Bug 773891 - With AppsService changes

This commit is contained in:
Carmen Jimenez Cabezas 2012-10-19 12:43:17 +02:00
parent ce6b9884e5
commit 5ce3a161b8
13 changed files with 388 additions and 4 deletions

View File

@ -304,11 +304,13 @@ class Automation(object):
"installTime": 132333986000,
"manifestURL": "$manifestURL",
"localId": $localId,
"appStatus": $appStatus
"appStatus": $appStatus,
"csp": "$csp"
}""")
manifestTemplate = Template("""{
"name": "$name",
"csp": "$csp",
"description": "$description",
"launch_path": "/",
"developer": {
@ -530,6 +532,7 @@ user_pref("camino.use_system_proxy_settings", false); // Camino-only, harmless t
apps = [
{
'name': 'http_example_org',
'csp': '',
'origin': 'http://example.org',
'manifestURL': 'http://example.org/manifest.webapp',
'description': 'http://example.org App',
@ -537,6 +540,7 @@ user_pref("camino.use_system_proxy_settings", false); // Camino-only, harmless t
},
{
'name': 'https_example_com',
'csp': '',
'origin': 'https://example.com',
'manifestURL': 'https://example.com/manifest.webapp',
'description': 'https://example.com App',
@ -544,6 +548,7 @@ user_pref("camino.use_system_proxy_settings", false); // Camino-only, harmless t
},
{
'name': 'http_test1_example_org',
'csp': '',
'origin': 'http://test1.example.org',
'manifestURL': 'http://test1.example.org/manifest.webapp',
'description': 'http://test1.example.org App',
@ -551,6 +556,7 @@ user_pref("camino.use_system_proxy_settings", false); // Camino-only, harmless t
},
{
'name': 'http_test1_example_org_8000',
'csp': '',
'origin': 'http://test1.example.org:8000',
'manifestURL': 'http://test1.example.org:8000/manifest.webapp',
'description': 'http://test1.example.org:8000 App',
@ -558,6 +564,7 @@ user_pref("camino.use_system_proxy_settings", false); // Camino-only, harmless t
},
{
'name': 'http_sub1_test1_example_org',
'csp': '',
'origin': 'http://sub1.test1.example.org',
'manifestURL': 'http://sub1.test1.example.org/manifest.webapp',
'description': 'http://sub1.test1.example.org App',
@ -565,6 +572,7 @@ user_pref("camino.use_system_proxy_settings", false); // Camino-only, harmless t
},
{
'name': 'https_example_com_privileged',
'csp': '',
'origin': 'https://example.com',
'manifestURL': 'https://example.com/manifest_priv.webapp',
'description': 'https://example.com Privileged App',
@ -572,11 +580,36 @@ user_pref("camino.use_system_proxy_settings", false); // Camino-only, harmless t
},
{
'name': 'https_example_com_certified',
'csp': '',
'origin': 'https://example.com',
'manifestURL': 'https://example.com/manifest_cert.webapp',
'description': 'https://example.com Certified App',
'appStatus': _APP_STATUS_CERTIFIED
},
{
'name': 'https_example_csp_certified',
'csp': "default-src *; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'",
'origin': 'https://example.com',
'manifestURL': 'https://example.com/manifest_csp_cert.webapp',
'description': 'https://example.com Certified App with manifest policy',
'appStatus': _APP_STATUS_CERTIFIED
},
{
'name': 'https_example_csp_installed',
'csp': "default-src *; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'",
'origin': 'https://example.com',
'manifestURL': 'https://example.com/manifest_csp_inst.webapp',
'description': 'https://example.com Installed App with manifest policy',
'appStatus': _APP_STATUS_INSTALLED
},
{
'name': 'https_example_csp_privileged',
'csp': "default-src *; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'",
'origin': 'https://example.com',
'manifestURL': 'https://example.com/manifest_csp_priv.webapp',
'description': 'https://example.com Privileged App with manifest policy',
'appStatus': _APP_STATUS_PRIVILEGED
},
];
self.setupTestApps(profileDir, apps)

View File

@ -170,6 +170,7 @@
#include "imgILoader.h"
#include "nsWrapperCacheInlines.h"
#include "nsSandboxFlags.h"
#include "nsIAppsService.h"
using namespace mozilla;
using namespace mozilla::dom;
@ -2276,6 +2277,22 @@ nsDocument::InitCSP(nsIChannel* aChannel)
NS_SUCCEEDED(principal->GetAppStatus(&appStatus))) {
applyAppDefaultCSP = ( appStatus == nsIPrincipal::APP_STATUS_PRIVILEGED ||
appStatus == nsIPrincipal::APP_STATUS_CERTIFIED);
// Bug 773981. Allow a per-app policy from the manifest.
// Just read the CSP from the manifest into cspHeaderValue.
// That way we don't have to change the rest of the function logic
if (applyAppDefaultCSP || appStatus == nsIPrincipal::APP_STATUS_INSTALLED) {
nsCOMPtr<nsIAppsService> appsService =
do_GetService(APPS_SERVICE_CONTRACTID);
if (appsService) {
uint32_t appId;
if ( NS_SUCCEEDED(principal->GetAppId(&appId)) ) {
appsService->GetCSPByLocalId(appId, cspHeaderValue);
}
}
}
}
#ifdef PR_LOGGING
else

View File

@ -373,6 +373,8 @@ MOCHITEST_FILES_B = \
file_CSP_evalscript_main.js \
file_csp_bug768029.html \
file_csp_bug768029.sjs \
file_csp_bug773891.html \
file_csp_bug773891.sjs \
test_bug540854.html \
bug540854.sjs \
test_bug548463.html \

View File

@ -48,6 +48,7 @@ MOCHITEST_CHROME_FILES = \
test_bug780529.xul \
test_csp_bug768029.html \
test_bug800386.xul \
test_csp_bug773891.html \
$(NULL)
include $(topsrcdir)/config/rules.mk

View File

@ -0,0 +1,228 @@
<!DOCTYPE HTML>
<html>
<!--
https://bugzilla.mozilla.org/show_bug.cgi?id=768029
-->
<head>
<meta charset="utf-8">
<title>Test for CSP on trusted/certified and installed apps -- bug 773891</title>
<script type="application/javascript" src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="chrome://mochikit/content/tests/SimpleTest/test.css"/>
</head>
<body>
<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=773891">Mozilla Bug 773891</a>
<p id="display"></p>
<div id="content">
</div>
<pre id="test">
<script type="application/javascript;version=1.7">
Components.utils.import("resource://gre/modules/Services.jsm");
/** Test for Bug 773891 **/
// Note: we don't have to inspect all the different operations of CSP,
// we're just looking for specific differences in behavior that indicate
// a default CSP got applied.
const DEFAULT_CSP_PRIV = "default-src *; script-src *; style-src 'self' 'unsafe-inline'; object-src 'none'";
const DEFAULT_CSP_CERT = "default-src *; script-src *; style-src 'self'; object-src 'none'";
const MANIFEST_CSP_PRIV = "default-src *; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'";
const MANIFEST_CSP_INST = "default-src *; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'";
const MANIFEST_CSP_CERT = "default-src *; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'";
SimpleTest.waitForExplicitFinish();
var gData = [
{
app: "https://example.com/manifest_csp_inst.webapp",
appStatus: Components.interfaces.nsIPrincipal.APP_STATUS_INSTALLED,
csp: MANIFEST_CSP_INST,
origin: "https://example.com",
uri: "https://example.com/tests/content/base/test/file_csp_bug773891.html",
statusString: "installed app",
expectedTestResults: {
max_tests: 7, /* number of bools below plus one for the status check */
cross_origin: { img: true, script: false, style: false },
same_origin: { img: true, script: true, style: true },
},
},
{
app: "https://example.com/manifest_csp_cert.webapp",
appStatus: Components.interfaces.nsIPrincipal.APP_STATUS_CERTIFIED,
csp: MANIFEST_CSP_CERT,
origin: "https://example.com",
uri: "https://example.com/tests/content/base/test/file_csp_bug773891.html",
statusString: "certified app",
expectedTestResults: {
max_tests: 7, /* number of bools below plus one for the status check */
cross_origin: { img: true, script: false, style: false },
same_origin: { img: true, script: true, style: true },
},
},
{
app: "https://example.com/manifest_csp_priv.webapp",
appStatus: Components.interfaces.nsIPrincipal.APP_STATUS_PRIVILEGED,
csp: MANIFEST_CSP_PRIV,
origin: "https://example.com",
uri: "https://example.com/tests/content/base/test/file_csp_bug773891.html",
statusString: "privileged app",
expectedTestResults: {
max_tests: 7, /* number of bools below plus one for the status check */
cross_origin: { img: true, script: false, style: false },
same_origin: { img: true, script: true, style: true },
},
},
];
// Observer for watching allowed loads and blocked attempts
function ThingyListener(app, iframe) {
Services.obs.addObserver(this, "csp-on-violate-policy", false);
Services.obs.addObserver(this, "http-on-modify-request", false);
dump("added observers\n");
// keep track of which app ID this test is monitoring.
this._testData = app;
this._expectedResults = app.expectedTestResults;
this._resultsRecorded = { cross_origin: {}, same_origin: {}};
this._iframe = iframe;
this._countedTests = 0;
}
ThingyListener.prototype = {
observe: function(subject, topic, data) {
// make sure to only observe app-generated calls to the helper for this test.
var testpat = new RegExp("file_csp_bug773891\\.sjs");
// used to extract which kind of load this is (img, script, etc).
var typepat = new RegExp("type=([\\_a-z0-9]+)");
// used to identify whether it's cross-origin or same-origin loads
// (the applied CSP allows same-origin loads).
var originpat = new RegExp("origin=([\\_a-z0-9]+)");
if (topic === "http-on-modify-request") {
// Matching requests on this topic were allowed by the csp
var chan = subject.QueryInterface(Components.interfaces.nsIHttpChannel);
var uri = chan.URI;
// ignore irrelevent URIs
if (!testpat.test(uri.asciiSpec)) return;
var loadType = typepat.exec(uri.asciiSpec)[1];
var originType = originpat.exec(uri.asciiSpec)[1];
// skip duplicate hits to this topic (potentially document loads
// may generate duplicate loads.
if (this._resultsRecorded[originType] &&
this._resultsRecorded[originType][loadType]) {
return;
}
var message = originType + " : " + loadType + " should be " +
(this._expectedResults[originType][loadType] ? "allowed" : "blocked");
ok(this._expectedResults[originType][loadType] == true, message);
this._resultsRecorded[originType][loadType] = true;
this._countedTests++;
}
else if (topic === "csp-on-violate-policy") {
// Matching hits on this topic were blocked by the csp
var uri = subject.QueryInterface(Components.interfaces.nsIURI);
// ignore irrelevent URIs
if (!testpat.test(uri.asciiSpec)) return;
var loadType = typepat.exec(uri.asciiSpec)[1];
var originType = originpat.exec(uri.asciiSpec)[1];
// skip duplicate hits to this topic (potentially document loads
// may generate duplicate loads.
if (this._resultsRecorded[originType] &&
this._resultsRecorded[originType][loadType]) {
return;
}
var message = originType + " : " + loadType + " should be " +
(this._expectedResults[originType][loadType] ? "allowed" : "blocked");
ok(this._expectedResults[originType][loadType] == false, message);
this._resultsRecorded[originType][loadType] = true;
this._countedTests++;
}
else {
// wrong topic! Nothing to do.
return;
}
this._checkForFinish();
},
_checkForFinish: function() {
// check to see if there are load tests still pending.
// (All requests triggered by the app should hit one of the
// two observer topics.)
if (this._countedTests == this._expectedResults.max_tests) {
Services.obs.removeObserver(this, "csp-on-violate-policy");
Services.obs.removeObserver(this, "http-on-modify-request");
dump("removed observers\n");
checkedCount++;
if (checkedCount == checksTodo) {
SpecialPowers.removePermission("browser", "https://example.com");
SimpleTest.finish();
} else {
gTestRunner.next();
}
}
},
// verify the status of the app
checkAppStatus: function() {
var principal = this._iframe.contentDocument.nodePrincipal;
if (this._testData.app) {
is(principal.appStatus, this._testData.appStatus,
"iframe principal's app status doesn't match the expected app status.");
this._countedTests++;
this._checkForFinish();
}
}
}
var content = document.getElementById('content');
var checkedCount = 0; // number of apps checked
var checksTodo = gData.length;
// quick check to make sure we can test apps:
is('appStatus' in document.nodePrincipal, true,
'appStatus should be present in nsIPrincipal, if not the rest of this test will fail');
function runTest() {
for (var i = 0; i < gData.length; i++) {
let data = gData[i];
var iframe = document.createElement('iframe');
// watch for successes and failures
var examiner = new ThingyListener(data, iframe);
iframe.setAttribute('mozapp', data.app);
iframe.setAttribute('mozbrowser', 'true');
iframe.addEventListener('load', examiner.checkAppStatus.bind(examiner));
iframe.src = data.uri;
content.appendChild(iframe);
yield;
}
}
var gTestRunner = runTest();
// load the default CSP and pref it on
SpecialPowers.addPermission("browser", true, "https://example.com");
SpecialPowers.pushPrefEnv({'set': [["dom.mozBrowserFramesEnabled", true],
["security.apps.privileged.CSP.default", DEFAULT_CSP_PRIV],
["security.apps.certified.CSP.default", DEFAULT_CSP_CERT]]},
function() { gTestRunner.next(); });
</script>
</pre>
</body>
</html>

View File

@ -0,0 +1,25 @@
<!DOCTYPE HTML>
<html>
<!--
https://bugzilla.mozilla.org/show_bug.cgi?id=773891
-->
<head>
<meta charset="utf-8">
<title>This is an app for csp testing</title>
<link rel="stylesheet" type="text/css"
href="file_csp_bug773891.sjs?type=style&origin=same_origin" />
<link rel="stylesheet" type="text/css"
href="http://example.com/tests/content/base/test/file_csp_bug773891.sjs?type=style&origin=cross_origin" />
</head>
<body>
<script src="file_csp_bug773891.sjs?type=script&origin=same_origin"></script>
<script src="http://example.com/tests/content/base/test/file_csp_bug773891.sjs?type=script&origin=cross_origin"></script>
<img src="file_csp_bug773891.sjs?type=img&origin=same_origin" />
<img src="http://example.com/tests/content/base/test/file_csp_bug773891.sjs?type=img&origin=cross_origin" />
Test for CSP applied to (simulated) app.
</body>
</html>

View File

@ -0,0 +1,29 @@
function handleRequest(request, response) {
var query = {};
request.queryString.split('&').forEach(function(val) {
var [name, value] = val.split('=');
query[name] = unescape(value);
});
response.setHeader("Cache-Control", "no-cache", false);
if ("type" in query) {
switch (query.type) {
case "script":
response.setHeader("Content-Type", "application/javascript");
response.write("\n\ndocument.write('<pre>script loaded\\n</pre>');\n\n");
return;
case "style":
response.setHeader("Content-Type", "text/css");
response.write("\n\n.cspfoo { color:red; }\n\n");
return;
case "img":
response.setHeader("Content-Type", "image/png");
return;
}
}
response.setHeader("Content-Type", "text/plain");
response.write("ohnoes!");
}

View File

@ -27,6 +27,12 @@ function AppsService()
}
AppsService.prototype = {
getCSPByLocalId: function getCSPByLocalId(localId) {
debug("GetCSPByLocalId( " + localId + " )");
return DOMApplicationRegistry.getCSPByLocalId(localId);
},
getAppByManifestURL: function getAppByManifestURL(aManifestURL) {
debug("GetAppByManifestURL( " + aManifestURL + " )");
return DOMApplicationRegistry.getAppByManifestURL(aManifestURL);

View File

@ -68,6 +68,11 @@ let DOMApplicationRegistry = {
return AppsUtils.getAppLocalIdByManifestURL(this.webapps, aManifestURL);
},
getCSPByLocalId: function(aLocalId) {
debug("getCSPByLocalId:" + aLocalId);
return AppsUtils.getCSPByLocalId(this.webapps, aLocalId);
},
getAppByLocalId: function getAppByLocalId(aLocalId) {
debug("getAppByLocalId " + aLocalId);
return AppsUtils.getAppByLocalId(this.webapps, aLocalId);

View File

@ -25,6 +25,7 @@ let AppsUtils = {
cloneAppObject: function cloneAppObject(aApp) {
return {
name: aApp.name,
csp: aApp.csp,
installOrigin: aApp.installOrigin,
origin: aApp.origin,
receipts: aApp.receipts ? JSON.parse(JSON.stringify(aApp.receipts)) : null,
@ -90,6 +91,18 @@ let AppsUtils = {
return Ci.nsIScriptSecurityManager.NO_APP_ID;
},
getCSPByLocalId: function getCSPByLocalId(aApps, aLocalId) {
debug("getCSPByLocalId " + aLocalId);
for (let id in aApps) {
let app = aApps[id];
if (app.localId == aLocalId) {
return ( app.csp || "" );
}
}
return "";
},
getAppByLocalId: function getAppByLocalId(aApps, aLocalId) {
debug("getAppByLocalId " + aLocalId);
for (let id in aApps) {

View File

@ -139,13 +139,22 @@ let DOMApplicationRegistry = {
// Registers all the activities and system messages.
registerAppsHandlers: function registerAppsHandlers() {
this.notifyAppsRegistryStart();
#ifdef MOZ_SYS_MSG
let ids = [];
for (let id in this.webapps) {
ids.push({ id: id });
}
#ifdef MOZ_SYS_MSG
this._processManifestForIds(ids);
#else
// Read the CSPs. If MOZ_SYS_MSG is defined this is done on
// _processManifestForIds so as to not reading the manifests
// twice
this._readManifests(ids, (function readCSPs(aResults) {
aResults.forEach(function registerManifest(aResult) {
this.webapps[aResult.id].csp = manifest.csp || "";
}, this);
}).bind(this));
// Nothing else to do but notifying we're ready.
this.notifyAppsRegistryReady();
#endif
@ -419,6 +428,7 @@ let DOMApplicationRegistry = {
let app = this.webapps[aResult.id];
let manifest = aResult.manifest;
app.name = manifest.name;
app.csp = manifest.csp || "";
this._registerSystemMessages(manifest, app);
appsToRegister.push({ manifest: manifest, app: app });
}, this);
@ -884,6 +894,7 @@ let DOMApplicationRegistry = {
}
app.name = aManifest.name;
app.csp = aManifest.csp || "";
// Update the registry.
this.webapps[id] = app;
@ -1037,6 +1048,7 @@ let DOMApplicationRegistry = {
}
appObject.name = manifest.name;
appObject.csp = manifest.csp || "";
this.webapps[id] = appObject;
@ -1506,6 +1518,11 @@ let DOMApplicationRegistry = {
return AppsUtils.getAppByManifestURL(this.webapps, aManifestURL);
},
getCSPByLocalId: function(aLocalId) {
debug("getCSPByLocalId:" + aLocalId);
return AppsUtils.getCSPByLocalId(this.webapps, aLocalId);
},
getAppByLocalId: function(aLocalId) {
return AppsUtils.getAppByLocalId(this.webapps, aLocalId);
},

View File

@ -11,7 +11,7 @@
* We expose Gecko-internal helpers related to "web apps" through this
* sub-interface.
*/
[scriptable, uuid(efe22f80-f973-11e1-8a00-b7888ac0d2b9)]
[scriptable, uuid(8ac7827f-f982-40fb-be11-ba16dd665635)]
interface mozIApplication: mozIDOMApplication
{
/* Return true if this app has |permission|. */
@ -25,4 +25,7 @@ interface mozIApplication: mozIDOMApplication
/* Name copied from the manifest */
readonly attribute DOMString name;
/* CSP copied from the manifest */
readonly attribute DOMString csp;
};

View File

@ -16,7 +16,7 @@ interface mozIApplication;
* This service allows accessing some DOMApplicationRegistry methods from
* non-javascript code.
*/
[scriptable, uuid(1f0ec00c-57c7-4ad2-a648-1359aa390360)]
[scriptable, uuid(4a182c18-dbdf-4f9c-93a0-0f0cffb88ed0)]
interface nsIAppsService : nsISupports
{
mozIDOMApplication getAppByManifestURL(in DOMString manifestURL);
@ -45,4 +45,9 @@ interface nsIAppsService : nsISupports
* of the message when listening to one.
*/
mozIApplication getAppFromObserverMessage(in DOMString message);
/**
* Returns the CSP associated to this localId.
*/
DOMString getCSPByLocalId(in unsigned long localId);
};