Bug 1490977: Assert content privileged about page has CSP. r=smaug

dom/base/nsDocument.cpp

@@ -5295,7 +5295,8 @@ AssertContentPrivilegedAboutPageHasCSP(nsIURI* aDocumentURI, nsIPrincipal* aPrin
 
   // Potentially init the legacy whitelist of about URIs without a CSP.
   static StaticAutoPtr<nsTArray<nsCString>> sLegacyAboutPagesWithNoCSP;
-  if (!sLegacyAboutPagesWithNoCSP) {
+  if (!sLegacyAboutPagesWithNoCSP ||
+      Preferences::GetBool("csp.overrule_content_privileged_about_uris_without_csp_whitelist")) {
     sLegacyAboutPagesWithNoCSP = new nsTArray<nsCString>();
     nsAutoCString legacyAboutPages;
     Preferences::GetCString("csp.content_privileged_about_uris_without_csp",
@@ -5334,6 +5335,10 @@ AssertContentPrivilegedAboutPageHasCSP(nsIURI* aDocumentURI, nsIPrincipal* aPrin
        csp->GetPolicyString(0, parsedPolicyStr);
      }
   }
+  if (Preferences::GetBool("csp.overrule_content_privileged_about_uris_without_csp_whitelist")) {
+    NS_ASSERTION(parsedPolicyStr.Find("default-src") >= 0, "about: page must have a CSP");
+    return;
+  }
   MOZ_ASSERT(parsedPolicyStr.Find("default-src") >= 0,
     "about: page must contain a CSP including default-src");
 }

dom/security/test/general/mochitest.ini

@@ -42,3 +42,5 @@ skip-if = toolkit == 'android'
 [test_same_site_cookies_toplevel_set_cookie.html]
 [test_same_site_cookies_iframe.html]
 [test_same_site_cookies_about.html]
+[test_assert_about_page_no_csp.html]
+skip-if = !debug || toolkit == 'android'

dom/security/test/general/test_assert_about_page_no_csp.html

@@ -0,0 +1,41 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug 1490977: Test Assertion if content privileged about: page has no CSP</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<iframe id="testframe"></iframe>
+<script class="testbody" type="text/javascript">
+
+  SimpleTest.waitForExplicitFinish();
+  SimpleTest.expectAssertions(0, 1);
+
+  // Test Setup:
+  // The test overrules the whitelist of about: pages that are allowed to load without a CSP
+  // and makes sure to hit the assertion within AssertContentPrivilegedAboutPageHasCSP().
+  // However, due to the caching mechanism within AssertContentPrivilegedAboutPageHasCSP this
+  // test loads a second dummy data: URI to reset the old cache and finally resets the pref
+  // used for testing purposes.
+
+  let origWhiteList = SpecialPowers.getCharPref("csp.content_privileged_about_uris_without_csp");
+
+  SpecialPowers.setCharPref("csp.content_privileged_about_uris_without_csp", "");
+  SpecialPowers.setBoolPref("csp.overrule_content_privileged_about_uris_without_csp_whitelist", true);
+
+  ok(true, "sanity: prefs flipped and test runs");
+  let myFrame = document.getElementById("testframe");
+  myFrame.src = "about:blank";
+  // booom :-)
+
+  SpecialPowers.setCharPref("csp.content_privileged_about_uris_without_csp", origWhiteList);
+  myFrame.src = "data:text/html,<body>just a dumy data: URI</body>";
+
+  SpecialPowers.setBoolPref("csp.overrule_content_privileged_about_uris_without_csp_whitelist", false);
+
+  SimpleTest.finish();
+</script>
+</pre>
+</body>
+</html>

modules/libpref/init/all.js

@@ -2583,6 +2583,8 @@ pref("security.notification_enable_delay", 500);
 
 #if defined(DEBUG) && !defined(ANDROID)
 pref("csp.content_privileged_about_uris_without_csp", "blank,printpreview,srcdoc");
+// the following pref is for testing purposes only.
+pref("csp.overrule_content_privileged_about_uris_without_csp_whitelist", false);
 #endif
 
 // Default Content Security Policy to apply to signed contents.