author | Garrett Robinson <grobinson@mozilla.com> |
Tue, 23 Apr 2013 17:39:10 -0500 | |
changeset 129695 | 2f839f4b2f3218e29bb39989dcb4912249af23ae |
parent 129694 | 659fa167a6bba070697efdd0fa81bbe3d8d66074 |
child 129696 | e64522db8661d713d1af37abff87997d0128317c |
push id | 24586 |
push user | ryanvm@gmail.com |
push date | Wed, 24 Apr 2013 12:15:57 +0000 |
reviewers | bzbarsky, ddahl |
bugs | 863878, 821877 |
milestone | 23.0a1 |
--- a/browser/devtools/webconsole/test/browser_webconsole_bug_821877_csp_errors.js +++ b/browser/devtools/webconsole/test/browser_webconsole_bug_821877_csp_errors.js @@ -7,19 +7,22 @@ const TEST_URI = "https://example.com/br const CSP_DEPRECATED_HEADER_MSG = "The X-Content-Security-Policy and X-Content-Security-Report-Only headers will be deprecated in the future. Please use the Content-Security-Policy and Content-Security-Report-Only headers with CSP spec compliant syntax instead."; function test() { addTab(TEST_URI); browser.addEventListener("load", function onLoad(aEvent) { browser.removeEventListener(aEvent.type, onLoad, true); openConsole(null, function testCSPErrorLogged (hud) { - waitForSuccess({ - name: "CSP error displayed successfully", - validatorFn: function () { - return hud.outputNode.textContent.indexOf(CSP_DEPRECATED_HEADER_MSG) > -1; - }, - successFn: finishTest, - failureFn: finishTest, - }); + waitForMessages({ + webconsole: hud, + messages: [ + { + name: "Deprecated CSP header error displayed successfully", + text: CSP_DEPRECATED_HEADER_MSG, + category: CATEGORY_SECURITY, + severity: SEVERITY_WARNING + }, + ], + }).then(finishTest); }); }, true); }
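Review bot: The rewritten test asserts only the `OldCSPHeaderDeprecated` text, although this commit also moves `BothCSPHeadersPresent` and `ReportOnlyCSPIgnored` into security.properties and reports them through the same queue. A key that fails to resolve in the new bundle, or a message that lands in the wrong console category, would go unnoticed for those two warnings. Consider further entries in the `messages` array (or sibling tests) with `category: CATEGORY_SECURITY` and `severity: SEVERITY_WARNING` for them; that needs test pages serving the matching header combinations, which are not part of this hunk. The promise is consumed with `.then(finishTest)` only, so how a rejection from `waitForMessages` ends the test depends on the harness, which is not visible here.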
--- a/browser/devtools/webconsole/webconsole.js +++ b/browser/devtools/webconsole/webconsole.js @@ -4273,16 +4273,17 @@ var Utils = { categoryForScriptError: function Utils_categoryForScriptError(aScriptError) { switch (aScriptError.category) { case "CSS Parser": case "CSS Loader": return CATEGORY_CSS; case "Mixed Content Blocker": + case "CSP": return CATEGORY_SECURITY; default: return CATEGORY_JS; } }, /**
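Review bot: `categoryForScriptError` matches the category by exact string, and anything unlisted falls through to `CATEGORY_JS`, so a CSP message reported under a differently spelled category would be filed as a JavaScript message and would not show under the Security filter. The new `case "CSP":` is coupled to the literal `"CSP"` passed to `nsContentUtils::ReportToConsole` in nsDocument.cpp, and nothing in the code says so. I would add a comment above the security cases such as `// Category strings must match those passed to nsContentUtils::ReportToConsole (e.g. "CSP" in CSPErrorQueue::Flush).` The enclosing `Utils` object starts and ends outside the hunk.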
--- a/content/base/src/nsDocument.cpp +++ b/content/base/src/nsDocument.cpp @@ -2368,17 +2368,17 @@ CSPErrorQueue::Add(const char* aMessageN } void CSPErrorQueue::Flush(nsIDocument* aDocument) { for (uint32_t i = 0; i < mErrors.Length(); i++) { nsContentUtils::ReportToConsole(nsIScriptError::warningFlag, "CSP", aDocument, - nsContentUtils::eDOM_PROPERTIES, + nsContentUtils::eSECURITY_PROPERTIES, mErrors[i]); } mErrors.Clear(); } nsresult nsDocument::InitCSP(nsIChannel* aChannel) { @@ -2525,32 +2525,21 @@ nsDocument::InitCSP(nsIChannel* aChannel // While we are supporting both CSP 1.0 and the x- headers, the 1.0 headers // take priority. If any spec-compliant headers are present, the x- headers // are ignored, and the spec compliant parser is used. bool cspSpecCompliant = (!cspHeaderValue.IsEmpty() || !cspROHeaderValue.IsEmpty()); // If the old header is present, warn that it will be deprecated. if (!cspOldHeaderValue.IsEmpty() || !cspOldROHeaderValue.IsEmpty()) { - nsContentUtils::ReportToConsole(nsIScriptError::warningFlag, - "CSP", this, - nsContentUtils::eDOM_PROPERTIES, - "OldCSPHeaderDeprecated"); - - // Additionally log deprecated warning to Web Console. mCSPWebConsoleErrorQueue.Add("OldCSPHeaderDeprecated"); // Also, if the new headers AND the old headers were present, warn // that the old headers will be ignored. if (cspSpecCompliant) { - nsContentUtils::ReportToConsole(nsIScriptError::warningFlag, - "CSP", this, - nsContentUtils::eDOM_PROPERTIES, - "BothCSPHeadersPresent"); - // Additionally log to Web Console. mCSPWebConsoleErrorQueue.Add("BothCSPHeadersPresent"); } } // ----- if there's a full-strength CSP header, apply it. bool applyCSPFromHeader = (( cspSpecCompliant && !cspHeaderValue.IsEmpty()) || (!cspSpecCompliant && !cspOldHeaderValue.IsEmpty())); 
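Review bot: `CSPErrorQueue::Flush` now resolves every queued name against `eSECURITY_PROPERTIES`, which turns the bundle into an unstated contract of `CSPErrorQueue::Add`. A name queued later whose string still lives in dom.properties would fail the lookup at flush time, and the warning would presumably be lost or malformed. A comment on `Flush` (or on `Add`, whose body is outside the hunk) would make this explicit, for example `// Message names queued via Add() must be keys in security.properties; they are looked up with eSECURITY_PROPERTIES.`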
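Review bot: With the direct `nsContentUtils::ReportToConsole` calls removed, `OldCSPHeaderDeprecated` and `BothCSPHeadersPresent` reach the console only when `mCSPWebConsoleErrorQueue` is flushed, and no `Flush` call appears in this hunk. If `InitCSP` can return early between these `Add` calls and the flush, the warnings are silently dropped, whereas before they were emitted immediately; the same applies to `ReportOnlyCSPIgnored` in the following hunk. It is worth confirming that every exit path after an `Add` still leads to a flush, and adding a one-line comment at the first `mCSPWebConsoleErrorQueue.Add(...)` naming where the queue is flushed. `InitCSP` starts and ends outside the hunk.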
@@ -2577,21 +2566,16 @@ nsDocument::InitCSP(nsIChannel* aChannel // ----- if there's a report-only CSP header, apply it if (( cspSpecCompliant && !cspROHeaderValue.IsEmpty()) || (!cspSpecCompliant && !cspOldROHeaderValue.IsEmpty())) { // post a warning and skip report-only CSP when both read only and regular // CSP policies are present since CSP only allows one policy and it can't // be partially report-only. if (applyAppDefaultCSP || applyCSPFromHeader) { - nsContentUtils::ReportToConsole(nsIScriptError::warningFlag, - "CSP", this, - nsContentUtils::eDOM_PROPERTIES, - "ReportOnlyCSPIgnored"); - // Additionally log to Web Console. mCSPWebConsoleErrorQueue.Add("ReportOnlyCSPIgnored"); #ifdef PR_LOGGING PR_LOG(gCspPRLog, PR_LOG_DEBUG, ("Skipped report-only CSP init for document %p because another, enforced policy is set", this)); #endif } else { // we can apply the report-only policy because there's no other CSP // applied.
--- a/dom/locales/en-US/chrome/dom/dom.properties +++ b/dom/locales/en-US/chrome/dom/dom.properties 
@@ -78,17 +78,16 @@ FullScreenDeniedLostWindow=Request for f FullScreenDeniedSubDocFullScreen=Request for full-screen was denied because a subdocument of the document requesting full-screen is already full-screen. FullScreenDeniedNotDescendant=Request for full-screen was denied because requesting element is not a descendant of the current full-screen element. FullScreenDeniedNotFocusedTab=Request for full-screen was denied because requesting element is not in the currently focused tab. FullScreenDeniedContentOnly=Request for full-screen was denied because requesting element is in the chrome document and the fullscreen API is configured for content only. RemovedFullScreenElement=Exited full-screen because full-screen element was removed from document. FocusedWindowedPluginWhileFullScreen=Exited full-screen because windowed plugin was focused. HTMLSyncXHRWarning=HTML parsing in XMLHttpRequest is not supported in the synchronous mode. InvalidRedirectChannelWarning=Unable to redirect to %S because the channel doesn't implement nsIWritablePropertyBag2. -ReportOnlyCSPIgnored=Report-only CSP policy will be ignored because there are other non-report-only CSP policies applied. ResponseTypeSyncXHRWarning=Use of XMLHttpRequest's responseType attribute is no longer supported in the synchronous mode in window context. WithCredentialsSyncXHRWarning=Use of XMLHttpRequest's withCredentials attribute is no longer supported in the synchronous mode in window context. TimeoutSyncXHRWarning=Use of XMLHttpRequest's timeout attribute is not supported in the synchronous mode in window context. JSONCharsetWarning=An attempt was made to declare a non-UTF-8 encoding for JSON retrieved using XMLHttpRequest. Only UTF-8 is supported for decoding JSON. # LOCALIZATION NOTE: Do not translate AudioBufferSourceNode MediaBufferSourceNodeResampleOutOfMemory=Insufficient memory to resample the AudioBufferSourceNode for playback. # LOCALIZATION NOTE: Do not translate decodeAudioData. 
MediaDecodeAudioDataUnknownContentType=The buffer passed to decodeAudioData contains an unknown content type. 
@@ -123,18 +122,14 @@ MozSliceWarning=Use of mozSlice on the B # LOCALIZATION NOTE: Do not translate "Components" ComponentsWarning=The Components object is deprecated. It will soon be removed. PluginHangUITitle=Warning: Unresponsive plugin PluginHangUIMessage=%S may be busy, or it may have stopped responding. You can stop the plugin now, or you can continue to see if the plugin will complete. PluginHangUIWaitButton=Continue PluginHangUIStopButton=Stop plugin # LOCALIZATION NOTE: Do not translate "mozHidden", "mozVisibilityState", "hidden", or "visibilityState" PrefixedVisibilityApiWarning='mozHidden' and 'mozVisibilityState' are deprecated. Please use the unprefixed 'hidden' and 'visibilityState' instead. -# LOCALIZATION NOTE: Do not translate "X-Content-Security-Policy", "X-Content-Security-Policy-Report-Only", "Content-Security-Policy" or "Content-Security-Policy-Report-Only" -OldCSPHeaderDeprecated=The X-Content-Security-Policy and X-Content-Security-Report-Only headers will be deprecated in the future. Please use the Content-Security-Policy and Content-Security-Report-Only headers with CSP spec compliant syntax instead. -# LOCALIZATION NOTE: Do not translate "X-Content-Security-Policy/Report-Only" or "Content-Security-Policy/Report-Only" -BothCSPHeadersPresent=This site specified both an X-Content-Security-Policy/Report-Only header and a Content-Security-Policy/Report-Only header. The X-Content-Security-Policy/Report-Only header(s) will be ignored. # LOCALIZATION NOTE: Do not translate "NodeIterator" or "detach()". NodeIteratorDetachWarning=Calling detach() on a NodeIterator no longer has an effect. # LOCALIZATION NOTE: Do not translate "Mozilla Audio Data API" and "Web Audio API". MozAudioDataWarning=The Mozilla Audio Data API is deprecated. Please use the Web Audio API instead. # LOCALIZATION NOTE: Do not translate "LenientThis" and "this" LenientThisWarning=Ignoring get or set of property that has [LenientThis] because the "this" object is incorrect.
--- a/dom/locales/en-US/chrome/security/security.properties +++ b/dom/locales/en-US/chrome/security/security.properties @@ -1,2 +1,10 @@ +# Mixed Content Blocker BlockMixedDisplayContent = Blocked loading mixed display content "%1$S" BlockMixedActiveContent = Blocked loading mixed active content "%1$S" + +# CSP +ReportOnlyCSPIgnored=Report-only CSP policy will be ignored because there are other non-report-only CSP policies applied. +# LOCALIZATION NOTE: Do not translate "X-Content-Security-Policy", "X-Content-Security-Policy-Report-Only", "Content-Security-Policy" or "Content-Security-Policy-Report-Only" +OldCSPHeaderDeprecated=The X-Content-Security-Policy and X-Content-Security-Report-Only headers will be deprecated in the future. Please use the Content-Security-Policy and Content-Security-Report-Only headers with CSP spec compliant syntax instead. +# LOCALIZATION NOTE: Do not translate "X-Content-Security-Policy/Report-Only" or "Content-Security-Policy/Report-Only" +BothCSPHeadersPresent=This site specified both an X-Content-Security-Policy/Report-Only header and a Content-Security-Policy/Report-Only header. The X-Content-Security-Policy/Report-Only header(s) will be ignored.
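Review bot: The `OldCSPHeaderDeprecated` text names the headers `X-Content-Security-Report-Only` and `Content-Security-Report-Only`, while the LOCALIZATION NOTE directly above it names `X-Content-Security-Policy-Report-Only` and `Content-Security-Policy-Report-Only`. The string is carried over unchanged from dom.properties, but a site author who follows the warning literally would send a header name that does not match the one in the note, and the report-only policy would likely not be applied. Since the string is being moved anyway, consider correcting it to `... the X-Content-Security-Policy and X-Content-Security-Policy-Report-Only headers ... use the Content-Security-Policy and Content-Security-Policy-Report-Only headers ...`. `CSP_DEPRECATED_HEADER_MSG` in browser_webconsole_bug_821877_csp_errors.js repeats the same text and would need the same change.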