author | Noemi Erli <nerli@mozilla.com> |
Thu, 26 Sep 2019 17:00:16 +0300 | |
changeset 495142 | 1d189ae70326e415f8590e3aeee24885fb8418bc |
parent 495141 | d89319819e435d737512719f56f844e6eeeb0303 |
child 495143 | 14c641ae451bb5816cf3bc3049ba88817b40920c |
child 495326 | 55d7658978ed751dcb334083dedfb4e083d761cd |
push id | 96461 |
push user | nerli@mozilla.com |
push date | Thu, 26 Sep 2019 14:05:30 +0000 |
bugs | 1583932 |
milestone | 71.0a1 |
backs out | c3579f540cd7c4ba60530659205675fd9aa80cc9 |
--- a/dom/interfaces/security/nsIContentSecurityPolicy.idl +++ b/dom/interfaces/security/nsIContentSecurityPolicy.idl @@ -324,16 +324,17 @@ interface nsIContentSecurityPolicy : nsI * * aOriginalURIIfRedirect must be passed only if this loading is the result * of a redirect. In this case, aOriginalURIIfRedirect must be the original * URL. */ short shouldLoad(in nsContentPolicyType aContentType, in nsICSPEventListener aCSPEventListener, in nsIURI aContentLocation, + in nsIURI aRequestOrigin, in nsISupports aContext, in ACString aMimeTypeGuess, in nsIURI aOriginalURIIfRedirect, in bool aSendViolationReports, in AString aNonce); %{ C++ // nsIObserver topic to fire when the policy encounters a violation.
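Review bot: The new `aRequestOrigin` argument has no description in the part of the doc comment visible here, which only explains `aOriginalURIIfRedirect`; the comment begins above the hunk, so it may already be covered there. Because the argument sits in the middle of a positional list on the call that decides whether a load is allowed, the interface should say what it carries and whether it may be null, given that the redirect callers in nsCSPService.cpp in this same change pass `nullptr`. I would add a line such as ` * aRequestOrigin is the URI of the loading principal, if it has one; it may be null.` Every later argument shifts by one, so any caller of shouldLoad outside this changeset has to be updated in the same push.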
--- a/dom/security/nsCSPContext.cpp +++ b/dom/security/nsCSPContext.cpp @@ -112,17 +112,18 @@ static void BlockedContentSourceToString } } /* ===== nsIContentSecurityPolicy impl ====== */ NS_IMETHODIMP nsCSPContext::ShouldLoad(nsContentPolicyType aContentType, nsICSPEventListener* aCSPEventListener, - nsIURI* aContentLocation, nsISupports* aRequestContext, + nsIURI* aContentLocation, nsIURI* aRequestOrigin, + nsISupports* aRequestContext, const nsACString& aMimeTypeGuess, nsIURI* aOriginalURIIfRedirect, bool aSendViolationReports, const nsAString& aNonce, int16_t* outDecision) { if (CSPCONTEXTLOGENABLED()) { CSPCONTEXTLOG(("nsCSPContext::ShouldLoad, aContentLocation: %s", aContentLocation->GetSpecOrDefault().get())); CSPCONTEXTLOG((">>>> aContentType: %d", aContentType));
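Review bot: `aRequestOrigin` is accepted here but nothing in the visible lines reads it, and the debug block that follows still logs only `aContentLocation` and `aContentType`. The body of ShouldLoad continues past the hunk, so I cannot tell whether the value takes part in the decision. If it does, it needs a null check, because the redirect path in nsCSPService.cpp passes `nullptr` for it. If it does not, a comment at the top of the body such as `// aRequestOrigin is not consulted for the CSP decision; may be null.` would keep readers from assuming an origin check happens here.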
--- a/dom/security/nsCSPService.cpp +++ b/dom/security/nsCSPService.cpp @@ -102,16 +102,21 @@ bool subjectToCSP(nsIURI* aURI, nsConten const nsACString& aMimeTypeGuess, int16_t* aDecision) { if (!aContentLocation) { return NS_ERROR_FAILURE; } uint32_t contentType = aLoadInfo->InternalContentPolicyType(); nsCOMPtr<nsISupports> requestContext = aLoadInfo->GetLoadingContext(); + nsCOMPtr<nsIURI> requestOrigin; + nsCOMPtr<nsIPrincipal> loadingPrincipal = aLoadInfo->LoadingPrincipal(); + if (loadingPrincipal) { + loadingPrincipal->GetURI(getter_AddRefs(requestOrigin)); + } nsCOMPtr<nsICSPEventListener> cspEventListener; nsresult rv = aLoadInfo->GetCspEventListener(getter_AddRefs(cspEventListener)); NS_ENSURE_SUCCESS(rv, rv); if (MOZ_LOG_TEST(gCspPRLog, LogLevel::Debug)) { MOZ_LOG(gCspPRLog, LogLevel::Debug, @@ -139,18 +144,18 @@ bool subjectToCSP(nsIURI* aURI, nsConten // 1) Apply speculate CSP for preloads bool isPreload = nsContentUtils::IsPreloadType(contentType); if (isPreload) { nsCOMPtr<nsIContentSecurityPolicy> preloadCsp = aLoadInfo->GetPreloadCsp(); if (preloadCsp) { // obtain the enforcement decision rv = preloadCsp->ShouldLoad( - contentType, cspEventListener, aContentLocation, requestContext, - aMimeTypeGuess, + contentType, cspEventListener, aContentLocation, requestOrigin, + requestContext, aMimeTypeGuess, nullptr, // no redirect, aOriginal URL is null. aLoadInfo->GetSendCSPViolationEvents(), cspNonce, aDecision); NS_ENSURE_SUCCESS(rv, rv); // if the preload policy already denied the load, then there // is no point in checking the real policy if (NS_CP_REJECTED(*aDecision)) { NS_SetRequestBlockingReason( 
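Review bot: In the first hunk (@@ -102), the nsresult from `loadingPrincipal->GetURI(...)` is dropped, so `requestOrigin` silently stays null when the call fails or yields no URI. That appears to be tolerated, since the redirect callers later in this file pass `nullptr` for the same argument, but the intent is not stated and the surrounding code otherwise checks results with NS_ENSURE_SUCCESS. I would either check the result or make the best-effort nature explicit with a comment, e.g. `// Best effort: requestOrigin stays null if the loading principal exposes no URI.` The enclosing function starts and ends outside the hunk.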
@@ -165,17 +170,17 @@ bool subjectToCSP(nsIURI* aURI, nsConten // the csp should be overruled (e.g. by an ExpandedPrincipal) // then loadinfo->GetCSP() returns that CSP instead of the // document's CSP. nsCOMPtr<nsIContentSecurityPolicy> csp = aLoadInfo->GetCsp(); if (csp) { // obtain the enforcement decision rv = csp->ShouldLoad(contentType, cspEventListener, aContentLocation, - requestContext, aMimeTypeGuess, + requestOrigin, requestContext, aMimeTypeGuess, nullptr, // no redirect, aOriginal URL is null. aLoadInfo->GetSendCSPViolationEvents(), cspNonce, aDecision); if (NS_CP_REJECTED(*aDecision)) { NS_SetRequestBlockingReason( aLoadInfo, nsILoadInfo::BLOCKING_REASON_CONTENT_POLICY_GENERAL); } @@ -332,16 +337,17 @@ nsresult CSPService::ConsultCSPForRedire if (isPreload) { nsCOMPtr<nsIContentSecurityPolicy> preloadCsp = aLoadInfo->GetPreloadCsp(); if (preloadCsp) { // Pass originalURI to indicate the redirect preloadCsp->ShouldLoad( policyType, // load type per nsIContentPolicy (uint32_t) cspEventListener, aNewURI, // nsIURI + nullptr, // nsIURI requestContext, // nsISupports EmptyCString(), // ACString - MIME guess aOriginalURI, // Original nsIURI true, // aSendViolationReports cspNonce, // nonce &decision); // if the preload policy already denied the load, then there @@ -355,16 +361,17 @@ nsresult CSPService::ConsultCSPForRedire // 2) Apply actual CSP to all loads nsCOMPtr<nsIContentSecurityPolicy> csp = aLoadInfo->GetCsp(); if (csp) { // Pass originalURI to indicate the redirect csp->ShouldLoad(policyType, // load type per nsIContentPolicy (uint32_t) cspEventListener, aNewURI, // nsIURI + nullptr, // nsIURI requestContext, // nsISupports EmptyCString(), // ACString - MIME guess aOriginalURI, // Original nsIURI true, // aSendViolationReports cspNonce, // nonce &decision); if (NS_CP_REJECTED(decision)) { aCancelCode = Some(NS_ERROR_DOM_BAD_URI);
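Review bot: In the two redirect hunks (@@ -332 and @@ -355), the added `nullptr, // nsIURI` argument carries the same trailing comment as the `aNewURI` line above it, so nothing says which parameter is being left empty. These calls also differ from the non-redirect calls earlier in the file, which pass the loading principal's URI in that position, so the same policy object is given a request origin on the initial load and none on a redirect. I would write `nullptr, // aRequestOrigin: not supplied for redirect checks` in both places and state in the nearby comment whether the difference is intended. Both call sites sit inside a function whose start and end are outside these hunks.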