diff --git a/dom/apps/AppsService.js b/dom/apps/AppsService.js index 1100ad6c495d..e0a7ea041c36 100644 --- a/dom/apps/AppsService.js +++ b/dom/apps/AppsService.js @@ -37,22 +37,6 @@ AppsService.prototype = { localId == Ci.nsIScriptSecurityManager.UNKNOWN_APP_ID); }, - getManifestCSPByLocalId: function getCSPByLocalId(localId) { - debug("GetManifestCSPByLocalId( " + localId + " )"); - if (this.isInvalidId(localId)) { - return null; - } - throw Cr.NS_ERROR_NOT_IMPLEMENTED; - }, - - getDefaultCSPByLocalId: function getCSPByLocalId(localId) { - debug("GetDefaultCSPByLocalId( " + localId + " )"); - if (this.isInvalidId(localId)) { - return null; - } - throw Cr.NS_ERROR_NOT_IMPLEMENTED; - }, - getAppByManifestURL: function getAppByManifestURL(aManifestURL) { debug("GetAppByManifestURL( " + aManifestURL + " )"); throw Cr.NS_ERROR_NOT_IMPLEMENTED; diff --git a/dom/apps/AppsServiceChild.jsm b/dom/apps/AppsServiceChild.jsm index e8adfe4ce2a9..e570c2ebbacc 100644 --- a/dom/apps/AppsServiceChild.jsm +++ b/dom/apps/AppsServiceChild.jsm @@ -371,16 +371,6 @@ this.DOMApplicationRegistry = { return AppsUtils.getAppLocalIdByManifestURL(this.webapps, aManifestURL); }, - getManifestCSPByLocalId: function(aLocalId) { - debug("getManifestCSPByLocalId:" + aLocalId); - return AppsUtils.getManifestCSPByLocalId(this.webapps, aLocalId); - }, - - getDefaultCSPByLocalId: function(aLocalId) { - debug("getDefaultCSPByLocalId:" + aLocalId); - return AppsUtils.getDefaultCSPByLocalId(this.webapps, aLocalId); - }, - getAppLocalIdByStoreId: function(aStoreId) { debug("getAppLocalIdByStoreId:" + aStoreId); return AppsUtils.getAppLocalIdByStoreId(this.webapps, aStoreId); diff --git a/dom/apps/AppsUtils.jsm b/dom/apps/AppsUtils.jsm index 6df9bbc84a0e..3ca3f8552a22 100644 --- a/dom/apps/AppsUtils.jsm +++ b/dom/apps/AppsUtils.jsm 
@@ -262,43 +262,6 @@ this.AppsUtils = { return Ci.nsIScriptSecurityManager.NO_APP_ID; }, - getManifestCSPByLocalId: function getManifestCSPByLocalId(aApps, aLocalId) { - debug("getManifestCSPByLocalId " + aLocalId); - for (let id in aApps) { - let app = aApps[id]; - if (app.localId == aLocalId) { - return ( app.csp || "" ); - } - } - - return ""; - }, - - getDefaultCSPByLocalId: function(aApps, aLocalId) { - debug("getDefaultCSPByLocalId " + aLocalId); - for (let id in aApps) { - let app = aApps[id]; - if (app.localId == aLocalId) { - // Use the app status to choose the right default CSP. - try { - switch (app.appStatus) { - case Ci.nsIPrincipal.APP_STATUS_CERTIFIED: - return Services.prefs.getCharPref("security.apps.certified.CSP.default"); - break; - case Ci.nsIPrincipal.APP_STATUS_PRIVILEGED: - return Services.prefs.getCharPref("security.apps.privileged.CSP.default"); - break; - case Ci.nsIPrincipal.APP_STATUS_INSTALLED: - return ""; - break; - } - } catch(e) {} - } - } - - return "default-src 'self'; object-src 'none'"; - }, - getAppByLocalId: function getAppByLocalId(aApps, aLocalId) { debug("getAppByLocalId " + aLocalId); for (let id in aApps) { diff --git a/dom/base/nsDocument.cpp b/dom/base/nsDocument.cpp index 99cf667c359b..8c8a67cfb58f 100644 --- a/dom/base/nsDocument.cpp +++ b/dom/base/nsDocument.cpp @@ -203,7 +203,6 @@ #include "nsWrapperCacheInlines.h" #include "nsSandboxFlags.h" #include "nsIAddonPolicyService.h" -#include "nsIAppsService.h" #include "mozilla/dom/AnimatableBinding.h" #include "mozilla/dom/AnonymousContent.h" #include "mozilla/dom/BindingUtils.h" 
@@ -2544,32 +2543,9 @@ nsDocument::InitCSP(nsIChannel* aChannel) NS_ConvertASCIItoUTF16 cspHeaderValue(tCspHeaderValue); NS_ConvertASCIItoUTF16 cspROHeaderValue(tCspROHeaderValue); - // Figure out if we need to apply an app default CSP or a CSP from an app manifest - nsCOMPtr principal = NodePrincipal(); - - uint16_t appStatus = principal->GetAppStatus(); - bool applyAppDefaultCSP = false; - bool applyAppManifestCSP = false; - - nsAutoString appManifestCSP; - nsAutoString appDefaultCSP; - if (appStatus != nsIPrincipal::APP_STATUS_NOT_INSTALLED) { - nsCOMPtr appsService = do_GetService(APPS_SERVICE_CONTRACTID); - if (appsService) { - uint32_t appId = principal->GetAppId(); - appsService->GetManifestCSPByLocalId(appId, appManifestCSP); - if (!appManifestCSP.IsEmpty()) { - applyAppManifestCSP = true; - } - appsService->GetDefaultCSPByLocalId(appId, appDefaultCSP); - if (!appDefaultCSP.IsEmpty()) { - applyAppDefaultCSP = true; - } - } - } - // Check if this is a document from a WebExtension. nsString addonId; + nsCOMPtr principal = NodePrincipal(); principal->GetAddonId(addonId); bool applyAddonCSP = !addonId.IsEmpty(); @@ -2581,9 +2557,7 @@ nsDocument::InitCSP(nsIChannel* aChannel) } // If there's no CSP to apply, go ahead and return early - if (!applyAppDefaultCSP && - !applyAppManifestCSP && - !applyAddonCSP && + if (!applyAddonCSP && !applySignedContentCSP && cspHeaderValue.IsEmpty() && cspROHeaderValue.IsEmpty()) { 
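Review bot: The relocated `principal` declaration is inserted under the `// Check if this is a document from a WebExtension.` comment, between `nsString addonId;` and `principal->GetAddonId(addonId);`, so the comment now reads as if it explains fetching the principal rather than the add-on check. Declaring it just above that comment, `nsCOMPtr<nsIPrincipal> principal = NodePrincipal();`, keeps the add-on lookup self-contained and matches where the old code obtained it. The template argument on `nsCOMPtr` appears to have been stripped by the page rendering, so the declared type is not visible here; it is still used by `principal->EnsureCSP` further down. InitCSP begins before this hunk and continues past it.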
@@ -2593,53 +2567,19 @@ nsDocument::InitCSP(nsIChannel* aChannel) nsAutoCString aspec; chanURI->GetAsciiSpec(aspec); MOZ_LOG(gCspPRLog, LogLevel::Debug, - ("no CSP for document, %s, %s", - aspec.get(), - applyAppDefaultCSP ? "is app" : "not an app")); + ("no CSP for document, %s", + aspec.get())); } return NS_OK; } - MOZ_LOG(gCspPRLog, LogLevel::Debug, ("Document is an app or CSP header specified %p", this)); - - // If Document is an app check to see if we already set CSP and return early - // if that is indeed the case. - // - // In general (see bug 947831), we should not be setting CSP on a principal - // that aliases another document. For non-app code this is not a problem - // since we only share the underlying principal with nested browsing - // contexts for which a header cannot be set (e.g., about:blank and - // about:srcodoc iframes) and thus won't try to set the CSP again. This - // check ensures that we do not try to set CSP for an app. - if (applyAppDefaultCSP || applyAppManifestCSP) { - nsCOMPtr csp; - rv = principal->GetCsp(getter_AddRefs(csp)); - NS_ENSURE_SUCCESS(rv, rv); - - if (csp) { - MOZ_LOG(gCspPRLog, LogLevel::Debug, ("%s %s %s", - "This document is sharing principal with another document.", - "Since the document is an app, CSP was already set.", - "Skipping attempt to set CSP.")); - return NS_OK; - } - } + MOZ_LOG(gCspPRLog, LogLevel::Debug, ("Document is an add-on or CSP header specified %p", this)); nsCOMPtr csp; rv = principal->EnsureCSP(this, getter_AddRefs(csp)); NS_ENSURE_SUCCESS(rv, rv); - // ----- if the doc is an app and we want a default CSP, apply it. - if (applyAppDefaultCSP) { - csp->AppendPolicy(appDefaultCSP, false, false); - } - - // ----- if the doc is an app and specifies a CSP in its manifest, apply it. - if (applyAppManifestCSP) { - csp->AppendPolicy(appManifestCSP, false, false); - } - // ----- if the doc is an addon, apply its CSP. if (applyAddonCSP) { nsCOMPtr aps = do_GetService("@mozilla.org/addons/policy-service;1"); 
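Review bot: The new debug message `Document is an add-on or CSP header specified` under-describes the path that reaches it: the early return in the preceding hunk also lets `applySignedContentCSP` through, so signed content lands on this line too; suggest `MOZ_LOG(gCspPRLog, LogLevel::Debug, ("Document is an add-on, signed content, or has a CSP header %p", this));`. Removing the shared-principal guard looks consistent since it was gated on the app flags only, but the rationale recorded in the deleted comment (CSP must not be set on a principal aliased by another document, bug 947831) now appears nowhere in the function. A one-line comment above `rv = principal->EnsureCSP(this, getter_AddRefs(csp));`, e.g. `// Only add-on, signed-content and header CSPs reach here; see bug 947831 for why CSP must not be set on a principal shared with another document.`, would keep that constraint on record for the next reader. InitCSP's body continues outside this hunk.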
diff --git a/dom/base/nsFrameLoader.cpp b/dom/base/nsFrameLoader.cpp index b1a44e7905fe..b2c83fdef4bc 100644 --- a/dom/base/nsFrameLoader.cpp +++ b/dom/base/nsFrameLoader.cpp @@ -15,6 +15,7 @@ #include "mozIApplication.h" #include "nsDocShell.h" +#include "nsIAppsService.h" #include "nsIDOMHTMLIFrameElement.h" #include "nsIDOMHTMLFrameElement.h" #include "nsIDOMMozBrowserFrame.h" diff --git a/dom/devicestorage/test/test_app_permissions.html b/dom/devicestorage/test/test_app_permissions.html index 234d576ee3c4..9d6ecad1900f 100644 --- a/dom/devicestorage/test/test_app_permissions.html +++ b/dom/devicestorage/test/test_app_permissions.html @@ -643,16 +643,10 @@ createTestFile('.txt'); var gTestRunner = runTest(); SpecialPowers.addPermission("browser", true, gTestUri); -// We are more permissive with CSP in our testing environment.... -const DEFAULT_CSP_PRIV = "default-src *; script-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'none'"; -const DEFAULT_CSP_CERT = "default-src *; script-src 'self'; style-src 'self'; object-src 'none'"; - SpecialPowers.pushPrefEnv({'set': [["dom.mozBrowserFramesEnabled", true], ["device.storage.enabled", true], ["device.storage.testing", true], - ["device.storage.prompt.testing", false], - ["security.apps.privileged.CSP.default", DEFAULT_CSP_PRIV], - ["security.apps.certified.CSP.default", DEFAULT_CSP_CERT]]}, + ["device.storage.prompt.testing", false]]}, function() { gTestRunner.next(); }); diff --git a/dom/devicestorage/test/test_fs_app_permissions.html b/dom/devicestorage/test/test_fs_app_permissions.html index 76ee0fcbbc78..103b9b6cf71a 100644 --- a/dom/devicestorage/test/test_fs_app_permissions.html +++ b/dom/devicestorage/test/test_fs_app_permissions.html 
@@ -818,16 +818,10 @@ function createTestFile(extension) { let gTestRunner = runTest(); SpecialPowers.addPermission("browser", true, gTestUri); -// We are more permissive with CSP in our testing environment.... -const DEFAULT_CSP_PRIV = "default-src *; script-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'none'"; -const DEFAULT_CSP_CERT = "default-src *; script-src 'self'; style-src 'self'; object-src 'none'"; - SpecialPowers.pushPrefEnv({'set': [["dom.mozBrowserFramesEnabled", true], ["device.storage.enabled", true], ["device.storage.testing", true], - ["device.storage.prompt.testing", false], - ["security.apps.privileged.CSP.default", DEFAULT_CSP_PRIV], - ["security.apps.certified.CSP.default", DEFAULT_CSP_CERT]]}, + ["device.storage.prompt.testing", false]]}, function() { gTestRunner.next(); }); diff --git a/dom/interfaces/apps/nsIAppsService.idl b/dom/interfaces/apps/nsIAppsService.idl index f388438fe0cd..4e91a50ecadc 100644 --- a/dom/interfaces/apps/nsIAppsService.idl +++ b/dom/interfaces/apps/nsIAppsService.idl @@ -46,16 +46,6 @@ interface nsIAppsService : nsISupports */ DOMString getManifestURLByLocalId(in unsigned long localId); - /** - * Returns the manifest CSP associated to this localId. - */ - DOMString getManifestCSPByLocalId(in unsigned long localId); - - /** - * Returns the default CSP associated to this localId. - */ - DOMString getDefaultCSPByLocalId(in unsigned long localId); - /** * Returns the basepath for core apps */ diff --git a/dom/security/test/csp/file_bug768029.sjs b/dom/security/test/csp/file_bug768029.sjs deleted file mode 100644 index 9ae353055ef9..000000000000 --- a/dom/security/test/csp/file_bug768029.sjs +++ /dev/null 
@@ -1,29 +0,0 @@ -function handleRequest(request, response) { - - var query = {}; - - request.queryString.split('&').forEach(function(val) { - var [name, value] = val.split('='); - query[name] = unescape(value); - }); - response.setHeader("Cache-Control", "no-cache", false); - - if ("type" in query) { - switch (query.type) { - case "script": - response.setHeader("Content-Type", "application/javascript"); - response.write("\n\ndocument.write('
script loaded\\n
');\n\n"); - return; - case "style": - response.setHeader("Content-Type", "text/css"); - response.write("\n\n.cspfoo { color:red; }\n\n"); - return; - case "img": - response.setHeader("Content-Type", "image/png"); - return; - } - } - - response.setHeader("Content-Type", "text/plain"); - response.write("ohnoes!"); -} diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js index e900b7639103..bb398deb821a 100644 --- a/modules/libpref/init/all.js +++ b/modules/libpref/init/all.js @@ -2139,9 +2139,6 @@ pref("security.notification_enable_delay", 500); pref("security.csp.enable", true); pref("security.csp.experimentalEnabled", false); -// Default Content Security Policy to apply to privileged apps. -pref("security.apps.privileged.CSP.default", "default-src * data: blob:; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'"); - // Default Content Security Policy to apply to signed contents. pref("security.signed_content.CSP.default", "script-src 'self'; style-src 'self'");
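Review bot: Only `security.apps.privileged.CSP.default` is dropped from all.js, while the deleted AppsUtils.jsm code and both devicestorage test files also referenced `security.apps.certified.CSP.default`; if that pref is declared in a pref file outside this diff, it is left behind with no remaining consumer. Worth confirming and removing it in the same change so no dangling CSP default survives. Keeping the `security.signed_content.CSP.default` entry directly below is correct, as it is presumably still consumed through the `applySignedContentCSP` path that nsDocument.cpp retains.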