Backed out changeset c42c459d2be6 (bug 1790345) for causing mochitest failures in test_blocked_uri_in_violation_event_after_redirects.html CLOSED TREE

dom/security/nsCSPContext.cpp

@@ -993,19 +993,13 @@ void nsCSPContext::logToConsole(const char* aName,
  * Strip URI for reporting according to:
  * https://w3c.github.io/webappsec-csp/#security-violation-reports
  *
- * @param aSelfURI
- *        The URI of the CSP policy. Used for cross-origin checks.
  * @param aURI
  *        The URI of the blocked resource. In case of a redirect, this it the
  *        initial URI the request started out with, not the redirected URI.
- * @param aEffectiveDirective
- *        The effective directive that triggered this report
  * @return The ASCII serialization of the uri to be reported ignoring
  *         the ref part of the URI.
  */
-void StripURIForReporting(nsIURI* aSelfURI, nsIURI* aURI,
-                          const nsAString& aEffectiveDirective,
-                          nsACString& outStrippedURI) {
+void StripURIForReporting(nsIURI* aURI, nsACString& outStrippedURI) {
   // If the origin of aURI is a globally unique identifier (for example,
   // aURI has a scheme of data, blob, or filesystem), then
   // return the ASCII serialization of uri’s scheme.
@@ -1021,18 +1015,6 @@ void StripURIForReporting(nsIURI* aSelfURI, nsIURI* aURI,
     return;
   }
 
-  // For cross-origin URIs in frame-src also strip the path.
-  // This prevents detailed tracking of pages loaded into an iframe
-  // by the embedding page using a report-only policy.
-  if (aEffectiveDirective.EqualsLiteral("frame-src") ||
-      aEffectiveDirective.EqualsLiteral("object-src")) {
-    nsIScriptSecurityManager* ssm = nsContentUtils::GetSecurityManager();
-    if (NS_FAILED(ssm->CheckSameOriginURI(aSelfURI, aURI, false, false))) {
-      aURI->GetPrePath(outStrippedURI);
-      return;
-    }
-  }
-
   // Return aURI, with any fragment component removed.
   aURI->GetSpecIgnoringRef(outStrippedURI);
 }
@@ -1053,8 +1035,7 @@ nsresult nsCSPContext::GatherSecurityPolicyViolationEventData(
 
   // document-uri
   nsAutoCString reportDocumentURI;
-  StripURIForReporting(mSelfURI, mSelfURI, aEffectiveDirective,
-                       reportDocumentURI);
+  StripURIForReporting(mSelfURI, reportDocumentURI);
   CopyUTF8toUTF16(reportDocumentURI, aViolationEventInit.mDocumentURI);
 
   // referrer
@@ -1063,8 +1044,8 @@ nsresult nsCSPContext::GatherSecurityPolicyViolationEventData(
   // blocked-uri
   if (aBlockedURI) {
     nsAutoCString reportBlockedURI;
-    StripURIForReporting(mSelfURI, aOriginalURI ? aOriginalURI : aBlockedURI,
-                         aEffectiveDirective, reportBlockedURI);
+    StripURIForReporting(aOriginalURI ? aOriginalURI : aBlockedURI,
+                         reportBlockedURI);
     CopyUTF8toUTF16(reportBlockedURI, aViolationEventInit.mBlockedURI);
   } else {
     CopyUTF8toUTF16(aBlockedString, aViolationEventInit.mBlockedURI);
@@ -1092,7 +1073,7 @@ nsresult nsCSPContext::GatherSecurityPolicyViolationEventData(
     NS_NewURI(getter_AddRefs(sourceURI), aSourceFile);
     if (sourceURI) {
       nsAutoCString spec;
-      StripURIForReporting(mSelfURI, sourceURI, aEffectiveDirective, spec);
+      StripURIForReporting(sourceURI, spec);
       CopyUTF8toUTF16(spec, aViolationEventInit.mSourceFile);
     } else {
       aViolationEventInit.mSourceFile = aSourceFile;