Bug 1242019 - Truncate data URIs in CSP log messages. r=ckerschb

MozReview-Commit-ID: DaiGESRI1rb --HG-- extra : transplant_source : %EC%7B%3F%20O%3A%A7g%BAl%82%BC-Xg%23%84%E2%3C%EE
2016-09-12 14:30:43 -07:00 · 2016-09-12 14:30:43 -07:00 · 694c12c743
--- a/dom/security/nsCSPContext.cpp
+++ b/dom/security/nsCSPContext.cpp
@ -1072,6 +1072,12 @@ class CSPReportSenderRunnable final : public Runnable

      if (blockedURI) {
        blockedURI->GetSpec(blockedDataStr);
+        bool isData = false;
+        rv = blockedURI->SchemeIs("data", &isData);
+        if (NS_SUCCEEDED(rv) && isData) {
+          blockedDataStr.Truncate(40);
+          blockedDataStr.AppendASCII("...");
+        }
      } else if (blockedString) {
        blockedString->GetData(blockedDataStr);
      }
--- a/dom/security/test/csp/file_data-uri_blocked.html
+++ b/dom/security/test/csp/file_data-uri_blocked.html
--- a/dom/security/test/csp/file_data-uri_blocked.html^headers^
+++ b/dom/security/test/csp/file_data-uri_blocked.html^headers^
@ -0,0 +1 @@
+Content-Security-Policy: default-src 'self'; img-src 'none'
--- a/dom/security/test/csp/mochitest.ini
+++ b/dom/security/test/csp/mochitest.ini
@ -188,6 +188,8 @@ support-files =
  file_require_sri_meta.js
  file_sendbeacon.html
  file_upgrade_insecure_docwrite_iframe.sjs
+  file_data-uri_blocked.html
+  file_data-uri_blocked.html^headers^

 [test_base-uri.html]
 [test_blob_data_schemes.html]
@ -282,3 +284,4 @@ tags = mcb
 [test_require_sri_meta.html]
 [test_sendbeacon.html]
 [test_upgrade_insecure_docwrite_iframe.html]
+[test_bug1242019.html]
--- a/dom/security/test/csp/test_bug1242019.html
+++ b/dom/security/test/csp/test_bug1242019.html
@ -0,0 +1,51 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=1242019
+-->
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 1242019</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1242019">Mozilla Bug 1242019</a>
+<p id="display"></p>
+
+<iframe id="cspframe"></iframe>
+
+<pre id="test">
+
+<script class="testbody" type="text/javascript">
+function cleanup() {
+  SpecialPowers.postConsoleSentinel();
+  SimpleTest.finish();
+};
+
+var expectedURI = "data:image/png;base64,iVBORw0KGgoAAAANSU"
+
+SpecialPowers.registerConsoleListener(function ConsoleMsgListener(aMsg) {
+  // look for the message with data uri and see the data uri is truncated to 40 chars
+  data_start = aMsg.message.indexOf(expectedURI) 
+  if (data_start > -1) {
+    data_uri = "";
+    data_uri = aMsg.message.substr(data_start);
+    // this will either match the elipsis after the URI or the . at the end of the message
+    data_uri = data_uri.substr(0, data_uri.indexOf("."));
+    if (data_uri == "") {
+      return;
+    }
+
+    ok(data_uri.length == 40, "Data URI only shows 40 characters in the console");
+    SimpleTest.executeSoon(cleanup);
+  }
+});
+
+// set up and start testing
+SimpleTest.waitForExplicitFinish();
+document.getElementById('cspframe').src = 'file_data-uri_blocked.html';
+</script>
+</pre>
+</body>
+</html>
				`@ -0,0 +1 @@`
				`Content-Security-Policy: default-src 'self'; img-src 'none'`