Bug 1490977: Assert content privileged about page has CSP. r=smaug
authorChristoph Kerschbaumer <ckerschb@christophkerschbaumer.com>
Wed, 19 Sep 2018 06:50:23 +0200
changeset 492931 8da145a5caafc33fd9e9e2a60267c330741bdd9c
parent 492930 e372a942c1de2ce1bae1dd36768226ee5601174c
child 492932 bd4a9806ea474b2b024a31de35d638983cfde64e
push id9984
push userffxbld-merge
push dateMon, 15 Oct 2018 21:07:35 +0000
reviewerssmaug
bugs1490977
milestone64.0a1
Bug 1490977: Assert content privileged about page has CSP. r=smaug
dom/base/nsDocument.cpp
dom/security/test/general/mochitest.ini
dom/security/test/general/test_assert_about_page_no_csp.html
modules/libpref/init/all.js
--- a/dom/base/nsDocument.cpp
+++ b/dom/base/nsDocument.cpp
@@ -5290,17 +5290,18 @@ AssertContentPrivilegedAboutPageHasCSP(n
   NS_ENSURE_SUCCESS_VOID(rv);
 
   if (!(aboutModuleFlags & nsIAboutModule::URI_SAFE_FOR_UNTRUSTED_CONTENT)) {
     return;
   }
 
   // Potentially init the legacy whitelist of about URIs without a CSP.
   static StaticAutoPtr<nsTArray<nsCString>> sLegacyAboutPagesWithNoCSP;
-  if (!sLegacyAboutPagesWithNoCSP) {
+  if (!sLegacyAboutPagesWithNoCSP ||
+      Preferences::GetBool("csp.overrule_content_privileged_about_uris_without_csp_whitelist")) {
     sLegacyAboutPagesWithNoCSP = new nsTArray<nsCString>();
     nsAutoCString legacyAboutPages;
     Preferences::GetCString("csp.content_privileged_about_uris_without_csp",
       legacyAboutPages);
     for (const nsACString& hostString : legacyAboutPages.Split(',')) {
       // please note that for the actual whitelist we only store the path of
       // about: URI. Let's reassemble the full about URI here so we don't
       // have to remove query arguments later.
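Review bot: The pref name `csp.overrule_content_privileged_about_uris_without_csp_whitelist` is written out as a string literal in this condition and again in the later hunk just before the final MOZ_ASSERT, so a typo in either copy would silently read as false. Reading it once near the top, e.g. `const bool overruleWhitelist = Preferences::GetBool("csp.overrule_content_privileged_about_uris_without_csp_whitelist");`, and testing `overruleWhitelist` in both places keeps the two checks in step. While the pref is true, the list is also reallocated and re-parsed on every call. If the tail of this block (outside the hunk) registers the static pointer for shutdown cleanup, that registration would repeat on each call as well. The function starts before the hunk and the block ends after it.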
@@ -5329,16 +5330,20 @@ AssertContentPrivilegedAboutPageHasCSP(n
   nsAutoString parsedPolicyStr;
   if (csp) {
     uint32_t policyCount = 0;
      csp->GetPolicyCount(&policyCount);
      if (policyCount > 0) {
        csp->GetPolicyString(0, parsedPolicyStr);
      }
   }
+  if (Preferences::GetBool("csp.overrule_content_privileged_about_uris_without_csp_whitelist")) {
+    NS_ASSERTION(parsedPolicyStr.Find("default-src") >= 0, "about: page must have a CSP");
+    return;
+  }
   MOZ_ASSERT(parsedPolicyStr.Find("default-src") >= 0,
     "about: page must contain a CSP including default-src");
 }
 #endif
 
 void
 nsDocument::EndLoad()
 {
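Review bot: The new early-return branch has no comment explaining why a set pref swaps the fatal MOZ_ASSERT for a non-fatal NS_ASSERTION. While that pref is true in a debug build, the check is relaxed for every content-privileged about: page, not only the one the test loads. A comment such as `// Testing only: NS_ASSERTION is non-fatal, so the mochitest can count it via SimpleTest.expectAssertions() instead of aborting.` would make the intent clear to the next reader. The two messages also differ (`about: page must have a CSP` vs. `about: page must contain a CSP including default-src`) although they guard the same condition; using the same text makes log searches simpler. The function starts outside the hunk.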
--- a/dom/security/test/general/mochitest.ini
+++ b/dom/security/test/general/mochitest.ini
@@ -37,8 +37,10 @@ skip-if = toolkit == 'android'
 [test_same_site_cookies_subrequest.html]
 [test_same_site_cookies_toplevel_nav.html]
 [test_same_site_cookies_cross_origin_context.html]
 [test_same_site_cookies_from_script.html]
 [test_same_site_cookies_redirect.html]
 [test_same_site_cookies_toplevel_set_cookie.html]
 [test_same_site_cookies_iframe.html]
 [test_same_site_cookies_about.html]
+[test_assert_about_page_no_csp.html]
+skip-if = !debug || toolkit == 'android'
new file mode 100644
--- /dev/null
+++ b/dom/security/test/general/test_assert_about_page_no_csp.html
@@ -0,0 +1,41 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Bug 1490977: Test Assertion if content privileged about: page has no CSP</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<iframe id="testframe"></iframe>
+<script class="testbody" type="text/javascript">
+
+  SimpleTest.waitForExplicitFinish();
+  SimpleTest.expectAssertions(0, 1);
+
+  // Test Setup:
+  // The test overrules the whitelist of about: pages that are allowed to load without a CSP
+  // and makes sure to hit the assertion within AssertContentPrivilegedAboutPageHasCSP().
+  // However, due to the caching mechanism within AssertContentPrivilegedAboutPageHasCSP this
+  // test loads a second dummy data: URI to reset the old cache and finally resets the pref
+  // used for testing purposes.
+
+  let origWhiteList = SpecialPowers.getCharPref("csp.content_privileged_about_uris_without_csp");
+
+  SpecialPowers.setCharPref("csp.content_privileged_about_uris_without_csp", "");
+  SpecialPowers.setBoolPref("csp.overrule_content_privileged_about_uris_without_csp_whitelist", true);
+
+  ok(true, "sanity: prefs flipped and test runs");
+  let myFrame = document.getElementById("testframe");
+  myFrame.src = "about:blank";
+  // booom :-)
+
+  SpecialPowers.setCharPref("csp.content_privileged_about_uris_without_csp", origWhiteList);
+  myFrame.src = "data:text/html,<body>just a dumy data: URI</body>";
+
+  SpecialPowers.setBoolPref("csp.overrule_content_privileged_about_uris_without_csp_whitelist", false);
+
+  SimpleTest.finish();
+</script>
+</pre>
+</body>
+</html>
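Review bot: This test passes whether or not the assertion ever fires: `SimpleTest.expectAssertions(0, 1)` accepts zero assertions, and both prefs are restored and `SimpleTest.finish()` is called synchronously, before either iframe navigation has had a chance to load. Waiting for each frame's `load` event before touching the next pref would make the order described in the setup comment actually hold; if the assertion is expected in every configuration the test runs in, the range could then be tightened to `expectAssertions(1)`. Whether the `data:` load rebuilds the cached list depends on the top of AssertContentPrivilegedAboutPageHasCSP, which is not in this diff; if that function returns early for non-about: URIs, the reset step needs an about: page instead. Setting the prefs through `SpecialPowers.pushPrefEnv` would also restore them if the test aborts midway, and the stray `</pre>` near the end has no opening tag.
```html
  // … unchanged: waitForExplicitFinish, expectAssertions, setup comment …

  function loadFrame(frame, uri) {
    return new Promise(resolve => {
      frame.addEventListener("load", resolve, { once: true });
      frame.src = uri;
    });
  }

  (async function runTest() {
    // … unchanged: save origWhiteList, flip both prefs, sanity ok() …
    let myFrame = document.getElementById("testframe");
    // Wait for the load so the CSP check runs while the prefs are still flipped.
    await loadFrame(myFrame, "about:blank");

    // … unchanged: restore csp.content_privileged_about_uris_without_csp …
    // Wait again so the cached list is rebuilt before the override pref is turned off.
    await loadFrame(myFrame, "data:text/html,<body>just a dumy data: URI</body>");

    // … unchanged: set the override pref back to false …
    SimpleTest.finish();
  })();
```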
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -2578,16 +2578,18 @@ pref("font.blacklist.underline_offset", 
 pref("security.directory",              "");
 
 // security-sensitive dialogs should delay button enabling. In milliseconds.
 pref("security.dialog_enable_delay", 1000);
 pref("security.notification_enable_delay", 500);
 
 #if defined(DEBUG) && !defined(ANDROID)
 pref("csp.content_privileged_about_uris_without_csp", "blank,printpreview,srcdoc");
+// the following pref is for testing purposes only.
+pref("csp.overrule_content_privileged_about_uris_without_csp_whitelist", false);
 #endif
 
 // Default Content Security Policy to apply to signed contents.
 pref("security.signed_content.CSP.default", "script-src 'self'; style-src 'self'");
 
 // Mixed content blocking
 pref("security.mixed_content.block_active_content", false);
 pref("security.mixed_content.block_display_content", false);