Bug 1367531: CSP should only check host (not including path) when performing frame ancestors checks. r=dveditz

2017-06-06 09:12:13 +02:00 · 2017-06-06 09:12:13 +02:00 · 4956d67907
--- a/dom/security/nsCSPParser.cpp
+++ b/dom/security/nsCSPParser.cpp
@ -135,6 +135,7 @@ nsCSPParser::nsCSPParser(cspTokens& aTokens,
 , mUnsafeInlineKeywordSrc(nullptr)
 , mChildSrc(nullptr)
 , mFrameSrc(nullptr)
+ , mParsingFrameAncestorsDir(false)
 , mTokens(aTokens)
 , mSelfURI(aSelfURI)
 , mPolicy(nullptr)
@ -813,6 +814,7 @@ nsCSPParser::sourceExpression()
  if (nsCSPHostSrc *cspHost = hostSource()) {
    // Do not forget to set the parsed scheme.
    cspHost->setScheme(parsedScheme);
+    cspHost->setWithinFrameAncestorsDir(mParsingFrameAncestorsDir);
    return cspHost;
  }
  // Error was reported in hostSource()
@ -1220,6 +1222,9 @@ nsCSPParser::directive()
  mStrictDynamic = false;
  mUnsafeInlineKeywordSrc = nullptr;

+  mParsingFrameAncestorsDir =
+    CSP_IsDirective(mCurDir[0], nsIContentSecurityPolicy::FRAME_ANCESTORS_DIRECTIVE);
+
  // Try to parse all the srcs by handing the array off to directiveValue
  nsTArray<nsCSPBaseSrc*> srcs;
  directiveValue(srcs);
--- a/dom/security/nsCSPParser.h
+++ b/dom/security/nsCSPParser.h
@ -251,6 +251,10 @@ class nsCSPParser {
    nsCSPChildSrcDirective* mChildSrc;
    nsCSPDirective*         mFrameSrc;

+    // cache variable to let nsCSPHostSrc know that it's within
+    // the frame-ancestors directive.
+    bool                    mParsingFrameAncestorsDir;
+
    cspTokens          mTokens;
    nsIURI*            mSelfURI;
    nsCSPPolicy*       mPolicy;
--- a/dom/security/nsCSPUtils.cpp
+++ b/dom/security/nsCSPUtils.cpp
@ -522,6 +522,7 @@ nsCSPSchemeSrc::toString(nsAString& outStr) const
 nsCSPHostSrc::nsCSPHostSrc(const nsAString& aHost)
  : mHost(aHost)
  , mGeneratedFromSelfKeyword(false)
+  , mWithinFrameAncstorsDir(false)
 {
  ToLowerCase(mHost);
 }
@ -705,6 +706,11 @@ nsCSPHostSrc::permits(nsIURI* aUri, const nsAString& aNonce, bool aWasRedirected
    rv = url->GetFilePath(uriPath);
    NS_ENSURE_SUCCESS(rv, false);

+    if (mWithinFrameAncstorsDir) {
+      // no path matching for frame-ancestors to not leak any path information.
+      return true;
+    }
+
    nsString decodedUriPath;
    CSP_PercentDecodeStr(NS_ConvertUTF8toUTF16(uriPath), decodedUriPath);

--- a/dom/security/nsCSPUtils.h
+++ b/dom/security/nsCSPUtils.h
@ -257,7 +257,10 @@ class nsCSPHostSrc : public nsCSPBaseSrc {
    void appendPath(const nsAString &aPath);

    inline void setGeneratedFromSelfKeyword() const
-      { mGeneratedFromSelfKeyword = true;}
+      { mGeneratedFromSelfKeyword = true; }
+
+    inline void setWithinFrameAncestorsDir(bool aValue) const
+      { mWithinFrameAncstorsDir = aValue; }

    inline void getScheme(nsAString& outStr) const
      { outStr.Assign(mScheme); };
@ -277,6 +280,7 @@ class nsCSPHostSrc : public nsCSPBaseSrc {
    nsString mPort;
    nsString mPath;
    mutable bool mGeneratedFromSelfKeyword;
+    mutable bool mWithinFrameAncstorsDir;
 };

 /* =============== nsCSPKeywordSrc ============ */