Bug 1542194: Update blocked-uri in CSP reporting by treating frame naviations as redirects r=freddyb,dveditz,mixedpuppy
Differential Revision: https://phabricator.services.mozilla.com/D103697
This commit is contained in:
Родитель
bb82df49f5
Коммит
6692f87581
@ -172,11 +172,31 @@ bool subjectToCSP(nsIURI* aURI, nsContentPolicyType aContentType) {
|
|||
nsCOMPtr<nsIContentSecurityPolicy> csp = aLoadInfo->GetCsp();
|
||||
|
||||
if (csp) {
|
||||
// Generally aOriginalURI denotes the URI before a redirect and hence
|
||||
// will always be a nullptr here. Only exception are frame navigations
|
||||
// which we want to treat as a redirect for the purpose of CSP reporting
|
||||
// and in particular the `blocked-uri` in the CSP report where we want
|
||||
// to report the prePath information.
|
||||
nsCOMPtr<nsIURI> originalURI = nullptr;
|
||||
ExtContentPolicyType extType =
|
||||
nsContentUtils::InternalContentPolicyTypeToExternal(contentType);
|
||||
if (extType == ExtContentPolicy::TYPE_SUBDOCUMENT &&
|
||||
!aLoadInfo->GetOriginalFrameSrcLoad() &&
|
||||
mozilla::StaticPrefs::
|
||||
security_csp_truncate_blocked_uri_for_frame_navigations()) {
|
||||
nsAutoCString prePathStr;
|
||||
nsresult rv = aContentLocation->GetPrePath(prePathStr);
|
||||
NS_ENSURE_SUCCESS(rv, rv);
|
||||
rv = NS_NewURI(getter_AddRefs(originalURI), prePathStr);
|
||||
NS_ENSURE_SUCCESS(rv, rv);
|
||||
}
|
||||
|
||||
// obtain the enforcement decision
|
||||
rv = csp->ShouldLoad(contentType, cspEventListener, aContentLocation,
|
||||
nullptr, // no redirect, aOriginal URL is null.
|
||||
!isPreload && aLoadInfo->GetSendCSPViolationEvents(),
|
||||
cspNonce, parserCreatedScript, aDecision);
|
||||
rv = csp->ShouldLoad(
|
||||
contentType, cspEventListener, aContentLocation,
|
||||
originalURI, // no redirect, unless it's a frame navigation.
|
||||
!isPreload && aLoadInfo->GetSendCSPViolationEvents(), cspNonce,
|
||||
parserCreatedScript, aDecision);
|
||||
|
||||
if (NS_CP_REJECTED(*aDecision)) {
|
||||
NS_SetRequestBlockingReason(
|
||||
|
|
|
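Review bot: `nsresult rv = aContentLocation->GetPrePath(prePathStr);` inside the new subdocument branch introduces a second `rv`, while `rv = csp->ShouldLoad(` a few lines later assigns to an `rv` that must be declared above the hunk; the inner declaration shadows the outer one and `-Wshadow` builds will flag it, so drop the type: `rv = aContentLocation->GetPrePath(prePathStr);`. The leading comment talks about `aOriginalURI`, but the local it describes is `originalURI`; aligning the name avoids a hunt for a parameter that does not exist. The comment also explains what is reported (the prePath) but not why; if the motivation is that a frame's full destination URL should not end up in a report readable by the embedding document, one sentence saying so would help the next reader. The enclosing function starts and ends outside the hunk.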
@ -9475,6 +9475,11 @@
|
|||
value: 40
|
||||
mirror: always
|
||||
|
||||
- name: security.csp.truncate_blocked_uri_for_frame_navigations
|
||||
type: bool
|
||||
value: true
|
||||
mirror: always
|
||||
|
||||
# Allows loading ui resources in CheckLoadURIFlags
|
||||
# TODO Bug 1654488: Remove pref in CheckLoadURIFlags
|
||||
# which allows all UI resources to load
|
||||
|
|
|
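Review bot: The new pref `security.csp.truncate_blocked_uri_for_frame_navigations` is added without an explanatory comment, whereas the following entry in this hunk carries `#` lines describing its purpose. A line above `- name:` such as `# Report only the prePath as blocked-uri in CSP violation reports for frame navigations (treated like redirects).` tells readers what flipping it to false exposes. The only consumer visible in this commit reads it through `StaticPrefs::security_csp_truncate_blocked_uri_for_frame_navigations()`.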
@ -25,6 +25,12 @@ Services.prefs.setIntPref(
|
|||
4096
|
||||
);
|
||||
|
||||
// Do not trunacate the blocked-uri in CSP reports for frame navigations.
|
||||
Services.prefs.setBoolPref(
|
||||
"security.csp.truncate_blocked_uri_for_frame_navigations",
|
||||
false
|
||||
);
|
||||
|
||||
// ExtensionContent.jsm needs to know when it's running from xpcshell,
|
||||
// to use the right timeout for content scripts executed at document_idle.
|
||||
ExtensionTestUtils.mockAppInfo();
|
||||
|
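Review bot: The comment above the new `setBoolPref` call has a typo, `trunacate`; it should read `// Do not truncate the blocked-uri in CSP reports for frame navigations.` Because this override changes what a CSP report exposes, it is worth adding that the tests in this directory assert on the full blocked URL, so the override is not mistaken for a leftover and removed. The pref is set but not visibly reset; if this is a per-file head script that is likely fine, otherwise a `registerCleanupFunction` that calls `Services.prefs.clearUserPref("security.csp.truncate_blocked_uri_for_frame_navigations")` keeps later tests on the default.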
@ -830,6 +836,8 @@ function computeBaseURLs(tests, expectedSources, forbiddenSources = {}) {
|
|||
|
||||
function* iterSources(test, sources) {
|
||||
for (let [source, attrs] of Object.entries(sources)) {
|
||||
// if a source defines attributes (e.g. liveSrc in PAGE_SOURCES etc.) then all
|
||||
// attributes in the source must be matched by the test (see const TEST).
|
||||
if (Object.keys(attrs).every(attr => attrs[attr] === test[attr])) {
|
||||
yield `${BASE_URL}/${test.src}?source=${source}`;
|
||||
}
|
||||
|
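Review bot: The new comment inside `iterSources` refers to `const TEST`, but the test table in this file appears to be `const TESTS` (it is the context of the next hunk), so `// attributes in the source must be matched by the test (see const TESTS).` keeps the cross-reference correct. The wording is also a little tangled; `// If a source declares attributes (e.g. liveSrc in PAGE_SOURCES), every one of them must equal the test entry's value for that attribute.` says the same thing more directly. The enclosing function (`computeBaseURLs` per the hunk header) starts and ends outside the hunk.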
@ -1082,6 +1090,9 @@ const TESTS = [
|
|||
},
|
||||
// TODO: <frame> element, which requires a frameset document.
|
||||
{
|
||||
// the blocked-uri for frame-navigations is the pre-path URI. For the
|
||||
// purpose of this test we do not strip the blocked-uri by setting the
|
||||
// preference 'truncate_blocked_uri_for_frame_navigations'
|
||||
element: ["iframe", {}],
|
||||
src: "iframe.html",
|
||||
},
|
||||
|
|
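Review bot: The comment on the new iframe test entry names the preference only by its suffix `'truncate_blocked_uri_for_frame_navigations'`; writing the full `security.csp.truncate_blocked_uri_for_frame_navigations` makes the link to the head-file override greppable. It would also help to state what the entry expects to see, presumably the full `iframe.html` URL rather than its prePath, since that is the property being exercised; the assertion that checks it is not visible in this hunk. `TESTS` continues outside the hunk.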