author | Francois Marier <francois@mozilla.com> |
Thu, 07 Jul 2016 14:44:51 -0700 | |
changeset 304137 | 0a64cf8e2fb51ab0fe81bf0bb154caf2e5848d93 |
parent 304136 | 7975518290c621749e1e2111f2dd39f093681dea |
child 304138 | 98eca6a35e1a96107aba99410afb256bdb2dd6cd |
push id | 30414 |
push user | cbook@mozilla.com |
push date | Fri, 08 Jul 2016 09:59:01 +0000 |
reviewers | ckerschb, jkt |
bugs | 1269241 |
milestone | 50.0a1 |
--- a/dom/security/SRICheck.cpp
+++ b/dom/security/SRICheck.cpp
@@ -319,16 +319,25 @@ SRICheckDataVerifier::VerifyHash(const S
 nsContentUtils::ReportToConsole(nsIScriptError::errorFlag, NS_LITERAL_CSTRING("Sub-resource Integrity"), aDocument, nsContentUtils::eSECURITY_PROPERTIES, "InvalidIntegrityLength");
 return NS_ERROR_SRI_CORRUPT;
 }
+ if (MOZ_LOG_TEST(SRILogHelper::GetSriLog(), mozilla::LogLevel::Debug)) {
+ nsAutoCString encodedHash;
+ nsresult rv = Base64Encode(mComputedHash, encodedHash);
+ if (NS_SUCCEEDED(rv)) {
+ SRILOG(("SRICheckDataVerifier::VerifyHash, mComputedHash=%s",
+ encodedHash.get()));
+ }
+ }
+
 if (!binaryHash.Equals(mComputedHash)) {
 SRILOG(("SRICheckDataVerifier::VerifyHash, hash[%u] did not match", aHashIndex));
 return NS_ERROR_SRI_CORRUPT;
 }
 SRILOG(("SRICheckDataVerifier::VerifyHash, hash[%u] verified successfully", aHashIndex));
 return NS_OK;
 }
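Review bot: The new debug line in `VerifyHash` logs `mComputedHash` without `aHashIndex`, so if the integrity attribute carries several hashes the output cannot be matched to the `hash[%u] did not match` line that follows. Consider `SRILOG(("SRICheckDataVerifier::VerifyHash, hash[%u] mComputedHash=%s", aHashIndex, encodedHash.get()));`. A failed `Base64Encode` is skipped silently; since this branch only runs at Debug level, an `else` that logs the failure would cost nothing. A one-line comment such as `// Encode only when SRI debug logging is enabled; the digest is logged so it can be compared with the integrity attribute` would also explain the `MOZ_LOG_TEST` guard. The function starts above this hunk, so how `binaryHash` is decoded is not visible here.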
--- a/dom/security/test/sri/iframe_style_sameorigin.html
+++ b/dom/security/test/sri/iframe_style_sameorigin.html
@@ -56,16 +56,35 @@
 ok(false, "We should load stylesheets using blob: URLs with the right hash!");
 }
 function good_invalidBlobBlocked() {
 ok(true, "A stylesheet was blocked successfully from a blob: URL with an invalid hash.");
 }
 function bad_invalidBlobLoaded() {
 ok(false, "We should not load stylesheets using blob: URLs when they have the wrong hash!");
 }
+
+ function good_correctUTF8HashLoaded() {
+ ok(true, "A UTF8 stylesheet was correctly loaded when integrity matched");
+ }
+ function bad_correctUTF8HashBlocked() {
+ ok(false, "We should load UTF8 stylesheets with hashes that match!");
+ }
+ function good_correctUTF8BOMHashLoaded() {
+ ok(true, "A UTF8 stylesheet (with BOM) was correctly loaded when integrity matched");
+ }
+ function bad_correctUTF8BOMHashBlocked() {
+ todo(false, "We should load UTF8 (with BOM) stylesheets with hashes that match!");
+ }
+ function good_correctUTF8ishHashLoaded() {
+ ok(true, "A UTF8ish stylesheet was correctly loaded when integrity matched");
+ }
+ function bad_correctUTF8ishHashBlocked() {
+ todo(false, "We should load UTF8ish stylesheets with hashes that match!");
+ }
 </script>
 <!-- valid sha256 hash. should trigger onload -->
 <link rel="stylesheet" href="style1.css" integrity="sha256-qs8lnkunWoVldk5d5E+652yth4VTSHohlBKQvvgGwa8=" onerror="bad_correctHashBlocked()" onload="good_correctHashLoaded()">
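Review bot: The `todo(false, …)` handlers `bad_correctUTF8BOMHashBlocked` and `bad_correctUTF8ishHashBlocked` record that the BOM and wrong-charset stylesheets are expected to be blocked for now, but nothing in the file says why or where that is tracked. The markup comments added in the next hunk (`@@ -75,16 +94,34 @@`) also still read "should trigger onload" for style5.css and style6.css, which contradicts the todo. A comment above each handler, for example `// Known failure, tracked in bug <FOLLOW-UP-BUG-ID>`, and "currently triggers onerror (todo)" in the two markup comments would keep a reader from mistaking the onerror path for a regression. Since this covers an integrity check, it may also be worth a non-ASCII stylesheet with a deliberately wrong hash, so the new cases show that blocking still works and not only that matching content loads.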
@@ -75,16 +94,34 @@
 onerror="bad_emptyIntegrityBlocked()" onload="good_emptyIntegrityLoaded()">
 <!-- invalid sha256 hash. should trigger onerror -->
 <link rel="stylesheet" href="style3.css" integrity="sha256-bogus" onerror="good_incorrectHashBlocked()" onload="bad_incorrectHashLoaded()">
+
+ <!-- valid sha384 hash of a utf8 file. should trigger onload -->
+ <link rel="stylesheet" href="style4.css"
+ integrity="sha384-13rt+j7xMDLhohLukb7AZx8lDGS3hkahp0IoeuyvxSNVPyc1QQmTDcwXGhQZjoMH"
+ onerror="bad_correctUTF8HashBlocked()"
+ onload="good_correctUTF8HashLoaded()">
+
+ <!-- valid sha384 hash of a utf8 file with a BOM. should trigger onload -->
+ <link rel="stylesheet" href="style5.css"
+ integrity="sha384-udAqVKPIHf/OD1isAYKrgzsog/3Q6lSEL2nKhtLSTmHryiae0+y6x1akeTzEF446"
+ onerror="bad_correctUTF8BOMHashBlocked()"
+ onload="good_correctUTF8BOMHashLoaded()">
+
+ <!-- valid sha384 hash of a utf8 file with the wrong charset. should trigger onload -->
+ <link rel="stylesheet" href="style6.css"
+ integrity="sha384-Xli4ROFoVGCiRgXyl7y8jv5Vm2yuqj+8tkNL3cUI7AHaCocna75JLs5xID437W6C"
+ onerror="bad_correctUTF8ishHashBlocked()"
+ onload="good_correctUTF8ishHashLoaded()">
 </head>
 <body>
 <!-- valid sha256 for a blob: URL -->
 <script>
 var blob = new Blob(['.blue-text{color:blue}'], {type: 'text/css'});
 var link = document.createElement('link');
@@ -104,17 +141,20 @@
 link.rel = 'stylesheet';
 link.href = window.URL.createObjectURL(blob);
 link.setAttribute('integrity', 'sha256-/F+EMVnTWYJOAzN5n7/21idiydu6nRi33LZOISZtwOM=');
 link.onerror = good_invalidBlobBlocked;
 link.onload = bad_invalidBlobLoaded;
 document.body.appendChild(link);
 </script>
-<p><span id="red-text">This should be red </span> and
+<p><span id="red-text">This should be red </span>,
+ <span id="purple-text">this should be purple</span>,
+ <span id="brown-text">this should be brown</span>,
+ <span id="orange-text">this should be orange</span>, and
 <span class="blue-text" id="blue-text-element">this should be blue.</span> However, <span id="black-text">this should stay black</span> and <span class="black-text" id="black-text-2">this should also stay black.</span>
 </p>
 <p id="display"></p>
 <div id="content" style="display: none">
 </div>
--- a/dom/security/test/sri/mochitest.ini
+++ b/dom/security/test/sri/mochitest.ini
@@ -23,16 +23,21 @@ support-files =
 script_302.js
 script_302.js^headers^
 script_401.js
 script_401.js^headers^
 style1.css
 style1.css^headers^
 style2.css
 style3.css
+ style4.css
+ style4.css^headers^
+ style5.css
+ style6.css
+ style6.css^headers^
 style_301.css
 style_301.css^headers^
 [test_script_sameorigin.html]
 [test_script_crossdomain.html]
 [test_sri_disabled.html]
 [test_style_crossdomain.html]
 [test_style_sameorigin.html]
new file mode 100644
--- /dev/null
+++ b/dom/security/test/sri/style4.css
@@ -0,0 +1,4 @@
+/* François was here. */
+#purple-text {
+ color: purple;
+}
new file mode 100644
--- /dev/null
+++ b/dom/security/test/sri/style4.css^headers^
@@ -0,0 +1,1 @@
+Content-Type: text/css; charset=utf-8
new file mode 100644
--- /dev/null
+++ b/dom/security/test/sri/style5.css
@@ -0,0 +1,4 @@
+/* François was here. */
+#orange-text {
+ color: orange;
+}