зеркало из https://github.com/mozilla/gecko-dev.git
Bug 1722252: Check if frame options should be ignored after checking if frame options are present. r=ckerschb
Differential Revision: https://phabricator.services.mozilla.com/D121872
Родитель
71bcf7f68f
Коммит
0c3899b477
|
@ -185,12 +185,6 @@ bool FramingChecker::CheckFrameOptions(nsIChannel* aChannel,
|
|||
return true;
|
||||
}
|
||||
|
||||
// xfo checks are ignored in case CSP frame-ancestors is present,
|
||||
// if so, there is nothing to do here.
|
||||
if (ShouldIgnoreFrameOptions(aChannel, aCsp)) {
|
||||
return true;
|
||||
}
|
||||
|
||||
nsCOMPtr<nsIHttpChannel> httpChannel;
|
||||
nsresult rv = nsContentSecurityUtils::GetHttpChannelFromPotentialMultiPart(
|
||||
aChannel, getter_AddRefs(httpChannel));
|
||||
|
@ -226,6 +220,12 @@ bool FramingChecker::CheckFrameOptions(nsIChannel* aChannel,
|
|||
return true;
|
||||
}
|
||||
|
||||
// xfo checks are ignored in case CSP frame-ancestors is present,
|
||||
// if so, there is nothing to do here.
|
||||
if (ShouldIgnoreFrameOptions(aChannel, aCsp)) {
|
||||
return true;
|
||||
}
|
||||
|
||||
// iterate through all the header values (usually there's only one, but can
|
||||
// be many. If any want to deny the load, deny the load.
|
||||
nsCharSeparatedTokenizer tokenizer(xfoHeaderValue, ',');
|
||||
|
|
|
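Review bot: The relocated comment above `if (ShouldIgnoreFrameOptions(aChannel, aCsp))` in the second hunk still only says that XFO is ignored when frame-ancestors is present; it does not record why the call now has to follow the header lookup. Judging from the commit title and the new test, the call appears to be what emits the "Ignoring x-frame-options" console warning, so a later reorder could silently bring the misleading message back. I would extend the comment to something like `// Must run after the XFO header lookup: this call reports the "ignoring x-frame-options" warning, which is only accurate when a header was actually sent.` Enforcement of frame-ancestors itself is not visible here, and CheckFrameOptions starts and ends outside both hunks.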
@ -0,0 +1,10 @@
|
|||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<head>
|
||||
<meta charset="utf-8">
|
||||
<title>Bug 1722252: "Content Security Policy: Ignoring ‘x-frame-options’ because of ‘frame-ancestors’ directive." warning message even when no "x-frame-options" header present</title>
|
||||
</head>
|
||||
<body>
|
||||
<div id="cspmessage">Do not log xfo ignore warning when no xfo is set.</div>
|
||||
</body>
|
||||
</html>
|
|
@ -0,0 +1,2 @@
|
|||
Content-Security-Policy: frame-ancestors http://mochi.test:8888
|
||||
Cache-Control: no-cache
|
|
@ -235,6 +235,8 @@ support-files =
|
|||
file_ignore_xfo.html^headers^
|
||||
file_ro_ignore_xfo.html
|
||||
file_ro_ignore_xfo.html^headers^
|
||||
file_no_log_ignore_xfo.html
|
||||
file_no_log_ignore_xfo.html^headers^
|
||||
file_data_csp_inheritance.html
|
||||
file_data_csp_merge.html
|
||||
file_data_doc_ignore_meta_csp.html
|
||||
|
|
|
@ -8,6 +8,7 @@
|
|||
</head>
|
||||
<body>
|
||||
<iframe style="width:100%;" id="csp_testframe"></iframe>
|
||||
<iframe style="width:100%;" id="csp_testframe_no_xfo"></iframe>
|
||||
<iframe style="width:100%;" id="csp_ro_testframe"></iframe>
|
||||
|
||||
<script class="testbody" type="text/javascript">
|
||||
|
@ -25,7 +26,7 @@ var testcounter = 0;
|
|||
function checkFinished() {
|
||||
testcounter++;
|
||||
if (testcounter < 3) {
|
||||
return;
|
||||
return;
|
||||
}
|
||||
// remove the listener and we are done.
|
||||
window.examiner.remove();
|
||||
|
@ -54,6 +55,19 @@ examiner.prototype = {
|
|||
}
|
||||
window.examiner = new examiner();
|
||||
|
||||
var script = SpecialPowers.loadChromeScript(() => {
|
||||
const {Services} = ChromeUtils.import("resource://gre/modules/Services.jsm");
|
||||
let ignoreCount = 0;
|
||||
Services.console.registerListener((msg) => {
|
||||
if(msg.message.includes("Content Security Policy: Ignoring ‘x-frame-options’ because of ‘frame-ancestors’ directive.")) {
|
||||
ignoreCount++;
|
||||
if(ignoreCount == 2) {
|
||||
ok(false, 'The "Content Security Policy: Ignoring ‘x-frame-options’ because of ‘frame-ancestors’ directive." warning should only appear once for the csp_testframe.');
|
||||
}
|
||||
}
|
||||
});
|
||||
});
|
||||
|
||||
// 1) test XFO with CSP
|
||||
var csp_testframe = document.getElementById("csp_testframe");
|
||||
csp_testframe.onload = function() {
|
||||
|
@ -80,6 +94,18 @@ csp_ro_testframe.onerror = function() {
|
|||
}
|
||||
csp_ro_testframe.src = "file_ro_ignore_xfo.html";
|
||||
|
||||
var csp_testframe_no_xfo = document.getElementById("csp_testframe_no_xfo");
|
||||
csp_testframe_no_xfo.onload = function() {
|
||||
var msg = csp_testframe_no_xfo.contentDocument.getElementById("cspmessage");
|
||||
is(msg.innerHTML, "Do not log xfo ignore warning when no xfo is set.", "Loading frame with with no XFO and CSP");
|
||||
checkFinished();
|
||||
}
|
||||
csp_testframe_no_xfo.onerror = function() {
|
||||
ok(false, "sanity: should not fire onerror for csp_testframe_no_xfo");
|
||||
checkFinished();
|
||||
}
|
||||
csp_testframe_no_xfo.src = "file_no_log_ignore_xfo.html";
|
||||
|
||||
</script>
|
||||
</body>
|
||||
</html>
|
||||
|
|
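Review bot: The console listener registered inside `SpecialPowers.loadChromeScript` (hunk `@ -54,6 +55,19 @`) is an anonymous function that is never unregistered, and `script` is never destroyed in the lines shown, so it can keep firing `ok(false, …)` on matching messages after this test has finished. Naming the callback and tearing it down would contain it, e.g. `Services.console.unregisterListener(listener);` in the chrome script and `script.destroy();` next to `window.examiner.remove();` in checkFinished. That function's body continues outside the hunk, so cleanup may already exist there. The check is also timing-dependent: it fails only if a second warning arrives before the third frame event ends the test, so a late console message would pass unnoticed.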