Bug 1597645 - Make sure XSLT inherits the CSP r=ckerschb

Differential Revision: https://phabricator.services.mozilla.com/D53997

--HG--
extra : moz-landing-system : lando

dom/security/test/csp/file_xslt_inherits_csp.xml

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<?xml-stylesheet type="text/xsl" href="file_xslt_inherits_csp.xsl"?>
+
+<root>
+    <t>This is some Title</t>
+</root>

dom/security/test/csp/file_xslt_inherits_csp.xml^headers^

@@ -0,0 +1,2 @@
+Content-Security-Policy: script-src 'self'
+Cache-Control: no-cache

dom/security/test/csp/file_xslt_inherits_csp.xsl

@@ -0,0 +1,26 @@
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.1">
+    <xsl:output method="html"/>
+    <xsl:variable name="title" select="/root/t"/>
+    <xsl:template match="/">
+    <html>
+        <head>
+            <title>
+                <xsl:value-of select="$title"/>
+            </title>
+            <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
+        </head>
+        <body>
+            <p>
+                Below is some inline JavaScript generating some red text.
+            </p>
+
+            <p id="bug"/>
+            <script>
+               document.body.append("JS DID EXCECUTE");
+            </script>
+
+            <a onClick='document.body.append("JS DID EXCECUTE");' href="#">link with lineOnClick</a>
+        </body>
+    </html>
+    </xsl:template>
+</xsl:stylesheet>

dom/security/test/csp/mochitest.ini

@@ -402,3 +402,8 @@ support-files =
   file_navigate_to.sjs
   file_navigate_to_request.html
 [test_independent_iframe_csp.html]
+[test_xslt_inherits_csp.html]
+support-files =
+  file_xslt_inherits_csp.xml
+  file_xslt_inherits_csp.xml^headers^
+  file_xslt_inherits_csp.xsl

dom/security/test/csp/test_xslt_inherits_csp.html

@@ -0,0 +1,33 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Bug 1597645: Make sure XSLT inherits the CSP r=ckerschb</title>
+  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<body>
+    <iframe src="file_xslt_inherits_csp.xml"></iframe>
+
+<script class="testbody">
+    SimpleTest.requestCompleteLog();
+    SimpleTest.waitForExplicitFinish();
+
+    let frame = document.querySelector("iframe");
+
+    window.addEventListener("load",()=>{
+    let link = frame.contentWindow.document.querySelector("a");
+    link.click(); //
+
+        requestAnimationFrame(()=>{
+            // Wait one Frame to let the browser catch up
+            // before checking the dom.
+            let res = !frame.contentWindow.document.body.innerText.includes("JS DID EXCECUTE");
+            ok(res, "The CSP did block injected JS ");
+            SimpleTest.finish();
+        });
+    })
+</script>
+</html>

dom/xslt/base/txURIUtils.cpp

@@ -9,6 +9,7 @@
 #include "nsIHttpChannelInternal.h"
 #include "nsIPrincipal.h"
 #include "mozilla/LoadInfo.h"
+#include "mozilla/dom/nsCSPContext.h"
 
 using mozilla::dom::Document;
 using mozilla::net::LoadInfo;
@@ -70,6 +71,13 @@ void URIUtils::ResetWithSource(Document* aNewDoc, nsINode* aSourceNode) {
   aNewDoc->SetPrincipals(sourcePrincipal, sourceStoragePrincipal);
   aNewDoc->SetBaseURI(sourceDoc->GetDocBaseURI());
 
+  // Inherit the csp if there is one
+  nsCOMPtr<nsIContentSecurityPolicy> csp = sourceDoc->GetCsp();
+  if (csp) {
+    RefPtr<nsCSPContext> cspToInherit = new nsCSPContext();
+    cspToInherit->InitFromOther(static_cast<nsCSPContext*>(csp.get()));
+    aNewDoc->SetCsp(cspToInherit);
+  }
   // Copy charset
   aNewDoc->SetDocumentCharacterSetSource(
       sourceDoc->GetDocumentCharacterSetSource());