Bug 918397 - CSP deprecation warning and dual CSP headers warning should be mutually exclusive. r=grobinson, r=sstamm

content/base/src/nsDocument.cpp

@@ -2591,15 +2591,16 @@ nsDocument::InitCSP(nsIChannel* aChannel)
     cspROHeaderValue.Truncate();
   }
 
-  // If the old header is present, warn that it will be deprecated.
-  if (!cspOldHeaderValue.IsEmpty() || !cspOldROHeaderValue.IsEmpty()) {
-    mCSPWebConsoleErrorQueue.Add("OldCSPHeaderDeprecated");
+  // If both the new header AND the old header are present, warn that
+  // the old header will be ignored. Otherwise, if the old header is
+  // present, warn that it will be deprecated.
+  bool oldHeaderIsPresent = !cspOldHeaderValue.IsEmpty() || !cspOldROHeaderValue.IsEmpty();
+  bool newHeaderIsPresent = !cspHeaderValue.IsEmpty() || !cspROHeaderValue.IsEmpty();
 
-    // Also, if the new headers AND the old headers were present, warn
-    // that the old headers will be ignored.
-    if (!cspHeaderValue.IsEmpty() || !cspROHeaderValue.IsEmpty()) {
-      mCSPWebConsoleErrorQueue.Add("BothCSPHeadersPresent");
-    }
+  if (oldHeaderIsPresent && newHeaderIsPresent) {
+    mCSPWebConsoleErrorQueue.Add("BothCSPHeadersPresent");
+  } else if (oldHeaderIsPresent) {
+    mCSPWebConsoleErrorQueue.Add("OldCSPHeaderDeprecated");
   }
 
   // Figure out if we need to apply an app default CSP or a CSP from an app manifest

content/base/test/csp/file_dual_headers_warning.html^headers^

@@ -0,0 +1,2 @@
+Content-Security-Policy: default-src 'self' 'unsafe-inline';
+X-Content-Security-Policy: allow 'self' 'inline-script';

content/base/test/csp/mochitest.ini

@@ -104,6 +104,8 @@ support-files =
   file_CSP_bug941404_xhr.html^headers^
   file_hash_source.html
   file_hash_source.html^headers^
+  file_dual_headers_warning.html
+  file_dual_headers_warning.html^headers^
 
 [test_CSP.html]
 [test_CSP_bug663567.html]
@@ -126,3 +128,4 @@ support-files =
 [test_nonce_source.html]
 [test_CSP_bug941404.html]
 [test_hash_source.html]
+[test_dual_headers_warning.html]

content/base/test/csp/test_dual_headers_warning.html

@@ -0,0 +1,59 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=918397
+-->
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 918397</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=918397">Mozilla Bug 918397</a>
+<p id="display"></p>
+
+<iframe id="cspframe"></iframe>
+
+<pre id="test">
+<script class="testbody" type="text/javascript">
+// Load locale strings during mochitest
+var stringBundleService = SpecialPowers.Cc["@mozilla.org/intl/stringbundle;1"]
+                          .getService(SpecialPowers.Ci.nsIStringBundleService);
+var localizer = stringBundleService.createBundle("chrome://global/locale/security/security.properties");
+var depreHeadersMsg = localizer.GetStringFromName("OldCSPHeaderDeprecated", 0)
+var dualHeadersMsg = localizer.GetStringFromName("BothCSPHeadersPresent", 0)
+
+function cleanup() {
+  SpecialPowers.postConsoleSentinel();
+  SimpleTest.finish();
+}
+
+// listen on the console before loading the iframe
+SpecialPowers.registerConsoleListener(function ConsoleMsgListener(aMsg) {
+  // Note: We do not want to see the deprecation warning appear in the console.
+  // This test can only be sure that the deprecation warning does not appear
+  // iff the deprecation warning appears before the dual header warning appears
+  // in the console.
+  if (aMsg.message.indexOf(depreHeadersMsg) > -1) {
+    ok(false, "Deprecated CSP header warning should not be present.");
+    return;
+  } else if (aMsg.message.indexOf(dualHeadersMsg) > -1) {
+    ok(true, "Dual CSP header warning present.");
+    SimpleTest.executeSoon(cleanup);
+  } else {
+    // if some other console message is present, we wait
+    return;
+  }
+});
+
+// get ready and test
+SimpleTest.waitForExplicitFinish();
+SpecialPowers.pushPrefEnv(
+  {'set': [["security.csp.speccompliant", true]]},
+  function() {
+    document.getElementById('cspframe').src = 'file_dual_headers_warning.html';
+});
+</script>
+</body>
+</html>