Bug 1418241 - Fix SecurityPolicyViolationEvent.blockedURI.
MozReview-Commit-ID: F6QVcYyXWNx
--- a/dom/security/nsCSPContext.cpp
+++ b/dom/security/nsCSPContext.cpp
@@ -477,17 +477,17 @@ nsCSPContext::reportInlineViolation(nsCo
else {
observerSubject = (aContentType == nsIContentPolicy::TYPE_SCRIPT)
? NS_LITERAL_STRING(SCRIPT_HASH_VIOLATION_OBSERVER_TOPIC)
: NS_LITERAL_STRING(STYLE_HASH_VIOLATION_OBSERVER_TOPIC);
}
nsCOMPtr<nsISupportsCString> selfICString(do_CreateInstance(NS_SUPPORTS_CSTRING_CONTRACTID));
if (selfICString) {
- selfICString->SetData(nsDependentCString("self"));
+ selfICString->SetData(nsDependentCString("inline"));
}
nsCOMPtr<nsISupports> selfISupports(do_QueryInterface(selfICString));
// use selfURI as the sourceFile
nsAutoCString sourceFile;
if (mSelfURI) {
mSelfURI->GetSpec(sourceFile);
}
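Review bot: The locals `selfICString` and `selfISupports` around the changed `SetData` call are now misnamed, because the value they carry is `"inline"` rather than `"self"`. Renaming them, for example to `blockedICString` / `blockedISupports` in line with the `aBlockedContentSource` parameter of `GatherSecurityPolicyViolationEventData`, would stop a later reader from assuming the keyword is still `self`. Any observer or test that matched the old `"self"` subject string would need the same update; none is visible in this hunk. The body of reportInlineViolation starts and ends outside the hunk.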
@@ -653,17 +653,24 @@ nsCSPContext::LogViolationDetails(uint16
const nsAString& aNonce,
const nsAString& aContent)
{
for (uint32_t p = 0; p < mPolicies.Length(); p++) {
NS_ASSERTION(mPolicies[p], "null pointer in nsTArray<nsCSPPolicy>");
nsCOMPtr<nsISupportsCString> selfICString(do_CreateInstance(NS_SUPPORTS_CSTRING_CONTRACTID));
if (selfICString) {
- selfICString->SetData(nsDependentCString("self"));
+ switch (aViolationType) {
+ case nsIContentSecurityPolicy::VIOLATION_TYPE_EVAL:
+ selfICString->SetData(nsDependentCString("eval"));
+ break;
+ default:
+ selfICString->SetData(nsDependentCString("self"));
+ break;
+ }
}
nsCOMPtr<nsISupports> selfISupports(do_QueryInterface(selfICString));
switch (aViolationType) {
CASE_CHECK_AND_REPORT(EVAL, SCRIPT, NS_LITERAL_STRING(""),
CSP_UNSAFE_EVAL, EVAL_VIOLATION_OBSERVER_TOPIC);
CASE_CHECK_AND_REPORT(INLINE_STYLE, STYLESHEET, NS_LITERAL_STRING(""),
CSP_UNSAFE_INLINE, INLINE_STYLE_VIOLATION_OBSERVER_TOPIC);
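Review bot: The `default:` arm of the new switch still sets `"self"` for every type other than `VIOLATION_TYPE_EVAL`, so the INLINE_STYLE case handled by `CASE_CHECK_AND_REPORT` just below keeps the old value while reportInlineViolation now reports `"inline"`. If the macro forwards `selfISupports` as the blocked source (its definition is not in the hunk), adding `case nsIContentSecurityPolicy::VIOLATION_TYPE_INLINE_SCRIPT:` and `case nsIContentSecurityPolicy::VIOLATION_TYPE_INLINE_STYLE:` arms that set `"inline"` would make the two paths agree. The string depends only on `aViolationType`, so it could also be selected once before the `for` loop rather than on every policy iteration. LogViolationDetails continues beyond the hunk.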
@@ -830,22 +837,16 @@ StripURIForReporting(nsIURI* aURI,
// http/https and also ftp. If it's not http/https or ftp, then treat aURI
// as if it's a globally unique identifier and just return the scheme.
aURI->GetScheme(outStrippedURI);
return;
}
// 2) If the origin of uri is not the same as the origin of the protected
// resource, then return the ASCII serialization of uri’s origin.
- if (!NS_SecurityCompareURIs(aSelfURI, aURI, false)) {
- // cross origin redirects also fall into this category, see:
- // http://www.w3.org/TR/CSP/#violation-reports
- aURI->GetPrePath(outStrippedURI);
- return;
- }
// 3) Return uri, with any fragment component removed.
aURI->GetSpecIgnoringRef(outStrippedURI);
}
nsresult
nsCSPContext::GatherSecurityPolicyViolationEventData(
nsISupports* aBlockedContentSource,
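Review bot: With the `NS_SecurityCompareURIs` branch removed, the `// 2) If the origin of uri is not the same as the origin of the protected resource` comment is left describing a step the function no longer performs, and a cross-origin URI now falls through to `GetSpecIgnoringRef`, which keeps path and query. The removed comment noted that cross-origin redirects relied on this truncation, so unless callers pass the pre-redirect URI, the post-redirect location of a cross-origin resource becomes readable through `blockedURI` and in violation reports; the callers are outside this hunk, so that needs confirming. I would delete the stale step-2 comment or replace it with `// Cross-origin URIs are not truncated to their origin here; callers must pass the pre-redirect URI.` If `aSelfURI` has no other use in StripURIForReporting (the start of the function is outside the hunk), the parameter can be dropped as well.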