Bug 1202027 - Make SRI require CORS loads for cross-origin resources. r=ckerschb
authorFrancois Marier <francois@mozilla.com>
Wed, 09 Sep 2015 00:11:38 -0700
changeset 294126 e7bb8fc8b53b35a2b7070eb0c98f1b15535b6c63
parent 294125 6c7d5b56e472f8c1ddd8f6e965510072e98d8df1
child 294127 125b9eda72c9adbe3ab87ea5388e6b25c270a038
push id5245
push userraliiev@mozilla.com
push dateThu, 29 Oct 2015 11:30:51 +0000
reviewersckerschb
bugs1202027
milestone43.0a1
Bug 1202027 - Make SRI require CORS loads for cross-origin resources. r=ckerschb
dom/security/SRICheck.cpp
dom/security/test/sri/iframe_script_crossdomain.html
dom/security/test/sri/iframe_style_crossdomain.html
--- a/dom/security/SRICheck.cpp
+++ b/dom/security/SRICheck.cpp
@@ -270,17 +270,17 @@ SRICheck::VerifyIntegrity(const SRIMetad
 
   MOZ_ASSERT(!aMetadata.IsEmpty()); // should be checked by caller
 
   // IntegrityMetadata() checks this and returns "no metadata" if
   // it's disabled so we should never make it this far
   MOZ_ASSERT(Preferences::GetBool("security.sri.enable", false));
 
   if (NS_FAILED(IsEligible(aChannel, aCORSMode, aDocument))) {
-    return NS_OK; // ignore non-CORS resources for forward-compatibility
+    return NS_ERROR_SRI_NOT_ELIGIBLE;
   }
   if (!aMetadata.IsValid()) {
     nsContentUtils::ReportToConsole(nsIScriptError::warningFlag,
                                     NS_LITERAL_CSTRING("Sub-resource Integrity"),
                                     aDocument,
                                     nsContentUtils::eSECURITY_PROPERTIES,
                                     "NoValidMetadata");
     return NS_OK; // ignore invalid metadata for forward-compatibility
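Review bot: The new `return NS_ERROR_SRI_NOT_ELIGIBLE;` drops the explanatory comment the old line carried and, unlike the invalid-metadata branch directly below it, reports nothing to the web console within this hunk. Unless IsEligible() already reports (not visible here), an author whose cross-origin resource is now blocked gets no hint that a missing CORS load is the cause. I would add a comment such as `// fail closed: integrity cannot be checked on a cross-origin response that was not loaded with CORS`, and confirm that a console message is emitted on this path. Because this check runs before `aMetadata.IsValid()`, a non-CORS cross-origin load with unparseable metadata is blocked while a CORS load with the same metadata still returns NS_OK; the tests in this commit suggest that is intended, but the comment should say so. VerifyIntegrity starts before the hunk and continues past it.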
--- a/dom/security/test/sri/iframe_script_crossdomain.html
+++ b/dom/security/test/sri/iframe_script_crossdomain.html
@@ -21,46 +21,46 @@
 
   function good_nonsriLoaded() {
     ok(true, "Non-eligible non-SRI resource was loaded correctly.");
   }
   function bad_nonsriBlocked() {
     ok(false, "Non-eligible non-SRI resources should be loaded!");
   }
 
-  function good_nonCORSInvalidLoaded() {
-    ok(true, "A non-CORS resource with invalid metadata was correctly loaded.");
+  function good_nonCORSInvalidBlocked() {
+    ok(true, "A non-CORS resource with invalid metadata was correctly blocked.");
   }
-  function bad_nonCORSInvalidBlocked() {
-    ok(false, "Non-CORS resources with invalid metadata should be loaded!");
+  function bad_nonCORSInvalidLoaded() {
+    ok(false, "Non-CORS resources with invalid metadata should be blocked!");
   }
 
   window.onerrorCalled = false;
   window.onloadCalled = false;
 
   function bad_onloadCalled() {
     window.onloadCalled = true;
   }
 
   function good_onerrorCalled() {
     window.onerrorCalled = true;
   }
 
-  function good_incorrect301Loaded() {
-    ok(true, "A non-CORS load redirected to a different origin was loaded correctly despite an incorrect hash value.");
+  function good_incorrect301Blocked() {
+    ok(true, "A non-CORS load with incorrect hash redirected to a different origin was blocked correctly.");
   }
-  function bad_incorrect301Blocked() {
-    ok(false, "Non-CORS loads redirecting to a different origin should be loaded despite an incorrect hash value!");
+  function bad_incorrect301Loaded() {
+    ok(false, "Non-CORS loads with incorrect hashes redirecting to a different origin should be blocked!");
   }
 
-  function good_correct301Loaded() {
-    ok(true, "A non-CORS load redirected to a different origin was loaded correctly.");
+  function good_correct301Blocked() {
+    ok(true, "A non-CORS load with correct hash redirected to a different origin was blocked correctly.");
   }
-  function bad_correct301Blocked() {
-    ok(false, "Non-CORS loads redirecting to a different origin should be loaded!");
+  function bad_correct301Loaded() {
+    ok(false, "Non-CORS loads with correct hashes redirecting to a different origin should be blocked!");
   }
 
   window.onload = function() {
     SimpleTest.finish()
   }
 </script>
 
 <!-- cors-enabled. should be loaded -->
@@ -76,33 +76,33 @@
         onerror="good_onerrorCalled()"></script>
 
 <!-- non-cors but not actually using SRI. should trigger onload -->
 <script src="http://example.com/tests/dom/security/test/sri/script_crossdomain3.js"
         integrity="    "
         onload="good_nonsriLoaded()"
         onerror="bad_nonsriBlocked()"></script>
 
-<!-- non-cors with invalid metadata. should trigger onload -->
+<!-- non-cors with invalid metadata -->
 <script src="http://example.com/tests/dom/security/test/sri/script_crossdomain4.js"
         integrity="sha256-bogus"
-        onload="good_nonCORSInvalidLoaded()"
-        onerror="bad_nonCORSInvalidBlocked()"></script>
+        onload="bad_nonCORSInvalidLoaded()"
+        onerror="good_nonCORSInvalidBlocked()"></script>
 
 <!-- non-cors that's same-origin initially but redirected to another origin -->
 <script src="script_301.js"
         integrity="sha384-invalid"
-        onerror="bad_incorrect301Blocked()"
-        onload="good_incorrect301Loaded()"></script>
+        onerror="good_incorrect301Blocked()"
+        onload="bad_incorrect301Loaded()"></script>
 
 <!-- non-cors that's same-origin initially but redirected to another origin -->
 <script src="script_301.js"
         integrity="sha384-1NpiDI6decClMaTWSCAfUjTdx1BiOffsCPgH4lW5hCLwmHk0VyV/g6B9Sw2kD2K3"
-        onerror="bad_correct301Blocked()"
-        onload="good_correct301Loaded()"></script>
+        onerror="good_correct301Blocked()"
+        onload="bad_correct301Loaded()"></script>
 
 <script>
   ok(window.hasCORSLoaded, "CORS-enabled resource with a correct hash");
   ok(!window.hasNonCORSLoaded, "Correct hash, but non-CORS, should be blocked");
   ok(!window.onloadCalled, "Failed loads should not call onload when they're cross-domain");
   ok(window.onerrorCalled, "Failed loads should call onerror when they're cross-domain");
 </script>
 </body>
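Review bot: The three non-CORS cases in this hunk no longer state the outcome they expect. The comment above `script_crossdomain4.js` lost "should trigger onload" without a replacement, and the two `script_301.js` cases carry the identical comment although one uses an incorrect hash and the other a correct one. I would write `<!-- non-cors with invalid metadata. should trigger onerror -->`, and for the redirects `<!-- non-cors, same-origin initially but redirected to another origin, incorrect hash. should trigger onerror -->` plus the matching "correct hash" variant. That makes the fail-closed expectation readable without tracing the `good_`/`bad_` handler names.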
--- a/dom/security/test/sri/iframe_style_crossdomain.html
+++ b/dom/security/test/sri/iframe_style_crossdomain.html
@@ -7,43 +7,43 @@
   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
   <script type="application/javascript">
     SimpleTest.waitForExplicitFinish();
     window.onload = function() {
       SimpleTest.finish();
     }
   </script>
   <script>
-    function good_correctHashLoaded() {
-      ok(true, "A non-CORS cross-domain stylesheet was correctly loaded when integrity matched.");
+    function good_correctHashBlocked() {
+      ok(true, "A non-CORS cross-domain stylesheet with correct hash was correctly blocked.");
     }
-    function bad_correctHashBlocked() {
-      ok(false, "We should load non-CORS cross-domain stylesheets with hashes that match!");
+    function bad_correctHashLoaded() {
+      ok(false, "We should block non-CORS cross-domain stylesheets with hashes that match!");
     }
 
-    function good_incorrectHashLoaded() {
-      ok(true, "A non-CORS cross-domain stylesheet was correctly loaded even when integrity didn't match.");
+    function good_incorrectHashBlocked() {
+      ok(true, "A non-CORS cross-domain stylesheet with incorrect hash was correctly blocked.");
     }
-    function bad_incorrectHashBlocked() {
-      ok(false, "We should load non-CORS cross-domain stylesheets even when hashes don't match!");
+    function bad_incorrectHashLoaded() {
+      ok(false, "We should load non-CORS cross-domain stylesheets with incorrect hashes!");
     }
 
   </script>
 
   <!-- valid non-CORS sha256 hash. should trigger onload -->
   <link rel="stylesheet" href="style_301.css"
         integrity="sha256-qs8lnkunWoVldk5d5E+652yth4VTSHohlBKQvvgGwa8="
-        onerror="bad_correctHashBlocked()"
-        onload="good_correctHashLoaded()">
+        onerror="good_correctHashBlocked()"
+        onload="bad_correctHashLoaded()">
 
   <!-- invalid non-CORS sha256 hash. should trigger onload -->
   <link rel="stylesheet" href="style_301.css?again"
         integrity="sha256-bogus"
-        onerror="bad_incorrectHashBlocked()"
-        onload="good_incorrectHashLoaded()">
+        onerror="good_incorrectHashBlocked()"
+        onload="bad_incorrectHashLoaded()">
 </head>
 <body>
 <p><span id="red-text">This should be red.</span></p>
 <p id="display"></p>
 <div id="content" style="display: none">
 </div>
 <pre id="test">
 </pre>
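Review bot: The failure message in `bad_incorrectHashLoaded` still says the resource should load, which is the opposite of what the test now asserts; it should read `ok(false, "We should block non-CORS cross-domain stylesheets with incorrect hashes!");`. The two `<link>` comments also still end in "should trigger onload" although the handlers now treat onerror as the passing outcome, so both should end in "should trigger onerror". Left as is, a regression that lets a non-CORS stylesheet through would print a message telling the reader that loading is the desired behaviour.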