Bug 1273364 - Trying to set a CSP on a SystemPrincipal should return NS_ERROR (r=njn)
authorChristoph Kerschbaumer <ckerschb@christophkerschbaumer.com>
Sat, 21 May 2016 19:36:24 +0200
changeset 298337 4ac6078ac2b44ad603a02fca4d0d3375f9f4e71c
parent 298336 25805491cfe83f5750156a4447ae71456c2983d0
child 298338 0e4369105765ec3026a66e5d8bfb01f5ac996a16
push id77126
push usermozilla@christophkerschbaumer.com
push dateSat, 21 May 2016 18:06:25 +0000
treeherdermozilla-inbound@4ac6078ac2b4 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersnjn
bugs1273364
milestone49.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1273364 - Trying to set a CSP on a SystemPrincipal should return NS_ERROR (r=njn)
caps/nsSystemPrincipal.cpp
dom/base/nsDocument.cpp
dom/html/HTMLMetaElement.cpp
--- a/caps/nsSystemPrincipal.cpp
+++ b/caps/nsSystemPrincipal.cpp
@@ -69,17 +69,17 @@ nsSystemPrincipal::GetCsp(nsIContentSecu
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsSystemPrincipal::EnsureCSP(nsIDOMDocument* aDocument,
                              nsIContentSecurityPolicy** aCSP)
 {
   // CSP on a system principal makes no sense
-  return NS_OK;
+  return NS_ERROR_FAILURE;
 }
 
 NS_IMETHODIMP
 nsSystemPrincipal::GetPreloadCsp(nsIContentSecurityPolicy** aPreloadCSP)
 {
   *aPreloadCSP = nullptr;
   return NS_OK;
 }
--- a/dom/base/nsDocument.cpp
+++ b/dom/base/nsDocument.cpp
@@ -2747,17 +2747,16 @@ nsDocument::ApplySettingsFromCSP(bool aS
       NS_ENSURE_SUCCESS_VOID(rv);
     }
   }
 }
 
 nsresult
 nsDocument::InitCSP(nsIChannel* aChannel)
 {
-  nsCOMPtr<nsIContentSecurityPolicy> csp;
   if (!CSPService::sCSPEnabled) {
     MOZ_LOG(gCspPRLog, LogLevel::Debug,
            ("CSP is disabled, skipping CSP init for document %p", this));
     return NS_OK;
   }
 
   nsAutoCString tCspHeaderValue, tCspROHeaderValue;
 
@@ -2867,16 +2866,17 @@ nsDocument::InitCSP(nsIChannel* aChannel
       MOZ_LOG(gCspPRLog, LogLevel::Debug, ("%s %s %s",
            "This document is sharing principal with another document.",
            "Since the document is an app, CSP was already set.",
            "Skipping attempt to set CSP."));
       return NS_OK;
     }
   }
 
+  nsCOMPtr<nsIContentSecurityPolicy> csp;
   rv = principal->EnsureCSP(this, getter_AddRefs(csp));
   NS_ENSURE_SUCCESS(rv, rv);
 
   // ----- if the doc is an app and we want a default CSP, apply it.
   if (applyAppDefaultCSP) {
     csp->AppendPolicy(appDefaultCSP, false, false);
   }
 
--- a/dom/html/HTMLMetaElement.cpp
+++ b/dom/html/HTMLMetaElement.cpp
@@ -113,28 +113,27 @@ HTMLMetaElement::BindToTree(nsIDocument*
       nsAutoString content;
       rv = GetContent(content);
       NS_ENSURE_SUCCESS(rv, rv);
       content = nsContentUtils::TrimWhitespace<nsContentUtils::IsHTMLWhitespace>(content);
 
       nsIPrincipal* principal = aDocument->NodePrincipal();
       nsCOMPtr<nsIContentSecurityPolicy> csp;
       nsCOMPtr<nsIDOMDocument> domDoc = do_QueryInterface(aDocument);
-      rv = principal->EnsureCSP(domDoc, getter_AddRefs(csp));
-      NS_ENSURE_SUCCESS(rv, rv);
-
-      // Multiple CSPs (delivered through either header of meta tag) need to be
-      // joined together, see:
-      // https://w3c.github.io/webappsec/specs/content-security-policy/#delivery-html-meta-element
-      rv = csp->AppendPolicy(content,
-                             false, // csp via meta tag can not be report only
-                             true); // delivered through the meta tag
-      NS_ENSURE_SUCCESS(rv, rv);
-
-      aDocument->ApplySettingsFromCSP(false);
+      principal->EnsureCSP(domDoc, getter_AddRefs(csp));
+      if (csp) {
+        // Multiple CSPs (delivered through either header of meta tag) need to be
+        // joined together, see:
+        // https://w3c.github.io/webappsec/specs/content-security-policy/#delivery-html-meta-element
+        rv = csp->AppendPolicy(content,
+                               false, // csp via meta tag can not be report only
+                               true); // delivered through the meta tag
+        NS_ENSURE_SUCCESS(rv, rv);
+        aDocument->ApplySettingsFromCSP(false);
+      }
     }
   }
 
   // Referrer Policy spec requires a <meta name="referrer" tag to be in the
   // <head> element.
   rv = SetMetaReferrer(aDocument);
   if (NS_WARN_IF(NS_FAILED(rv))) {
     return rv;