Bug 1578231: Hardcode whitelist of about: pages where we can not apply a CSP. r=jkt

Differential Revision: https://phabricator.services.mozilla.com/D44617 --HG-- extra : moz-landing-system : lando
2019-09-05 09:44:13 +00:00 · 2019-09-05 09:44:13 +00:00 · 4e4f4a0bf6
--- a/dom/security/nsContentSecurityUtils.cpp
+++ b/dom/security/nsContentSecurityUtils.cpp
@ -18,8 +18,6 @@
 void nsContentSecurityUtils::AssertAboutPageHasCSP(Document* aDocument) {
  // We want to get to a point where all about: pages ship with a CSP. This
  // assertion ensures that we can not deploy new about: pages without a CSP.
-  // Initially we will whitelist legacy about: pages which not yet have a CSP
-  // attached, but ultimately that whitelist should disappear.
  // Please note that any about: page should not use inline JS or inline CSS,
  // and instead should load JS and CSS from an external file (*.js, *.css)
  // which allows us to apply a strong CSP omitting 'unsafe-inline'. Ideally,
@ -27,43 +25,15 @@ void nsContentSecurityUtils::AssertAboutPageHasCSP(Document* aDocument) {
  // should at least be as strong as:
  // <meta http-equiv="Content-Security-Policy" content="default-src chrome:"/>

-  // Check if we are loading an about: URI at all
-  nsCOMPtr<nsIURI> documentURI = aDocument->GetDocumentURI();
-  if (!documentURI->SchemeIs("about") ||
-      Preferences::GetBool("csp.skip_about_page_has_csp_assert")) {
+  // Check if we should skip the assertion
+  if (Preferences::GetBool("csp.skip_about_page_has_csp_assert")) {
    return;
  }

-  // Potentially init the legacy whitelist of about URIs without a CSP.
-  static StaticAutoPtr<nsTArray<nsCString>> sLegacyAboutPagesWithNoCSP;
-  if (!sLegacyAboutPagesWithNoCSP ||
-      Preferences::GetBool("csp.overrule_about_uris_without_csp_whitelist")) {
-    sLegacyAboutPagesWithNoCSP = new nsTArray<nsCString>();
-    nsAutoCString legacyAboutPages;
-    Preferences::GetCString("csp.about_uris_without_csp", legacyAboutPages);
-    for (const nsACString& hostString : legacyAboutPages.Split(',')) {
-      // please note that for the actual whitelist we only store the path of
-      // about: URI. Let's reassemble the full about URI here so we don't
-      // have to remove query arguments later.
-      nsCString aboutURI;
-      aboutURI.AppendLiteral("about:");
-      aboutURI.Append(hostString);
-      sLegacyAboutPagesWithNoCSP->AppendElement(aboutURI);
-    }
-    ClearOnShutdown(&sLegacyAboutPagesWithNoCSP);
-  }
-
-  // Check if the about URI is whitelisted
-  nsAutoCString aboutSpec;
-  documentURI->GetSpec(aboutSpec);
-  ToLowerCase(aboutSpec);
-  for (auto& legacyPageEntry : *sLegacyAboutPagesWithNoCSP) {
-    // please note that we perform a substring match here on purpose,
-    // so we don't have to deal and parse out all the query arguments
-    // the various about pages rely on.
-    if (aboutSpec.Find(legacyPageEntry) == 0) {
-      return;
-    }
+  // Check if we are loading an about: URI at all
+  nsCOMPtr<nsIURI> documentURI = aDocument->GetDocumentURI();
+  if (!documentURI->SchemeIs("about")) {
+    return;
  }

  nsCOMPtr<nsIContentSecurityPolicy> csp = aDocument->GetCsp();
@ -80,10 +50,44 @@ void nsContentSecurityUtils::AssertAboutPageHasCSP(Document* aDocument) {
      }
    }
  }
-  if (Preferences::GetBool("csp.overrule_about_uris_without_csp_whitelist")) {
+
+  // Check if we should skip the allowlist and assert right away. Please note
+  // that this pref can and should only be set for automated testing.
+  if (Preferences::GetBool("csp.skip_about_page_csp_allowlist_and_assert")) {
    NS_ASSERTION(foundDefaultSrc, "about: page must have a CSP");
    return;
  }
+
+  nsAutoCString aboutSpec;
+  documentURI->GetSpec(aboutSpec);
+  ToLowerCase(aboutSpec);
+
+  // This allowlist contains about: pages that are permanently allowed to
+  // render without a CSP applied.
+  static nsLiteralCString sAllowedAboutPagesWithNoCSP[] = {
+      // about:blank is a special about page -> no CSP
+      NS_LITERAL_CSTRING("about:blank"),
+      // about:srcdoc is a special about page -> no CSP
+      NS_LITERAL_CSTRING("about:srcdoc"),
+      // about:sync-log displays plain text only -> no CSP
+      NS_LITERAL_CSTRING("about:sync-log"),
+      // about:printpreview displays plain text only -> no CSP
+      NS_LITERAL_CSTRING("about:printpreview"),
+      // Bug 1497200: Apply Meta CSP to about:downloads
+      NS_LITERAL_CSTRING("about:downloads"),
+      // Bug 1497584: Apply Meta CSP to about:preferences
+      NS_LITERAL_CSTRING("about:preferences"),
+  };
+
+  for (const nsLiteralCString& allowlistEntry : sAllowedAboutPagesWithNoCSP) {
+    // please note that we perform a substring match here on purpose,
+    // so we don't have to deal and parse out all the query arguments
+    // the various about pages rely on.
+    if (StringBeginsWith(aboutSpec, allowlistEntry)) {
+      return;
+    }
+  }
+
  MOZ_ASSERT(foundDefaultSrc,
             "about: page must contain a CSP including default-src");
 }
--- a/dom/security/test/general/test_assert_about_page_no_csp.html
+++ b/dom/security/test/general/test_assert_about_page_no_csp.html
@ -9,31 +9,20 @@
 <iframe id="testframe"></iframe>
 <script class="testbody" type="text/javascript">

+  // Test Setup: The test overrules the allowlist of about: pages that are allowed to load
+  // without a CSP and makes sure to hit the assertion within AssertAboutPageHasCSP().
+
+  SpecialPowers.setBoolPref("csp.skip_about_page_csp_allowlist_and_assert", true);
+
  SimpleTest.waitForExplicitFinish();
  SimpleTest.expectAssertions(0, 1);

-  // Test Setup:
-  // The test overrules the whitelist of about: pages that are allowed to load without a CSP
-  // and makes sure to hit the assertion within AssertAboutPageHasCSP().
-  // However, due to the caching mechanism within AssertAboutPageHasCSP this
-  // test loads a second dummy data: URI to reset the old cache and finally resets the pref
-  // used for testing purposes.
-
-  let origWhiteList = SpecialPowers.getCharPref("csp.about_uris_without_csp");
-
-  SpecialPowers.setCharPref("csp.about_uris_without_csp", "");
-  SpecialPowers.setBoolPref("csp.overrule_about_uris_without_csp_whitelist", true);
-
  ok(true, "sanity: prefs flipped and test runs");
  let myFrame = document.getElementById("testframe");
  myFrame.src = "about:blank";
  // booom :-)

-  SpecialPowers.setCharPref("csp.about_uris_without_csp", origWhiteList);
-  myFrame.src = "data:text/html,<body>just a dumy data: URI</body>";
-
-  SpecialPowers.setBoolPref("csp.overrule_about_uris_without_csp_whitelist", false);
-
+  SpecialPowers.setBoolPref("csp.skip_about_page_csp_allowlist_and_assert", false);
  SimpleTest.finish();
 </script>
 </pre>
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@ -2254,10 +2254,13 @@ pref("security.dialog_enable_delay", 1000);
 pref("security.notification_enable_delay", 500);

 #if defined(DEBUG) && !defined(ANDROID)
-  pref("csp.about_uris_without_csp", "blank,printpreview,srcdoc,downloads,preferences,sync-log");
-  // the following prefs are for testing purposes only.
-  pref("csp.overrule_about_uris_without_csp_whitelist", false);
+  // For testing purposes only: Flipping this pref to true allows
+  // to skip the assertion that every about page ships with a CSP.
  pref("csp.skip_about_page_has_csp_assert", false);
+  // For testing purposes only: Flipping this pref to true allows
+  // to skip the allowlist for about: pages and do not ship with a
+  // CSP and NS_ASSERT right away.
+  pref("csp.skip_about_page_csp_allowlist_and_assert", false);
 #endif

 #ifdef EARLY_BETA_OR_EARLIER