Bug 949549 - Ensure that CSP warnings reach webconsole for document hosted on app:// protocol. r=sstamm

2024-09-13 09:24:08 -07:00 · 2014-01-21 11:28:58 -05:00 · 2014-01-21 11:28:58 -05:00 · 2bb95c6160
commit 2bb95c6160
parent a4ff8c1b2f
5 changed files with 74 additions and 5 deletions
--- a/content/base/public/nsIContentSecurityPolicy.idl
+++ b/content/base/public/nsIContentSecurityPolicy.idl
@ -5,7 +5,7 @@
 #include "nsISupports.idl"

 interface nsIURI;
-interface nsIHttpChannel;
+interface nsIChannel;
 interface nsIDocShell;

 /**
@ -15,7 +15,7 @@ interface nsIDocShell;
 * one of these per document/principal.
 */

-[scriptable, uuid(ff46c14e-5b2d-4aca-8961-d0b0d987cb81)]
+[scriptable, uuid(2e7875a3-8cb5-4ebb-905b-af0a90dae594)]
 interface nsIContentSecurityPolicy : nsISupports
 {

@ -183,7 +183,7 @@ interface nsIContentSecurityPolicy : nsISupports
   * Called after the CSP object is created to fill in the appropriate request
   * and request header information needed in case a report needs to be sent.
   */
-  void scanRequestData(in nsIHttpChannel aChannel);
+  void scanRequestData(in nsIChannel aChannel);

  /**
   * Verifies ancestry as permitted by the policy.
--- a/content/base/src/contentSecurityPolicy.js
+++ b/content/base/src/contentSecurityPolicy.js
@ -364,7 +364,7 @@ ContentSecurityPolicy.prototype = {
                                                       .getService(Ci.nsIScriptSecurityManager)
                                                       .getChannelPrincipal(aChannel));

-    if (aChannel.referrer) {
+    if (aChannel instanceof Ci.nsIHttpChannel && aChannel.referrer) {
      let referrer = aChannel.referrer.cloneIgnoringRef();
      try { // GetUserPass throws for some protocols without userPass
        referrer.userPass = '';
--- a/content/base/src/nsDocument.cpp
+++ b/content/base/src/nsDocument.cpp
@ -2691,7 +2691,7 @@ nsDocument::InitCSP(nsIChannel* aChannel)
  aChannel->GetURI(getter_AddRefs(selfURI));

  // Store the request context for violation reports
-  csp->ScanRequestData(httpChannel);
+  csp->ScanRequestData(aChannel);

  // ----- if the doc is an app and we want a default CSP, apply it.
  if (applyAppDefaultCSP) {
--- a/content/base/test/csp/mochitest.ini
+++ b/content/base/test/csp/mochitest.ini
@ -132,3 +132,4 @@ support-files =
 [test_hash_source.html]
 [test_dual_headers_warning.html]
 [test_self_none_as_hostname_confusion.html]
+[test_bug949549.html]
--- a/content/base/test/csp/test_bug949549.html
+++ b/content/base/test/csp/test_bug949549.html
@ -0,0 +1,68 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Test for Bug 949549</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=949549">Mozilla Bug 949549</a>
+<div id="content" style="display: none"></div>
+<pre id="test">
+<script type="application/javascript;version=1.8">
+  "use strict";
+
+  // Ensure that `scanRequestData` doesn't throw with app:// URLs
+
+  const csp = SpecialPowers.Cc["@mozilla.org/contentsecuritypolicy;1"]
+              .createInstance(SpecialPowers.Ci.nsIContentSecurityPolicy);
+
+  const gManifestURL = "http://www.example.com/chrome/dom/tests/mochitest/webapps/apps/basic.webapp";
+
+  SimpleTest.waitForExplicitFinish();
+  var launchableValue, app;
+
+  function setupTest() {
+    // We have to install an app in order for the app URL to be valid
+    // (otherwise we get a "DummyChannel" that throws NS_NOT_IMPLEMENTED)
+    launchableValue = SpecialPowers.setAllAppsLaunchable(true);
+    SpecialPowers.addPermission("webapps-manage", true, document);
+    SpecialPowers.autoConfirmAppInstall(function () {
+      let req = navigator.mozApps.install(gManifestURL);
+      req.onsuccess = function () {
+        app = this.result;
+        runTest();
+      }
+    });
+  }
+
+  function runTest() {
+    // We have to use a mochitest to test app:// urls,
+    // as app channels can't be instanciated in xpcshell.
+    // Because app protocol depends on webapps.jsm,
+    // which doesn't instanciate properly on xpcshell without many hacks
+    let appchan = SpecialPowers.Services.io.newChannel(gManifestURL, null, null);
+
+    try {
+      csp.scanRequestData(appchan);
+      ok(true, "scanRequestData hasn't thown");
+    } catch(e) {
+      ok(false, "scanRequestData throws");
+    }
+
+    cleanup()
+  }
+
+  function cleanup() {
+    SpecialPowers.setAllAppsLaunchable(launchableValue);
+    let req = navigator.mozApps.mgmt.uninstall(app);
+    req.onsuccess = function () {
+      SimpleTest.finish();
+    };
+  }
+
+  setupTest();
+</script>
+</pre>
+</body>
+</html>