Bug 1277557 - CSP require-sri-for does not block when CSP is in meta tag r=francois
authorChristoph Kerschbaumer <ckerschb@christophkerschbaumer.com>
Fri, 08 Jul 2016 07:26:12 +0200
changeset 304156 2373b4f2f321e24560ae06f39bdd5cd71f5c34a5
parent 304155 b8274835178599b7dfd55860f84406afb40bd673
child 304157 fe2cd5c40e738a41a3899b9b70e33810c8ea0a57
push id79256
push usermozilla@christophkerschbaumer.com
push dateFri, 08 Jul 2016 05:58:12 +0000
reviewersfrancois
bugs1277557
milestone50.0a1
Bug 1277557 - CSP require-sri-for does not block when CSP is in meta tag r=francois
netwerk/base/LoadInfo.cpp
--- a/netwerk/base/LoadInfo.cpp
+++ b/netwerk/base/LoadInfo.cpp
@@ -145,24 +145,34 @@ LoadInfo::LoadInfo(nsIPrincipal* aLoadin
   }
 
     // If CSP requires SRI (require-sri-for), then store that information
     // in the loadInfo so we can enforce SRI before loading the subresource.
     if (!mEnforceSRI) {
       // do not look into the CSP if already true:
       // a CSP saying that SRI isn't needed should not
       // overrule GetVerifySignedContent
-      nsCOMPtr<nsIContentSecurityPolicy> csp;
       if (aLoadingPrincipal) {
+        nsCOMPtr<nsIContentSecurityPolicy> csp;
         aLoadingPrincipal->GetCsp(getter_AddRefs(csp));
+        uint32_t externalType =
+          nsContentUtils::InternalContentPolicyTypeToExternal(aContentPolicyType);
         // csp could be null if loading principal is system principal
         if (csp) {
-          uint32_t loadType =
-            nsContentUtils::InternalContentPolicyTypeToExternal(aContentPolicyType);
-          csp->RequireSRIForType(loadType, &mEnforceSRI);
+          csp->RequireSRIForType(externalType, &mEnforceSRI);
+        }
+        // if CSP is delivered via a meta tag, it's speculatively available
+        // as 'preloadCSP'. If we are preloading a script or style, we have
+        // to apply that speculative 'preloadCSP' for such loads.
+        if (!mEnforceSRI && nsContentUtils::IsPreloadType(aContentPolicyType)) {
+          nsCOMPtr<nsIContentSecurityPolicy> preloadCSP;
+          aLoadingPrincipal->GetPreloadCsp(getter_AddRefs(preloadCSP));
+          if (preloadCSP) {
+            preloadCSP->RequireSRIForType(externalType, &mEnforceSRI);
+          }
         }
       }
     }
 
   if (!(mSecurityFlags & nsILoadInfo::SEC_FORCE_PRIVATE_BROWSING)) {
     if (aLoadingContext) {
       nsCOMPtr<nsILoadContext> loadContext =
         aLoadingContext->OwnerDoc()->GetLoadContext();
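Review bot: The new preload branch discards the nsresult of both `aLoadingPrincipal->GetPreloadCsp(...)` and `preloadCSP->RequireSRIForType(externalType, &mEnforceSRI)`, so if either call fails, mEnforceSRI stays false and the require-sri-for check fails open for that preload. The existing `csp->RequireSRIForType` call a few lines above has the same pattern. Since a constructor cannot propagate the error, I would at least surface it, e.g. `nsresult rv = preloadCSP->RequireSRIForType(externalType, &mEnforceSRI);` followed by `NS_WARN_IF(NS_FAILED(rv));`. The added comment says "script or style", but the guard is `nsContentUtils::IsPreloadType(aContentPolicyType)`, whose accepted types are not visible here; if it covers more than those two, the comment should say so. The LoadInfo constructor starts and ends outside this hunk, so later handling of mEnforceSRI cannot be checked from here.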