Bug 1474537 - CSP 'self' should translate to 'self' and not be resolved to actual self URI. r=dveditz
☠☠ backed out by 3539fcf96993 ☠ ☠
authorChristoph Kerschbaumer <ckerschb@christophkerschbaumer.com>
Fri, 20 Jul 2018 10:39:31 +0200
changeset 427523 113b601a3b59dcd2e0e838317b583379000df122
parent 427522 05b49818ba6a1498e1a131257957d18617d7125b
child 427524 d3ac68d9ead9928113b8916e6020b5d6aa261ff8
push id66680
push usercsabou@mozilla.com
push dateFri, 20 Jul 2018 21:49:32 +0000
reviewersdveditz
bugs1474537
milestone63.0a1
Bug 1474537 - CSP 'self' should translate to 'self' and not be resolved to actual self URI. r=dveditz
dom/security/nsCSPUtils.cpp
dom/security/test/csp/test_meta_csp_self.html
dom/security/test/csp/test_report_for_import.html
dom/security/test/gtest/TestCSPParser.cpp
testing/web-platform/meta/content-security-policy/frame-src/frame-src-redirect.html.ini
testing/web-platform/meta/content-security-policy/frame-src/frame-src-self-unique-origin.html.ini
testing/web-platform/meta/content-security-policy/img-src/img-src-self-unique-origin.html.ini
toolkit/components/extensions/test/xpcshell/test_ext_content_security_policy.js
--- a/dom/security/nsCSPUtils.cpp
+++ b/dom/security/nsCSPUtils.cpp
@@ -758,16 +758,21 @@ bool
 nsCSPHostSrc::visit(nsCSPSrcVisitor* aVisitor) const
 {
   return aVisitor->visitHostSrc(*this);
 }
 
 void
 nsCSPHostSrc::toString(nsAString& outStr) const
 {
+  if (mGeneratedFromSelfKeyword) {
+    outStr.AppendASCII("'self'");
+    return;
+  }
+
   // If mHost is a single "*", we append the wildcard and return.
   if (mHost.EqualsASCII("*") &&
       mScheme.IsEmpty() &&
       mPort.IsEmpty()) {
     outStr.Append(mHost);
     return;
   }
 
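Review bot: The early return added at the top of nsCSPHostSrc::toString deliberately discards mScheme/mHost/mPort for a source generated from the 'self' keyword, but nothing says why, so the next maintainer may "fix" it back to the resolved host. Suggest a comment above the check: `// A source generated from 'self' must serialize back to the keyword: the policy echoed in violation reports (original-policy) and in the CSP JSON is the policy as delivered, not the resolved self origin (an opaque origin such as data: previously serialized as "data://").` As far as this hunk shows the flag only affects serialization; matching is untouched. nsCSPHostSrc::toString continues past the end of the hunk.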
--- a/dom/security/test/csp/test_meta_csp_self.html
+++ b/dom/security/test/csp/test_meta_csp_self.html
@@ -39,17 +39,17 @@ function receiveMessage(event) {
   ok(cspOBJ, "sanity: was able to parse the CSP JSON");
 
   // make sure we only got one policy
   var policies = cspOBJ["csp-policies"];
   is(policies.length, 1, "sanity: received one CSP policy");
 
   var policy = policies[0];
   var val = policy['img-src'];
-  is(val.toString(), "data://", "'self' should translate into data");
+  is(val.toString(), "'self'", "'self' should translate into data");
   SimpleTest.finish();
 }
 
 SpecialPowers.pushPrefEnv(
   {'set':[["security.data_uri.unique_opaque_origin", true]]},
   function() {
     let DATA_URI = `data:text/html,
       <html>
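Review bot: The assertion message on the changed line is now stale — it still says "'self' should translate into data" while the expected value is the literal keyword. Suggest `is(val.toString(), "'self'", "'self' should serialize as 'self', not the resolved origin");`. receiveMessage begins above the hunk.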
--- a/dom/security/test/csp/test_report_for_import.html
+++ b/dom/security/test/csp/test_report_for_import.html
@@ -47,20 +47,17 @@ function checkResults(reportStr) {
 
     is(cspReport["document-uri"], DOC_URI, "Incorrect document-uri");
     is(cspReport["referrer"],
        "http://mochi.test:8888/tests/dom/security/test/csp/test_report_for_import.html",
        "Incorrect referrer");
     is(cspReport["violated-directive"],
        "style-src",
        "Incorrect violated-directive");
-    is(cspReport["original-policy"],
-       "style-src http://mochi.test:8888; report-uri " +
-       "http://mochi.test:8888/tests/dom/security/test/csp/file_report_for_import_server.sjs?report",
-       "Incorrect original-policy");
+    is(cspReport["original-policy"], POLICY, "Incorrect original-policy");
     is(cspReport["blocked-uri"],
        "http://example.com/tests/dom/security/test/csp/file_report_for_import_server.sjs?stylesheet",
        "Incorrect blocked-uri");
 
     // we do not always set the following fields
     is(cspReport["source-file"], undefined, "Incorrect source-file");
     is(cspReport["script-sample"], undefined, "Incorrect script-sample");
     is(cspReport["line-number"], undefined, "Incorrect line-number");
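Review bot: `POLICY` is not defined within this hunk, so it is presumably a file-level constant holding the policy as served; it is worth confirming it is byte-identical to the delivered header value including the report-uri, since original-policy in a report should echo the policy verbatim and the removed literal pinned exactly that. checkResults begins above the hunk.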
--- a/dom/security/test/gtest/TestCSPParser.cpp
+++ b/dom/security/test/gtest/TestCSPParser.cpp
@@ -229,51 +229,51 @@ TEST(CSPParser, Directives)
 
 // ============================= TestKeywords ========================
 
 TEST(CSPParser, Keywords)
 {
   static const PolicyTest policies[] =
   {
     { "script-src 'self'",
-      "script-src http://www.selfuri.com" },
+      "script-src 'self'" },
     { "script-src 'unsafe-inline'",
       "script-src 'unsafe-inline'" },
     { "script-src 'unsafe-eval'",
       "script-src 'unsafe-eval'" },
     { "script-src 'unsafe-inline' 'unsafe-eval'",
       "script-src 'unsafe-inline' 'unsafe-eval'" },
     { "script-src 'none'",
       "script-src 'none'" },
     { "img-src 'none'; script-src 'unsafe-eval' 'unsafe-inline'; default-src 'self'",
-      "img-src 'none'; script-src 'unsafe-eval' 'unsafe-inline'; default-src http://www.selfuri.com" },
+      "img-src 'none'; script-src 'unsafe-eval' 'unsafe-inline'; default-src 'self'" },
   };
 
   uint32_t policyCount = sizeof(policies) / sizeof(PolicyTest);
   ASSERT_TRUE(NS_SUCCEEDED(runTestSuite(policies, policyCount, 1)));
 }
 
 // ============================= TestIgnoreUpperLowerCasePolicies ========================
 
 TEST(CSPParser, IgnoreUpperLowerCasePolicies)
 {
   static const PolicyTest policies[] =
   {
     { "script-src 'SELF'",
-      "script-src http://www.selfuri.com" },
+      "script-src 'self'" },
     { "sCriPt-src 'Unsafe-Inline'",
       "script-src 'unsafe-inline'" },
     { "SCRIPT-src 'unsafe-eval'",
       "script-src 'unsafe-eval'" },
     { "default-SRC 'unsafe-inline' 'unsafe-eval'",
       "default-src 'unsafe-inline' 'unsafe-eval'" },
     { "script-src 'NoNe'",
       "script-src 'none'" },
     { "img-sRc 'noNe'; scrIpt-src 'unsafe-EVAL' 'UNSAFE-inline'; deFAULT-src 'Self'",
-      "img-src 'none'; script-src 'unsafe-eval' 'unsafe-inline'; default-src http://www.selfuri.com" },
+      "img-src 'none'; script-src 'unsafe-eval' 'unsafe-inline'; default-src 'self'" },
     { "default-src HTTP://www.example.com",
       "default-src http://www.example.com" },
     { "default-src HTTP://WWW.EXAMPLE.COM",
       "default-src http://www.example.com" },
     { "default-src HTTPS://*.example.COM",
       "default-src https://*.example.com" },
     { "script-src 'none' test.com;",
       "script-src http://test.com" },
@@ -413,35 +413,35 @@ TEST(CSPParser, SimplePolicies)
       "default-src http://*:80" },
     { "default-src javascript:",
       "default-src javascript:" },
     { "default-src data:",
       "default-src data:" },
     { "script-src 'unsafe-eval' 'unsafe-inline' http://www.example.com",
       "script-src 'unsafe-eval' 'unsafe-inline' http://www.example.com" },
     { "object-src 'self'",
-      "object-src http://www.selfuri.com" },
+      "object-src 'self'" },
     { "style-src http://www.example.com 'self'",
-      "style-src http://www.example.com http://www.selfuri.com" },
+      "style-src http://www.example.com 'self'" },
     { "media-src http://www.example.com http://www.test.com",
       "media-src http://www.example.com http://www.test.com" },
     { "connect-src http://www.test.com example.com *.other.com;",
       "connect-src http://www.test.com http://example.com http://*.other.com"},
     { "connect-src example.com *.other.com",
       "connect-src http://example.com http://*.other.com"},
     { "style-src *.other.com example.com",
       "style-src http://*.other.com http://example.com"},
     { "default-src 'self'; img-src *;",
-      "default-src http://www.selfuri.com; img-src *" },
+      "default-src 'self'; img-src *" },
     { "object-src media1.example.com media2.example.com *.cdn.example.com;",
       "object-src http://media1.example.com http://media2.example.com http://*.cdn.example.com" },
     { "script-src trustedscripts.example.com",
       "script-src http://trustedscripts.example.com" },
     { "script-src 'self' ; default-src trustedscripts.example.com",
-      "script-src http://www.selfuri.com; default-src http://trustedscripts.example.com" },
+      "script-src 'self'; default-src http://trustedscripts.example.com" },
     { "default-src 'none'; report-uri http://localhost:49938/test",
       "default-src 'none'; report-uri http://localhost:49938/test" },
     { "   ;   default-src abc",
       "default-src http://abc" },
     { " ; ; ; ;     default-src            abc    ; ; ; ;",
       "default-src http://abc" },
     { "script-src 'none' 'none' 'none';",
       "script-src 'none'" },
@@ -471,17 +471,17 @@ TEST(CSPParser, SimplePolicies)
 
 // ============================= TestPoliciesWithInvalidSrc ========================
 
 TEST(CSPParser, PoliciesWithInvalidSrc)
 {
   static const PolicyTest policies[] =
   {
     { "script-src 'self'; SCRIPT-SRC http://www.example.com",
-      "script-src http://www.selfuri.com" },
+      "script-src 'self'" },
     { "script-src 'none' test.com; script-src example.com",
       "script-src http://test.com" },
     { "default-src **",
       "default-src 'none'" },
     { "default-src 'self",
       "default-src 'none'" },
     { "default-src 'unsafe-inlin' ",
       "default-src 'none'" },
@@ -588,17 +588,17 @@ TEST(CSPParser, BadPolicies)
 
 // ============================= TestGoodGeneratedPolicies ========================
 
 TEST(CSPParser, GoodGeneratedPolicies)
 {
   static const PolicyTest policies[] =
   {
     { "default-src 'self'; img-src *",
-      "default-src http://www.selfuri.com; img-src *" },
+      "default-src 'self'; img-src *" },
     { "report-uri /policy",
       "report-uri http://www.selfuri.com/policy"},
     { "img-src *",
       "img-src *" },
     { "media-src foo.bar",
       "media-src http://foo.bar" },
     { "frame-src *.bar",
       "frame-src http://*.bar" },
@@ -690,17 +690,17 @@ TEST(CSPParser, GoodGeneratedPolicies)
       "connect-src http://bar.com:400" },
     { "default-src http://evil.com",
       "default-src http://evil.com" },
     { "script-src https://evil.com:100",
       "script-src https://evil.com:100" },
     { "default-src bar.com; script-src https://foo.com",
       "default-src http://bar.com; script-src https://foo.com" },
     { "default-src 'self'; script-src 'self' https://*:*",
-      "default-src http://www.selfuri.com; script-src http://www.selfuri.com https://*:*" },
+      "default-src 'self'; script-src 'self' https://*:*" },
     { "img-src http://self.com:34",
       "img-src http://self.com:34" },
     { "media-src http://subd.self.com:34",
       "media-src http://subd.self.com:34" },
     { "default-src 'none'",
       "default-src 'none'" },
     { "connect-src http://self",
       "connect-src http://self" },
@@ -752,65 +752,65 @@ TEST(CSPParser, GoodGeneratedPolicies)
       "img-src http://foobar.com:4443" },
     { "media-src bar.com",
       "media-src http://bar.com" },
     { "frame-src http://bar.com",
       "frame-src http://bar.com" },
     { "font-src http://self.com/",
       "font-src http://self.com/" },
     { "script-src 'self'",
-      "script-src http://www.selfuri.com" },
+      "script-src 'self'" },
     { "default-src http://self.com/foo.png",
       "default-src http://self.com/foo.png" },
     { "script-src http://self.com/foo.js",
       "script-src http://self.com/foo.js" },
     { "object-src http://bar.com/foo.js",
       "object-src http://bar.com/foo.js" },
     { "style-src http://FOO.COM",
       "style-src http://foo.com" },
     { "img-src HTTP",
       "img-src http://http" },
     { "media-src http",
       "media-src http://http" },
     { "frame-src 'SELF'",
-      "frame-src http://www.selfuri.com" },
+      "frame-src 'self'" },
     { "DEFAULT-src 'self';",
-      "default-src http://www.selfuri.com" },
+      "default-src 'self'" },
     { "default-src 'self' http://FOO.COM",
-      "default-src http://www.selfuri.com http://foo.com" },
+      "default-src 'self' http://foo.com" },
     { "default-src 'self' HTTP://foo.com",
-      "default-src http://www.selfuri.com http://foo.com" },
+      "default-src 'self' http://foo.com" },
     { "default-src 'NONE'",
       "default-src 'none'" },
     { "script-src policy-uri ",
       "script-src http://policy-uri" },
     { "img-src 'self'; ",
-      "img-src http://www.selfuri.com" },
+      "img-src 'self'" },
     { "frame-ancestors foo-bar.com",
       "frame-ancestors http://foo-bar.com" },
     { "frame-ancestors http://a.com",
       "frame-ancestors http://a.com" },
     { "frame-ancestors 'self'",
-      "frame-ancestors http://www.selfuri.com" },
+      "frame-ancestors 'self'" },
     { "frame-ancestors http://self.com:88",
       "frame-ancestors http://self.com:88" },
     { "frame-ancestors http://a.b.c.d.e.f.g.h.i.j.k.l.x.com",
       "frame-ancestors http://a.b.c.d.e.f.g.h.i.j.k.l.x.com" },
     { "frame-ancestors https://self.com:34",
       "frame-ancestors https://self.com:34" },
     { "frame-ancestors http://sampleuser:samplepass@example.com",
       "frame-ancestors 'none'" },
     { "default-src 'none'; frame-ancestors 'self'",
-      "default-src 'none'; frame-ancestors http://www.selfuri.com" },
+      "default-src 'none'; frame-ancestors 'self'" },
     { "frame-ancestors http://self:80",
       "frame-ancestors http://self:80" },
     { "frame-ancestors http://self.com/bar",
       "frame-ancestors http://self.com/bar" },
     { "default-src 'self'; frame-ancestors 'self'",
-      "default-src http://www.selfuri.com; frame-ancestors http://www.selfuri.com" },
+      "default-src 'self'; frame-ancestors 'self'" },
     { "frame-ancestors http://bar.com/foo.png",
       "frame-ancestors http://bar.com/foo.png" },
   };
 
   uint32_t policyCount = sizeof(policies) / sizeof(PolicyTest);
   ASSERT_TRUE(NS_SUCCEEDED(runTestSuite(policies, policyCount, 1)));
 }
 
deleted file mode 100644
--- a/testing/web-platform/meta/content-security-policy/frame-src/frame-src-redirect.html.ini
+++ /dev/null
@@ -1,5 +0,0 @@
-[frame-src-redirect.html]
-  expected: TIMEOUT
-  [Redirected iframe src should evaluate both enforced and report-only policies on both original request and when following redirect]
-    expected: TIMEOUT
-
deleted file mode 100644
--- a/testing/web-platform/meta/content-security-policy/frame-src/frame-src-self-unique-origin.html.ini
+++ /dev/null
@@ -1,5 +0,0 @@
-[frame-src-self-unique-origin.html]
-  expected: TIMEOUT
-  [Iframe's url must not match with 'self'. It must be blocked.]
-    expected: TIMEOUT
-
deleted file mode 100644
--- a/testing/web-platform/meta/content-security-policy/img-src/img-src-self-unique-origin.html.ini
+++ /dev/null
@@ -1,5 +0,0 @@
-[img-src-self-unique-origin.html]
-  expected: TIMEOUT
-  [Image's url must not match with 'self'. Image must be blocked.]
-    expected: TIMEOUT
-
--- a/toolkit/components/extensions/test/xpcshell/test_ext_content_security_policy.js
+++ b/toolkit/components/extensions/test/xpcshell/test_ext_content_security_policy.js
@@ -37,23 +37,19 @@ async function testPolicy(customCSP = nu
     }
 
     content_security_policy = Object.keys(customCSP)
       .map(key => `${key} ${customCSP[key]}`)
       .join("; ");
   }
 
 
-  function filterSelf(sources) {
-    return sources.map(src => src == "'self'" ? baseURL : src);
-  }
-
   function checkSource(name, policy, expected) {
     equal(JSON.stringify(policy[name].sort()),
-          JSON.stringify(filterSelf(expected[name]).sort()),
+          JSON.stringify(expected[name].sort()),
           `Expected value for ${name}`);
   }
 
   function checkCSP(csp, location) {
     let policies = csp["csp-policies"];
 
     info(`Base policy for ${location}`);
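Review bot: With filterSelf gone, `expected[name].sort()` now sorts the caller's expected array in place, whereas the removed map() call sorted a fresh copy; if the expected object is reused across locations or tests, the fixture is now mutated between checks. Sorting a copy, `JSON.stringify([...expected[name]].sort())`, keeps the old non-mutating behaviour. baseURL may now be unused if filterSelf was its only consumer — worth checking, as testPolicy begins outside the hunk.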