Bug 1439425 - Ignore empty CSP directives. r?ckerschb
MozReview-Commit-ID: 67Ach2vCs8A
--- a/dom/security/nsCSPParser.cpp
+++ b/dom/security/nsCSPParser.cpp
@@ -1166,16 +1166,20 @@ nsCSPParser::directive()
// one directive and one src.
if (mCurDir.Length() < 1) {
const char16_t* params[] = { u"directive missing" };
logWarningErrorToConsole(nsIScriptError::warningFlag, "failedToParseUnrecognizedSource",
params, ArrayLength(params));
return;
}
+ if (CSP_IsEmptyDirective(mCurValue, mCurToken)) {
+ return;
+ }
+
// Try to create a new CSPDirective
nsCSPDirective* cspDir = directiveName();
if (!cspDir) {
// if we can not create a CSPDirective, we can skip parsing the srcs for that array
return;
}
// special case handling for block-all-mixed-content, which is only specified
--- a/dom/security/nsCSPUtils.cpp
+++ b/dom/security/nsCSPUtils.cpp
@@ -303,16 +303,22 @@ CSP_CreateHostSrcFromSelfURI(nsIURI* aSe
nsAutoString portStr;
portStr.AppendInt(port);
hostsrc->setPort(portStr);
}
return hostsrc;
}
bool
+CSP_IsEmptyDirective(const nsAString& aValue, const nsAString& aDir)
+{
+ return (aDir.Length() == 0 &&
+ aValue.Length() == 0);
+}
+bool
CSP_IsValidDirective(const nsAString& aDir)
{
uint32_t numDirs = (sizeof(CSPStrDirectives) / sizeof(CSPStrDirectives[0]));
for (uint32_t i = 0; i < numDirs; i++) {
if (aDir.LowerCaseEqualsASCII(CSPStrDirectives[i])) {
return true;
}
--- a/dom/security/nsCSPUtils.h
+++ b/dom/security/nsCSPUtils.h
@@ -206,16 +206,17 @@ nsresult CSP_AppendCSPFromHeader(nsICont
const nsAString& aHeaderValue,
bool aReportOnly);
/* =============== Helpers ================== */
class nsCSPHostSrc;
nsCSPHostSrc* CSP_CreateHostSrcFromSelfURI(nsIURI* aSelfURI);
+bool CSP_IsEmptyDirective(const nsAString& aValue, const nsAString& aDir);
bool CSP_IsValidDirective(const nsAString& aDir);
bool CSP_IsDirective(const nsAString& aValue, CSPDirective aDir);
bool CSP_IsKeyword(const nsAString& aValue, enum CSPKeyword aKey);
bool CSP_IsQuotelessKeyword(const nsAString& aKey);
CSPDirective CSP_ContentTypeToDirective(nsContentPolicyType aType);
class nsCSPSrcVisitor;
copy from dom/security/test/csp/file_self_none_as_hostname_confusion.html
copy to dom/security/test/csp/file_empty_directive.html
copy from dom/security/test/csp/file_self_none_as_hostname_confusion.html^headers^
copy to dom/security/test/csp/file_empty_directive.html^headers^
--- a/dom/security/test/csp/file_self_none_as_hostname_confusion.html^headers^
+++ b/dom/security/test/csp/file_empty_directive.html^headers^
@@ -1,1 +1,1 @@
-Content-Security-Policy: default-src 'self' SELF;
+Content-Security-Policy: ;
--- a/dom/security/test/csp/mochitest.ini
+++ b/dom/security/test/csp/mochitest.ini
@@ -103,16 +103,18 @@ support-files =
file_dual_header_testserver.sjs
file_hash_source.html^headers^
file_scheme_relative_sources.js
file_scheme_relative_sources.sjs
file_ignore_unsafe_inline.html
file_ignore_unsafe_inline_multiple_policies_server.sjs
file_self_none_as_hostname_confusion.html
file_self_none_as_hostname_confusion.html^headers^
+ file_empty_directive.html
+ file_empty_directive.html^headers^
file_path_matching.html
file_path_matching_incl_query.html
file_path_matching.js
file_path_matching_redirect.html
file_path_matching_redirect_server.sjs
file_testserver.sjs
file_report_uri_missing_in_report_only_header.html
file_report_uri_missing_in_report_only_header.html^headers^
@@ -263,16 +265,17 @@ skip-if = toolkit == 'android' # Times o
[test_policyuri_regression_from_multipolicy.html]
[test_nonce_source.html]
[test_bug941404.html]
[test_form-action.html]
[test_hash_source.html]
[test_scheme_relative_sources.html]
[test_ignore_unsafe_inline.html]
[test_self_none_as_hostname_confusion.html]
+[test_empty_directive.html]
[test_path_matching.html]
[test_path_matching_redirect.html]
[test_report_uri_missing_in_report_only_header.html]
[test_report.html]
[test_301_redirect.html]
[test_302_redirect.html]
[test_303_redirect.html]
[test_307_redirect.html]
copy from dom/security/test/csp/test_self_none_as_hostname_confusion.html
copy to dom/security/test/csp/test_empty_directive.html
--- a/dom/security/test/csp/test_self_none_as_hostname_confusion.html
+++ b/dom/security/test/csp/test_empty_directive.html
@@ -1,55 +1,51 @@
<!DOCTYPE HTML>
<html>
<!--
-https://bugzilla.mozilla.org/show_bug.cgi?id=587377
+https://bugzilla.mozilla.org/show_bug.cgi?id=1439425
-->
<head>
<meta charset="utf-8">
- <title>Test for Bug 587377</title>
+ <title>Test for Bug 1439425</title>
<script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
</head>
<body>
-<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=587377">Mozilla Bug 587377</a>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1439425">Mozilla Bug 1439425</a>
<p id="display"></p>
<iframe id="cspframe"></iframe>
<pre id="test">
<script class="testbody" type="text/javascript">
-// Load locale string during mochitest
-var stringBundleService = SpecialPowers.Cc["@mozilla.org/intl/stringbundle;1"]
- .getService(SpecialPowers.Ci.nsIStringBundleService);
-var localizer = stringBundleService.createBundle("chrome://global/locale/security/csp.properties");
-var confusionMsg = localizer.formatStringFromName("hostNameMightBeKeyword", ["SELF", "self"], 2);
+let consoleCount = 0;
function cleanup() {
SpecialPowers.postConsoleSentinel();
- SimpleTest.finish();
-};
+}
-// To prevent the test from asserting twice and calling SimpleTest.finish() twice,
-// startTest will be marked false as soon as the confusionMsg is detected.
-startTest = false;
+function finish() {
+ SimpleTest.finish();
+}
+
SpecialPowers.registerConsoleListener(function ConsoleMsgListener(aMsg) {
- if (startTest) {
- if (aMsg.message.indexOf(confusionMsg) > -1) {
- startTest = false;
- ok(true, "CSP header with a hostname similar to keyword should be warned");
- SimpleTest.executeSoon(cleanup);
- } else {
- // don't see the warning yet? wait.
- return;
- }
+ if (aMsg.message == "SENTINEL") {
+ is(consoleCount, 0);
+ SimpleTest.executeSoon(finish);
+ } else {
+ ++consoleCount;
+ ok(false, "Must never see a console warning here");
}
});
// set up and start testing
SimpleTest.waitForExplicitFinish();
-document.getElementById('cspframe').src = 'file_self_none_as_hostname_confusion.html';
-startTest = true;
+let frame = document.getElementById('cspframe');
+frame.onload = () => {
+ SimpleTest.executeSoon(cleanup);
+};
+frame.src = 'file_empty_directive.html';
</script>
</pre>
</body>
</html>