Bug 1198422 - CSP: Allow nonce to load if default-src is not specified in second policy. r=dveditz, a=sledru
authorChristoph Kerschbaumer <mozilla@christophkerschbaumer.com>
Tue, 25 Aug 2015 16:11:04 -0700
changeset 289025 7f3e8375ff3906657deb1bb4162a20238b716696
parent 289024 88ef22723df67da787a0b1ac5a330f7e81d94916
child 289026 8f5c669a887e5111dbce9884145fe278e3e1afad
push id5067
push userraliiev@mozilla.com
push dateMon, 21 Sep 2015 14:04:52 +0000
treeherdermozilla-beta@14221ffe5b2f [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersdveditz, sledru
bugs1198422
milestone42.0a2
Bug 1198422 - CSP: Allow nonce to load if default-src is not specified in second policy. r=dveditz, a=sledru
dom/security/nsCSPUtils.cpp
--- a/dom/security/nsCSPUtils.cpp
+++ b/dom/security/nsCSPUtils.cpp
@@ -604,25 +604,30 @@ nsCSPKeywordSrc::allows(enum CSPKeyword 
     return false;
   }
   return mKeyword == aKeyword;
 }
 
 void
 nsCSPKeywordSrc::toString(nsAString& outStr) const
 {
+  if (mInvalidated) {
+    MOZ_ASSERT(mKeyword == CSP_UNSAFE_INLINE,
+               "can only ignore 'unsafe-inline' within toString()");
+    return;
+  }
   outStr.AppendASCII(CSP_EnumToKeyword(mKeyword));
 }
 
 void
 nsCSPKeywordSrc::invalidate()
 {
   mInvalidated = true;
-  NS_ASSERTION(mInvalidated == CSP_UNSAFE_INLINE,
-               "invalidate 'unsafe-inline' only within script-src");
+  MOZ_ASSERT(mKeyword == CSP_UNSAFE_INLINE,
+             "invalidate 'unsafe-inline' only within script-src");
 }
 
 /* ===== nsCSPNonceSrc ==================== */
 
 nsCSPNonceSrc::nsCSPNonceSrc(const nsAString& aNonce)
   : mNonce(aNonce)
 {
 }
@@ -1041,18 +1046,23 @@ nsCSPPolicy::allows(nsContentPolicyType 
       }
       return false;
     }
     if (mDirectives[i]->isDefaultDirective()) {
       defaultDir = mDirectives[i];
     }
   }
 
-  // Only match {nonce,hash}-source on specific directives (not default-src)
+  // {nonce,hash}-source should not consult default-src:
+  //   * return false if default-src is specified
+  //   * but allow the load if default-src is *not* specified (Bug 1198422)
   if (aKeyword == CSP_NONCE || aKeyword == CSP_HASH) {
+     if (!defaultDir) {
+       return true;
+     }
     return false;
   }
 
   // If the above loop runs through, we haven't found a matching directive.
   // Avoid relooping, just store the result of default-src while looping.
   if (defaultDir) {
     return defaultDir->allows(aKeyword, aHashOrNonce);
   }