Bug 702439 - allow subframes of CSP documents to run javascript: URLs, r=bz

2011-12-05 09:42:08 -08:00 · 2011-12-05 09:42:08 -08:00 · 630f3382fc
--- a/content/base/src/nsCSPService.cpp
+++ b/content/base/src/nsCSPService.cpp
@ -55,6 +55,8 @@
 #include "nsIAsyncVerifyRedirectCallback.h"
 #include "nsAsyncRedirectVerifyHelper.h"
 #include "mozilla/Preferences.h"
+#include "nsIScriptError.h"
+#include "nsContentUtils.h"

 using namespace mozilla;

@ -284,10 +286,28 @@ CSPService::AsyncOnChannelRedirect(nsIChannel *oldChannel,
  // the redirect is permitted, so propagate the Content Security Policy
  // and load type to the redirecting channel
  nsresult rv;
-  nsCOMPtr<nsIWritablePropertyBag2> props2 = do_QueryInterface(newChannel, &rv);
-  if (props2)
-    props2->SetPropertyAsInterface(NS_CHANNEL_PROP_CHANNEL_POLICY,
-                                   channelPolicy);
+  nsCOMPtr<nsIWritablePropertyBag2> props2 = do_QueryInterface(newChannel);
+  if (props2) {
+    rv = props2->SetPropertyAsInterface(NS_CHANNEL_PROP_CHANNEL_POLICY,
+                                        channelPolicy);
+    if (NS_SUCCEEDED(rv)) {
+      return NS_OK;
+    }
+  }

-  return NS_OK;
+  // The redirecting channel isn't a writable property bag, we won't be able
+  // to enforce the load policy if it redirects again, so we stop it now.
+  nsXPIDLString message;
+  nsCAutoString newUriSpec;
+  newUri->GetSpec(newUriSpec);
+  const PRUnichar *formatParams[] = { NS_ConvertUTF8toUTF16(newUriSpec).get() };
+  if (NS_SUCCEEDED(rv)) {
+    nsContentUtils::ReportToConsole(nsContentUtils::eDOM_PROPERTIES,
+                                   "InvalidRedirectChannelWarning",
+                                    formatParams, 1, nsnull, EmptyString(),
+                                    0, 0, nsIScriptError::warningFlag,
+                                    "Redirect Error");
+  }
+
+  return NS_BINDING_FAILED;
 }
--- a/content/base/test/Makefile.in
+++ b/content/base/test/Makefile.in
@ -528,6 +528,9 @@ _TEST_FILES2 = \
 		test_bug693875.html \
 		test_nodelist_holes.html \
 		test_xhr_abort_after_load.html \
+		test_bug702439.html \
+		test_bug702439.html^headers^ \
+		file_bug702439.html \
 		$(NULL)

 _CHROME_FILES =	\
--- a/content/base/test/file_bug702439.html
+++ b/content/base/test/file_bug702439.html
@ -0,0 +1,11 @@
+<html>
+<!--
+    This document is a child frame of a CSP document and the
+    test verifies that it is permitted to run javascript: URLs
+    if the parent has a policy that allows them.
+-->
+<body onload="document.getElementById('a').click()">
+<a id="a" href="javascript:parent.javascript_link_ran = true;
+                parent.checkResult();">click</a>
+</body>
+</html>
--- a/content/base/test/test_bug702439.html
+++ b/content/base/test/test_bug702439.html
@ -0,0 +1,32 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=702439
+
+This test verifies that child iframes of CSP documents are
+permitted to execute javascript: URLs assuming the policy
+allows this.
+-->
+<head>
+  <title>Test for Bug 428847</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<script class="testbody" type="text/javascript">
+var javascript_link_ran = false;
+
+// check that the script in the child frame's javascript: URL ran
+function checkResult()
+{
+  is(javascript_link_ran, true,
+     "javascript URL didn't execute");
+
+  SimpleTest.finish();
+}
+
+SimpleTest.waitForExplicitFinish();
+</script>
+<iframe id="i" src="file_bug702439.html"></iframe>
+</body>
+</html>
--- a/content/base/test/test_bug702439.html^headers^
+++ b/content/base/test/test_bug702439.html^headers^
@ -0,0 +1 @@
+X-Content-Security-Policy: default-src *; options inline-script
--- a/dom/locales/en-US/chrome/dom/dom.properties
+++ b/dom/locales/en-US/chrome/dom/dom.properties
@ -127,3 +127,4 @@ RemovedFullScreenElement=Exited full-screen because full-screen element was remo
 AddedWindowedPluginWhileFullScreen=Exited full-screen because windowed plugin was added to document.
 HTMLMultipartXHRWarning=HTML parsing in XMLHttpRequest is not supported for multipart responses.
 HTMLSyncXHRWarning=HTML parsing in XMLHttpRequest is not supported in the synchronous mode.
+InvalidRedirectChannelWarning=Unable to redirect to %S because the channel doesn't implement nsIWritablePropertyBag2.
--- a/netwerk/base/public/nsNetUtil.h
+++ b/netwerk/base/public/nsNetUtil.h
@ -232,7 +232,7 @@ NS_NewChannel(nsIChannel           **result,
            if (loadFlags != nsIRequest::LOAD_NORMAL)
                rv |= chan->SetLoadFlags(loadFlags);
            if (channelPolicy) {
-                nsCOMPtr<nsIWritablePropertyBag2> props = do_QueryInterface(chan, &rv);
+                nsCOMPtr<nsIWritablePropertyBag2> props = do_QueryInterface(chan);
                if (props) {
                    props->SetPropertyAsInterface(NS_CHANNEL_PROP_CHANNEL_POLICY,
                                                  channelPolicy);
				`@ -0,0 +1 @@`
				`X-Content-Security-Policy: default-src *; options inline-script`