Bug 576200. CSP breaks spec, defaults to allow *. r=bsterne@mozilla.com, dveditz@mozilla.com
authorSid Stamm <sstamm@mozilla.com>
Mon, 16 Aug 2010 10:12:28 -0700
changeset 50672 903b6e5087a0f7a4080a0eddaeeaf67094870e08
parent 50671 e9089b5e4a37df50d2bfd408bcf58123ea6f803e
child 50673 a6249c83906165a63049860ebb0ccf38121b18c7
push idunknown
push userunknown
push dateunknown
reviewersbsterne
bugs576200
milestone2.0b4pre
Bug 576200. CSP breaks spec, defaults to allow *. r=bsterne@mozilla.com, dveditz@mozilla.com
content/base/src/CSPUtils.jsm
--- a/content/base/src/CSPUtils.jsm
+++ b/content/base/src/CSPUtils.jsm
@@ -267,18 +267,21 @@ CSPRep.fromString = function(aStr, self)
       return CSPRep.fromString("allow 'none'");
     }
 
     // UNIDENTIFIED DIRECTIVE /////////////////////////////////////////////
     CSPWarning("Couldn't process unknown directive '" + dirname + "'");
 
   } // end directive: loop
 
-  aCSPR.makeExplicit();
-  return aCSPR;
+  // if makeExplicit fails for any reason, default to allow 'none'.  This
+  // includes the case where "allow" is not present.
+  if (aCSPR.makeExplicit())
+    return aCSPR;
+  return CSPRep.fromString("allow 'none'", self);
 };
 
 CSPRep.prototype = {
   /**
    * Returns a space-separated list of all report uris defined, or 'none' if there are none.
    */
   getReportURIs:
   function() {
@@ -404,16 +407,17 @@ CSPRep.prototype = {
    *      true  if the makeExplicit succeeds
    *      false if it fails (for some weird reason)
    */
   makeExplicit:
   function cspsd_makeExplicit() {
     var SD = CSPRep.SRC_DIRECTIVES;
     var allowDir = this._directives[SD.ALLOW];
     if (!allowDir) {
+      CSPWarning("'allow' directive required but not present.  Reverting to \"allow 'none'\"");
       return false;
     }
 
     for (var dir in SD) {
       var dirv = SD[dir];
       if (dirv === SD.ALLOW) continue;
       if (!this._directives[dirv]) {
         // implicit directive, make explicit.