Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2024-10-22 01:35:35 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
9be69aefcb
gecko-dev/dom/security/nsContentSecurityUtils.cpp
Christoph Kerschbaumer 507cd448aa Bug 1566386: Assert that every about: page on Android ships with a CSP. r=snorp 
Differential Revision: https://phabricator.services.mozilla.com/D45193

--HG--
extra : moz-landing-system : lando
2019-09-10 06:26:14 +00:00

96 lines
3.4 KiB
C++
Raw Blame History

/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/* A namespace class for static content security utilities. */
#include "nsContentSecurityUtils.h"
#include "nsIContentSecurityPolicy.h"
#include "nsIURI.h"
#include "mozilla/dom/Document.h"
#if defined(DEBUG)
/* static */
void nsContentSecurityUtils::AssertAboutPageHasCSP(Document* aDocument) {
// We want to get to a point where all about: pages ship with a CSP. This
// assertion ensures that we can not deploy new about: pages without a CSP.
// Please note that any about: page should not use inline JS or inline CSS,
// and instead should load JS and CSS from an external file (*.js, *.css)
// which allows us to apply a strong CSP omitting 'unsafe-inline'. Ideally,
// the CSP allows precisely the resources that need to be loaded; but it
// should at least be as strong as:
// <meta http-equiv="Content-Security-Policy" content="default-src chrome:"/>
// Check if we should skip the assertion
if (Preferences::GetBool("csp.skip_about_page_has_csp_assert")) {
return;
}
// Check if we are loading an about: URI at all
nsCOMPtr<nsIURI> documentURI = aDocument->GetDocumentURI();
if (!documentURI->SchemeIs("about")) {
return;
}
nsCOMPtr<nsIContentSecurityPolicy> csp = aDocument->GetCsp();
bool foundDefaultSrc = false;
if (csp) {
uint32_t policyCount = 0;
csp->GetPolicyCount(&policyCount);
nsAutoString parsedPolicyStr;
for (uint32_t i = 0; i < policyCount; ++i) {
csp->GetPolicyString(i, parsedPolicyStr);
if (parsedPolicyStr.Find("default-src") >= 0) {
foundDefaultSrc = true;
break;
}
}
}
// Check if we should skip the allowlist and assert right away. Please note
// that this pref can and should only be set for automated testing.
if (Preferences::GetBool("csp.skip_about_page_csp_allowlist_and_assert")) {
NS_ASSERTION(foundDefaultSrc, "about: page must have a CSP");
return;
}
nsAutoCString aboutSpec;
documentURI->GetSpec(aboutSpec);
ToLowerCase(aboutSpec);
// This allowlist contains about: pages that are permanently allowed to
// render without a CSP applied.
static nsLiteralCString sAllowedAboutPagesWithNoCSP[] = {
// about:blank is a special about page -> no CSP
NS_LITERAL_CSTRING("about:blank"),
// about:srcdoc is a special about page -> no CSP
NS_LITERAL_CSTRING("about:srcdoc"),
// about:sync-log displays plain text only -> no CSP
NS_LITERAL_CSTRING("about:sync-log"),
// about:printpreview displays plain text only -> no CSP
NS_LITERAL_CSTRING("about:printpreview"),
// Bug 1497200: Apply Meta CSP to about:downloads
NS_LITERAL_CSTRING("about:downloads"),
# if defined(ANDROID)
NS_LITERAL_CSTRING("about:config"),
# endif
};
for (const nsLiteralCString& allowlistEntry : sAllowedAboutPagesWithNoCSP) {
// please note that we perform a substring match here on purpose,
// so we don't have to deal and parse out all the query arguments
// the various about pages rely on.
if (StringBeginsWith(aboutSpec, allowlistEntry)) {
return;
}
}
MOZ_ASSERT(foundDefaultSrc,
"about: page must contain a CSP including default-src");
}
#endif
Reference in New Issue View Git Blame Copy Permalink