Bug 555068 - make CSP frame-ancestors be explictly opt-in, r=dveditz
authorSid Stamm <sstamm@mozilla.com>
Wed, 09 Jun 2010 09:48:42 -0700
changeset 43402 5eca1ddd02d62d345b78141213e8b2c905720e04
parent 43401 ffceae16b1a76867453dd233b80b08f2b65c163d
child 43403 b3ed3405f1dc327054d801bd6de93a674ad579b2
push idunknown
push userunknown
push dateunknown
reviewersdveditz
bugs555068
milestone1.9.3a5pre
Bug 555068 - make CSP frame-ancestors be explicitly opt-in, r=dveditz
content/base/src/CSPUtils.jsm
content/base/test/unit/test_csputils.js
--- a/content/base/src/CSPUtils.jsm
+++ b/content/base/src/CSPUtils.jsm
@@ -411,18 +411,22 @@ CSPRep.prototype = {
     if (!allowDir) {
       return false;
     }
 
     for (var dir in SD) {
       var dirv = SD[dir];
       if (dirv === SD.ALLOW) continue;
       if (!this._directives[dirv]) {
-        // implicit directive, make explicit
-        this._directives[dirv] = allowDir.clone();
+        // implicit directive, make explicit.
+        // All but frame-ancestors directive inherit from 'allow' (bug 555068)
+        if (dirv === SD.FRAME_ANCESTORS)
+          this._directives[dirv] = CSPSourceList.fromString("*");
+        else
+          this._directives[dirv] = allowDir.clone();
         this._directives[dirv]._isImplicit = true;
       }
     }
     this._isInitialized = true;
     return true;
   },
 
   /**
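Review bot: In the new `dirv === SD.FRAME_ANCESTORS` branch, a policy that omits frame-ancestors gets a `*` source list, so even `allow 'none'` places no limit on which origins may frame the page; the comment cites the bug number but not that consequence. I would spell it out, e.g. `// frame-ancestors is opt-in: if absent, any ancestor may embed the page, whatever 'allow' says`, so a reader of this loop does not assume 'allow' still governs framing. The unbraced `if`/`else` sits directly above the `_isImplicit = true` assignment that has to run for both arms, and bracing both arms would make that harder to break in a later edit. `CSPSourceList.fromString("*")` is called with a single argument; its signature is outside the hunk, so it is worth confirming that a wildcard list needs no self URI. The enclosing function begins outside the hunk.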
--- a/content/base/test/unit/test_csputils.js
+++ b/content/base/test/unit/test_csputils.js
@@ -345,18 +345,17 @@ test(
     });
 
 
 test(
     function test_CSPRep_fromString_oneDir() {
 
       var cspr;
       var SD = CSPRep.SRC_DIRECTIVES;
-      var DEFAULTS = [SD.STYLE_SRC, SD.MEDIA_SRC, SD.IMG_SRC,
-                      SD.FRAME_ANCESTORS, SD.FRAME_SRC];
+      var DEFAULTS = [SD.STYLE_SRC, SD.MEDIA_SRC, SD.IMG_SRC, SD.FRAME_SRC];
 
       // check one-directive policies
       cspr = CSPRep.fromString("allow bar.com; script-src https://foo.com", 
                                "http://self.com");
 
       for(var x in DEFAULTS) {
         //DEFAULTS[x] + " does not use default rule."
         do_check_false(cspr.permits("http://bar.com:22", DEFAULTS[x]));
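Review bot: The shortened `DEFAULTS` list gives no hint of why frame-ancestors is absent, and the same edit is made in test_CSPRep_fromString_twodir in the next hunk. A comment above each list, such as `// frame-ancestors is not listed: it does not inherit from 'allow' (bug 555068)`, would keep it from being re-added as an apparent oversight. The loop body continues outside the hunk.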
@@ -372,17 +371,17 @@ test(
       //"script-src false negative in policy.
       do_check_true(cspr.permits("https://foo.com:443", SD.SCRIPT_SRC));
     });
 
 test(
     function test_CSPRep_fromString_twodir() {
       var cspr;
       var SD = CSPRep.SRC_DIRECTIVES;
-      var DEFAULTS = [SD.STYLE_SRC, SD.MEDIA_SRC, SD.FRAME_ANCESTORS, SD.FRAME_SRC];
+      var DEFAULTS = [SD.STYLE_SRC, SD.MEDIA_SRC, SD.FRAME_SRC];
 
       // check two-directive policies
       var polstr = "allow allow.com; "
                   + "script-src https://foo.com; "
                   + "img-src bar.com:*";
       cspr = CSPRep.fromString(polstr, "http://self.com");
 
       for(var x in DEFAULTS) {
@@ -443,16 +442,42 @@ test(function test_CSPRep_fromPolicyURI(
 
         // other directives inherit self
         for(var i in SD) {
           //SD[i] + " parsed wrong from policy uri"
           do_check_equivalent(cspr._directives[SD[i]],
                               cspr_static._directives[SD[i]]);
         }
     });
+
+//////////////// TEST FRAME ANCESTOR DEFAULTS /////////////////
+// (see bug 555068)
+test(function test_FrameAncestor_defaults() {
+      var cspr;
+      var SD = CSPRep.SRC_DIRECTIVES;
+      var self = "http://self.com:34";
+
+      cspr = CSPRep.fromString("allow 'none'", self);
+
+      //"frame-ancestors should default to * not 'allow' value"
+      do_check_true(cspr.permits("https://foo.com:400", SD.FRAME_ANCESTORS));
+      do_check_true(cspr.permits("http://self.com:34", SD.FRAME_ANCESTORS));
+      do_check_true(cspr.permits("https://self.com:34", SD.FRAME_ANCESTORS));
+      do_check_true(cspr.permits("http://self.com", SD.FRAME_ANCESTORS));
+      do_check_true(cspr.permits("http://subd.self.com:34", SD.FRAME_ANCESTORS));
+
+      cspr = CSPRep.fromString("allow 'none'; frame-ancestors 'self'", self);
+
+      //"frame-ancestors should only allow self"
+      do_check_true(cspr.permits("http://self.com:34", SD.FRAME_ANCESTORS));
+      do_check_false(cspr.permits("https://foo.com:400", SD.FRAME_ANCESTORS));
+      do_check_false(cspr.permits("https://self.com:34", SD.FRAME_ANCESTORS));
+      do_check_false(cspr.permits("http://self.com", SD.FRAME_ANCESTORS));
+      do_check_false(cspr.permits("http://subd.self.com:34", SD.FRAME_ANCESTORS));
+     });
 /*
 
 test(function test_CSPRep_fromPolicyURI_failswhenmixed() {
         var cspr;
         var self = "http://localhost:" + POLICY_PORT;
         var closed_policy = CSPRep.fromString("allow 'none'");
         var my_uri_policy = "policy-uri " + POLICY_URI;