Backed out changeset a4dd0dc4e354 (bug 824652) for Android M1 orange.

2013-08-05 19:21:17 -04:00 · 2013-08-05 19:21:17 -04:00 · 3eb19df999
--- a/content/base/public/nsContentUtils.h
+++ b/content/base/public/nsContentUtils.h
@ -44,7 +44,6 @@ class nsIChannel;
 class nsIConsoleService;
 class nsIContent;
 class nsIContentPolicy;
-class nsIContentSecurityPolicy;
 class nsIDocShell;
 class nsIDocument;
 class nsIDocumentLoaderFactory;
@ -472,12 +471,6 @@ public:
    return sSecurityManager;
  }

-  /**
-   * Get the ContentSecurityPolicy for a JS context.
-   **/
-  static bool GetContentSecurityPolicy(JSContext* aCx,
-                                       nsIContentSecurityPolicy** aCSP);
-
  // Returns the subject principal. Guaranteed to return non-null. May only
  // be called when nsContentUtils is initialized.
  static nsIPrincipal* GetSubjectPrincipal();
--- a/content/base/src/nsContentUtils.cpp
+++ b/content/base/src/nsContentUtils.cpp
@ -6025,34 +6025,6 @@ nsContentUtils::FindInternalContentViewer(const char* aType,
  return nullptr;
 }

-bool
-nsContentUtils::GetContentSecurityPolicy(JSContext* aCx,
-                                         nsIContentSecurityPolicy** aCSP)
-{
-  NS_ASSERTION(NS_IsMainThread(), "Wrong thread!");
-
-  // Get the security manager
-  nsCOMPtr<nsIScriptSecurityManager> ssm = nsContentUtils::GetSecurityManager();
-
-  if (!ssm) {
-    NS_ERROR("Failed to get security manager service");
-    return false;
-  }
-
-  nsCOMPtr<nsIPrincipal> subjectPrincipal = ssm->GetCxSubjectPrincipal(aCx);
-  NS_ASSERTION(subjectPrincipal, "Failed to get subjectPrincipal");
-
-  nsCOMPtr<nsIContentSecurityPolicy> csp;
-  nsresult rv = subjectPrincipal->GetCsp(getter_AddRefs(csp));
-  if (NS_FAILED(rv)) {
-    NS_ERROR("CSP: Failed to get CSP from principal.");
-    return false;
-  }
-
-  csp.forget(aCSP);
-  return true;
-}
-
 // static
 bool
 nsContentUtils::IsPatternMatching(nsAString& aValue, nsAString& aPattern,
--- a/content/base/test/Makefile.in
+++ b/content/base/test/Makefile.in
@ -363,9 +363,6 @@ MOCHITEST_FILES_B = \
 	 	file_CSP_evalscript_main_spec_compliant.html^headers^ \
 		file_CSP_evalscript_main_spec_compliant_allowed.html \
 		file_CSP_evalscript_main_spec_compliant_allowed.html^headers^ \
-		file_CSP_evalscript_no_CSP_at_all.html \
-		file_CSP_evalscript_no_CSP_at_all.html^headers^ \
-		file_CSP_evalscript_no_CSP_at_all.js \
 		test_CSP_inlinestyle.html \
 		file_CSP_inlinestyle_main.html \
 		file_CSP_inlinestyle_main.html^headers^ \
--- a/content/base/test/file_CSP_evalscript_main.js
+++ b/content/base/test/file_CSP_evalscript_main.js
@ -30,16 +30,6 @@ var onevalblocked = (function(window) {
 // Defer until document is loaded so that we can write the pretty result boxes
 // out.
 addEventListener('load', function() {
-  // generateCRMFRequest test -- make sure we cannot eval the callback if CSP is in effect
-  try {
-    var script = 'console.log("dynamic script eval\'d in crypto.generateCRMFRequest should be disallowed")';
-    crypto.generateCRMFRequest('CN=0', 0, 0, null, script, 384, null, 'rsa-dual-use');
-    onevalexecuted(false, "crypto.generateCRMFRequest()",
-                   "crypto.generateCRMFRequest() should not run!");
-  } catch (e) {
-    onevalblocked(false, "eval(script) inside crypto.generateCRMFRequest",
-                  "eval was blocked during crypto.generateCRMFRequest");
-  }

  // setTimeout(String) test -- mutate something in the window._testResults
  // obj, then check it.
--- a/content/base/test/file_CSP_evalscript_main_allowed.js
+++ b/content/base/test/file_CSP_evalscript_main_allowed.js
@ -28,17 +28,6 @@ var onevalblocked = (function(window) {
 // Defer until document is loaded so that we can write the pretty result boxes
 // out.
 addEventListener('load', function() {
-  // test that allows crypto.generateCRMFRequest eval to run
-  try {
-      var script =
-        'console.log("dynamic script passed to crypto.generateCRMFRequest should execute")';
-      crypto.generateCRMFRequest('CN=0', 0, 0, null, script, 384, null, 'rsa-dual-use');
-      onevalexecuted(true, "eval(script) inside crypto.generateCRMFRequest",
-                     "eval executed during crypto.generateCRMFRequest");
-  } catch (e) {
-    onevalblocked(true, "eval(script) inside crypto.generateCRMFRequest",
-                  "eval was blocked during crypto.generateCRMFRequest");
-  }

  // setTimeout(String) test  -- should pass
  try {
--- a/content/base/test/file_CSP_evalscript_no_CSP_at_all.html
+++ b/content/base/test/file_CSP_evalscript_no_CSP_at_all.html
@ -1,12 +0,0 @@
-<html>
-  <head>
-    <title>CSP eval script tests: no CSP specified</title>
-    <script type="application/javascript"
-             src="file_CSP_evalscript_no_CSP_at_all.js"></script>
-  </head>
-  <body>
-
-    Foo. See bug 824652
-
-  </body>
-</html>
--- a/content/base/test/file_CSP_evalscript_no_CSP_at_all.html^headers^
+++ b/content/base/test/file_CSP_evalscript_no_CSP_at_all.html^headers^
@ -1 +0,0 @@
-Cache-Control: no-cache
--- a/content/base/test/file_CSP_evalscript_no_CSP_at_all.js
+++ b/content/base/test/file_CSP_evalscript_no_CSP_at_all.js
@ -1,42 +0,0 @@
-// some javascript for the CSP eval() tests
-// all of these evals should succeed, as the document loading this script
-// has script-src 'self' 'unsafe-eval'
-
-function logResult(str, passed) {
-  var elt = document.createElement('div');
-  var color = passed ? "#cfc;" : "#fcc";
-  elt.setAttribute('style', 'background-color:' + color + '; width:100%; border:1px solid black; padding:3px; margin:4px;');
-  elt.innerHTML = str;
-  document.body.appendChild(elt);
-}
-
-// callback for when stuff is allowed by CSP
-var onevalexecuted = (function(window) {
-    return function(shouldrun, what, data) {
-      window.parent.scriptRan(shouldrun, what, data);
-      logResult((shouldrun ? "PASS: " : "FAIL: ") + what + " : " + data, shouldrun);
-    };})(window);
-
-// callback for when stuff is blocked
-var onevalblocked = (function(window) {
-    return function(shouldrun, what, data) {
-      window.parent.scriptBlocked(shouldrun, what, data);
-      logResult((shouldrun ? "FAIL: " : "PASS: ") + what + " : " + data, !shouldrun);
-    };})(window);
-
-
-// Defer until document is loaded so that we can write the pretty result boxes
-// out.
-addEventListener('load', function() {
-  // test that allows crypto.generateCRMFRequest eval to run when there is no CSP at all in place
-  try {
-      var script =
-        'console.log("dynamic script passed to crypto.generateCRMFRequest should execute")';
-      crypto.generateCRMFRequest('CN=0', 0, 0, null, script, 384, null, 'rsa-dual-use');
-      onevalexecuted(true, "eval(script) inside crypto.generateCRMFRequest: no CSP at all",
-                     "eval executed during crypto.generateCRMFRequest where no CSP is set at all");
-  } catch (e) {
-    onevalblocked(true, "eval(script) inside crypto.generateCRMFRequest",
-                  "eval was blocked during crypto.generateCRMFRequest");
-  }
-}, false);
--- a/content/base/test/test_CSP_evalscript.html
+++ b/content/base/test/test_CSP_evalscript.html
@ -15,14 +15,13 @@
 <iframe style="width:100%;height:300px;" id='cspframe'></iframe>
 <iframe style="width:100%;height:300px;" id='cspframe2'></iframe>
 <iframe style="width:100%;height:300px;" id='cspframe3'></iframe>
-<iframe style="width:100%;height:300px;" id='cspframe4'></iframe>
 <script class="testbody" type="text/javascript">

 var path = "/tests/content/base/test/";

 var evalScriptsThatRan = 0;
 var evalScriptsBlocked = 0;
-var evalScriptsTotal = 28;
+var evalScriptsTotal = 24;


 // called by scripts that run
@ -62,7 +61,6 @@ SpecialPowers.pushPrefEnv(
      document.getElementById('cspframe').src = 'file_CSP_evalscript_main.html';
      document.getElementById('cspframe2').src = 'file_CSP_evalscript_main_spec_compliant.html';
      document.getElementById('cspframe3').src = 'file_CSP_evalscript_main_spec_compliant_allowed.html';
-      document.getElementById('cspframe4').src = 'file_CSP_evalscript_no_CSP_at_all.html';
    });
 </script>
 </pre>
--- a/dom/workers/WorkerPrivate.cpp
+++ b/dom/workers/WorkerPrivate.cpp
@ -2729,7 +2729,7 @@ WorkerPrivate::Create(JSContext* aCx, JS::Handle<JSObject*> aObj, WorkerPrivate*
      return nullptr;
    }

-    if (!nsContentUtils::GetContentSecurityPolicy(aCx, getter_AddRefs(csp))) {
+    if (!GetContentSecurityPolicy(aCx, getter_AddRefs(csp))) {
      return nullptr;
    }

@ -4375,6 +4375,34 @@ WorkerPrivate::GetCrossThreadDispatcher()
  return mCrossThreadDispatcher;
 }

+bool
+WorkerPrivate::GetContentSecurityPolicy(JSContext* aCx,
+                                        nsIContentSecurityPolicy** aCSP)
+{
+  AssertIsOnMainThread();
+
+  // Get the security manager
+  nsCOMPtr<nsIScriptSecurityManager> ssm = nsContentUtils::GetSecurityManager();
+
+  if (!ssm) {
+    NS_ERROR("Failed to get security manager service");
+    return false;
+  }
+
+  nsCOMPtr<nsIPrincipal> subjectPrincipal = ssm->GetCxSubjectPrincipal(aCx);
+  NS_ASSERTION(subjectPrincipal, "Failed to get subjectPrincipal");
+
+  nsCOMPtr<nsIContentSecurityPolicy> csp;
+  nsresult rv = subjectPrincipal->GetCsp(getter_AddRefs(csp));
+  if (NS_FAILED(rv)) {
+    NS_ERROR("CSP: Failed to get CSP from principal.");
+    return false;
+  }
+
+  csp.forget(aCSP);
+  return true;
+}
+
 void
 WorkerPrivate::BeginCTypesCall()
 {
--- a/dom/workers/WorkerPrivate.h
+++ b/dom/workers/WorkerPrivate.h
@ -909,6 +909,10 @@ private:
                nsCOMPtr<nsIContentSecurityPolicy>& aCSP, bool aEvalAllowed,
                bool aReportCSPViolations, bool aXHRParamsAllowed);

+  static bool
+  GetContentSecurityPolicy(JSContext *aCx,
+                           nsIContentSecurityPolicy** aCsp);
+
  bool
  Dispatch(WorkerRunnable* aEvent, EventQueue* aQueue);

--- a/security/manager/ssl/src/nsCrypto.cpp
+++ b/security/manager/ssl/src/nsCrypto.cpp
@ -44,13 +44,11 @@
 #include "nsIPrompt.h"
 #include "nsIFilePicker.h"
 #include "nsJSPrincipals.h"
-#include "nsJSUtils.h"
 #include "nsIPrincipal.h"
 #include "nsIScriptSecurityManager.h"
 #include "nsIGenKeypairInfoDlg.h"
 #include "nsIDOMCryptoDialogs.h"
 #include "nsIFormSigningDialog.h"
-#include "nsIContentSecurityPolicy.h"
 #include "jsapi.h"
 #include "jsdbgapi.h"
 #include <ctype.h>
@ -1896,39 +1894,6 @@ nsCrypto::GenerateCRMFRequest(JSContext* aContext,
    return nullptr;
  }

-  nsCOMPtr<nsIContentSecurityPolicy> csp;
-  if (!nsContentUtils::GetContentSecurityPolicy(aContext, getter_AddRefs(csp))) {
-    NS_ERROR("Error: failed to get CSP");
-    aRv.Throw(NS_ERROR_FAILURE);
-    return nullptr;
-  }
-
-  bool evalAllowed = true;
-  bool reportEvalViolations = false;
-  if (csp && NS_FAILED(csp->GetAllowsEval(&reportEvalViolations, &evalAllowed))) {
-    NS_WARNING("CSP: failed to get allowsEval");
-    aRv.Throw(NS_ERROR_FAILURE);
-    return nullptr;
-  }
-
-  if (reportEvalViolations) {
-    NS_NAMED_LITERAL_STRING(scriptSample, "window.crypto.generateCRMFRequest: call to eval() or related function blocked by CSP");
-
-    const char *fileName;
-    uint32_t lineNum;
-    nsJSUtils::GetCallingLocation(aContext, &fileName, &lineNum);
-    csp->LogViolationDetails(nsIContentSecurityPolicy::VIOLATION_TYPE_EVAL,
-                             NS_ConvertASCIItoUTF16(fileName),
-                             scriptSample,
-                             lineNum);
-  }
-
-  if (!evalAllowed) {
-    NS_WARNING("eval() not allowed by Content Security Policy");
-    aRv.Throw(NS_ERROR_FAILURE);
-    return nullptr;
-  }
-
  //Put up some UI warning that someone is trying to
  //escrow the private key.
  //Don't addref this copy.  That way ths reference goes away
@ -2077,6 +2042,7 @@ nsCrypto::GenerateCRMFRequest(JSContext* aContext,
  return crmf.forget();
 }

+
 // Reminder that we inherit the memory passed into us here.
 // An implementation to let us back up certs as an event.
 nsP12Runnable::nsP12Runnable(nsIX509Cert **certArr, int32_t numCerts,