Bug 916446 -Pass reportOnly to CSPRep.fromString so invalid pre-1.0 CSP headers aren't accidentally enforced. r=sstamm

2024-09-13 09:24:08 -07:00 · 2013-09-19 17:31:01 -04:00 · 2013-09-19 17:31:01 -04:00 · 926cd4388f
commit 926cd4388f
parent 5c68328e57
6 changed files with 145 additions and 1 deletions
--- a/content/base/src/CSPUtils.jsm
+++ b/content/base/src/CSPUtils.jsm
@ -243,6 +243,8 @@ CSPRep.ALLOW_DIRECTIVE   = "allow";
  *        while the policy-uri is asynchronously fetched
  * @param csp (optional)
  *        the CSP object to update once the policy has been fetched
+  * @param reportOnly (optional)
+  *        whether or not this CSP is report-only (defaults to false)
  * @returns
  *        an instance of CSPRep
  */
@ -480,7 +482,8 @@ CSPRep.fromString = function(aStr, self, docRequest, csp, reportOnly) {
  // directive to be present.
  if (!aCSPR._directives[SD.DEFAULT_SRC]) {
    cspWarn(aCSPR, CSPLocalizer.getStr("allowOrDefaultSrcRequired"));
-    return CSPRep.fromString("default-src 'none'", selfUri);
+    return CSPRep.fromString("default-src 'none'", selfUri, docRequest, csp,
+                             reportOnly);
  }
  return aCSPR;
 };
@ -498,6 +501,8 @@ CSPRep.fromString = function(aStr, self, docRequest, csp, reportOnly) {
  *        while the policy-uri is asynchronously fetched
  * @param csp (optional)
  *        the CSP object to update once the policy has been fetched
+  * @param reportOnly (optional)
+  *        whether or not this CSP is report-only (defaults to false)
  * @returns
  *        an instance of CSPRep
  */
--- a/content/base/test/csp/Makefile.in
+++ b/content/base/test/csp/Makefile.in
@ -110,6 +110,9 @@ MOCHITEST_FILES := \
  file_bug886164_5.html^headers^ \
  file_bug886164_6.html \
  file_bug886164_6.html^headers^ \
+  test_CSP_bug916446.html \
+  file_CSP_bug916446.html \
+  file_CSP_bug916446.html^headers^ \
  $(NULL)

 MOCHITEST_CHROME_FILES := \
--- a/content/base/test/csp/file_CSP_bug916446.html
+++ b/content/base/test/csp/file_CSP_bug916446.html
@ -0,0 +1,16 @@
+<!doctype html>
+<html>
+  <body>
+    <ol>
+      <li id="inline-script">Inline script (green if allowed, black if blocked)</li>
+    </ol>
+
+    <script>
+      // Use inline script to set a style attribute
+      document.getElementById("inline-script").style.color = "rgb(0, 128, 0)";
+    </script>
+
+    <img src="file_CSP.sjs?testid=img_bad&type=img/png"></img>
+
+  </body>
+</html>
--- a/content/base/test/csp/file_CSP_bug916446.html^headers^
+++ b/content/base/test/csp/file_CSP_bug916446.html^headers^
@ -0,0 +1 @@
+x-content-security-policy-report-only: options eval-script; script-src 'self' ; report-uri /csp_report
--- a/content/base/test/csp/test_CSP_bug916446.html
+++ b/content/base/test/csp/test_CSP_bug916446.html
@ -0,0 +1,118 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Test for Bug 916446</title>
+   <!--
+   test that an invalid report-only policy (a stripped down version of what
+   web.tweetdeck.com was serving) defaults to "default-src 'none'" but only
+   sends reports and is not accidentally enforced
+   -->
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<iframe style="width:200px;height:200px;" id='testframe'></iframe>
+
+<script class="testbody" type="text/javascript">
+
+// This is used to watch the blocked data bounce off CSP and allowed data
+// get sent out to the wire.
+function examiner() {
+  SpecialPowers.addObserver(this, "csp-on-violate-policy", false);
+  SpecialPowers.addObserver(this, "http-on-modify-request", false);
+}
+examiner.prototype  = {
+  completedTests: 0,
+  totalTests: 4,
+
+  observe: function(subject, topic, data) {
+    // subject should be an nsURI, and should be either allowed or blocked.
+    if (!SpecialPowers.can_QI(subject))
+      return;
+
+    var testpat = new RegExp("testid=([a-z0-9_]+)");
+
+    if (topic === "http-on-modify-request") {
+      //these things were allowed by CSP
+      var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIHttpChannel"), "URI.asciiSpec");
+      if (!testpat.test(asciiSpec)) return;
+      var testid = testpat.exec(asciiSpec)[1];
+      if (testid === "img_bad") {
+        // img_bad should be *allowed* because the policy is report-only
+        ok(true, "Inline scripts should execute (because the policy is report-only)");
+        this.completedTests++;
+      }
+    }
+
+    if(topic === "csp-on-violate-policy") {
+      // these were blocked
+      try {
+        var asciiSpec = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsIURI"), "asciiSpec");
+        if (!testpat.test(asciiSpec)) return;
+        var testid = testpat.exec(asciiSpec)[1];
+        if (testid === "img_bad") {
+          ok(true, "External loads should trigger a violation report (because the policy should fail closed to \"default-src 'none'\")");
+          this.completedTests++;
+        }
+      } catch (e) {
+        // if that fails, the subject is probably a string
+        violation_msg = SpecialPowers.getPrivilegedProps(SpecialPowers.do_QueryInterface(subject, "nsISupportsCString"), "data");
+        if (/Inline Scripts will not execute/.test(violation_msg)) {
+          ok(true, "Inline scripts should trigger a violation report (because the policy should fail closed to \"default-src 'none'\")");
+          this.completedTests++;
+        }
+      }
+    }
+  },
+
+  // must eventually call this to remove the listener,
+  // or mochitests might get borked.
+  remove: function() {
+    SpecialPowers.removeObserver(this, "csp-on-violate-policy");
+    SpecialPowers.removeObserver(this, "http-on-modify-request");
+  }
+}
+
+window.examiner = new examiner();
+
+function checkInlineScriptExecuted() {
+  var green = 'rgb(0, 128, 0)';
+  var black = 'rgb(0, 0, 0)';
+  var that = this;
+  function getElementColorById(id) {
+    return window.getComputedStyle(that.contentDocument.getElementById(id)).color;
+  }
+  if (getElementColorById('inline-script') === green) {
+    ok(true, "Inline scripts should execute (because the policy is report-only)");
+    window.examiner.completedTests++;
+  }
+
+  waitToFinish();
+}
+
+function waitToFinish() {
+  setTimeout(function wait() {
+    if (window.examiner.completedTests < window.examiner.totalTests) {
+        waitToFinish();
+    } else {
+      // Cleanup
+      window.examiner.remove();
+      SimpleTest.finish();
+    }
+  }, 10);
+}
+
+SimpleTest.waitForExplicitFinish();
+
+SpecialPowers.pushPrefEnv(
+  {'set':[["security.csp.speccompliant", false]]},
+  function() {
+    var testframe = document.getElementById('testframe');
+    testframe.src = 'file_CSP_bug916446.html';
+    testframe.addEventListener('load', checkInlineScriptExecuted);
+  }
+);
+</script>
+</pre>
+</body>
+</html>
--- a/testing/mochitest/b2g.json
+++ b/testing/mochitest/b2g.json
@ -206,6 +206,7 @@
    "content/base/test/csp/test_CSP.html":"observer not working",
    "content/base/test/csp/test_bug836922_npolicies.html":"observer not working",
    "content/base/test/csp/test_bug886164.html":"observer not working",
+    "content/base/test/csp/test_CSP_bug916446.html":"observer not working",

    "content/base/test/test_CrossSiteXHR_origin.html":"https not working, bug 907770",
    "content/base/test/test_bug326337.html":"popup windows don't have specialpowers installed, could be solved with sendmessage/receivemessage",
				`@ -0,0 +1 @@`
				`x-content-security-policy-report-only: options eval-script; script-src 'self' ; report-uri /csp_report`