Backed out changeset 2b4796470c0b (bug 1638826) for wpt failure on form-action-src-javascript-blocked.sub.html . CLOSED TREE
authorNarcis Beleuzu <nbeleuzu@mozilla.com>
Mon, 25 May 2020 13:52:24 +0300
changeset 531873 90b6e0e32402202184bd54e196262d4d99c6f1e8
parent 531872 9b5d151a83b7d94170f1d094f4a1959bad9d8c91
child 531874 5e78c6238e348639fdbd0bd47eb2151aadd66bee
push id37447
push usernbeleuzu@mozilla.com
push dateMon, 25 May 2020 15:42:48 +0000
treeherdermozilla-central@e7641c1071ea [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
bugs1638826
milestone78.0a1
backs out2b4796470c0b1a73a943c4d882a492bea5383882
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Backed out changeset 2b4796470c0b (bug 1638826) for wpt failure on form-action-src-javascript-blocked.sub.html . CLOSED TREE
dom/security/nsCSPContext.cpp
dom/security/nsCSPService.cpp
dom/security/nsCSPUtils.cpp
dom/security/nsCSPUtils.h
dom/security/test/csp/file_pdfjs_not_subject_to_csp.html
--- a/dom/security/nsCSPContext.cpp
+++ b/dom/security/nsCSPContext.cpp
@@ -1622,24 +1622,16 @@ NS_IMETHODIMP
 nsCSPContext::Permits(Element* aTriggeringElement,
                       nsICSPEventListener* aCSPEventListener, nsIURI* aURI,
                       CSPDirective aDir, bool aSpecific, bool* outPermits) {
   // Can't perform check without aURI
   if (aURI == nullptr) {
     return NS_ERROR_FAILURE;
   }
 
-  // CSP_SubjectToCSP allow lists some internal schemes but also some
-  // specific content types. Using TYPE_OTHER as a default which will
-  // still allow list all allow listed schemes.
-  if (!CSP_SubjectToCSP(aURI, nsIContentPolicy::TYPE_OTHER)) {
-    *outPermits = true;
-    return NS_OK;
-  }
-
   *outPermits =
       permitsInternal(aDir, aTriggeringElement, aCSPEventListener, aURI,
                       nullptr,        // no original (pre-redirect) URI
                       EmptyString(),  // no nonce
                       false,          // not a preload.
                       aSpecific,
                       true,    // send violation reports
                       true,    // send blocked URI in violation reports
--- a/dom/security/nsCSPService.cpp
+++ b/dom/security/nsCSPService.cpp
@@ -26,16 +26,86 @@ using namespace mozilla;
 static LazyLogModule gCspPRLog("CSP");
 
 CSPService::CSPService() = default;
 
 CSPService::~CSPService() = default;
 
 NS_IMPL_ISUPPORTS(CSPService, nsIContentPolicy, nsIChannelEventSink)
 
+// Helper function to identify protocols and content types not subject to CSP.
+bool subjectToCSP(nsIURI* aURI, nsContentPolicyType aContentType) {
+  nsContentPolicyType contentType =
+      nsContentUtils::InternalContentPolicyTypeToExternal(aContentType);
+
+  // These content types are not subject to CSP content policy checks:
+  // TYPE_CSP_REPORT -- csp can't block csp reports
+  // TYPE_REFRESH    -- never passed to ShouldLoad (see nsIContentPolicy.idl)
+  // TYPE_DOCUMENT   -- used for frame-ancestors
+  if (contentType == nsIContentPolicy::TYPE_CSP_REPORT ||
+      contentType == nsIContentPolicy::TYPE_REFRESH ||
+      contentType == nsIContentPolicy::TYPE_DOCUMENT) {
+    return false;
+  }
+
+  // The three protocols: data:, blob: and filesystem: share the same
+  // protocol flag (URI_IS_LOCAL_RESOURCE) with other protocols,
+  // but those three protocols get special attention in CSP and
+  // are subject to CSP, hence we have to make sure those
+  // protocols are subject to CSP, see:
+  // http://www.w3.org/TR/CSP2/#source-list-guid-matching
+  if (aURI->SchemeIs("data") || aURI->SchemeIs("blob") ||
+      aURI->SchemeIs("filesystem")) {
+    return true;
+  }
+
+  // Finally we have to whitelist "about:" which does not fall into
+  // the category underneath and also "javascript:" which is not
+  // subject to CSP content loading rules.
+  if (aURI->SchemeIs("about") || aURI->SchemeIs("javascript")) {
+    return false;
+  }
+
+  // Please note that it should be possible for websites to
+  // whitelist their own protocol handlers with respect to CSP,
+  // hence we use protocol flags to accomplish that, but we also
+  // want resource:, chrome: and moz-icon to be subject to CSP
+  // (which also use URI_IS_LOCAL_RESOURCE).
+  // Exception to the rule are images, styles, and localization
+  // DTDs using a scheme of resource: or chrome:
+  bool isImgOrStyleOrDTD = contentType == nsIContentPolicy::TYPE_IMAGE ||
+                           contentType == nsIContentPolicy::TYPE_STYLESHEET ||
+                           contentType == nsIContentPolicy::TYPE_DTD;
+  if (aURI->SchemeIs("resource")) {
+    nsAutoCString uriSpec;
+    aURI->GetSpec(uriSpec);
+    // Exempt pdf.js from being subject to a page's CSP.
+    if (StringBeginsWith(uriSpec, NS_LITERAL_CSTRING("resource://pdf.js/"))) {
+      return false;
+    }
+    if (!isImgOrStyleOrDTD) {
+      return true;
+    }
+  }
+  if (aURI->SchemeIs("chrome") && !isImgOrStyleOrDTD) {
+    return true;
+  }
+  if (aURI->SchemeIs("moz-icon")) {
+    return true;
+  }
+  bool match;
+  nsresult rv = NS_URIChainHasFlags(
+      aURI, nsIProtocolHandler::URI_IS_LOCAL_RESOURCE, &match);
+  if (NS_SUCCEEDED(rv) && match) {
+    return false;
+  }
+  // all other protocols are subject To CSP.
+  return true;
+}
+
 /* static */ nsresult CSPService::ConsultCSP(nsIURI* aContentLocation,
                                              nsILoadInfo* aLoadInfo,
                                              const nsACString& aMimeTypeGuess,
                                              int16_t* aDecision) {
   if (!aContentLocation) {
     return NS_ERROR_FAILURE;
   }
 
@@ -55,19 +125,19 @@ NS_IMPL_ISUPPORTS(CSPService, nsIContent
 
   // default decision, CSP can revise it if there's a policy to enforce
   *aDecision = nsIContentPolicy::ACCEPT;
 
   // No need to continue processing if CSP is disabled or if the protocol
   // or type is *not* subject to CSP.
   // Please note, the correct way to opt-out of CSP using a custom
   // protocolHandler is to set one of the nsIProtocolHandler flags
-  // that are whitelistet in CSP_SubjectToCSP()
+  // that are whitelistet in subjectToCSP()
   if (!StaticPrefs::security_csp_enable() ||
-      !CSP_SubjectToCSP(aContentLocation, contentType)) {
+      !subjectToCSP(aContentLocation, contentType)) {
     return NS_OK;
   }
 
   nsAutoString cspNonce;
   rv = aLoadInfo->GetCspNonce(cspNonce);
   NS_ENSURE_SUCCESS(rv, rv);
 
   // 1) Apply speculate CSP for preloads
@@ -236,20 +306,20 @@ nsresult CSPService::ConsultCSPForRedire
       return NS_OK;
     }
   }
 
   // No need to continue processing if CSP is disabled or if the protocol
   // is *not* subject to CSP.
   // Please note, the correct way to opt-out of CSP using a custom
   // protocolHandler is to set one of the nsIProtocolHandler flags
-  // that are whitelistet in CSP_SubjectToCSP()
+  // that are whitelistet in subjectToCSP()
   nsContentPolicyType policyType = aLoadInfo->InternalContentPolicyType();
   if (!StaticPrefs::security_csp_enable() ||
-      !CSP_SubjectToCSP(aNewURI, policyType)) {
+      !subjectToCSP(aNewURI, policyType)) {
     return NS_OK;
   }
 
   nsCOMPtr<nsICSPEventListener> cspEventListener;
   nsresult rv =
       aLoadInfo->GetCspEventListener(getter_AddRefs(cspEventListener));
   MOZ_ALWAYS_SUCCEEDS(rv);
 
--- a/dom/security/nsCSPUtils.cpp
+++ b/dom/security/nsCSPUtils.cpp
@@ -455,85 +455,16 @@ bool permitsScheme(const nsAString& aEnf
   // the error back to the page.
   return (
       (aUpgradeInsecure && !aReportOnly) &&
       ((scheme.EqualsASCII("http") &&
         aEnforcementScheme.EqualsASCII("https")) ||
        (scheme.EqualsASCII("ws") && aEnforcementScheme.EqualsASCII("wss"))));
 }
 
-bool CSP_SubjectToCSP(nsIURI* aURI, nsContentPolicyType aContentType) {
-  nsContentPolicyType contentType =
-      nsContentUtils::InternalContentPolicyTypeToExternal(aContentType);
-
-  // These content types are not subject to CSP content policy checks:
-  // TYPE_CSP_REPORT -- csp can't block csp reports
-  // TYPE_REFRESH    -- never passed to ShouldLoad (see nsIContentPolicy.idl)
-  // TYPE_DOCUMENT   -- used for frame-ancestors
-  if (contentType == nsIContentPolicy::TYPE_CSP_REPORT ||
-      contentType == nsIContentPolicy::TYPE_REFRESH ||
-      contentType == nsIContentPolicy::TYPE_DOCUMENT) {
-    return false;
-  }
-
-  // The three protocols: data:, blob: and filesystem: share the same
-  // protocol flag (URI_IS_LOCAL_RESOURCE) with other protocols,
-  // but those three protocols get special attention in CSP and
-  // are subject to CSP, hence we have to make sure those
-  // protocols are subject to CSP, see:
-  // http://www.w3.org/TR/CSP2/#source-list-guid-matching
-  if (aURI->SchemeIs("data") || aURI->SchemeIs("blob") ||
-      aURI->SchemeIs("filesystem")) {
-    return true;
-  }
-
-  // Finally we have to whitelist "about:" which does not fall into
-  // the category underneath and also "javascript:" which is not
-  // subject to CSP content loading rules.
-  if (aURI->SchemeIs("about") || aURI->SchemeIs("javascript")) {
-    return false;
-  }
-
-  // Please note that it should be possible for websites to
-  // whitelist their own protocol handlers with respect to CSP,
-  // hence we use protocol flags to accomplish that, but we also
-  // want resource:, chrome: and moz-icon to be subject to CSP
-  // (which also use URI_IS_LOCAL_RESOURCE).
-  // Exception to the rule are images, styles, and localization
-  // DTDs using a scheme of resource: or chrome:
-  bool isImgOrStyleOrDTD = contentType == nsIContentPolicy::TYPE_IMAGE ||
-                           contentType == nsIContentPolicy::TYPE_STYLESHEET ||
-                           contentType == nsIContentPolicy::TYPE_DTD;
-  if (aURI->SchemeIs("resource")) {
-    nsAutoCString uriSpec;
-    aURI->GetSpec(uriSpec);
-    // Exempt pdf.js from being subject to a page's CSP.
-    if (StringBeginsWith(uriSpec, NS_LITERAL_CSTRING("resource://pdf.js/"))) {
-      return false;
-    }
-    if (!isImgOrStyleOrDTD) {
-      return true;
-    }
-  }
-  if (aURI->SchemeIs("chrome") && !isImgOrStyleOrDTD) {
-    return true;
-  }
-  if (aURI->SchemeIs("moz-icon")) {
-    return true;
-  }
-  bool match;
-  nsresult rv = NS_URIChainHasFlags(
-      aURI, nsIProtocolHandler::URI_IS_LOCAL_RESOURCE, &match);
-  if (NS_SUCCEEDED(rv) && match) {
-    return false;
-  }
-  // all other protocols are subject To CSP.
-  return true;
-}
-
 /*
  * A helper function for appending a CSP header to an existing CSP
  * policy.
  *
  * @param aCsp           the CSP policy
  * @param aHeaderValue   the header
  * @param aReportOnly    is this a report-only header?
  */
--- a/dom/security/nsCSPUtils.h
+++ b/dom/security/nsCSPUtils.h
@@ -183,19 +183,16 @@ inline CSPKeyword CSP_UTF16KeywordToEnum
     if (lowerKey.Equals(gCSPUTF16Keywords[i])) {
       return static_cast<CSPKeyword>(i);
     }
   }
   NS_ASSERTION(false, "Can not convert unknown Keyword to Enum");
   return CSP_LAST_KEYWORD_VALUE;
 }
 
-// Helper function to identify protocols and content types not subject to CSP.
-bool CSP_SubjectToCSP(nsIURI* aURI, nsContentPolicyType aContentType);
-
 nsresult CSP_AppendCSPFromHeader(nsIContentSecurityPolicy* aCsp,
                                  const nsAString& aHeaderValue,
                                  bool aReportOnly);
 
 /* =============== Helpers ================== */
 
 class nsCSPHostSrc;
 
--- a/dom/security/test/csp/file_pdfjs_not_subject_to_csp.html
+++ b/dom/security/test/csp/file_pdfjs_not_subject_to_csp.html
@@ -1,11 +1,11 @@
 <html>
 <head>
-  <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-allowPDF'; base-uri 'self'">
+  <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-allowPDF'">
 </head>
 <body>
 <iframe id="pdfFrame"></iframe>
 <br/>
 <button id="pdfButton">click to load pdf</button>
 <script nonce="allowPDF">
   async function loadPDFIntoIframe() {
     let response = await fetch("dummy.pdf");