Bug 1316393 - Circumvent CSP base-uri restriction in JSON Viewer. r=Honza

devtools/client/jsonview/converter-child.js

@@ -206,21 +206,22 @@ function initialHTML(doc) {
     os = "linux";
   }
 
-  let base = doc.createElement("base");
-  base.href = "resource://devtools/client/jsonview/";
+  // The base URI is prepended to all URIs instead of using a <base> element
+  // because the latter can be blocked by a CSP base-uri directive (bug 1316393)
+  let baseURI = "resource://devtools/client/jsonview/";
 
   let style = doc.createElement("link");
   style.rel = "stylesheet";
   style.type = "text/css";
-  style.href = "css/main.css";
+  style.href = baseURI + "css/main.css";
 
   let script = doc.createElement("script");
-  script.src = "lib/require.js";
-  script.dataset.main = "viewer-config";
+  script.src = baseURI + "lib/require.js";
+  script.dataset.main = baseURI + "viewer-config.js";
   script.defer = true;
 
   let head = doc.createElement("head");
-  head.append(base, style, script);
+  head.append(style, script);
 
   return "<!DOCTYPE html>\n" +
     startTag("html", {

devtools/client/jsonview/test/browser.ini

@@ -4,6 +4,8 @@ subsuite = devtools
 support-files =
   array_json.json
   array_json.json^headers^
+  csp_json.json
+  csp_json.json^headers^
   doc_frame_script.js
   head.js
   invalid_json.json
@@ -27,6 +29,7 @@ skip-if = (os == 'linux' && bits == 32 && debug) # bug 1328915, disable linux32
 [browser_jsonview_copy_rawdata.js]
 subsuite = clipboard
 skip-if = (os == 'linux' && bits == 32 && debug) # bug 1328915, disable linux32 debug devtools for timeouts
+[browser_jsonview_csp_json.js]
 [browser_jsonview_empty_object.js]
 [browser_jsonview_filter.js]
 [browser_jsonview_invalid_json.js]

devtools/client/jsonview/test/browser_jsonview_csp_json.js

@@ -0,0 +1,17 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/publicdomain/zero/1.0/ */
+
+"use strict";
+
+const TEST_JSON_URL = URL_ROOT + "csp_json.json";
+
+add_task(function* () {
+  info("Test CSP JSON started");
+
+  yield addJsonViewTab(TEST_JSON_URL);
+
+  let count = yield getElementCount(".jsonPanelBox .treeTable .treeRow");
+  is(count, 1, "There must be one row");
+});

devtools/client/jsonview/test/csp_json.json

@@ -0,0 +1 @@
+{"csp": true}

devtools/client/jsonview/test/csp_json.json^headers^

@@ -0,0 +1,2 @@
+Content-Type: application/json
+Content-Security-Policy: default-src 'none'; base-uri 'none';

devtools/client/jsonview/viewer-config.js

@@ -21,7 +21,7 @@
  * of the code base, so it's consistent and modules can be easily reused.
  */
 require.config({
-  baseUrl: ".",
+  baseUrl: "resource://devtools/client/jsonview/",
   paths: {
     "devtools/client/shared": "resource://devtools/client/shared",
     "devtools/shared": "resource://devtools/shared",