Bug 612391 - Convert CSP violation reporting from XHR to nsIUploadChannel. r=jonas
authorSid Stamm <sstamm@mozilla.com>
Wed, 23 May 2012 16:00:42 -0700
changeset 99251 0bb7b61ca464516a880fd515a81c1f766c9921d8
parent 99250 528dc06375ac4eec55dc6a3a36b258238d3e2cfb
child 99252 fb10831a58a5398c980c6ff4fb72faab8fd22311
push id173
push userlsblakk@mozilla.com
push dateFri, 24 Aug 2012 15:39:16 +0000
reviewersjonas
bugs612391
milestone15.0a1
Bug 612391 - Convert CSP violation reporting from XHR to nsIUploadChannel. r=jonas
content/base/src/CSPUtils.jsm
content/base/src/contentSecurityPolicy.js
content/base/test/unit/test_cspreports.js
content/base/test/unit/xpcshell.ini
--- a/content/base/src/CSPUtils.jsm
+++ b/content/base/src/CSPUtils.jsm
@@ -6,18 +6,19 @@
  * Content Security Policy Utilities
  * 
  * Overview
  * This contains a set of classes and utilities for CSP.  It is in this
  * separate file for testing purposes.
  */
 
 // Module stuff
-var EXPORTED_SYMBOLS = ["CSPRep", "CSPSourceList", "CSPSource", 
-                        "CSPHost", "CSPWarning", "CSPError", "CSPdebug"];
+var EXPORTED_SYMBOLS = ["CSPRep", "CSPSourceList", "CSPSource", "CSPHost",
+                        "CSPWarning", "CSPError", "CSPdebug",
+                        "CSPViolationReportListener"];
 
 
 // these are not exported
 var gIoService = Components.classes["@mozilla.org/network/io-service;1"]
                  .getService(Components.interfaces.nsIIOService);
 
 var gETLDService = Components.classes["@mozilla.org/network/effective-tld-service;1"]
                    .getService(Components.interfaces.nsIEffectiveTLDService);
@@ -1437,8 +1438,46 @@ CSPHost.prototype = {
 
     for (var i=0; i<this._segments.length; i++) {
       if (this._segments[i] != that._segments[i])
         return false;
     }
     return true;
   }
 };
+
+
+//////////////////////////////////////////////////////////////////////
+/**
+ * Class that listens to violation report transmission and logs errors.
+ */
+function CSPViolationReportListener(reportURI) {
+  this._reportURI = reportURI;
+}
+
+CSPViolationReportListener.prototype = {
+  _reportURI:   null,
+
+  QueryInterface: function(iid) {
+    if(iid.equals(Ci.nsIStreamListener) ||
+        iid.equals(Ci.nsIRequestObserver) ||
+        iid.equals(Ci.nsISupports))
+      return this;
+    throw Components.results.NS_ERROR_NO_INTERFACE;
+  },
+
+  onStopRequest:
+  function(request, context, status) {
+    if (!Components.isSuccessCode(status)) {
+      CSPdebug("error " + status.toString(16) +
+                " while sending violation report to " +
+                this._reportURI);
+    }
+  },
+
+  onStartRequest:
+  function(request, context) { },
+
+  onDataAvailable:
+  function(request, context, inputStream, offset, count) { },
+
+};
+
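Review bot: onStopRequest only inspects the channel status, so a report endpoint that answers with an HTTP error (404, 500) is still treated as a successful send, because the channel status is a success code whenever the transaction itself completed. The XHR code this commit replaces in contentSecurityPolicy.js checked `req.status != 200`; to keep that signal, onStopRequest could also test `request instanceof Components.interfaces.nsIHttpChannel && !request.requestSucceeded` and log through CSPdebug. Separately, QueryInterface uses `Ci` while the visible parts of this module spell out `Components.interfaces` and `Components.results`; if `Ci` is not defined elsewhere in CSPUtils.jsm, the first QI call would throw a ReferenceError, so `Components.interfaces.nsIStreamListener` (and likewise for the other two) would be the safer spelling.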
--- a/content/base/src/contentSecurityPolicy.js
+++ b/content/base/src/contentSecurityPolicy.js
@@ -248,56 +248,83 @@ ContentSecurityPolicy.prototype = {
       // extra report fields for script errors (if available)
       if (aSourceFile)
         report["csp-report"]["source-file"] = aSourceFile;
       if (aScriptSample)
         report["csp-report"]["script-sample"] = aScriptSample;
       if (aLineNum)
         report["csp-report"]["line-number"] = aLineNum;
 
-      CSPdebug("Constructed violation report:\n" + JSON.stringify(report));
+      var reportString = JSON.stringify(report);
+      CSPdebug("Constructed violation report:\n" + reportString);
 
       CSPWarning("Directive \"" + violatedDirective + "\" violated"
                + (blockedUri['asciiSpec'] ? " by " + blockedUri.asciiSpec : ""),
                  (aSourceFile) ? aSourceFile : null,
                  (aScriptSample) ? decodeURIComponent(aScriptSample) : null,
                  (aLineNum) ? aLineNum : null);
 
       // For each URI in the report list, send out a report.
       // We make the assumption that all of the URIs are absolute URIs; this
       // should be taken care of in CSPRep.fromString (where it converts any
       // relative URIs into absolute ones based on "self").
       for (let i in uris) {
         if (uris[i] === "")
           continue;
 
-        var failure = function(aEvt) {  
-          if (req.readyState == 4 && req.status != 200) {
-            CSPError("Failed to send report to " + uris[i]);
-          }  
-        };  
-        var req = Cc["@mozilla.org/xmlextras/xmlhttprequest;1"]  
-                    .createInstance(Ci.nsIXMLHttpRequest);  
+        try {
+          var chan = Services.io.newChannel(uris[i], null, null);
+          if(!chan) {
+            CSPdebug("Error creating channel for " + uris[i]);
+            continue;
+          }
+
+          var content = Cc["@mozilla.org/io/string-input-stream;1"]
+                          .createInstance(Ci.nsIStringInputStream);
+          content.data = reportString + "\n\n";
+
+          // make sure this is an anonymous request (no cookies) so in case the
+          // policy URI is injected, it can't be abused for CSRF.
+          chan.loadFlags |= Ci.nsIChannel.LOAD_ANONYMOUS;
+
+          // we need to set an nsIChannelEventSink on the channel object
+          // so we can tell it to not follow redirects when posting the reports
+          chan.notificationCallbacks = new CSPReportRedirectSink();
+
+          chan.QueryInterface(Ci.nsIUploadChannel)
+              .setUploadStream(content, "application/json", content.available());
 
-        try {
-          req.open("POST", uris[i], true);
-          req.setRequestHeader('Content-Type', 'application/json');
-          req.upload.addEventListener("error", failure, false);
-          req.upload.addEventListener("abort", failure, false);
+          try {
+            // if this is an HTTP channel, set the request method to post
+            chan.QueryInterface(Ci.nsIHttpChannel);
+            chan.requestMethod = "POST";
+          } catch(e) {} // throws only if chan is not an nsIHttpChannel.
 
-          // we need to set an nsIChannelEventSink on the XHR object
-          // so we can tell it to not follow redirects when posting the reports
-          req.channel.notificationCallbacks = new CSPReportRedirectSink();
+          // check with the content policy service to see if we're allowed to
+          // send this request.
+          try {
+            var contentPolicy = Cc["@mozilla.org/layout/content-policy;1"]
+                                  .getService(Ci.nsIContentPolicy);
+            if (contentPolicy.shouldLoad(Ci.nsIContentPolicy.TYPE_OTHER,
+                                         chan.URI, null, null, null, null)
+                != Ci.nsIContentPolicy.ACCEPT) {
+              continue; // skip unauthorized URIs
+            }
+          } catch(e) {
+            continue; // refuse to load if we can't do a security check.
+          }
 
-          req.send(JSON.stringify(report));
+          //send data (and set up error notifications)
+          chan.asyncOpen(new CSPViolationReportListener(uris[i]), null);
           CSPdebug("Sent violation report to " + uris[i]);
         } catch(e) {
           // it's possible that the URI was invalid, just log a
           // warning and skip over that.
           CSPWarning("Tried to send report to invalid URI: \"" + uris[i] + "\"");
+          CSPWarning("error was: \"" + e + "\"");
         }
       }
     }
   },
 
   /**
    * Exposed Method to analyze docShell for approved frame ancestry.
    * Also sends violation reports if necessary.
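Review bot: The empty `catch(e) {}` around `chan.QueryInterface(Ci.nsIHttpChannel)` lets a non-HTTP channel fall through to `asyncOpen`, so any scheme whose channel implements nsIUploadChannel would still receive the report body; whether report-uri schemes are restricted earlier (the comment points at CSPRep.fromString) is not visible in this hunk. If only http/https endpoints are intended, the catch should skip the URI: `catch(e) { CSPdebug("report-uri is not an HTTP channel, skipping " + uris[i]); continue; }`. The two `continue` paths around `shouldLoad` are also silent, so a dropped report leaves no trace; a `CSPdebug` line in each would show why it was skipped. The "Sent violation report" message is logged right after `asyncOpen`, before the outcome is known, so "Sending" would be more accurate. The enclosing function starts above the hunk.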
new file mode 100644
--- /dev/null
+++ b/content/base/test/unit/test_cspreports.js
@@ -0,0 +1,153 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Content Security Policy Data Structures testing code.
+ *
+ * The Initial Developer of the Original Code is
+ *   Mozilla Corporation
+ *
+ * Contributor(s):
+ *   Sid Stamm <sid@mozilla.com>
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+Components.utils.import('resource://gre/modules/CSPUtils.jsm');
+Components.utils.import('resource://gre/modules/NetUtil.jsm');
+
+// load the HTTP server
+do_load_httpd_js();
+
+const REPORT_SERVER_PORT = 9000;
+const REPORT_SERVER_URI = "http://localhost";
+const REPORT_SERVER_PATH = "/report";
+
+var httpServer = null;
+var testsToFinish = 0;
+
+/**
+ * Construct a callback that listens to a report submission and either passes
+ * or fails a test based on what it gets.
+ */
+function makeReportHandler(testpath, message, expectedJSON) {
+  return function(request, response) {
+    // we only like "POST" submissions for reports!
+    if (request.method !== "POST") {
+      do_throw("violation report should be a POST request");
+      return;
+    }
+
+    // obtain violation report
+    var reportObj = JSON.parse(
+          NetUtil.readInputStreamToString(
+            request.bodyInputStream,
+            request.bodyInputStream.available()));
+
+    dump("GOT REPORT:\n" + JSON.stringify(reportObj) + "\n");
+    dump("TESTPATH:    " + testpath + "\n");
+    dump("EXPECTED:  \n" + JSON.stringify(expectedJSON) + "\n\n");
+
+    for (var i in expectedJSON)
+      do_check_eq(expectedJSON[i], reportObj['csp-report'][i]);
+
+    // self-destroy
+    testsToFinish--;
+    httpServer.registerPathHandler(testpath, null);
+    if (testsToFinish < 1)
+      httpServer.stop(do_test_finished);
+    else
+      do_test_finished();
+  };
+}
+
+function makeTest(id, expectedJSON, callback) {
+  testsToFinish++;
+  do_test_pending();
+
+  // set up a new CSP instance for each test.
+  var csp = Cc["@mozilla.org/contentsecuritypolicy;1"]
+              .createInstance(Ci.nsIContentSecurityPolicy);
+  var policy = "allow 'none'; " +
+               "report-uri " + REPORT_SERVER_URI +
+                               ":" + REPORT_SERVER_PORT +
+                               "/test" + id;
+  var selfuri = NetUtil.newURI(REPORT_SERVER_URI +
+                               ":" + REPORT_SERVER_PORT +
+                               "/foo/self");
+  var selfchan = NetUtil.newChannel(selfuri);
+
+  dump("Created test " + id + " : " + policy + "\n\n");
+
+  // make the reports seem authentic by "binding" them to a channel.
+  csp.scanRequestData(selfchan);
+
+  // Load up the policy
+  csp.refinePolicy(policy, selfuri);
+
+  // prime the report server
+  var handler = makeReportHandler("/test" + id, "Test " + id, expectedJSON);
+  httpServer.registerPathHandler("/test" + id, handler);
+
+  //trigger the violation
+  callback(csp);
+}
+
+function run_test() {
+  var selfuri = NetUtil.newURI(REPORT_SERVER_URI +
+                               ":" + REPORT_SERVER_PORT +
+                               "/foo/self");
+
+  httpServer = new nsHttpServer();
+  httpServer.start(REPORT_SERVER_PORT);
+
+  // test that inline script violations cause a report.
+  makeTest(0, {"blocked-uri": "self"},
+      function(csp) {
+        if(!csp.allowsInlineScript) {
+          // force the logging, since the getter doesn't.
+          csp.logViolationDetails(Ci.nsIContentSecurityPolicy.VIOLATION_TYPE_INLINE_SCRIPT,
+                                  selfuri.asciiSpec,
+                                  "script sample",
+                                  0);
+        }
+      });
+
+  makeTest(1, {"blocked-uri": "self"},
+      function(csp) {
+        if(!csp.allowsEval) {
+          // force the logging, since the getter doesn't.
+          csp.logViolationDetails(Ci.nsIContentSecurityPolicy.VIOLATION_TYPE_INLINE_SCRIPT,
+                                  selfuri.asciiSpec,
+                                  "script sample",
+                                  1);
+        }
+      });
+
+  makeTest(2, {"blocked-uri": "http://blocked.test/foo.js"},
+      function(csp) {
+        csp.shouldLoad(Ci.nsIContentPolicy.TYPE_SCRIPT,
+                      NetUtil.newURI("http://blocked.test/foo.js"),
+                      null, null, null, null);
+      });
+}
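Review bot: Test 1 guards on `csp.allowsEval` but still logs `VIOLATION_TYPE_INLINE_SCRIPT`, so the eval violation path is never reported; the call should presumably be `csp.logViolationDetails(Ci.nsIContentSecurityPolicy.VIOLATION_TYPE_EVAL,`. The handlers only compare report fields, so nothing covers the two security properties the sending code relies on: that the POST is anonymous (no cookies) and that redirects from the report endpoint are refused. The `message` parameter of makeReportHandler is unused, and the fixed `REPORT_SERVER_PORT = 9000` will fail the test if another process already holds that port.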
--- a/content/base/test/unit/xpcshell.ini
+++ b/content/base/test/unit/xpcshell.ini
@@ -1,12 +1,13 @@
 [DEFAULT]
 head = head_utilities.js
 tail = 
 
 [test_bug553888.js]
 [test_bug558431.js]
 [test_bug737966.js]
 [test_csputils.js]
+[test_cspreports.js]
 [test_error_codes.js]
 [test_thirdpartyutil.js]
 [test_xhr_standalone.js]
 [test_xmlserializer.js]