зеркало из https://github.com/mozilla/gecko-dev.git
Bug 1806080
- Mixed content level 2 makes csp directive: block-all-mixed-content obsolete. r=freddyb
Differential Revision: https://phabricator.services.mozilla.com/D164895
Родитель
906efb8be5
Коммит
50ae345109
|
@ -96,6 +96,10 @@ IgnoringSrcBecauseOfDirective=Ignoring ‘%1$S’ because of ‘%2$S’ directiv
|
|||
# %1$S is the ignored src
|
||||
# %2$S is the directive which supports src
|
||||
IgnoringSourceWithinDirective = Ignoring source “%1$S” (Not supported within ‘%2$S’).
|
||||
# LOCALIZATION NOTE (IgnoringSourceWithinDirective):
|
||||
# %1$S is the ignored src
|
||||
obsoleteBlockAllMixedContent = Ignoring ‘%1$S’ because mixed content display upgrading makes block-all-mixed-content obsolete.
|
||||
|
||||
|
||||
# CSP Errors:
|
||||
# LOCALIZATION NOTE (couldntParseInvalidSource):
|
||||
|
|
|
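Review bot: The comment above `obsoleteBlockAllMixedContent` reads `# LOCALIZATION NOTE (IgnoringSourceWithinDirective):` and describes `%1$S` as "the ignored src", which looks copied from the preceding entry (the +/- markers are lost in this rendering, so which of these lines are new is inferred). In the parser section of this commit the only parameter passed for this string is `mCurToken`, read at the point a directive name has been matched, so localizers are told the wrong key and the wrong meaning for the placeholder. Suggest `# LOCALIZATION NOTE (obsoleteBlockAllMixedContent):` followed by `# %1$S is the name of the obsolete directive`.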
@ -923,6 +923,15 @@ nsCSPDirective* nsCSPParser::directiveName() {
|
|||
|
||||
// special case handling for block-all-mixed-content
|
||||
if (directive == nsIContentSecurityPolicy::BLOCK_ALL_MIXED_CONTENT) {
|
||||
// If mixed content upgrade is enabled block-all-mixed content is obsolete
|
||||
if (mozilla::StaticPrefs::
|
||||
security_mixed_content_upgrade_display_content()) {
|
||||
// log to the console that if mixed content display upgrading is enabled
|
||||
// block-all-mixed-content is obsolete.
|
||||
AutoTArray<nsString, 1> params = {mCurToken};
|
||||
logWarningErrorToConsole(nsIScriptError::warningFlag,
|
||||
"obsoleteBlockAllMixedContent", params);
|
||||
}
|
||||
return new nsBlockAllMixedContentDirective(directive);
|
||||
}
|
||||
|
||||
|
|
|
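Review bot: The warning tells the page author that the directive is being ignored, but the branch still falls through to `return new nsBlockAllMixedContentDirective(directive);`, so on these lines the directive is parsed into the policy exactly as before. Where enforcement is actually skipped when `security_mixed_content_upgrade_display_content()` is true is not visible here, and directiveName() starts and ends outside the hunk. A comment at the return would make the security behaviour auditable, for example `// Still added to the policy; enforcement is skipped in <enforcement site> when display upgrading is on.` The two comments around the pref check say the same thing, so the inner one could be dropped.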
@ -5,15 +5,21 @@ support-files =
|
|||
download_page.html
|
||||
download_server.sjs
|
||||
|
||||
[browser_test_mixed_content_download.js]
|
||||
skip-if = win10_2004 && debug # Bug 1723573
|
||||
[browser_mixed_content_auto_upgrade_display_console.js]
|
||||
support-files = file_mixed_content_auto_upgrade_display_console.html
|
||||
[browser_auto_upgrading_identity.js]
|
||||
support-files =
|
||||
auto_upgrading_identity.html
|
||||
auto_upgrading_identity.png
|
||||
[browser_csp_block_all_mixedcontent_and_mixed_content_display_upgrade.js]
|
||||
support-files =
|
||||
file_csp_block_all_mixedcontent_and_mixed_content_display_upgrade.html
|
||||
pass.png
|
||||
test.ogv
|
||||
test.wav
|
||||
[browser_mixed_content_auth_download.js]
|
||||
support-files =
|
||||
file_auth_download_page.html
|
||||
file_auth_download_server.sjs
|
||||
[browser_mixed_content_auto_upgrade_display_console.js]
|
||||
support-files = file_mixed_content_auto_upgrade_display_console.html
|
||||
[browser_test_mixed_content_download.js]
|
||||
skip-if = win10_2004 && debug # Bug 1723573
|
||||
|
|
|
@ -0,0 +1,78 @@
|
|||
/*
|
||||
* Description of the Test:
|
||||
* We load an https page which uses a CSP including block-all-mixed-content.
|
||||
* The page embedded an audio, img and video. ML2 should upgrade them and
|
||||
* CSP should not be triggered.
|
||||
*/
|
||||
|
||||
const PRE_PATH = getRootDirectory(gTestPath).replace(
|
||||
"chrome://mochitests/content",
|
||||
"https://example.com"
|
||||
);
|
||||
var gTestBrowser = null;
|
||||
let expectedMessages = 3;
|
||||
function on_new_message(msgObj) {
|
||||
const message = msgObj.message;
|
||||
|
||||
// Check if csp warns about block-all-mixed content being obsolete
|
||||
if (message.includes("Content Security Policy")) {
|
||||
ok(
|
||||
message.includes("block-all-mixed-content obsolete"),
|
||||
"CSP warns about block-all-mixed content being obsolete"
|
||||
);
|
||||
}
|
||||
if (message.includes("Mixed Content:")) {
|
||||
ok(
|
||||
message.includes("Upgrading insecure display request"),
|
||||
"msg included a mixed content upgrade"
|
||||
);
|
||||
expectedMessages--;
|
||||
}
|
||||
}
|
||||
|
||||
add_task(async function() {
|
||||
await SpecialPowers.pushPrefEnv({
|
||||
set: [["security.mixed_content.upgrade_display_content", true]],
|
||||
});
|
||||
Services.console.registerListener(on_new_message);
|
||||
// Starting the test
|
||||
var url =
|
||||
PRE_PATH +
|
||||
"file_csp_block_all_mixedcontent_and_mixed_content_display_upgrade.html";
|
||||
|
||||
await BrowserTestUtils.withNewTab(
|
||||
{
|
||||
gBrowser,
|
||||
url,
|
||||
waitForLoad: true,
|
||||
},
|
||||
async function(browser) {
|
||||
let loadedElements = await ContentTask.spawn(
|
||||
browser,
|
||||
[],
|
||||
async function() {
|
||||
// Check image loaded
|
||||
let image = content.document.getElementById("some-img");
|
||||
let imageLoaded =
|
||||
image && image.complete && image.naturalHeight !== 0;
|
||||
// Check audio loaded
|
||||
let audio = content.document.getElementById("some-audio");
|
||||
let audioLoaded = audio && audio.readyState >= 2;
|
||||
// Check video loaded
|
||||
let video = content.document.getElementById("some-video");
|
||||
//let videoPlayable = await once(video, "loadeddata").then(_ => true);
|
||||
let videoLoaded = video && video.readyState === 4;
|
||||
return { audio: audioLoaded, img: imageLoaded, video: videoLoaded };
|
||||
}
|
||||
);
|
||||
is(true, loadedElements.img, "Image loaded and was upgraded " + url);
|
||||
is(true, loadedElements.video, "Video loaded and was upgraded " + url);
|
||||
is(true, loadedElements.audio, "Audio loaded and was upgraded " + url);
|
||||
}
|
||||
);
|
||||
|
||||
await BrowserTestUtils.waitForCondition(() => expectedMessages === 0);
|
||||
|
||||
// Clean up
|
||||
Services.console.unregisterListener(on_new_message);
|
||||
});
|
|
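Review bot: The test can pass without the new CSP warning ever being logged, because `on_new_message` asserts on the obsolete-directive text only if a "Content Security Policy" message happens to arrive, and `expectedMessages` is decremented only for "Mixed Content:" messages. The console warning is the behaviour this commit adds, so it should be a required condition: declare `let sawObsoleteWarning = false;`, set it to `true` inside the CSP branch, and wait on `() => expectedMessages === 0 && sawObsoleteWarning`. The listener is also unregistered only on the success path; passing the unregister call to `registerCleanupFunction` right after `registerListener` would keep a failed or timed-out run from leaving it attached. The commented-out `once(video, "loadeddata")` line at the video check should be deleted or replaced by a real wait, since `readyState === 4` sampled once after load may be timing-dependent.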
@ -0,0 +1,14 @@
|
|||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<head>
|
||||
<meta charset="utf-8">
|
||||
<title>Bug 1806080 - ML2 with CSP block-all-mixed-content </title>
|
||||
<meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
|
||||
</head>
|
||||
<body>
|
||||
<!--upgradeable resources--->
|
||||
<img id="some-img" src="http://test1.example.com/browser/dom/security/test/mixedcontentblocker/pass.png" width="100px">
|
||||
<video id="some-video" src="http://test1.example.com/browser/dom/security/test/mixedcontentblocker/test.ogv" width="100px">
|
||||
<audio id="some-audio" src="http://test1.example.com/browser/dom/security/test/mixedcontentblocker/test.wav" width="100px">
|
||||
</body>
|
||||
</html>
|
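Review bot: The `<video>` and `<audio>` elements are never closed, so the HTML parser will nest `some-audio` inside `some-video` as fallback content rather than treating it as a sibling. The test looks the elements up by id, so it may still work, but the fixture then exercises a different DOM from the one it appears to describe. Adding `</video>` and `</audio>` after the respective opening tags would make the three upgradeable loads independent. The comment on the line above the `<img>` ends with `--->` where `-->` is intended, and `width="100px"` on `<audio>` has no effect.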
Двоичный файл не отображается.
После Ширина: | Высота: | Размер: 1.6 KiB |
Двоичный файл не отображается.
Двоичный файл не отображается.