Bug 1439425 - Ignore empty CSP directives. r=ckerschb
MozReview-Commit-ID: 67Ach2vCs8A --HG-- rename : dom/security/test/csp/file_self_none_as_hostname_confusion.html => dom/security/test/csp/file_empty_directive.html rename : dom/security/test/csp/file_self_none_as_hostname_confusion.html^headers^ => dom/security/test/csp/file_empty_directive.html^headers^ rename : dom/security/test/csp/test_self_none_as_hostname_confusion.html => dom/security/test/csp/test_empty_directive.html extra : rebase_source : 1270d3d1aa8d53389e8708d29d2e363e52c02029
Родитель
659fc0cc75
Коммит
0d79353b7d
@ -1171,6 +1171,10 @@ nsCSPParser::directive()
|
|||
return;
|
||||
}
|
||||
|
||||
if (CSP_IsEmptyDirective(mCurValue, mCurToken)) {
|
||||
return;
|
||||
}
|
||||
|
||||
// Try to create a new CSPDirective
|
||||
nsCSPDirective* cspDir = directiveName();
|
||||
if (!cspDir) {
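Review bot: The early return on `if (CSP_IsEmptyDirective(mCurValue, mCurToken))` drops the directive without any comment saying why this case is silent while the `!cspDir` case right after it is (presumably) reported, which is exactly the kind of silently-swallowed input a parser audit trips over. I would add above the check: `// An empty directive (a bare ";" in the policy, e.g. ";;" or a trailing ";") is skipped without a console warning; the CSP parsing algorithm treats an empty directive name as nothing to parse.` Note that the helper requires both the name and the value to be empty, so a token with an empty name but a non-empty value still reaches directiveName() — worth confirming that tokenization cannot produce such a pair from whitespace-only input, since that path is not covered by the new test. The enclosing nsCSPParser::directive() starts and ends outside this hunk.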
@ -307,6 +307,12 @@ CSP_CreateHostSrcFromSelfURI(nsIURI* aSelfURI)
|
|||
return hostsrc;
|
||||
}
|
||||
|
||||
bool
|
||||
CSP_IsEmptyDirective(const nsAString& aValue, const nsAString& aDir)
|
||||
{
|
||||
return (aDir.Length() == 0 &&
|
||||
aValue.Length() == 0);
|
||||
}
|
||||
bool
|
||||
CSP_IsValidDirective(const nsAString& aDir)
|
||||
{
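Review bot: The closing `}` of the new `CSP_IsEmptyDirective` is immediately followed by `bool` / `CSP_IsValidDirective(...)` with no blank line, whereas the file keeps a blank line after `CSP_CreateHostSrcFromSelfURI` just above; add the blank line so the two definitions read as separate. The new function also has no header comment; a one-liner such as `// True only when both the directive name (aDir) and its value (aValue) are empty; a name-only or value-only token is not "empty".` would stop callers assuming it also catches whitespace-only input. The two-line `return (aDir.Length() == 0 && aValue.Length() == 0);` could be the single expression `return aDir.IsEmpty() && aValue.IsEmpty();` if nsAString provides IsEmpty(), which I cannot confirm from this hunk. Keeping the (aValue, aDir) parameter order, which matches `CSP_IsDirective`, is the right call.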
@ -211,6 +211,7 @@ nsresult CSP_AppendCSPFromHeader(nsIContentSecurityPolicy* aCsp,
|
|||
class nsCSPHostSrc;
|
||||
|
||||
nsCSPHostSrc* CSP_CreateHostSrcFromSelfURI(nsIURI* aSelfURI);
|
||||
bool CSP_IsEmptyDirective(const nsAString& aValue, const nsAString& aDir);
|
||||
bool CSP_IsValidDirective(const nsAString& aDir);
|
||||
bool CSP_IsDirective(const nsAString& aValue, CSPDirective aDir);
|
||||
bool CSP_IsKeyword(const nsAString& aValue, enum CSPKeyword aKey);
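Review bot: The added declaration `bool CSP_IsEmptyDirective(const nsAString& aValue, const nsAString& aDir);` takes two arguments of the same type, so a call that swaps value and name compiles silently, and nothing on the declaration says what "empty" means; a comment here would help: `// Returns true only when both the directive name (aDir) and its value (aValue) are empty, e.g. for a policy consisting of a bare ";" as in the new test header.` The ordering (value first, directive second) mirrors `CSP_IsDirective` on the next line, which the comment could point out so future callers keep it.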
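--- /dev/null
+++ b/dom/security/test/csp/file_empty_directive.html
@@ -0,0 +1,11 @@
+<!doctype html>
+<html>
+<head>
+<meta charset="utf8">
+<title>Bug 587377 - CSP keywords "'self'" and "'none'" are easy to confuse with host names "self" and "none"</title>
+<!-- Any copyright is dedicated to the Public Domain.
+- http://creativecommons.org/publicdomain/zero/1.0/ -->
+</head>
+<body>
+</body>
+</html>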
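Review bot: The `<title>` still reads `Bug 587377 - CSP keywords "'self'" and "'none'" are easy to confuse with host names "self" and "none"`, carried over from the file this fixture was copied from, while the page now serves the empty-directive test for bug 1439425; a stale title misleads anyone reading test logs or the loaded frame. Change it to `<title>Bug 1439425 - Ignore empty CSP directives</title>`. The charset label `utf8` also differs from the `utf-8` used in the accompanying test page; `utf-8` is the canonical spelling, though browsers accept both.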
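--- /dev/null
+++ b/dom/security/test/csp/file_empty_directive.html^headers^
@@ -0,0 +1 @@
+Content-Security-Policy: ;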
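Review bot: The header `Content-Security-Policy: ;` exercises only a policy that is a single bare `;`, so the parser change is verified for the case where the entire policy is empty but not for an empty directive sitting next to real ones (`;;`, a leading `;`, or `default-src 'self';;`), which is the shape that matters for enforcement: the empty token must be dropped without its neighbours being dropped with it. A fixture header such as `Content-Security-Policy: default-src 'self';; script-src 'none';` would cover that, with the caveat that the accompanying test currently only asserts that nothing is logged to the console, so proving the following directive is still applied would also need a resource load in the fixture page.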
@ -108,6 +108,8 @@ support-files =
|
|||
file_ignore_unsafe_inline_multiple_policies_server.sjs
|
||||
file_self_none_as_hostname_confusion.html
|
||||
file_self_none_as_hostname_confusion.html^headers^
|
||||
file_empty_directive.html
|
||||
file_empty_directive.html^headers^
|
||||
file_path_matching.html
|
||||
file_path_matching_incl_query.html
|
||||
file_path_matching.js
|
||||
|
@ -268,6 +270,7 @@ skip-if = toolkit == 'android' # Times out, not sure why (bug 1008445)
|
|||
[test_scheme_relative_sources.html]
|
||||
[test_ignore_unsafe_inline.html]
|
||||
[test_self_none_as_hostname_confusion.html]
|
||||
[test_empty_directive.html]
|
||||
[test_path_matching.html]
|
||||
[test_path_matching_redirect.html]
|
||||
[test_report_uri_missing_in_report_only_header.html]
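--- /dev/null
+++ b/dom/security/test/csp/test_empty_directive.html
@@ -0,0 +1,51 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=1439425
+-->
+<head>
+<meta charset="utf-8">
+<title>Test for Bug 1439425</title>
+<script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1439425">Mozilla Bug 1439425</a>
+<p id="display"></p>
+
+<iframe id="cspframe"></iframe>
+
+<pre id="test">
+
+<script class="testbody" type="text/javascript">
+let consoleCount = 0;
+
+function cleanup() {
+SpecialPowers.postConsoleSentinel();
+}
+
+function finish() {
+SimpleTest.finish();
+}
+
+SpecialPowers.registerConsoleListener(function ConsoleMsgListener(aMsg) {
+if (aMsg.message == "SENTINEL") {
+is(consoleCount, 0);
+SimpleTest.executeSoon(finish);
+} else {
+++consoleCount;
+ok(false, "Must never see a console warning here");
+}
+});
+
+// set up and start testing
+SimpleTest.waitForExplicitFinish();
+let frame = document.getElementById('cspframe');
+frame.onload = () => {
+SimpleTest.executeSoon(cleanup);
+};
+frame.src = 'file_empty_directive.html';
+</script>
+</pre>
+</body>
+</html>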
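Review bot: The test passes whenever nothing reaches the console, which is also what would happen if the whole header were silently discarded, so `is(consoleCount, 0);` cannot distinguish "empty directive ignored" from "policy ignored"; loading a resource the policy should block and asserting the block would pin the intended behaviour, which needs a non-empty directive in the fixture header. The listener also reports the same failure twice — `ok(false, "Must never see a console warning here")` fires per message and the unlabelled `is(consoleCount, 0)` repeats it at the sentinel; one suffices, and giving the sentinel check a message, `is(consoleCount, 0, "no console messages for a policy with an empty directive");`, makes the log self-explanatory. The sentinel is posted from `frame.onload`, so the test implicitly assumes any CSP parser warning is logged before the frame's load event; that matches how the sibling CSP tests appear to work but is worth a one-line comment.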