Makefile.in
View File

@ -79,6 +79,7 @@ CPPSRCS = \
nsContentUtils.cpp \
nsCopySupport.cpp \
nsCrossSiteListenerProxy.cpp \
nsCSPService.cpp \
nsDataDocumentContentPolicy.cpp \
nsDOMAttribute.cpp \
nsDOMAttributeMap.cpp \
@ -141,7 +142,14 @@ GQI_SRCS = contentbase.gqi
# static lib.
FORCE_STATIC_LIB = 1
EXTRA_COMPONENTS = $(srcdir)/nsBadCertHandler.js
EXTRA_COMPONENTS = \
$(srcdir)/nsBadCertHandler.js \
contentSecurityPolicy.js \
$(NULL)
EXTRA_JS_MODULES = \
CSPUtils.jsm \
$(NULL)
include $(topsrcdir)/config/rules.mk

445
content/base/src/contentSecurityPolicy.js Normal file
View File

@ -0,0 +1,445 @@
/* ***** BEGIN LICENSE BLOCK *****
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
*
* The contents of this file are subject to the Mozilla Public License Version
* 1.1 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
* http://www.mozilla.org/MPL/
*
* Software distributed under the License is distributed on an "AS IS" basis,
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
* for the specific language governing rights and limitations under the
* License.
*
* The Original Code is the ContentSecurityPolicy module.
*
* The Initial Developer of the Original Code is
* Mozilla Corporation
*
* Contributor(s):
* Sid Stamm <sid@mozilla.com>
* Brandon Sterne <bsterne@mozilla.com>
*
* Alternatively, the contents of this file may be used under the terms of
* either the GNU General Public License Version 2 or later (the "GPL"), or
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
* in which case the provisions of the GPL or the LGPL are applicable instead
* of those above. If you wish to allow use of your version of this file only
* under the terms of either the GPL or the LGPL, and not to allow others to
* use your version of this file under the terms of the MPL, indicate your
* decision by deleting the provisions above and replace them with the notice
* and other provisions required by the GPL or the LGPL. If you do not delete
* the provisions above, a recipient may use your version of this file under
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/**
* Content Security Policy
*
* Overview
* This is a stub component that will be fleshed out to do all the fancy stuff
* that ContentSecurityPolicy has to do.
*/
/* :::::::: Constants and Helpers ::::::::::::::: */
const Cc = Components.classes;
const Ci = Components.interfaces;
const Cr = Components.results;
const Cu = Components.utils;
const CSP_VIOLATION_TOPIC = "csp-on-violate-policy";
Cu.import("resource://gre/modules/XPCOMUtils.jsm");
Cu.import("resource://gre/modules/CSPUtils.jsm");
/* ::::: Policy Parsing & Data structures :::::: */
function ContentSecurityPolicy() {
CSPdebug("CSP CREATED");
this._isInitialized = false;
this._reportOnlyMode = false;
this._policy = CSPRep.fromString("allow *");
// default options "wide open" since this policy will be intersected soon
this._policy._allowInlineScripts = true;
this._policy._allowEval = true;
this._requestHeaders = [];
this._request = "";
CSPdebug("CSP POLICY INITED TO 'allow *'");
this._observerService = Cc['@mozilla.org/observer-service;1']
.getService(Ci.nsIObserverService);
}
/*
* Set up mappings from nsIContentPolicy content types to CSP directives.
*/
{
let cp = Ci.nsIContentPolicy;
let csp = ContentSecurityPolicy;
let cspr_sd = CSPRep.SRC_DIRECTIVES;
csp._MAPPINGS=[];
/* default, catch-all case */
csp._MAPPINGS[cp.TYPE_OTHER] = cspr_sd.ALLOW;
/* self */
csp._MAPPINGS[cp.TYPE_DOCUMENT] = null;
/* shouldn't see this one */
csp._MAPPINGS[cp.TYPE_REFRESH] = null;
/* categorized content types */
csp._MAPPINGS[cp.TYPE_SCRIPT] = cspr_sd.SCRIPT_SRC;
csp._MAPPINGS[cp.TYPE_IMAGE] = cspr_sd.IMG_SRC;
csp._MAPPINGS[cp.TYPE_STYLESHEET] = cspr_sd.STYLE_SRC;
csp._MAPPINGS[cp.TYPE_OBJECT] = cspr_sd.OBJECT_SRC;
csp._MAPPINGS[cp.TYPE_SUBDOCUMENT] = cspr_sd.FRAME_SRC;
csp._MAPPINGS[cp.TYPE_MEDIA] = cspr_sd.MEDIA_SRC;
csp._MAPPINGS[cp.TYPE_FONT] = cspr_sd.FONT_SRC;
csp._MAPPINGS[cp.TYPE_XMLHTTPREQUEST] = cspr_sd.XHR_SRC;
/* These must go through the catch-all */
csp._MAPPINGS[cp.TYPE_XBL] = cspr_sd.ALLOW;
csp._MAPPINGS[cp.TYPE_PING] = cspr_sd.ALLOW;
csp._MAPPINGS[cp.TYPE_OBJECT_SUBREQUEST] = cspr_sd.ALLOW;
csp._MAPPINGS[cp.TYPE_DTD] = cspr_sd.ALLOW;
}
ContentSecurityPolicy.prototype = {
classDescription: "Content Security Policy Component",
contractID: "@mozilla.org/contentsecuritypolicy;1",
classID: Components.ID("{AB36A2BF-CB32-4AA6-AB41-6B4E4444A221}"),
QueryInterface: XPCOMUtils.generateQI([Ci.IContentSecurityPolicy]),
// get this contractID registered for certain categories via XPCOMUtils
_xpcom_categories: [ ],
get isInitialized() {
return this._isInitialized;
},
set isInitialized (foo) {
this._isInitialized = foo;
},
get policy () {
return this._policy.toString();
},
get allowsInlineScript() {
// trigger automatic report to go out when inline scripts are disabled.
if (!this._policy.allowsInlineScripts) {
var violation = 'violated base restriction: Inline Scripts will not execute';
// gotta wrap the violation string, since it's sent out to observers as
// an nsISupports.
let wrapper = Cc["@mozilla.org/supports-cstring;1"]
.createInstance(Ci.nsISupportsCString);
wrapper.data = violation;
this._observerService.notifyObservers(
wrapper,
CSP_VIOLATION_TOPIC,
'inline script base restriction');
this.sendReports('self', violation);
}
return this._reportOnlyMode || this._policy.allowsInlineScripts;
},
get allowsEval() {
// trigger automatic report to go out when eval and friends are disabled.
if (!this._policy.allowsEvalInScripts) {
var violation = 'violated base restriction: Code will not be created from strings';
// gotta wrap the violation string, since it's sent out to observers as
// an nsISupports.
let wrapper = Cc["@mozilla.org/supports-cstring;1"]
.createInstance(Ci.nsISupportsCString);
wrapper.data = violation;
this._observerService.notifyObservers(
wrapper,
CSP_VIOLATION_TOPIC,
'eval script base restriction');
this.sendReports('self', violation);
}
return this._reportOnlyMode || this._policy.allowsEvalInScripts;
},
set reportOnlyMode(val) {
this._reportOnlyMode = val;
},
get reportOnlyMode () {
return this._reportOnlyMode;
},
/*
// Having a setter is a bad idea... opens up the policy to "loosening"
// Instead, use "refinePolicy."
set policy (aStr) {
this._policy = CSPRep.fromString(aStr);
},
*/
/**
* Given an nsIHttpChannel, fill out the appropriate data.
*/
scanRequestData:
function(aChannel) {
// grab the request line
var internalChannel = aChannel.QueryInterface(Ci.nsIHttpChannelInternal);
var reqMaj = {};
var reqMin = {};
var reqVersion = internalChannel.getRequestVersion(reqMaj, reqMin);
this._request = aChannel.requestMethod + " "
+ aChannel.URI.asciiSpec
+ " HTTP/" + reqMaj.value + "." + reqMin.value;
// grab the request headers
var self = this;
aChannel.visitRequestHeaders({
visitHeader: function(aHeader, aValue) {
self._requestHeaders.push(aHeader + ": " + aValue);
}});
},
/* ........ Methods .............. */
/**
* Given a new policy, intersects the currently enforced policy with the new
* one and stores the result. The effect is a "tightening" or refinement of
* an old policy. This is called any time a new policy is encountered and
* the effective policy has to be refined.
*/
refinePolicy:
function csp_refinePolicy(aPolicy, selfURI) {
CSPdebug("REFINE POLICY: " + aPolicy);
CSPdebug(" SELF: " + selfURI.asciiSpec);
// stay uninitialized until policy merging is done
this._isInitialized = false;
// If there is a policy-uri, fetch the policy, then re-call this function.
// (1) parse and create a CSPRep object
var newpolicy = CSPRep.fromString(aPolicy,
selfURI.scheme + "://" + selfURI.hostPort);
// (2) Intersect the currently installed CSPRep object with the new one
var intersect = this._policy.intersectWith(newpolicy);
// (3) Save the result
this._policy = intersect;
this._isInitialized = true;
},
/**
* Generates and sends a violation report to the specified report URIs.
*/
sendReports:
function(blockedUri, violatedDirective) {
var uriString = this._policy.getReportURIs();
var uris = uriString.split(/\s+/);
if (uris.length > 0) {
// Generate report to send composed of:
// <csp-report>
// <request>GET /index.html HTTP/1.1</request>
// <request-headers>Host: example.com
// User-Agent: ...
// ...
// </request-headers>
// <blocked-uri>...</blocked-uri>
// <violated-directive>...</violated-directive>
// </csp-report>
//
var strHeaders = "";
for (let i in this._requestHeaders) {
strHeaders += this._requestHeaders[i] + "\n";
}
var report = "<csp-report>\n" +
" <request>" + this._request + "</request>\n" +
" <request-headers><![CDATA[\n" +
strHeaders +
" ]]></request-headers>\n" +
" <blocked-uri>" +
(typeof blockedUri === "nsIURI" ? blockedUri.asciiSpec : blockedUri) +
"</blocked-uri>\n" +
" <violated-directive>" + violatedDirective + "</violated-directive>\n" +
"</csp-report>\n";
CSPdebug("Constructed violation report:\n" + report);
// For each URI in the report list, send out a report.
for (let i in uris) {
if (uris[i] === "")
continue;
var failure = function(aEvt) {
if (req.readyState == 4 && req.status != 200) {
CSPError("Failed to send report to " + reportURI);
}
};
var req = Cc["@mozilla.org/xmlextras/xmlhttprequest;1"]
.createInstance(Ci.nsIXMLHttpRequest);
try {
req.open("POST", uris[i], true);
req.setRequestHeader('Content-Type', 'application/xml');
req.upload.addEventListener("error", failure, false);
req.upload.addEventListener("abort", failure, false);
//req.channel.loadFlags |= Ci.nsIRequest.LOAD_BYPASS_CACHE;
// make request anonymous
// This prevents sending cookies with the request,
// in case the policy URI is injected, it can't be
// abused for CSRF.
req.channel.loadFlags |= Ci.nsIChannel.LOAD_ANONYMOUS;
req.send(report);
CSPdebug("Sent violation report to " + uris[i]);
} catch(e) {
// it's possible that the URI was invalid, just log a
// warning and skip over that.
CSPWarning("Tried to send report to invalid URI: \"" + uris[i] + "\"");
}
}
}
},
/**
* Exposed Method to analyze docShell for approved frame ancestry.
* Also sends violation reports if necessary.
* @param docShell
* the docShell for this policy's resource.
* @return
* true if the frame ancestry is allowed by this policy.
*/
permitsAncestry:
function(docShell) {
if (!docShell) { return false; }
CSPdebug(" in permitsAncestry(), docShell = " + docShell);
// walk up this docShell tree until we hit chrome
var dst = docShell.QueryInterface(Ci.nsIInterfaceRequestor)
.getInterface(Ci.nsIDocShellTreeItem);
// collect ancestors and make sure they're allowed.
var ancestors = [];
while (dst.parent) {
dst = dst.parent;
let it = dst.QueryInterface(Ci.nsIInterfaceRequestor)
.getInterface(Ci.nsIWebNavigation);
if (it.currentURI) {
if (it.currentURI.scheme === "chrome") {
break;
}
let ancestor = it.currentURI;
CSPdebug(" found frame ancestor " + ancestor.asciiSpec);
ancestors.push(ancestor);
}
}
// scan the discovered ancestors
let cspContext = CSPRep.SRC_DIRECTIVES.FRAME_ANCESTORS;
for (let i in ancestors) {
let ancestor = ancestors[i].prePath;
if (!this._policy.permits(ancestor, cspContext)) {
// report the frame-ancestor violation
let directive = this._policy._directives[cspContext];
let violatedPolicy = (directive._isImplicit
? 'allow' : 'frame-ancestors ')
+ directive.toString();
// send an nsIURI object to the observers (more interesting than a string)
this._observerService.notifyObservers(
ancestors[i],
CSP_VIOLATION_TOPIC,
violatedPolicy);
this.sendReports(ancestors[i].asciiSpec, violatedPolicy);
// need to lie if we are testing in report-only mode
return this._reportOnlyMode;
}
}
return true;
},
/**
* Delegate method called by the service when sub-elements of the protected
* document are being loaded. Given a bit of information about the request,
* decides whether or not the policy is satisfied.
*/
shouldLoad:
function csp_shouldLoad(aContentType,
aContentLocation,
aRequestOrigin,
aContext,
aMimeTypeGuess,
aExtra) {
// don't filter chrome stuff
if (aContentLocation.scheme === 'chrome') {
return Ci.nsIContentPolicy.ACCEPT;
}
// interpret the context, and then pass off to the decision structure
CSPdebug("shouldLoad location = " + aContentLocation.asciiSpec);
CSPdebug("shouldLoad content type = " + aContentType);
var cspContext = ContentSecurityPolicy._MAPPINGS[aContentType];
// CSPdebug("shouldLoad CSP directive =" + cspContext);
// if the mapping is null, there's no policy, let it through.
if (!cspContext) {
return Ci.nsIContentPolicy.ACCEPT;
}
// otherwise, honor the translation
// var source = aContentLocation.scheme + "://" + aContentLocation.hostPort;
var res = this._policy.permits(aContentLocation, cspContext)
? Ci.nsIContentPolicy.ACCEPT
: Ci.nsIContentPolicy.REJECT_SERVER;
// frame-ancestors is taken care of early on (as this document is loaded)
// If the result is *NOT* ACCEPT, then send report
if (res != Ci.nsIContentPolicy.ACCEPT) {
CSPdebug("blocking request for " + aContentLocation.asciiSpec);
try {
let directive = this._policy._directives[cspContext];
let violatedPolicy = (directive._isImplicit
? 'allow' : cspContext)
+ ' ' + directive.toString();
this._observerService.notifyObservers(
aContentLocation,
CSP_VIOLATION_TOPIC,
violatedPolicy);
this.sendReports(aContentLocation, violatedPolicy);
} catch(e) {
CSPdebug('---------------- ERROR: ' + e);
}
}
return (this._reportOnlyMode ? Ci.nsIContentPolicy.ACCEPT : res);
},
shouldProcess:
function csp_shouldProcess(aContentType,
aContentLocation,
aRequestOrigin,
aContext,
aMimeType,
aExtra) {
// frame-ancestors check is done outside the ContentPolicy
var res = Ci.nsIContentPolicy.ACCEPT;
CSPdebug("shouldProcess aContext=" + aContext);
return res;
},
};
function NSGetModule(aComMgr, aFileSpec)
XPCOMUtils.generateModule([ContentSecurityPolicy]);

214
content/base/src/nsCSPService.cpp Normal file
View File

@ -0,0 +1,214 @@
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* ***** BEGIN LICENSE BLOCK *****
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
*
* The contents of this file are subject to the Mozilla Public License Version
* 1.1 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
* http://www.mozilla.org/MPL/
*
* Software distributed under the License is distributed on an "AS IS" basis,
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
* for the specific language governing rights and limitations under the
* License.
*
* The Original Code is mozilla.org code.
*
* The Initial Developer of the Original Code is
* Mozilla Corporation.
* Portions created by the Initial Developer are Copyright (C) 2009
* the Initial Developer. All Rights Reserved.
*
* Contributor(s):
* Brandon Sterne <bsterne@mozilla.com>
*
* Alternatively, the contents of this file may be used under the terms of
* either of the GNU General Public License Version 2 or later (the "GPL"),
* or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
* in which case the provisions of the GPL or the LGPL are applicable instead
* of those above. If you wish to allow use of your version of this file only
* under the terms of either the GPL or the LGPL, and not to allow others to
* use your version of this file under the terms of the MPL, indicate your
* decision by deleting the provisions above and replace them with the notice
* and other provisions required by the GPL or the LGPL. If you do not delete
* the provisions above, a recipient may use your version of this file under
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
#include "prlog.h"
#include "nsString.h"
#include "nsCOMPtr.h"
#include "nsIURI.h"
#include "nsIPrincipal.h"
#include "nsIObserver.h"
#include "nsIDocument.h"
#include "nsIContent.h"
#include "nsContentUtils.h"
#include "nsCSPService.h"
#include "IContentSecurityPolicy.h"
/* Keeps track of whether or not CSP is enabled */
static PRBool gCSPEnabled = PR_TRUE;
#ifdef PR_LOGGING
static PRLogModuleInfo* gCspPRLog;
#endif
CSPService::CSPService()
{
nsContentUtils::AddBoolPrefVarCache("security.csp.enable", &gCSPEnabled);
#ifdef PR_LOGGING
if (!gCspPRLog)
gCspPRLog = PR_NewLogModule("CSP");
#endif
}
CSPService::~CSPService()
{
}
NS_IMPL_ISUPPORTS1(CSPService, nsIContentPolicy)
/* nsIContentPolicy implementation */
NS_IMETHODIMP
CSPService::ShouldLoad(PRUint32 aContentType,
nsIURI *aContentLocation,
nsIURI *aRequestOrigin,
nsISupports *aRequestContext,
const nsACString &aMimeTypeGuess,
nsISupports *aExtra,
PRInt16 *aDecision)
{
if (!aContentLocation)
return NS_ERROR_FAILURE;
#ifdef PR_LOGGING
{
nsCAutoString location;
aContentLocation->GetSpec(location);
PR_LOG(gCspPRLog, PR_LOG_DEBUG,
("CSPService::ShouldLoad called for %s", location.get()));
}
#endif
// default decision, CSP can revise it if there's a policy to enforce
*aDecision = nsIContentPolicy::ACCEPT;
// No need to continue processing if CSP is disabled
if (!gCSPEnabled)
return NS_OK;
// find the nsDocument that initiated this request and see if it has a
// CSP policy object
nsresult rv;
nsCOMPtr<nsIDocument> doc;
nsCOMPtr<nsIPrincipal> principal;
nsCOMPtr<IContentSecurityPolicy> csp;
nsCOMPtr<nsIContent> node(do_QueryInterface(aRequestContext));
if (node) {
doc = node->GetOwnerDoc();
}
if (!doc) {
doc = do_QueryInterface(aRequestContext);
}
if (doc) {
principal = doc->NodePrincipal();
principal->GetCsp(getter_AddRefs(csp));
if (csp) {
#ifdef PR_LOGGING
nsAutoString policy;
csp->GetPolicy(policy);
PR_LOG(gCspPRLog, PR_LOG_DEBUG,
("Document has CSP: %s",
NS_ConvertUTF16toUTF8(policy).get()));
#endif
// obtain the enforcement decision
csp->ShouldLoad(aContentType,
aContentLocation,
aRequestOrigin,
aRequestContext,
aMimeTypeGuess,
aExtra,
aDecision);
}
}
#ifdef PR_LOGGING
else {
nsCAutoString uriSpec;
aContentLocation->GetSpec(uriSpec);
PR_LOG(gCspPRLog, PR_LOG_DEBUG,
("COULD NOT get nsIDocument for location: %s", uriSpec.get()));
}
#endif
return NS_OK;
}
NS_IMETHODIMP
CSPService::ShouldProcess(PRUint32 aContentType,
nsIURI *aContentLocation,
nsIURI *aRequestOrigin,
nsISupports *aRequestContext,
const nsACString &aMimeTypeGuess,
nsISupports *aExtra,
PRInt16 *aDecision)
{
if (!aContentLocation)
return NS_ERROR_FAILURE;
// default decision is to accept the item
*aDecision = nsIContentPolicy::ACCEPT;
// No need to continue processing if CSP is disabled
if (!gCSPEnabled)
return NS_OK;
// find the nsDocument that initiated this request and see if it has a
// CSP policy object
nsresult rv;
nsCOMPtr<nsIDocument> doc;
nsCOMPtr<nsIPrincipal> principal;
nsCOMPtr<IContentSecurityPolicy> csp;
nsCOMPtr<nsIContent> node(do_QueryInterface(aRequestContext));
if (node) {
doc = node->GetOwnerDoc();
}
if (!doc) {
doc = do_QueryInterface(aRequestContext);
}
if (doc) {
principal = doc->NodePrincipal();
principal->GetCsp(getter_AddRefs(csp));
if (csp) {
#ifdef PR_LOGGING
nsAutoString policy;
csp->GetPolicy(policy);
PR_LOG(gCspPRLog, PR_LOG_DEBUG,
("shouldProcess - document has policy: %s",
NS_ConvertUTF16toUTF8(policy).get()));
#endif
// obtain the enforcement decision
csp->ShouldProcess(aContentType,
aContentLocation,
aRequestOrigin,
aRequestContext,
aMimeTypeGuess,
aExtra,
aDecision);
}
}
#ifdef PR_LOGGING
else {
nsCAutoString uriSpec;
aContentLocation->GetSpec(uriSpec);
PR_LOG(gCspPRLog, PR_LOG_DEBUG,
("COULD NOT get nsIDocument for location: %s", uriSpec.get()));
}
#endif
return NS_OK;
}

57
content/base/src/nsCSPService.h Normal file
View File

@ -0,0 +1,57 @@
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* ***** BEGIN LICENSE BLOCK *****
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
*
* The contents of this file are subject to the Mozilla Public License Version
* 1.1 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
* http://www.mozilla.org/MPL/
*
* Software distributed under the License is distributed on an "AS IS" basis,
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
* for the specific language governing rights and limitations under the
* License.
*
* The Original Code is mozilla.org code.
*
* The Initial Developer of the Original Code is
* Mozilla Corporation.
* Portions created by the Initial Developer are Copyright (C) 2009
* the Initial Developer. All Rights Reserved.
*
* Contributor(s):
* Brandon Sterne <bsterne@mozilla.com>
*
* Alternatively, the contents of this file may be used under the terms of
* either of the GNU General Public License Version 2 or later (the "GPL"),
* or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
* in which case the provisions of the GPL or the LGPL are applicable instead
* of those above. If you wish to allow use of your version of this file only
* under the terms of either the GPL or the LGPL, and not to allow others to
* use your version of this file under the terms of the MPL, indicate your
* decision by deleting the provisions above and replace them with the notice
* and other provisions required by the GPL or the LGPL. If you do not delete
* the provisions above, a recipient may use your version of this file under
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
#include "nsXPCOM.h"
#include "nsIContentPolicy.h"
#define CSPSERVICE_CONTRACTID "@mozilla.org/cspservice;1"
#define CSPSERVICE_CID \
{ 0x8d2f40b2, 0x4875, 0x4c95, \
{ 0x97, 0xd9, 0x3f, 0x7d, 0xca, 0x2c, 0xb4, 0x60 } }
class CSPService : public nsIContentPolicy
{
public:
NS_DECL_ISUPPORTS
NS_DECL_NSICONTENTPOLICY
CSPService();
virtual ~CSPService();
private:
PRBool mEnabled;
};

118
content/base/src/nsDocument.cpp
View File

@ -181,6 +181,9 @@ static NS_DEFINE_CID(kDOMEventGroupCID, NS_DOMEVENTGROUP_CID);
#include "nsSVGUtils.h"
#endif // MOZ_SMIL
// FOR CSP (autogenerated by xpidl)
#include "IContentSecurityPolicy.h"
#ifdef MOZ_LOGGING
// so we can get logging even in release builds
@ -188,8 +191,12 @@ static NS_DEFINE_CID(kDOMEventGroupCID, NS_DOMEVENTGROUP_CID);
#endif
#include "prlog.h"
/* Keeps track of whether or not CSP is enabled */
static PRBool gCSPEnabled = PR_TRUE;
#ifdef PR_LOGGING
static PRLogModuleInfo* gDocumentLeakPRLog;
static PRLogModuleInfo* gCspPRLog;
#endif
void
@ -1495,8 +1502,13 @@ nsDocument::nsDocument(const char* aContentType)
if (gDocumentLeakPRLog)
PR_LOG(gDocumentLeakPRLog, PR_LOG_DEBUG,
("DOCUMENT %p created", this));
if (!gCspPRLog)
gCspPRLog = PR_NewLogModule("CSP");
#endif
nsContentUtils::AddBoolPrefVarCache("security.csp.enable", &gCSPEnabled);
// Start out mLastStyleSheetSet as null, per spec
SetDOMStringToNull(mLastStyleSheetSet);
}
@ -2251,10 +2263,114 @@ nsDocument::StartDocumentLoad(const char* aCommand, nsIChannel* aChannel,
RetrieveRelevantHeaders(aChannel);
mChannel = aChannel;
nsresult rv = InitCSP();
NS_ENSURE_SUCCESS(rv, rv);
return NS_OK;
}
nsresult
nsDocument::InitCSP()
{
if (gCSPEnabled) {
nsAutoString cspHeaderValue;
nsAutoString cspROHeaderValue;
this->GetHeaderData(nsGkAtoms::headerCSP, cspHeaderValue);
this->GetHeaderData(nsGkAtoms::headerCSPReportOnly, cspROHeaderValue);
PRBool system = PR_FALSE;
nsIScriptSecurityManager *ssm = nsContentUtils::GetSecurityManager();
if (NS_SUCCEEDED(ssm->IsSystemPrincipal(NodePrincipal(), &system)) && system) {
// only makes sense to register new CSP if this document is not priviliged
return NS_OK;
}
if (cspHeaderValue.IsEmpty() && cspROHeaderValue.IsEmpty()) {
// no CSP header present, stop processing
return NS_OK;
}
#ifdef PR_LOGGING
PR_LOG(gCspPRLog, PR_LOG_DEBUG, ("CSP header specified for document %p", this));
#endif
nsresult rv;
nsCOMPtr<IContentSecurityPolicy> mCSP;
mCSP = do_CreateInstance("@mozilla.org/contentsecuritypolicy;1", &rv);
if (NS_FAILED(rv)) {
#ifdef PR_LOGGING
PR_LOG(gCspPRLog, PR_LOG_DEBUG, ("Failed to create CSP object: %x", rv));
#endif
return rv;
}
// Store the request context for violation reports
nsCOMPtr<nsIHttpChannel> httpChannel = do_QueryInterface(mChannel);
mCSP->ScanRequestData(httpChannel);
// Start parsing the policy
nsCOMPtr<nsIURI> chanURI;
mChannel->GetURI(getter_AddRefs(chanURI));
#ifdef PR_LOGGING
PR_LOG(gCspPRLog, PR_LOG_DEBUG, ("CSP Loaded"));
#endif
// ReportOnly mode is enabled *only* if there are no regular-strength CSP
// headers present. If there are, then we ignore the ReportOnly mode and
// toss a warning into the error console, proceeding with enforcing the
// regular-strength CSP.
if (cspHeaderValue.IsEmpty()) {
mCSP->SetReportOnlyMode(true);
mCSP->RefinePolicy(cspROHeaderValue, chanURI);
#ifdef PR_LOGGING
{
PR_LOG(gCspPRLog, PR_LOG_DEBUG,
("CSP (report only) refined, policy: \"%s\"",
NS_ConvertUTF16toUTF8(cspROHeaderValue).get()));
}
#endif
} else {
//XXX(sstamm): maybe we should post a warning when both read only and regular
// CSP headers are present.
mCSP->RefinePolicy(cspHeaderValue, chanURI);
#ifdef PR_LOGGING
{
PR_LOG(gCspPRLog, PR_LOG_DEBUG,
("CSP refined, policy: \"%s\"",
NS_ConvertUTF16toUTF8(cspHeaderValue).get()));
}
#endif
}
//Copy into principal
nsIPrincipal* principal = GetPrincipal();
if (principal) {
principal->SetCsp(mCSP);
#ifdef PR_LOGGING
PR_LOG(gCspPRLog, PR_LOG_DEBUG,
("Inserted CSP into principal %p", principal));
}
else {
PR_LOG(gCspPRLog, PR_LOG_DEBUG,
("Couldn't copy CSP into absent principal %p", principal));
#endif
}
}
#ifdef PR_LOGGING
else { //CSP was not enabled!
PR_LOG(gCspPRLog, PR_LOG_DEBUG,
("CSP is disabled, skipping CSP init for document %p", this));
}
#endif
return NS_OK;
}
void
nsDocument::StopDocumentLoad()
{
@ -6642,6 +6758,8 @@ nsDocument::RetrieveRelevantHeaders(nsIChannel *aChannel)
"content-disposition",
"refresh",
"x-dns-prefetch-control",
"x-content-security-policy",
"x-content-security-policy-read-only",
// add more http headers if you need
// XXXbz don't add content-location support without reading bug
// 238654 and its dependencies/dups first.

2
content/base/src/nsDocument.h
View File

@ -1211,6 +1211,8 @@ private:
void PostUnblockOnloadEvent();
void DoUnblockOnload();
nsresult InitCSP();
/**
* See if aDocument is a child of this. If so, return the frame element in
* this document that holds currentDoc (or an ancestor).

2
content/base/src/nsGkAtomList.h
View File

@ -1007,6 +1007,8 @@ GK_ATOM(withParam, "with-param")
GK_ATOM(wizard, "wizard")
GK_ATOM(wrap, "wrap")
GK_ATOM(headerDNSPrefetchControl,"x-dns-prefetch-control")
GK_ATOM(headerCSP, "x-content-security-policy")
GK_ATOM(headerCSPReportOnly, "x-content-security-policy-report-only")
GK_ATOM(xml, "xml")
GK_ATOM(xmlns, "xmlns")
GK_ATOM(xmp, "xmp")

4
content/base/test/Makefile.in
View File

@ -333,6 +333,10 @@ _TEST_FILES = test_bug5141.html \
test_bug503481b.html \
file_bug503481b_inner.html \
test_viewport_scroll.html \
test_CSP.html \
file_CSP.sjs \
file_CSP_main.html \
file_CSP_main.js \
$(NULL)
# Disabled; see bug 492181

44
content/base/test/file_CSP.sjs Normal file
View File

@ -0,0 +1,44 @@
// SJS file for CSP mochitests
function handleRequest(request, response)
{
var query = {};
request.queryString.split('&').forEach(function (val) {
var [name, value] = val.split('=');
query[name] = unescape(value);
});
var isPreflight = request.method == "OPTIONS";
//avoid confusing cache behaviors
response.setHeader("Cache-Control", "no-cache", false);
if ("main" in query) {
var xhr = Components.classes["@mozilla.org/xmlextras/xmlhttprequest;1"]
.createInstance(Components.interfaces.nsIXMLHttpRequest);
//serve the main page with a CSP header!
// -- anything served from 'self' (localhost:8888) will be allowed,
// -- anything served from other hosts (example.com:80) will be blocked.
// -- XHR tests are set up in the file_CSP_main.js file which is sourced.
response.setHeader("X-Content-Security-Policy",
"allow 'self'",
false);
xhr.open("GET", "http://localhost:8888/tests/content/base/test/file_CSP_main.html", false);
xhr.send(null);
if(xhr.status == 200) {
response.write(xhr.responseText);
}
} else {
if ("type" in query) {
response.setHeader("Content-Type", unescape(query['type']), false);
} else {
response.setHeader("Content-Type", "text/html", false);
}
if ("content" in query) {
response.setHeader("Content-Type", "text/html", false);
response.write(unescape(query['content']));
}
}
}

55
content/base/test/file_CSP_main.html Normal file
View File

@ -0,0 +1,55 @@
<html>
<head>
<link rel='stylesheet' type='text/css'
href='http://example.org/tests/content/base/test/file_CSP.sjs?testid=style_bad&type=text/css' />
<link rel='stylesheet' type='text/css'
href='file_CSP.sjs?testid=style_good&type=text/css' />
<style>
/* CSS font embedding tests */
@font-face {
font-family: "arbitrary_good";
src: url('file_CSP.sjs?testid=font_good&type=application/octet-stream');
}
@font-face {
font-family: "arbitrary_bad";
src: url('http://example.org/tests/content/base/test/file_CSP.sjs?testid=font_bad&type=application/octet-stream');
}
.div_arbitrary_good { font-family: "arbitrary_good"; }
.div_arbitrary_bad { font-family: "arbitrary_bad"; }
</style>
</head>
<body>
<!-- these should be stopped by CSP. :) -->
<img src="http://example.org/tests/content/base/test/file_CSP.sjs?testid=img_bad&type=img/png" />
<audio src="http://example.org/tests/content/base/test/file_CSP.sjs?testid=media_bad&type=audio/vorbis"></audio>
<script src='http://example.org/tests/content/base/test/file_CSP.sjs?testid=script_bad&type=text/javascript'></script>
<iframe src='http://example.org/tests/content/base/test/file_CSP.sjs?testid=frame_bad&content=FAIL'></iframe>
<object width="10" height="10">
<param name="movie" value="http://example.org/tests/content/base/test/file_CSP.sjs?testid=object_bad&type=application/x-shockwave-flash">
<embed src="http://example.org/tests/content/base/test/file_CSP.sjs?testid=object_bad&type=application/x-shockwave-flash"></embed>
</object>
<!-- these should load ok. :) -->
<img src="file_CSP.sjs?testid=img_good&type=img/png" />
<audio src="file_CSP.sjs?testid=media_good&type=audio/vorbis"></audio>
<script src='file_CSP.sjs?testid=script_good&type=text/javascript'></script>
<iframe src='file_CSP.sjs?testid=frame_good&content=PASS'></iframe>
<object width="10" height="10">
<param name="movie" value="file_CSP.sjs?testid=object_good&type=application/x-shockwave-flash">
<embed src="file_CSP.sjs?testid=object_good&type=application/x-shockwave-flash"></embed>
</object>
<!-- XHR tests... they're taken care of in this script,
and since the URI doesn't have any 'testid' values,
it will just be ignored by the test framework. -->
<script src='file_CSP_main.js'></script>
<!-- Support elements for the @font-face test -->
<div class="div_arbitrary_good">arbitrary good</div>
<div class="div_arbitrary_bad">arbitrary_bad</div>
</body>
</html>

16
content/base/test/file_CSP_main.js Normal file
View File

@ -0,0 +1,16 @@
// some javascript for the CSP XHR tests
//
try {
var xhr_good = new XMLHttpRequest();
var xhr_good_uri ="http://localhost:8888/tests/content/base/test/file_CSP.sjs?testid=xhr_good";
xhr_good.open("GET", xhr_good_uri, true);
xhr_good.send(null);
} catch(e) {}
try {
var xhr_bad = new XMLHttpRequest();
var xhr_bad_uri ="http://example.com/tests/content/base/test/file_CSP.sjs?testid=xhr_bad";
xhr_bad.open("GET", xhr_bad_uri, true);
xhr_bad.send(null);
} catch(e) {}

127
content/base/test/test_CSP.html Normal file
View File

@ -0,0 +1,127 @@
<!DOCTYPE HTML>
<html>
<head>
<title>Test for Content Security Policy Connections</title>
<script type="text/javascript" src="/MochiKit/packed.js"></script>
<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<p id="display"></p>
<div id="content" style="display: none">
</div>
<iframe style="width:200px;height:200px;" id='cspframe'></iframe>
<script class="testbody" type="text/javascript">
var path = "/tests/content/base/test/";
// These are test results: -1 means it hasn't run,
// true/false is the pass/fail result.
window.tests = {
img_good: -1,
img_bad: -1,
style_good: -1,
style_bad: -1,
frame_good: -1,
frame_bad: -1,
script_good: -1,
script_bad: -1,
xhr_good: -1,
xhr_bad: -1,
media_good: -1,
media_bad: -1,
font_good: -1,
font_bad: -1,
object_good: -1,
object_bad: -1,
};
// This is used to watch the blocked data bounce off CSP and allowed data
// get sent out to the wire.
function examiner() {
netscape.security.PrivilegeManager.enablePrivilege('UniversalXPConnect');
var obsvc = Components.classes['@mozilla.org/observer-service;1']
.getService(Components.interfaces.nsIObserverService);
obsvc.addObserver(this, "csp-on-violate-policy", false);
obsvc.addObserver(this, "http-on-modify-request", false);
}
examiner.prototype = {
observe: function(subject, topic, data) {
netscape.security.PrivilegeManager.enablePrivilege('UniversalXPConnect');
// subject should be an nsURI, and should be either allowed or blocked.
if(!subject.QueryInterface)
return;
var testpat = new RegExp("testid=([a-z0-9_]+)");
//_good things better be allowed!
//_bad things better be stopped!
if (topic === "http-on-modify-request") {
//these things were allowed by CSP
var uri = subject.QueryInterface(Components.interfaces.nsIHttpChannel).URI;
if (!testpat.test(uri.asciiSpec)) return;
var testid = testpat.exec(uri.asciiSpec)[1];
window.testResult(testid,
/_good/.test(testid),
uri.asciiSpec + " allowed by csp");
}
if(topic === "csp-on-violate-policy") {
//these were blocked... record that they were blocked
var uri = subject.QueryInterface(Components.interfaces.nsIURI);
if (!testpat.test(uri.asciiSpec)) return;
var testid = testpat.exec(uri.asciiSpec)[1];
window.testResult(testid,
/_bad/.test(testid),
uri.asciiSpec + " blocked by \"" + data + "\"");
}
},
// must eventually call this to remove the listener,
// or mochitests might get borked.
remove: function() {
netscape.security.PrivilegeManager.enablePrivilege('UniversalXPConnect');
var obsvc = Components.classes['@mozilla.org/observer-service;1']
.getService(Components.interfaces.nsIObserverService);
obsvc.removeObserver(this, "csp-on-violate-policy");
obsvc.removeObserver(this, "http-on-modify-request");
}
}
window.examiner = new examiner();
window.testResult = function(testname, result, msg) {
//test already complete.... forget it... remember the first result.
if (window.tests[testname] != -1)
return;
window.tests[testname] = result;
is(result, true, testname + ' test: ' + msg);
// if any test is incomplete, keep waiting
for (var v in window.tests)
if(tests[v] == -1)
return;
// ... otherwise, finish
window.examiner.remove();
SimpleTest.finish();
}
SimpleTest.waitForExplicitFinish();
// save this for last so that our listeners are registered.
// ... this loads the testbed of good and bad requests.
document.getElementById('cspframe').src = 'file_CSP.sjs?main=1';
</script>
</pre>
</body>
</html>

497
content/base/test/unit/test_csputils.js Normal file
View File

@ -0,0 +1,497 @@
/* ***** BEGIN LICENSE BLOCK *****
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
*
* The contents of this file are subject to the Mozilla Public License Version
* 1.1 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
* http://www.mozilla.org/MPL/
*
* Software distributed under the License is distributed on an "AS IS" basis,
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
* for the specific language governing rights and limitations under the
* License.
*
* The Original Code is the Content Security Policy Data Structures testing code.
*
* The Initial Developer of the Original Code is
* Mozilla Corporation
*
* Contributor(s):
* Sid Stamm <sid@mozilla.com>
*
* Alternatively, the contents of this file may be used under the terms of
* either the GNU General Public License Version 2 or later (the "GPL"), or
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
* in which case the provisions of the GPL or the LGPL are applicable instead
* of those above. If you wish to allow use of your version of this file only
* under the terms of either the GPL or the LGPL, and not to allow others to
* use your version of this file under the terms of the MPL, indicate your
* decision by deleting the provisions above and replace them with the notice
* and other provisions required by the GPL or the LGPL. If you do not delete
* the provisions above, a recipient may use your version of this file under
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
//load('CSPUtils.jsm');
Components.utils.import('resource://gre/modules/CSPUtils.jsm');
// load the HTTP server
do_load_httpd_js();
var httpServer = new nsHttpServer();
const POLICY_FROM_URI = "allow 'self'; img-src *";
const POLICY_PORT = 9000;
const POLICY_URI = "http://localhost:" + POLICY_PORT + "/policy";
// helper to assert that an object or array must have a given key
function do_check_has_key(foo, key, stack) {
if (!stack)
stack = Components.stack.caller;
var keys = [];
for(let k in keys) { keys.push(k); }
var text = key + " in [" + keys.join(",") + "]";
for(var x in foo) {
if(x == key) {
//succeed
++_passedChecks;
dump("TEST-PASS | " + stack.filename + " | [" + stack.name + " : " +
stack.lineNumber + "] " + text + "\n");
return;
}
}
do_throw(text, stack);
}
// helper to use .equals on stuff
function do_check_equivalent(foo, bar, stack) {
if (!stack)
stack = Components.stack.caller;
var text = foo + ".equals(" + bar + ")";
if(foo.equals && foo.equals(bar)) {
++_passedChecks;
dump("TEST-PASS | " + stack.filename + " | [" + stack.name + " : " +
stack.lineNumber + "] " + text + "\n");
return;
}
do_throw(text, stack);
}
var tests = [];
function test(fcn) {
tests.push(fcn);
}
test(
function test_CSPHost_fromstring() {
var h;
h = CSPHost.fromString("*");
do_check_neq(null, h); // "* lone wildcard should work"
h = CSPHost.fromString("foo.bar");
do_check_neq(null, h); // "standard tuple failed"
h = CSPHost.fromString("*.bar");
do_check_neq(null, h); // "wildcard failed"
h = CSPHost.fromString("foo.*.bar");
do_check_eq(null, h); // "wildcard in wrong place worked"
h = CSPHost.fromString("com");
do_check_eq(null, h); // "lone symbol should fail"
h = CSPHost.fromString("f00b4r.com");
do_check_neq(null, h); // "Numbers in hosts should work"
h = CSPHost.fromString("foo-bar.com");
do_check_neq(null, h); // "dashes in hosts should work"
h = CSPHost.fromString("foo!bar.com");
do_check_eq(null, h); // "special chars in hosts should fail"
});
test(
function test_CSPHost_clone() {
h = CSPHost.fromString("*.a.b.c");
h2 = h.clone();
for(var i in h._segments) {
// "cloned segments should match"
do_check_eq(h._segments[i], h2._segments[i]);
}
});
test(
function test_CSPHost_permits() {
var h = CSPHost.fromString("*.b.c");
var h2 = CSPHost.fromString("a.b.c");
do_check_true( h.permits(h2)); //"CSPHost *.b.c should allow CSPHost a.b.c"
do_check_true( h.permits("a.b.c")); //"CSPHost *.b.c should allow string a.b.c"
do_check_false(h.permits("b.c")); //"CSPHost *.b.c should not allow string b.c"
do_check_false(h.permits("a.a.c")); //"CSPHost *.b.c should not allow string a.a.c"
do_check_false(h2.permits(h)); //"CSPHost a.b.c should not allow CSPHost *.b.c"
do_check_false(h2.permits("b.c")); //"CSPHost a.b.c should not allow string b.c"
do_check_true( h2.permits("a.b.c")); //"CSPHost a.b.c should allow string a.b.c"
});
test(
function test_CSPHost_intersectWith() {
var h = CSPHost.fromString("*.b.c");
//"*.a.b.c ^ *.b.c should be *.a.b.c"
do_check_eq("*.a.b.c", h.intersectWith(CSPHost.fromString("*.a.b.c")).toString());
//"*.b.c ^ *.d.e should not work (null)"
do_check_eq(null, h.intersectWith(CSPHost.fromString("*.d.e")));
});
///////////////////// Test the Source object //////////////////////
test(
function test_CSPSource_fromString() {
// can't do these tests because "self" is not defined.
//"basic source should not be null.");
do_check_neq(null, CSPSource.fromString("a.com"));
//"ldh characters should all work for host.");
do_check_neq(null, CSPSource.fromString("a2-c.com"));
//"wildcard should work in first token for host.");
do_check_neq(null, CSPSource.fromString("*.a.com"));
//print(" --- Ignore the following two errors if they print ---");
//"wildcard should not work in non-first token for host.");
do_check_eq(null, CSPSource.fromString("x.*.a.com"));
//"funny characters (#) should not work for host.");
do_check_eq(null, CSPSource.fromString("a#2-c.com"));
//print(" --- Stop ignoring errors that print ---\n");
//"failed to parse host with port.");
do_check_neq(null, CSPSource.create("a.com:23"));
//"failed to parse host with scheme.");
do_check_neq(null, CSPSource.create("https://a.com"));
//"failed to parse host with scheme and port.");
do_check_neq(null, CSPSource.create("https://a.com:200"));
});
test(
function test_CSPSource_fromString_withSelf() {
var src;
src = CSPSource.create("a.com", "https://foobar.com:443");
//"src should inherit port *
do_check_true(src.permits("https://a.com:443"));
//"src should inherit and require https scheme
do_check_false(src.permits("http://a.com"));
//"src should inherit scheme 'https'"
do_check_true(src.permits("https://a.com"));
src = CSPSource.create("http://a.com", "https://foobar.com:443");
//"src should inherit and require http scheme"
do_check_false(src.permits("https://a.com"));
//"src should inherit scheme 'http'"
do_check_true(src.permits("http://a.com"));
//"src should inherit port and scheme from parent"
//"src should inherit default port for 'http'"
do_check_true(src.permits("http://a.com:80"));
src = CSPSource.create("'self'", "https://foobar.com:443");
//"src should inherit port *
do_check_true(src.permits("https://foobar.com:443"));
//"src should inherit and require https scheme
do_check_false(src.permits("http://foobar.com"));
//"src should inherit scheme 'https'"
do_check_true(src.permits("https://foobar.com"));
//"src should reject other hosts"
do_check_false(src.permits("https://a.com"));
});
///////////////////// Test the source list //////////////////////
test(
function test_CSPSourceList_fromString() {
var sd = CSPSourceList.fromString("'none'");
//"'none' -- should parse"
do_check_neq(null,sd);
// "'none' should be a zero-length list"
do_check_eq(0, sd._sources.length);
do_check_true(sd.isNone());
sd = CSPSourceList.fromString("*");
//"'*' should be a zero-length list"
do_check_eq(0, sd._sources.length);
//print(" --- Ignore the following three errors if they print ---");
//"funny char in host"
do_check_true(CSPSourceList.fromString("f!oo.bar").isNone());
//"funny char in scheme"
do_check_true(CSPSourceList.fromString("ht!ps://f-oo.bar").isNone());
//"funny char in port"
do_check_true(CSPSourceList.fromString("https://f-oo.bar:3f").isNone());
//print(" --- Stop ignoring errors that print ---\n");
});
test(
function test_CSPSourceList_fromString_twohost() {
var str = "foo.bar:21 https://ras.bar";
var parsed = "foo.bar:21 https://ras.bar";
var sd = CSPSourceList.fromString(str, "http://self.com:80");
//"two-host list should parse"
do_check_neq(null,sd);
//"two-host list should parse to two hosts"
do_check_eq(2, sd._sources.length);
//"two-host list should contain original data"
do_check_eq(parsed, sd.toString());
});
test(
function test_CSPSourceList_permits() {
var nullSourceList = CSPSourceList.fromString("'none'");
var simpleSourceList = CSPSourceList.fromString("a.com", "http://self.com");
var doubleSourceList = CSPSourceList.fromString("https://foo.com http://bar.com:88",
"http://self.com:88");
var allSourceList = CSPSourceList.fromString("*");
//'none' should permit none."
do_check_false( nullSourceList.permits("http://a.com"));
//a.com should permit a.com"
do_check_true( simpleSourceList.permits("http://a.com"));
//wrong host"
do_check_false( simpleSourceList.permits("http://b.com"));
//double list permits http://bar.com:88"
do_check_true( doubleSourceList.permits("http://bar.com:88"));
//double list permits https://bar.com:88"
do_check_false( doubleSourceList.permits("https://bar.com:88"));
//double list does not permit http://bar.com:443"
do_check_false( doubleSourceList.permits("http://bar.com:443"));
//"double list permits https://foo.com:88" (should not inherit port)
do_check_false( doubleSourceList.permits("https://foo.com:88"));
//"double list does not permit foo.com on http"
do_check_false( doubleSourceList.permits("http://foo.com"));
//"* does not permit specific host"
do_check_true( allSourceList.permits("http://x.com:23"));
//"* does not permit a long host with no port"
do_check_true( allSourceList.permits("http://a.b.c.d.e.f.g.h.i.j.k.l.x.com"));
});
test(
function test_CSPSourceList_intersect() {
// for this test, 'self' values are irrelevant
// policy a /\ policy b intersects policies, not context (where 'self'
// values come into play)
var nullSourceList = CSPSourceList.fromString("'none'");
var simpleSourceList = CSPSourceList.fromString("a.com");
var doubleSourceList = CSPSourceList.fromString("https://foo.com http://bar.com:88");
var singleFooSourceList = CSPSourceList.fromString("https://foo.com");
var allSourceList = CSPSourceList.fromString("*");
//"Intersection of one source with 'none' source list should be none.");
do_check_true(nullSourceList.intersectWith(simpleSourceList).isNone());
//"Intersection of two sources with 'none' source list should be none.");
do_check_true(nullSourceList.intersectWith(doubleSourceList).isNone());
//"Intersection of '*' with 'none' source list should be none.");
do_check_true(nullSourceList.intersectWith(allSourceList).isNone());
//"Intersection of one source with '*' source list should be one source.");
do_check_equivalent(allSourceList.intersectWith(simpleSourceList),
simpleSourceList);
//"Intersection of two sources with '*' source list should be two sources.");
do_check_equivalent(allSourceList.intersectWith(doubleSourceList),
doubleSourceList);
//"Non-overlapping source lists should intersect to 'none'");
do_check_true(simpleSourceList.intersectWith(doubleSourceList).isNone());
//"subset and superset should intersect to subset.");
do_check_equivalent(singleFooSourceList,
doubleSourceList.intersectWith(singleFooSourceList));
//TODO: write more tests?
});
///////////////////// Test the Whole CSP rep object //////////////////////
test(
function test_CSPRep_fromString() {
// check default init
//ASSERT(!(new CSPRep())._isInitialized, "Uninitialized rep thinks it is.")
var cspr;
var cspr_allowval;
// check default policy "allow *"
cspr = CSPRep.fromString("allow *", "http://self.com:80");
//"ALLOW directive is missing when specified in fromString"
do_check_has_key(cspr._directives, CSPRep.SRC_DIRECTIVES.ALLOW);
// ... and check that the other directives were auto-filled with the
// ALLOW one.
var SD = CSPRep.SRC_DIRECTIVES;
cspr_allowval = cspr._directives[SD.ALLOW];
for(var d in CSPRep.SRC_DIRECTIVES) {
//"Missing key " + d
do_check_has_key(cspr._directives, SD[d]);
//"Implicit directive " + d + " has non-allow value."
do_check_eq(cspr._directives[SD[d]].toString(), cspr_allowval.toString());
}
});
test(
function test_CSPRep_fromString_oneDir() {
var cspr;
var SD = CSPRep.SRC_DIRECTIVES;
var DEFAULTS = [SD.STYLE_SRC, SD.MEDIA_SRC, SD.IMG_SRC,
SD.FRAME_ANCESTORS, SD.FRAME_SRC];
// check one-directive policies
cspr = CSPRep.fromString("allow bar.com; script-src https://foo.com",
"http://self.com");
for(var x in DEFAULTS) {
//DEFAULTS[x] + " does not use default rule."
do_check_false(cspr.permits("http://bar.com:22", DEFAULTS[x]));
//DEFAULTS[x] + " does not use default rule."
do_check_true(cspr.permits("http://bar.com:80", DEFAULTS[x]));
//DEFAULTS[x] + " does not use default rule."
do_check_false(cspr.permits("https://foo.com:400", DEFAULTS[x]));
//DEFAULTS[x] + " does not use default rule."
do_check_false(cspr.permits("https://foo.com", DEFAULTS[x]));
}
//"script-src false positive in policy.
do_check_false(cspr.permits("http://bar.com:22", SD.SCRIPT_SRC));
//"script-src false negative in policy.
do_check_true(cspr.permits("https://foo.com:443", SD.SCRIPT_SRC));
});
test(
function test_CSPRep_fromString_twodir() {
var cspr;
var SD = CSPRep.SRC_DIRECTIVES;
var DEFAULTS = [SD.STYLE_SRC, SD.MEDIA_SRC, SD.FRAME_ANCESTORS, SD.FRAME_SRC];
// check two-directive policies
var polstr = "allow allow.com; "
+ "script-src https://foo.com; "
+ "img-src bar.com:*";
cspr = CSPRep.fromString(polstr, "http://self.com");
for(var x in DEFAULTS) {
do_check_true(cspr.permits("http://allow.com", DEFAULTS[x]));
//DEFAULTS[x] + " does not use default rule.
do_check_false(cspr.permits("https://foo.com:400", DEFAULTS[x]));
//DEFAULTS[x] + " does not use default rule.
do_check_false(cspr.permits("http://bar.com:400", DEFAULTS[x]));
//DEFAULTS[x] + " does not use default rule.
}
//"img-src does not use default rule.
do_check_false(cspr.permits("http://allow.com:22", SD.IMG_SRC));
//"img-src does not use default rule.
do_check_false(cspr.permits("https://foo.com:400", SD.IMG_SRC));
//"img-src does not use default rule.
do_check_true(cspr.permits("http://bar.com:88", SD.IMG_SRC));
//"script-src does not use default rule.
do_check_false(cspr.permits("http://allow.com:22", SD.SCRIPT_SRC));
//"script-src does not use default rule.
do_check_true(cspr.permits("https://foo.com:443", SD.SCRIPT_SRC));
//"script-src does not use default rule.
do_check_false(cspr.permits("http://bar.com:400", SD.SCRIPT_SRC));
});
test(function test_CSPRep_fromString_withself() {
var cspr;
var SD = CSPRep.SRC_DIRECTIVES;
var self = "https://self.com:34";
// check one-directive policies
cspr = CSPRep.fromString("allow 'self'; script-src 'self' https://*:*",
self);
//"img-src does not enforce default rule, 'self'.
do_check_false(cspr.permits("https://foo.com:400", SD.IMG_SRC));
//"img-src does not allow self
CSPdebug(cspr);
do_check_true(cspr.permits(self, SD.IMG_SRC));
//"script-src is too relaxed
do_check_false(cspr.permits("http://evil.com", SD.SCRIPT_SRC));
//"script-src should allow self
do_check_true(cspr.permits(self, SD.SCRIPT_SRC));
//"script-src is too strict on host/port
do_check_true(cspr.permits("https://evil.com:100", SD.SCRIPT_SRC));
});
///////////////////// TEST POLICY_URI //////////////////////
test(function test_CSPRep_fromPolicyURI() {
var cspr;
var SD = CSPRep.SRC_DIRECTIVES;
var self = "http://localhost:" + POLICY_PORT;
cspr = CSPRep.fromString("policy-uri " + POLICY_URI, self);
cspr_static = CSPRep.fromString(POLICY_FROM_URI, self);
//"policy-uri failed to load"
do_check_neq(null,cspr);
// other directives inherit self
for(var i in SD) {
//SD[i] + " parsed wrong from policy uri"
do_check_equivalent(cspr._directives[SD[i]],
cspr_static._directives[SD[i]]);
}
});
/*
test(function test_CSPRep_fromPolicyURI_failswhenmixed() {
var cspr;
var self = "http://localhost:" + POLICY_PORT;
var closed_policy = CSPRep.fromString("allow 'none'");
var my_uri_policy = "policy-uri " + POLICY_URI;
//print(" --- Ignore the following two errors if they print ---");
cspr = CSPRep.fromString("allow *; " + my_uri_policy, self);
//"Parsing should fail when 'policy-uri' is mixed with allow directive"
do_check_equivalent(cspr, closed_policy);
cspr = CSPRep.fromString("img-src 'self'; " + my_uri_policy, self);
//"Parsing should fail when 'policy-uri' is mixed with other directives"
do_check_equivalent(cspr, closed_policy);
//print(" --- Stop ignoring errors that print ---\n");
});
*/
// TODO: test reporting
// TODO: test refinements (?)
// TODO: test 'eval' and 'inline' keywords
function run_test() {
function policyresponder(request,response) {
response.setStatusLine(request.httpVersion, 200, "OK");
response.setHeader("Content-Type", "text/csp", false);
response.bodyOutputStream.write(POLICY_FROM_URI, POLICY_FROM_URI.length);
}
//server.registerDirectory("/", nsILocalFileForBasePath);
httpServer.registerPathHandler("/policy", policyresponder);
httpServer.start(POLICY_PORT);
for(let i in tests) {
tests[i]();
}
//teardown
httpServer.stop(function() { });
do_test_finished();
}

61
layout/build/nsLayoutModule.cpp
View File

@ -268,6 +268,7 @@ static void Shutdown();
#endif
#include "nsGeolocation.h"
#include "nsCSPService.h"
// Transformiix
/* {0C351177-0159-4500-86B0-A219DFDE4258} */
@ -848,6 +849,60 @@ NS_GENERIC_FACTORY_CONSTRUCTOR_INIT(nsGeolocation, Init)
NS_GENERIC_FACTORY_SINGLETON_CONSTRUCTOR(nsGeolocationService, nsGeolocationService::GetGeolocationService)
static NS_METHOD
CSPServiceRegistration(nsIComponentManager *aCompMgr,
nsIFile *aPath,
const char *registryLocation,
const char *componentType,
const nsModuleComponentInfo *info)
{
nsresult rv;
nsCOMPtr<nsIServiceManager> servman = do_QueryInterface((nsISupports*)aCompMgr, &rv);
if (NS_FAILED(rv))
return rv;
nsCOMPtr<nsICategoryManager> catman;
rv = servman->GetServiceByContractID(NS_CATEGORYMANAGER_CONTRACTID,
NS_GET_IID(nsICategoryManager),
getter_AddRefs(catman));
if (NS_FAILED(rv))
return rv;
nsXPIDLCString previous;
rv = catman->AddCategoryEntry("content-policy",
"CSPService",
CSPSERVICE_CONTRACTID,
PR_TRUE,
PR_TRUE,
getter_Copies(previous));
return rv;
}
static NS_METHOD
CSPServiceUnregistration(nsIComponentManager *aCompMgr,
nsIFile *aPath,
const char *registryLocation,
const nsModuleComponentInfo *info){
nsresult rv;
nsCOMPtr<nsIServiceManager> servman = do_QueryInterface((nsISupports*)aCompMgr, &rv);
if (NS_FAILED(rv)) return rv;
nsCOMPtr<nsICategoryManager> catman;
rv = servman->GetServiceByContractID(NS_CATEGORYMANAGER_CONTRACTID,
NS_GET_IID(nsICategoryManager),
getter_AddRefs(catman));
if (NS_FAILED(rv)) return rv;
rv = catman->DeleteCategoryEntry("content-policy",
"CSPService",
PR_TRUE);
return rv;
}
NS_GENERIC_FACTORY_CONSTRUCTOR(CSPService)
// The list of components we register
static const nsModuleComponentInfo gComponents[] = {
#ifdef DEBUG
@ -1453,6 +1508,12 @@ static const nsModuleComponentInfo gComponents[] = {
"@mozilla.org/focus-manager;1",
CreateFocusManager },
{ "Content Security Policy Service",
CSPSERVICE_CID,
CSPSERVICE_CONTRACTID,
CSPServiceConstructor,
CSPServiceRegistration,
CSPServiceUnregistration },
{ "Event Listener Service",
NS_EVENTLISTENERSERVICE_CID,

2
modules/libpref/src/init/all.js
View File

@ -950,6 +950,8 @@ pref("security.xpconnect.plugin.unrestricted", true);
// security-sensitive dialogs should delay button enabling. In milliseconds.
pref("security.dialog_enable_delay", 2000);
pref("security.csp.enable", true);
// Modifier key prefs: default to Windows settings,
// menu access key = alt, accelerator key = control.
// Use 17 for Ctrl, 18 for Alt, 224 for Meta, 0 for none. Mac settings in macprefs.js