Bug 1396320: Fix CSP sandbox regression for allow-scripts. r=dveditz

2017-09-07 09:11:38 +02:00 · 2017-09-07 09:11:38 +02:00 · d43805d4f6
--- a/dom/base/nsDocument.cpp
+++ b/dom/base/nsDocument.cpp
@ -3016,13 +3016,14 @@ nsDocument::InitCSP(nsIChannel* aChannel)
  rv = csp->GetCSPSandboxFlags(&cspSandboxFlags);
  NS_ENSURE_SUCCESS(rv, rv);

-  mSandboxFlags |= cspSandboxFlags;
-
  // Probably the iframe sandbox attribute already caused the creation of a
  // new NullPrincipal. Only create a new NullPrincipal if CSP requires so
  // and no one has been created yet.
  bool needNewNullPrincipal =
    (cspSandboxFlags & SANDBOXED_ORIGIN) && !(mSandboxFlags & SANDBOXED_ORIGIN);
+
+  mSandboxFlags |= cspSandboxFlags;
+  
  if (needNewNullPrincipal) {
    principal = NullPrincipal::CreateWithInheritedAttributes(principal);
    principal->SetCsp(csp);
--- a/dom/security/test/csp/file_sandbox_13.html
+++ b/dom/security/test/csp/file_sandbox_13.html
@ -0,0 +1,25 @@
+<!DOCTYPE HTML>
+<html>
+<head> <meta charset="utf-8"> </head>
+<script type="text/javascript">
+  function ok(result, desc) {
+    window.parent.postMessage({ok: result, desc: desc}, "*");
+  }
+
+  function doStuff() {
+    ok(true, "documents sandboxed with allow-scripts should be able to run inline scripts");
+  }
+</script>
+<script src='file_sandbox_fail.js'></script>
+<body onLoad='ok(true, "documents sandboxed with allow-scripts should be able to run script from event listeners");doStuff();'>
+  I am sandboxed but with only inline "allow-scripts"
+
+ <!-- Content-Security-Policy: default-src 'none'; script-src 'unsafe-inline'; sandbox allow-scripts -->
+
+ <!-- these should be stopped by CSP -->
+ <img src="/tests/dom/security/test/csp/file_CSP.sjs?testid=img13_bad&type=img/png" />
+ <img src="http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=img13a_bad&type=img/png"> </img>
+ <script src='/tests/dom/security/test/csp/file_CSP.sjs?testid=script13_bad&type=text/javascript'></script>
+ <script src='http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=script13a_bad&type=text/javascript'></script>
+</body>
+</html>
--- a/dom/security/test/csp/file_sandbox_allow_scripts.html
+++ b/dom/security/test/csp/file_sandbox_allow_scripts.html
@ -0,0 +1,12 @@
+<!DOCTYPE HTML>
+<html>
+  <head>
+  <meta charset='utf-8'>
+  <title>Bug 1396320: Fix CSP sandbox regression for allow-scripts</title>
+  </head>
+<body>
+<script type='application/javascript'>
+  window.parent.postMessage({result: document.domain }, '*');
+</script>
+</body>
+</html>
--- a/dom/security/test/csp/file_sandbox_allow_scripts.html^headers^
+++ b/dom/security/test/csp/file_sandbox_allow_scripts.html^headers^
@ -0,0 +1 @@
+Content-Security-Policy: sandbox allow-scripts;
--- a/dom/security/test/csp/mochitest.ini
+++ b/dom/security/test/csp/mochitest.ini
@ -182,6 +182,7 @@ support-files =
  file_sandbox_10.html
  file_sandbox_11.html
  file_sandbox_12.html
+  file_sandbox_13.html
  file_require_sri_meta.sjs
  file_require_sri_meta.js
  file_sendbeacon.html
@ -323,3 +324,7 @@ skip-if = toolkit == 'android'
 support-files =
  file_uir_top_nav.html
  file_uir_top_nav_dummy.html
+[test_sandbox_allow_scripts.html]
+support-files =
+  file_sandbox_allow_scripts.html
+  file_sandbox_allow_scripts.html^headers^
--- a/dom/security/test/csp/test_sandbox.html
+++ b/dom/security/test/csp/test_sandbox.html
@ -111,7 +111,7 @@ var testCases = [
    // * using sandbox flag 'allow-scripts' in CSP and not as iframe attribute
    // * not using allow-same-origin in CSP (so a new NullPrincipal is created).
    csp: "default-src 'none'; script-src 'unsafe-inline'; sandbox allow-scripts",
-    file: "file_sandbox_5.html",
+    file: "file_sandbox_13.html",
    results: { img13_bad: -1, img13a_bad: -1, script13_bad: -1, script13a_bad: -1 },
    nrOKmessages: 2 // sends 2 ok message
  },
--- a/dom/security/test/csp/test_sandbox_allow_scripts.html
+++ b/dom/security/test/csp/test_sandbox_allow_scripts.html
@ -0,0 +1,31 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug 1396320: Fix CSP sandbox regression for allow-scripts</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<iframe style="width:100%;" id="testframe"></iframe>
+<script class="testbody" type="text/javascript">
+
+/* Description of the test:
+ * Load an iframe using a CSP of 'sandbox allow-scripts' and make sure
+ * the security context of the iframe is sandboxed (cross origin)
+ */
+SimpleTest.waitForExplicitFinish();
+
+window.addEventListener("message", receiveMessage);
+function receiveMessage(event) {
+  is(event.data.result, "",
+  	"document.domain of sandboxed iframe should be opaque");
+  window.removeEventListener("message", receiveMessage);
+  SimpleTest.finish();
+}
+
+let testframe = document.getElementById("testframe");
+testframe.src = "file_sandbox_allow_scripts.html";
+
+</script>
+</body>
+</html>
				`@ -0,0 +1 @@`
				`Content-Security-Policy: sandbox allow-scripts;`