Bug 1722252: Check if frame options should be ignored after checking if frame options are present. r=ckerschb

Differential Revision: https://phabricator.services.mozilla.com/D121872

dom/security/FramingChecker.cpp

@@ -185,12 +185,6 @@ bool FramingChecker::CheckFrameOptions(nsIChannel* aChannel,
     return true;
   }
 
-  // xfo checks are ignored in case CSP frame-ancestors is present,
-  // if so, there is nothing to do here.
-  if (ShouldIgnoreFrameOptions(aChannel, aCsp)) {
-    return true;
-  }
-
   nsCOMPtr<nsIHttpChannel> httpChannel;
   nsresult rv = nsContentSecurityUtils::GetHttpChannelFromPotentialMultiPart(
       aChannel, getter_AddRefs(httpChannel));
@@ -226,6 +220,12 @@ bool FramingChecker::CheckFrameOptions(nsIChannel* aChannel,
     return true;
   }
 
+  // xfo checks are ignored in case CSP frame-ancestors is present,
+  // if so, there is nothing to do here.
+  if (ShouldIgnoreFrameOptions(aChannel, aCsp)) {
+    return true;
+  }
+
   // iterate through all the header values (usually there's only one, but can
   // be many.  If any want to deny the load, deny the load.
   nsCharSeparatedTokenizer tokenizer(xfoHeaderValue, ',');

dom/security/test/csp/file_no_log_ignore_xfo.html

@@ -0,0 +1,10 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Bug 1722252: "Content Security Policy: Ignoring ‘x-frame-options’ because of ‘frame-ancestors’ directive." warning message even when no "x-frame-options" header present</title>
+</head>
+<body>
+<div id="cspmessage">Do not log xfo ignore warning when no xfo is set.</div>
+</body>
+</html>

dom/security/test/csp/file_no_log_ignore_xfo.html^headers^

@@ -0,0 +1,2 @@
+Content-Security-Policy: frame-ancestors http://mochi.test:8888
+Cache-Control: no-cache

dom/security/test/csp/mochitest.ini

@@ -235,6 +235,8 @@ support-files =
   file_ignore_xfo.html^headers^
   file_ro_ignore_xfo.html
   file_ro_ignore_xfo.html^headers^
+  file_no_log_ignore_xfo.html
+  file_no_log_ignore_xfo.html^headers^
   file_data_csp_inheritance.html
   file_data_csp_merge.html
   file_data_doc_ignore_meta_csp.html

dom/security/test/csp/test_ignore_xfo.html

@@ -8,6 +8,7 @@
 </head>
 <body>
 <iframe style="width:100%;" id="csp_testframe"></iframe>
+<iframe style="width:100%;" id="csp_testframe_no_xfo"></iframe>
 <iframe style="width:100%;" id="csp_ro_testframe"></iframe>
 
 <script class="testbody" type="text/javascript">
@@ -25,7 +26,7 @@ var testcounter = 0;
 function checkFinished() {
   testcounter++;
   if (testcounter < 3) {
-  	return;
+    return;
   }
   // remove the listener and we are done.
   window.examiner.remove();
@@ -54,6 +55,19 @@ examiner.prototype  = {
 }
 window.examiner = new examiner();
 
+var script = SpecialPowers.loadChromeScript(() => {
+  const {Services} = ChromeUtils.import("resource://gre/modules/Services.jsm");
+  let ignoreCount = 0;
+  Services.console.registerListener((msg) => {
+    if(msg.message.includes("Content Security Policy: Ignoring ‘x-frame-options’ because of ‘frame-ancestors’ directive.")) {
+      ignoreCount++;
+      if(ignoreCount == 2) {
+        ok(false, 'The "Content Security Policy: Ignoring ‘x-frame-options’ because of ‘frame-ancestors’ directive." warning should only appear once for the csp_testframe.');
+      }
+    }
+  });
+});
+
 // 1) test XFO with CSP
 var csp_testframe = document.getElementById("csp_testframe");
 csp_testframe.onload = function() {
@@ -80,6 +94,18 @@ csp_ro_testframe.onerror = function() {
 }
 csp_ro_testframe.src = "file_ro_ignore_xfo.html";
 
+var csp_testframe_no_xfo = document.getElementById("csp_testframe_no_xfo");
+csp_testframe_no_xfo.onload = function() {
+  var msg = csp_testframe_no_xfo.contentDocument.getElementById("cspmessage");
+  is(msg.innerHTML, "Do not log xfo ignore warning when no xfo is set.", "Loading frame with with no XFO and CSP");
+  checkFinished();
+}
+csp_testframe_no_xfo.onerror = function() {
+  ok(false, "sanity: should not fire onerror for csp_testframe_no_xfo");
+  checkFinished();
+}
+csp_testframe_no_xfo.src = "file_no_log_ignore_xfo.html";
+
 </script>
 </body>
 </html>