Bug 783049 - CSP : use existing/old parser for X-Content-Security-Policy header, new/CSP 1.0 spec compliant parser for Content-Security-Policy header - Part 1 (r=bz)

2024-09-13 09:24:08 -07:00 · 2013-01-09 10:57:03 -08:00 · 2013-01-09 10:57:03 -08:00 · dea7953b9b
commit dea7953b9b
parent 8dc94fdb33
4 changed files with 43 additions and 10 deletions
--- a/content/base/public/nsIContentSecurityPolicy.idl
+++ b/content/base/public/nsIContentSecurityPolicy.idl
@ -13,7 +13,7 @@ interface nsIDocShell;
 * Describes an XPCOM component used to model an enforce CSPs.
 */

-[scriptable, uuid(AB36A2BF-CB32-4AA6-AB41-6B4E4444A221)]
+[scriptable, uuid(d1680bb4-1ac0-4772-9437-1188375e44f2)]
 interface nsIContentSecurityPolicy : nsISupports
 {

@ -96,7 +96,7 @@ interface nsIContentSecurityPolicy : nsISupports
   * Updates the policy currently stored in the CSP to be "refined" or
   * tightened by the one specified in the string policyString.
   */
-  void refinePolicy(in AString policyString, in nsIURI selfURI);
+  void refinePolicy(in AString policyString, in nsIURI selfURI, in boolean specCompliant);

  /**
   * Verifies ancestry as permitted by the policy.
--- a/content/base/src/CSPUtils.jsm
+++ b/content/base/src/CSPUtils.jsm
@ -436,6 +436,26 @@ CSPRep.fromString = function(aStr, self, docRequest, csp) {
  return CSPRep.fromString("default-src 'none'", self);
 };

+/**
+  * Factory to create a new CSPRep, parsed from a string, compliant
+  * with the CSP 1.0 spec.
+  *
+  * @param aStr
+  *        string rep of a CSP
+  * @param self (optional)
+  *        URI representing the "self" source
+  * @param docRequest (optional)
+  *        request for the parent document which may need to be suspended
+  *        while the policy-uri is asynchronously fetched
+  * @param csp (optional)
+  *        the CSP object to update once the policy has been fetched
+  * @returns
+  *        an instance of CSPRep
+  */
+CSPRep.fromStringSpecCompliant = function(aStr, self, docRequest, csp) {
+  // bug #746878 goes here
+};
+
 CSPRep.prototype = {
  /**
   * Returns a space-separated list of all report uris defined, or 'none' if there are none.
--- a/content/base/src/contentSecurityPolicy.js
+++ b/content/base/src/contentSecurityPolicy.js
@ -87,7 +87,7 @@ function ContentSecurityPolicy() {
 }

 ContentSecurityPolicy.prototype = {
-  classID:          Components.ID("{AB36A2BF-CB32-4AA6-AB41-6B4E4444A221}"),
+  classID:          Components.ID("{d1680bb4-1ac0-4772-9437-1188375e44f2}"),
  QueryInterface:   XPCOMUtils.generateQI([Ci.nsIContentSecurityPolicy]),

  get isInitialized() {
@ -197,9 +197,10 @@ ContentSecurityPolicy.prototype = {
   * the effective policy has to be refined.
   */
  refinePolicy:
-  function csp_refinePolicy(aPolicy, selfURI) {
+  function csp_refinePolicy(aPolicy, selfURI, aSpecCompliant) {
    CSPdebug("REFINE POLICY: " + aPolicy);
    CSPdebug("         SELF: " + selfURI.asciiSpec);
+    CSPdebug("CSP 1.0 COMPLIANT : " + aSpecCompliant);
    // For nested schemes such as view-source: make sure we are taking the
    // innermost URI to use as 'self' since that's where we will extract the
    // scheme, host and port from
@ -215,10 +216,22 @@ ContentSecurityPolicy.prototype = {
    // (1) parse and create a CSPRep object
    // Note that we pass the full URI since when it's parsed as 'self' to construct a
    // CSPSource only the scheme, host, and port are kept.
-    var newpolicy = CSPRep.fromString(aPolicy,
-				      selfURI,
-                                      this._docRequest,
-                                      this);
+
+    // If we want to be CSP 1.0 spec compliant, use the new parser.
+    // The old one will be deprecated in the future and will be
+    // removed at that time.
+    var newpolicy;
+    if (aSpecCompliant) {
+      newpolicy = CSPRep.fromStringSpecCompliant(aPolicy,
+                                                 selfURI,
+                                                 this._docRequest,
+                                                 this);
+    } else {
+      newpolicy = CSPRep.fromString(aPolicy,
+                                    selfURI,
+                                    this._docRequest,
+                                    this);
+    }

    // (2) Intersect the currently installed CSPRep object with the new one
    var intersect = this._policy.intersectWith(newpolicy);
--- a/content/base/src/contentSecurityPolicy.manifest
+++ b/content/base/src/contentSecurityPolicy.manifest
@ -1,2 +1,2 @@
-component {AB36A2BF-CB32-4AA6-AB41-6B4E4444A221} contentSecurityPolicy.js
-contract @mozilla.org/contentsecuritypolicy;1 {AB36A2BF-CB32-4AA6-AB41-6B4E4444A221}
+component {d1680bb4-1ac0-4772-9437-1188375e44f2} contentSecurityPolicy.js
+contract @mozilla.org/contentsecuritypolicy;1 {d1680bb4-1ac0-4772-9437-1188375e44f2}