Bug 1806080 - Mixed content level 2 makes csp directive: block-all-mixed-content obsolete. r=freddyb

Differential Revision: https://phabricator.services.mozilla.com/D164895

dom/locales/en-US/chrome/security/csp.properties

@@ -96,6 +96,10 @@ IgnoringSrcBecauseOfDirective=Ignoring ‘%1$S’ because of ‘%2$S’ directiv
 # %1$S is the ignored src
 # %2$S is the directive  which supports src
 IgnoringSourceWithinDirective = Ignoring source “%1$S” (Not supported within ‘%2$S’).
+# LOCALIZATION NOTE (IgnoringSourceWithinDirective):
+# %1$S is the ignored src
+obsoleteBlockAllMixedContent = Ignoring ‘%1$S’ because mixed content display upgrading makes block-all-mixed-content obsolete.
+
 
 # CSP Errors:
 # LOCALIZATION NOTE (couldntParseInvalidSource):

dom/security/nsCSPParser.cpp

@@ -923,6 +923,15 @@ nsCSPDirective* nsCSPParser::directiveName() {
 
   // special case handling for block-all-mixed-content
   if (directive == nsIContentSecurityPolicy::BLOCK_ALL_MIXED_CONTENT) {
+    // If mixed content upgrade is enabled block-all-mixed content is obsolete
+    if (mozilla::StaticPrefs::
+            security_mixed_content_upgrade_display_content()) {
+      // log to the console that if mixed content display upgrading is enabled
+      // block-all-mixed-content is obsolete.
+      AutoTArray<nsString, 1> params = {mCurToken};
+      logWarningErrorToConsole(nsIScriptError::warningFlag,
+                               "obsoleteBlockAllMixedContent", params);
+    }
     return new nsBlockAllMixedContentDirective(directive);
   }
 

dom/security/test/mixedcontentblocker/browser.ini

@@ -5,15 +5,21 @@ support-files =
   download_page.html
   download_server.sjs
 
-[browser_test_mixed_content_download.js]
-skip-if = win10_2004 && debug # Bug 1723573
-[browser_mixed_content_auto_upgrade_display_console.js]
-support-files = file_mixed_content_auto_upgrade_display_console.html
 [browser_auto_upgrading_identity.js]
 support-files =
   auto_upgrading_identity.html
   auto_upgrading_identity.png
+[browser_csp_block_all_mixedcontent_and_mixed_content_display_upgrade.js]
+support-files =
+  file_csp_block_all_mixedcontent_and_mixed_content_display_upgrade.html
+  pass.png
+  test.ogv
+  test.wav
 [browser_mixed_content_auth_download.js]
 support-files =
   file_auth_download_page.html
   file_auth_download_server.sjs
+[browser_mixed_content_auto_upgrade_display_console.js]
+support-files = file_mixed_content_auto_upgrade_display_console.html
+[browser_test_mixed_content_download.js]
+skip-if = win10_2004 && debug # Bug 1723573

dom/security/test/mixedcontentblocker/browser_csp_block_all_mixedcontent_and_mixed_content_display_upgrade.js

@@ -0,0 +1,78 @@
+/*
+ * Description of the Test:
+ * We load an https page which uses a CSP including block-all-mixed-content.
+ * The page embedded an audio, img and video. ML2 should upgrade them and
+ * CSP should not be triggered.
+ */
+
+const PRE_PATH = getRootDirectory(gTestPath).replace(
+  "chrome://mochitests/content",
+  "https://example.com"
+);
+var gTestBrowser = null;
+let expectedMessages = 3;
+function on_new_message(msgObj) {
+  const message = msgObj.message;
+
+  // Check if csp warns about block-all-mixed content being obsolete
+  if (message.includes("Content Security Policy")) {
+    ok(
+      message.includes("block-all-mixed-content obsolete"),
+      "CSP warns about block-all-mixed content being obsolete"
+    );
+  }
+  if (message.includes("Mixed Content:")) {
+    ok(
+      message.includes("Upgrading insecure display request"),
+      "msg included a mixed content upgrade"
+    );
+    expectedMessages--;
+  }
+}
+
+add_task(async function() {
+  await SpecialPowers.pushPrefEnv({
+    set: [["security.mixed_content.upgrade_display_content", true]],
+  });
+  Services.console.registerListener(on_new_message);
+  // Starting the test
+  var url =
+    PRE_PATH +
+    "file_csp_block_all_mixedcontent_and_mixed_content_display_upgrade.html";
+
+  await BrowserTestUtils.withNewTab(
+    {
+      gBrowser,
+      url,
+      waitForLoad: true,
+    },
+    async function(browser) {
+      let loadedElements = await ContentTask.spawn(
+        browser,
+        [],
+        async function() {
+          // Check image loaded
+          let image = content.document.getElementById("some-img");
+          let imageLoaded =
+            image && image.complete && image.naturalHeight !== 0;
+          // Check audio loaded
+          let audio = content.document.getElementById("some-audio");
+          let audioLoaded = audio && audio.readyState >= 2;
+          // Check video loaded
+          let video = content.document.getElementById("some-video");
+          //let videoPlayable = await once(video, "loadeddata").then(_ => true);
+          let videoLoaded = video && video.readyState === 4;
+          return { audio: audioLoaded, img: imageLoaded, video: videoLoaded };
+        }
+      );
+      is(true, loadedElements.img, "Image loaded and was upgraded " + url);
+      is(true, loadedElements.video, "Video loaded and was upgraded " + url);
+      is(true, loadedElements.audio, "Audio loaded and was upgraded " + url);
+    }
+  );
+
+  await BrowserTestUtils.waitForCondition(() => expectedMessages === 0);
+
+  // Clean up
+  Services.console.unregisterListener(on_new_message);
+});

dom/security/test/mixedcontentblocker/file_csp_block_all_mixedcontent_and_mixed_content_display_upgrade.html

@@ -0,0 +1,14 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Bug 1806080 - ML2 with CSP block-all-mixed-content </title>
+  <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+</head>
+<body>
+   <!--upgradeable resources--->
+  <img id="some-img" src="http://test1.example.com/browser/dom/security/test/mixedcontentblocker/pass.png" width="100px">
+  <video id="some-video" src="http://test1.example.com/browser/dom/security/test/mixedcontentblocker/test.ogv" width="100px">
+  <audio id="some-audio" src="http://test1.example.com/browser/dom/security/test/mixedcontentblocker/test.wav" width="100px">
+</body>
+</html>