Bug 1542807 part 5 - Don't apply CSP rules for the document to fonts loaded from User and UserAgent origin sheets. r=ckerschb

As for document.fonts, I don't think we intentionally meant to apply CSP to User/UserAgent fonts. The document certainly has no authority to block those from loading. (We already have a separate principal for these which is further evidence that this was unintentional and we can use the same bit (mUseOriginPrincipal) to avoid CSP.) Differential Revision: https://phabricator.services.mozilla.com/D111695
2021-06-11 18:10:39 +00:00 · 2021-06-11 18:10:39 +00:00 · 2047e29464
--- a/dom/base/nsContentPolicyUtils.h
+++ b/dom/base/nsContentPolicyUtils.h
@ -143,6 +143,7 @@ inline const char* NS_CP_ContentTypeName(nsContentPolicyType contentType) {
    CASE_RETURN(TYPE_INTERNAL_CHROMEUTILS_COMPILED_SCRIPT);
    CASE_RETURN(TYPE_INTERNAL_FRAME_MESSAGEMANAGER_SCRIPT);
    CASE_RETURN(TYPE_INTERNAL_FETCH_PRELOAD);
+    CASE_RETURN(TYPE_UA_FONT);
    case nsIContentPolicy::TYPE_INVALID:
      break;
      // Do not add default: so that compilers can catch the missing case.
@ -190,7 +191,8 @@ inline const char* NS_CP_ContentTypeName(ExtContentPolicyType contentType) {
    if (NS_CP_REJECTED(*decision)) {                                           \
      return NS_OK;                                                            \
    }                                                                          \
-    if (contentType != nsIContentPolicy::TYPE_DOCUMENT) {                      \
+    if (contentType != nsIContentPolicy::TYPE_DOCUMENT &&                      \
+        contentType != nsIContentPolicy::TYPE_UA_FONT) {                       \
      *decision = nsIContentPolicy::ACCEPT;                                    \
      nsCOMPtr<nsINode> n = do_QueryInterface(context);                        \
      if (!n) {                                                                \
--- a/dom/base/nsDataDocumentContentPolicy.cpp
+++ b/dom/base/nsDataDocumentContentPolicy.cpp
@ -84,6 +84,7 @@ nsDataDocumentContentPolicy::ShouldLoad(nsIURI* aContentLocation,
        case ExtContentPolicy::TYPE_IMAGE:
        case ExtContentPolicy::TYPE_IMAGESET:
        case ExtContentPolicy::TYPE_FONT:
+        case ExtContentPolicy::TYPE_UA_FONT:
        // This one is a bit sketchy, but nsObjectLoadingContent takes care of
        // only getting here if it is an image.
        case ExtContentPolicy::TYPE_OBJECT:
--- a/dom/base/nsIContentPolicy.idl
+++ b/dom/base/nsIContentPolicy.idl
@ -413,6 +413,12 @@ interface nsIContentPolicy : nsISupports
     */
    TYPE_INTERNAL_FETCH_PRELOAD = 54,

+    /**
+     * Indicates a font loaded via @font-face rule in an UA style sheet.
+     * (CSP does not apply.)
+     */
+    TYPE_UA_FONT = 55,
+
    /* When adding new content types, please update
     * NS_CP_ContentTypeName, nsCSPContext, CSP_ContentTypeToDirective,
     * DoContentSecurityChecks, all nsIContentPolicy implementations, the
@ -569,6 +575,7 @@ enum class ExtContentPolicyType : uint8_t {
  TYPE_WEB_MANIFEST = nsIContentPolicy::TYPE_WEB_MANIFEST,
  TYPE_SAVEAS_DOWNLOAD = nsIContentPolicy::TYPE_SAVEAS_DOWNLOAD,
  TYPE_SPECULATIVE = nsIContentPolicy::TYPE_SPECULATIVE,
+  TYPE_UA_FONT = nsIContentPolicy::TYPE_UA_FONT,
 };

 typedef ExtContentPolicyType ExtContentPolicy;
--- a/dom/cache/DBSchema.cpp
+++ b/dom/cache/DBSchema.cpp
@ -338,7 +338,8 @@ static_assert(
        nsIContentPolicy::TYPE_INTERNAL_FONT_PRELOAD == 51 &&
        nsIContentPolicy::TYPE_INTERNAL_CHROMEUTILS_COMPILED_SCRIPT == 52 &&
        nsIContentPolicy::TYPE_INTERNAL_FRAME_MESSAGEMANAGER_SCRIPT == 53 &&
-        nsIContentPolicy::TYPE_INTERNAL_FETCH_PRELOAD == 54,
+        nsIContentPolicy::TYPE_INTERNAL_FETCH_PRELOAD == 54 &&
+        nsIContentPolicy::TYPE_UA_FONT == 55,
    "nsContentPolicyType values are as expected");

 namespace {
--- a/dom/fetch/InternalRequest.cpp
+++ b/dom/fetch/InternalRequest.cpp
@ -245,6 +245,7 @@ RequestDestination InternalRequest::MapContentPolicyTypeToRequestDestination(
      return RequestDestination::_empty;
    case nsIContentPolicy::TYPE_FONT:
    case nsIContentPolicy::TYPE_INTERNAL_FONT_PRELOAD:
+    case nsIContentPolicy::TYPE_UA_FONT:
      return RequestDestination::Font;
    case nsIContentPolicy::TYPE_MEDIA:
      return RequestDestination::_empty;
--- a/dom/security/SecFetch.cpp
+++ b/dom/security/SecFetch.cpp
@ -75,6 +75,7 @@ nsCString MapInternalContentPolicyTypeToDest(nsContentPolicyType aType) {
      return "empty"_ns;
    case nsIContentPolicy::TYPE_FONT:
    case nsIContentPolicy::TYPE_INTERNAL_FONT_PRELOAD:
+    case nsIContentPolicy::TYPE_UA_FONT:
      return "font"_ns;
    case nsIContentPolicy::TYPE_MEDIA:
      return "empty"_ns;
--- a/dom/security/nsCSPUtils.cpp
+++ b/dom/security/nsCSPUtils.cpp
@ -339,6 +339,7 @@ CSPDirective CSP_ContentTypeToDirective(nsContentPolicyType aType) {
      return nsIContentSecurityPolicy::NO_DIRECTIVE;

    case nsIContentPolicy::TYPE_SAVEAS_DOWNLOAD:
+    case nsIContentPolicy::TYPE_UA_FONT:
      return nsIContentSecurityPolicy::NO_DIRECTIVE;

    // Fall through to error for all other directives
--- a/dom/security/nsContentSecurityManager.cpp
+++ b/dom/security/nsContentSecurityManager.cpp
@ -529,7 +529,8 @@ static nsresult DoContentSecurityChecks(nsIChannel* aChannel,
      break;
    }

-    case ExtContentPolicy::TYPE_FONT: {
+    case ExtContentPolicy::TYPE_FONT:
+    case ExtContentPolicy::TYPE_UA_FONT: {
      mimeTypeGuess.Truncate();
      break;
    }
--- a/dom/security/nsHTTPSOnlyStreamListener.cpp
+++ b/dom/security/nsHTTPSOnlyStreamListener.cpp
@ -192,6 +192,7 @@ void nsHTTPSOnlyStreamListener::RecordUpgradeTelemetry(nsIRequest* request,
        break;

      case ExtContentPolicy::TYPE_FONT:
+      case ExtContentPolicy::TYPE_UA_FONT:
        typeKey = "font"_ns;
        break;

--- a/dom/security/nsMixedContentBlocker.cpp
+++ b/dom/security/nsMixedContentBlocker.cpp
@ -536,6 +536,7 @@ nsresult nsMixedContentBlocker::ShouldLoad(bool aHadInsecureImageRedirect,
    case ExtContentPolicy::TYPE_DTD:
    case ExtContentPolicy::TYPE_FETCH:
    case ExtContentPolicy::TYPE_FONT:
+    case ExtContentPolicy::TYPE_UA_FONT:
    case ExtContentPolicy::TYPE_IMAGESET:
    case ExtContentPolicy::TYPE_OBJECT:
    case ExtContentPolicy::TYPE_SCRIPT:
--- a/layout/style/FontFaceSet.cpp
+++ b/layout/style/FontFaceSet.cpp
@ -1344,6 +1344,10 @@ bool FontFaceSet::IsFontLoadAllowed(const gfxFontFaceSrc& aSrc) {
    return false;
  }

+  if (aSrc.mUseOriginPrincipal) {
+    return true;
+  }
+
  gfxFontSrcPrincipal* gfxPrincipal = aSrc.mURI->InheritsSecurityContext()
                                          ? nullptr
                                          : aSrc.LoadPrincipal(*mUserFontSet);
@ -1401,7 +1405,8 @@ nsresult FontFaceSet::SyncLoadFontData(gfxUserFontEntry* aFontToLoad,
      getter_AddRefs(channel), aFontFaceSrc->mURI->get(), mDocument,
      principal ? principal->NodePrincipal() : nullptr,
      nsILoadInfo::SEC_REQUIRE_SAME_ORIGIN_INHERITS_SEC_CONTEXT,
-      nsIContentPolicy::TYPE_FONT);
+      aFontFaceSrc->mUseOriginPrincipal ? nsIContentPolicy::TYPE_UA_FONT
+                                        : nsIContentPolicy::TYPE_FONT);

  NS_ENSURE_SUCCESS(rv, rv);

--- a/toolkit/components/extensions/webrequest/ChannelWrapper.cpp
+++ b/toolkit/components/extensions/webrequest/ChannelWrapper.cpp
@ -804,6 +804,7 @@ MozContentPolicyType GetContentPolicyType(ExtContentPolicyType aType) {
    case ExtContentPolicy::TYPE_DTD:
      return MozContentPolicyType::Xml_dtd;
    case ExtContentPolicy::TYPE_FONT:
+    case ExtContentPolicy::TYPE_UA_FONT:
      return MozContentPolicyType::Font;
    case ExtContentPolicy::TYPE_MEDIA:
      return MozContentPolicyType::Media;