Bug 1418241 - Fix SecurityPolicyViolationEvent.blockedURI. draft
authorChung-Sheng Fu <cfu@mozilla.com>
Thu, 21 Dec 2017 11:14:52 +0800
changeset 713898 4115c8b95732e1a04decd487896e27f949d4f76a
parent 713897 52d6ce492b7274a900c20fab95bbe8fc20f1afe8
child 744471 7dd489ce24c2b5904ae8fb4209f1b335225be8d1
push id93794
push userbmo:cfu@mozilla.com
push dateThu, 21 Dec 2017 07:02:17 +0000
bugs1418241
milestone59.0a1
Bug 1418241 - Fix SecurityPolicyViolationEvent.blockedURI. MozReview-Commit-ID: F6QVcYyXWNx
dom/security/nsCSPContext.cpp
--- a/dom/security/nsCSPContext.cpp
+++ b/dom/security/nsCSPContext.cpp
@@ -477,17 +477,17 @@ nsCSPContext::reportInlineViolation(nsCo
   else {
     observerSubject = (aContentType == nsIContentPolicy::TYPE_SCRIPT)
                       ? NS_LITERAL_STRING(SCRIPT_HASH_VIOLATION_OBSERVER_TOPIC)
                       : NS_LITERAL_STRING(STYLE_HASH_VIOLATION_OBSERVER_TOPIC);
   }
 
   nsCOMPtr<nsISupportsCString> selfICString(do_CreateInstance(NS_SUPPORTS_CSTRING_CONTRACTID));
   if (selfICString) {
-    selfICString->SetData(nsDependentCString("self"));
+    selfICString->SetData(nsDependentCString("inline"));
   }
   nsCOMPtr<nsISupports> selfISupports(do_QueryInterface(selfICString));
 
   // use selfURI as the sourceFile
   nsAutoCString sourceFile;
   if (mSelfURI) {
     mSelfURI->GetSpec(sourceFile);
   }
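Review bot: The locals `selfICString` and `selfISupports` no longer describe what they hold, since the value is now `"inline"` here and `"eval"` or `"self"` in the LogViolationDetails hunk of this same commit. A neutral name such as `blockedICString` / `blockedISupports` would stop a later reader from assuming the subject is always the protected resource. If these keywords are matched by string elsewhere (not visible here), one shared constant per keyword would keep the three literals from drifting apart. reportInlineViolation starts and ends outside this hunk.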
@@ -653,17 +653,24 @@ nsCSPContext::LogViolationDetails(uint16
                                   const nsAString& aNonce,
                                   const nsAString& aContent)
 {
   for (uint32_t p = 0; p < mPolicies.Length(); p++) {
     NS_ASSERTION(mPolicies[p], "null pointer in nsTArray<nsCSPPolicy>");
 
     nsCOMPtr<nsISupportsCString> selfICString(do_CreateInstance(NS_SUPPORTS_CSTRING_CONTRACTID));
     if (selfICString) {
-      selfICString->SetData(nsDependentCString("self"));
+      switch (aViolationType) {
+        case nsIContentSecurityPolicy::VIOLATION_TYPE_EVAL:
+          selfICString->SetData(nsDependentCString("eval"));
+          break;
+        default:
+          selfICString->SetData(nsDependentCString("self"));
+          break;
+      }
     }
     nsCOMPtr<nsISupports> selfISupports(do_QueryInterface(selfICString));
 
     switch (aViolationType) {
       CASE_CHECK_AND_REPORT(EVAL,              SCRIPT,     NS_LITERAL_STRING(""),
                             CSP_UNSAFE_EVAL,   EVAL_VIOLATION_OBSERVER_TOPIC);
       CASE_CHECK_AND_REPORT(INLINE_STYLE,      STYLESHEET, NS_LITERAL_STRING(""),
                             CSP_UNSAFE_INLINE, INLINE_STYLE_VIOLATION_OBSERVER_TOPIC);
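Review bot: Inline violations that pass through LogViolationDetails still get `"self"` from the `default:` branch, while reportInlineViolation now sets `"inline"`, so the same kind of violation can carry two different blockedURI values depending on the code path. The CASE_CHECK_AND_REPORT list just below shows INLINE_STYLE is handled in this function. If that path feeds SecurityPolicyViolationEvent, add `case nsIContentSecurityPolicy::VIOLATION_TYPE_INLINE_STYLE:` setting `"inline"`, and do the same for any inline-script type handled further down. The rest of the second switch lies outside the hunk, so the full set of violation types should be checked there.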
@@ -830,22 +837,16 @@ StripURIForReporting(nsIURI* aURI,
     // http/https and also ftp. If it's not http/https or ftp, then treat aURI
     // as if it's a globally unique identifier and just return the scheme.
     aURI->GetScheme(outStrippedURI);
     return;
   }
 
   // 2) If the origin of uri is not the same as the origin of the protected
   // resource, then return the ASCII serialization of uri’s origin.
-  if (!NS_SecurityCompareURIs(aSelfURI, aURI, false)) {
-    // cross origin redirects also fall into this category, see:
-    // http://www.w3.org/TR/CSP/#violation-reports
-    aURI->GetPrePath(outStrippedURI);
-    return;
-  }
 
   // 3) Return uri, with any fragment component removed.
   aURI->GetSpecIgnoringRef(outStrippedURI);
 }
 
 nsresult
 nsCSPContext::GatherSecurityPolicyViolationEventData(
   nsISupports* aBlockedContentSource,
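Review bot: With the `NS_SecurityCompareURIs` branch removed, step 2 of StripURIForReporting is a comment with no code under it, and every http/https/ftp URI now falls through to `GetSpecIgnoringRef`, so a cross-origin URI is reported with its full path and query. The removed lines were also what kept a cross-origin redirect target's path out of reports, so this is safe only if callers pass the original pre-redirect URI; that is not visible in this hunk and should be confirmed. I would replace the orphaned comment with `// 2) No origin comparison here; callers must pass the original (pre-redirect) request URI so a redirect target's path never reaches a report.` `aSelfURI` may also be unused now (the function's start is outside the hunk), and a test that reports a blocked load after a cross-origin redirect would pin the intended behaviour.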