Bug 1498885 - Assertion added in ContentSecurityPolicyPermitsJSAction() to not allow eval with SystemPrincipal r=ckerschb
authorvinoth <cegvinoth@gmail.com>
Mon, 15 Oct 2018 08:02:04 +0000
changeset 499704 237852763567335e4134d7510dd1c0c0107e47bc
parent 499703 1c7a643768d1fe54149d93ff17d25b532a794adc
child 499705 05d8e65ff651affb56489cce5910f57939926561
push id1864
push userffxbld-merge
push dateMon, 03 Dec 2018 15:51:40 +0000
reviewersckerschb
bugs1498885
milestone64.0a1
Bug 1498885 - Assertion added in ContentSecurityPolicyPermitsJSAction() to not allow eval with SystemPrincipal r=ckerschb Differential Revision: https://phabricator.services.mozilla.com/D8683
browser/components/extensions/test/browser/browser_ext_menus_replace_menu.js
browser/components/extensions/test/browser/browser_ext_menus_targetElement_shadow.js
browser/components/extensions/test/browser/browser_ext_webNavigation_onCreatedNavigationTarget.js
browser/components/extensions/test/browser/browser_ext_webNavigation_onCreatedNavigationTarget_contextmenu.js
browser/components/privatebrowsing/test/browser/browser_privatebrowsing_ui.js
caps/nsScriptSecurityManager.cpp
devtools/shared/webconsole/test/test_object_actor.html
dom/base/test/browser_bug1058164.js
dom/base/test/chrome/bug418986-1.js
dom/security/test/cors/file_CrossSiteXHR_cache_server.sjs
dom/security/test/cors/file_CrossSiteXHR_server.sjs
dom/security/test/cors/test_CrossSiteXHR.html
dom/security/test/cors/test_CrossSiteXHR_cache.html
js/xpconnect/tests/chrome/test_bug1124898.html
js/xpconnect/tests/chrome/test_scriptSettings.xul
layout/base/tests/browser_onbeforeunload_only_after_interaction_in_frame.js
modules/libpref/init/all.js
toolkit/components/osfile/tests/mochi/test_osfile_comms.xul
toolkit/mozapps/extensions/test/browser/browser_bug562797.js
--- a/browser/components/extensions/test/browser/browser_ext_menus_replace_menu.js
+++ b/browser/components/extensions/test/browser/browser_ext_menus_replace_menu.js
@@ -21,18 +21,18 @@ function checkIsDefaultMenuItemVisible(v
 // - The usual extension filtering behavior (e.g. documentUrlPatterns and
 //   targetUrlPatterns) is still applied; some menu items are therefore hidden.
 // - Calling overrideContext({showDefaults:true}) causes the default menu items
 //   to be shown, but only after the extension's.
 // - overrideContext expires after the menu is opened once.
 // - overrideContext can be called from shadow DOM.
 add_task(async function overrideContext_in_extension_tab() {
   await SpecialPowers.pushPrefEnv({
-    set: [["dom.webcomponents.shadowdom.enabled", true]],
-  });
+    set: [["dom.webcomponents.shadowdom.enabled", true],
+          ["security.allow_eval_with_system_principal", true]]});
 
   function extensionTabScript() {
     document.addEventListener("contextmenu", () => {
       browser.menus.overrideContext({});
       browser.test.sendMessage("oncontextmenu_in_dom_part_1");
     }, {once: true});
 
     let shadowRoot = document.getElementById("shadowHost").attachShadow({mode: "open"});
--- a/browser/components/extensions/test/browser/browser_ext_menus_targetElement_shadow.js
+++ b/browser/components/extensions/test/browser/browser_ext_menus_targetElement_shadow.js
@@ -2,17 +2,21 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 "use strict";
 
 const PAGE = "http://mochi.test:8888/browser/browser/components/extensions/test/browser/context.html";
 
 add_task(async function menuInShadowDOM() {
   Services.prefs.setBoolPref("dom.webcomponents.shadowdom.enabled", true);
-  registerCleanupFunction(() => Services.prefs.clearUserPref("dom.webcomponents.shadowdom.enabled"));
+  Services.prefs.setBoolPref("security.allow_eval_with_system_principal", true);
+  registerCleanupFunction(() => {
+    Services.prefs.clearUserPref("dom.webcomponents.shadowdom.enabled");
+    Services.prefs.clearUserPref("security.allow_eval_with_system_principal");
+  });
 
   let tab = await BrowserTestUtils.openNewForegroundTab(gBrowser, PAGE);
   gBrowser.selectedTab = tab;
 
   async function background() {
     browser.menus.onShown.addListener(async (info, tab) => {
       browser.test.assertTrue(Number.isInteger(info.targetElementId), `${info.targetElementId} should be an integer`);
       browser.test.assertEq("all,link", info.contexts.sort().join(","), "Expected context");
--- a/browser/components/extensions/test/browser/browser_ext_webNavigation_onCreatedNavigationTarget.js
+++ b/browser/components/extensions/test/browser/browser_ext_webNavigation_onCreatedNavigationTarget.js
@@ -1,15 +1,18 @@
 /* -*- Mode: indent-tabs-mode: nil; js-indent-level: 2 -*- */
 /* vim: set sts=2 sw=2 et tw=80: */
 "use strict";
 
 Services.scriptloader.loadSubScript(new URL("head_webNavigation.js", gTestPath).href,
                                     this);
 
+SpecialPowers.pushPrefEnv({"set": [["security.allow_eval_with_system_principal",
+                                    true]]});
+
 async function background() {
   const tabs = await browser.tabs.query({active: true, currentWindow: true});
   const sourceTabId = tabs[0].id;
 
   const sourceTabFrames = await browser.webNavigation.getAllFrames({tabId: sourceTabId});
 
   browser.webNavigation.onCreatedNavigationTarget.addListener((msg) => {
     browser.test.sendMessage("webNavOnCreated", msg);
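Review bot: The added top-level `SpecialPowers.pushPrefEnv({...})` call is neither awaited nor given a callback, so nothing in this hunk guarantees the pref is applied before the test body runs; it is harmless only while the default added in all.js is `true`. The same un-awaited form is added in browser_ext_webNavigation_onCreatedNavigationTarget_contextmenu.js, browser_privatebrowsing_ui.js, test_object_actor.html, browser_bug1058164.js, bug418986-1.js, test_CrossSiteXHR_cache.html, test_bug1124898.html (where `w.eval(...)` follows synchronously a few lines later), test_scriptSettings.xul and test_osfile_comms.xul. Where a file uses add_task, I would move the call into a first task, `add_task(async function setup() { await SpecialPowers.pushPrefEnv({set: [["security.allow_eval_with_system_principal", true]]}); });`, and in the plain mochitests pass the test start as the callback, as test_CrossSiteXHR.html does. Otherwise, flipping the default after Bug 1473549 is likely to surface as intermittent assertion failures rather than a clean pass.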
--- a/browser/components/extensions/test/browser/browser_ext_webNavigation_onCreatedNavigationTarget_contextmenu.js
+++ b/browser/components/extensions/test/browser/browser_ext_webNavigation_onCreatedNavigationTarget_contextmenu.js
@@ -1,15 +1,18 @@
 /* -*- Mode: indent-tabs-mode: nil; js-indent-level: 2 -*- */
 /* vim: set sts=2 sw=2 et tw=80: */
 "use strict";
 
 Services.scriptloader.loadSubScript(new URL("head_webNavigation.js", gTestPath).href,
                                     this);
 
+SpecialPowers.pushPrefEnv({"set": [["security.allow_eval_with_system_principal",
+                                    true]]});
+
 async function clickContextMenuItem({pageElementSelector, contextMenuItemLabel}) {
   const contentAreaContextMenu = await openContextMenu(pageElementSelector);
   const item = contentAreaContextMenu.getElementsByAttribute("label", contextMenuItemLabel);
   is(item.length, 1, `found contextMenu item for "${contextMenuItemLabel}"`);
   item[0].click();
   await closeContextMenu();
 }
 
--- a/browser/components/privatebrowsing/test/browser/browser_privatebrowsing_ui.js
+++ b/browser/components/privatebrowsing/test/browser/browser_privatebrowsing_ui.js
@@ -3,16 +3,18 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 // This test makes sure that the gPrivateBrowsingUI object, the Private Browsing
 // menu item and its XUL <command> element work correctly.
 
 function test() {
   // initialization
   waitForExplicitFinish();
+  SpecialPowers.pushPrefEnv({"set": [["security.allow_eval_with_system_principal",
+                                      true]]});
   let windowsToClose = [];
   let testURI = "about:blank";
   let pbMenuItem;
   let cmd;
 
   function doTest(aIsPrivateMode, aWindow, aCallback) {
     BrowserTestUtils.browserLoaded(aWindow.gBrowser.selectedBrowser).then(function() {
       ok(aWindow.gPrivateBrowsingUI, "The gPrivateBrowsingUI object exists");
--- a/caps/nsScriptSecurityManager.cpp
+++ b/caps/nsScriptSecurityManager.cpp
@@ -471,16 +471,24 @@ NS_IMPL_ISUPPORTS(nsScriptSecurityManage
 ///////////////// Security Checks /////////////////
 
 bool
 nsScriptSecurityManager::ContentSecurityPolicyPermitsJSAction(JSContext *cx,
                                                               JS::HandleValue aValue)
 {
     MOZ_ASSERT(cx == nsContentUtils::GetCurrentJSContext());
     nsCOMPtr<nsIPrincipal> subjectPrincipal = nsContentUtils::SubjectPrincipal();
+
+#if defined(DEBUG) && !defined(ANDROID)
+    if (!(Preferences::GetBool("security.allow_eval_with_system_principal"))) {
+      MOZ_ASSERT(!nsContentUtils::IsSystemPrincipal(subjectPrincipal),
+               "do not use eval with system privileges");
+    }
+#endif
+
     nsCOMPtr<nsIContentSecurityPolicy> csp;
     nsresult rv = subjectPrincipal->GetCsp(getter_AddRefs(csp));
     NS_ASSERTION(NS_SUCCEEDED(rv), "CSP: Failed to get CSP from principal.");
 
     // don't do anything unless there's a CSP
     if (!csp)
         return true;
 
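Review bot: The added `#if defined(DEBUG) && !defined(ANDROID)` block has no comment explaining that it is a debug-only diagnostic, that it is disabled by the pref default of `true` in all.js, or why Android is excluded, so a reader may mistake it for an enforced restriction on eval with the system principal. I would add something like `// Debug-only diagnostic: flags eval() under the system principal once security.allow_eval_with_system_principal is false (see Bug 1473549); release builds are not affected.` above the `#if`. The block also indents by two spaces inside a function that indents by four, and the assertion message could name the pref so that whoever hits the assert knows how it is controlled, e.g. `"do not use eval with system privileges (security.allow_eval_with_system_principal)"`. The body of ContentSecurityPolicyPermitsJSAction continues past the end of this hunk.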
--- a/devtools/shared/webconsole/test/test_object_actor.html
+++ b/devtools/shared/webconsole/test/test_object_actor.html
@@ -9,16 +9,19 @@
      - http://creativecommons.org/publicdomain/zero/1.0/ -->
 </head>
 <body>
 <p>Test for the object actor</p>
 
 <script class="testbody" type="text/javascript">
 SimpleTest.waitForExplicitFinish();
 
+SpecialPowers.pushPrefEnv({"set": [["security.allow_eval_with_system_principal",
+																		true]]});
+
 let expectedProps = [];
 
 function startTest() {
   removeEventListener("load", startTest);
 
   attachConsoleToTab(["ConsoleAPI"], onAttach);
 }
 
--- a/dom/base/test/browser_bug1058164.js
+++ b/dom/base/test/browser_bug1058164.js
@@ -1,14 +1,17 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 "use strict";
 
+SpecialPowers.pushPrefEnv({"set": [["security.allow_eval_with_system_principal",
+																		true]]});
+
 const PAGE = "data:text/html,<html><body>A%20regular,%20everyday,%20normal%20page.";
 
 /**
  * Returns a Promise that resolves when it sees a pageshow and
  * pagehide events in a particular order, where each event must
  * have the persisted property set to true. Will cause a test
  * failure to be logged if it sees an event out of order.
  *
--- a/dom/base/test/chrome/bug418986-1.js
+++ b/dom/base/test/chrome/bug418986-1.js
@@ -1,12 +1,15 @@
 // The main test function.
 var test = function (isContent) {
   SimpleTest.waitForExplicitFinish();
 
+	SpecialPowers.pushPrefEnv({"set": [["security.allow_eval_with_system_principal",
+																		  true]]});
+
   let { ww } = SpecialPowers.Services;
   window.chromeWindow = ww.activeWindow;
 
   // The pairs of values expected to be the same when
   // fingerprinting resistance is enabled.
   let pairs = [
     ["screenX", 0],
     ["screenY", 0],
--- a/dom/security/test/cors/file_CrossSiteXHR_cache_server.sjs
+++ b/dom/security/test/cors/file_CrossSiteXHR_cache_server.sjs
@@ -1,8 +1,11 @@
+Cu.import("resource://gre/modules/Services.jsm");
+Services.prefs.setBoolPref("security.allow_eval_with_system_principal", true);
+
 function handleRequest(request, response)
 {
   var query = {};
   request.queryString.split('&').forEach(function (val) {
     var [name, value] = val.split('=');
     query[name] = unescape(value);
   });
 
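Review bot: The pref is set with `Services.prefs.setBoolPref(...)` at script load and nothing in this hunk clears it, so once this server script has run, the new debug assertion presumably stays disabled for anything that runs later in the same profile. That would hide eval-with-system-principal use in unrelated tests once the default becomes `false`. The same two lines are added to file_CrossSiteXHR_server.sjs. The calling pages already push the pref through `SpecialPowers.pushPrefEnv`, which reverts at test end, so if the server-side set is still required I would at least add `// NOTE: never reset; leaks into later tests, remove once this handler no longer evals` and pair it with a `Services.prefs.clearUserPref("security.allow_eval_with_system_principal")` in the test's cleanup. handleRequest's body continues outside the hunk.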
--- a/dom/security/test/cors/file_CrossSiteXHR_server.sjs
+++ b/dom/security/test/cors/file_CrossSiteXHR_server.sjs
@@ -1,12 +1,14 @@
 const CC = Components.Constructor;
 const BinaryInputStream = CC("@mozilla.org/binaryinputstream;1",
                              "nsIBinaryInputStream",
                              "setInputStream");
+Cu.import("resource://gre/modules/Services.jsm");
+Services.prefs.setBoolPref("security.allow_eval_with_system_principal", true);
 
 function handleRequest(request, response)
 {
   var query = {};
   request.queryString.split('&').forEach(function (val) {
     var [name, value] = val.split('=');
     query[name] = unescape(value);
   });
--- a/dom/security/test/cors/test_CrossSiteXHR.html
+++ b/dom/security/test/cors/test_CrossSiteXHR.html
@@ -20,17 +20,19 @@ const runPreflightTests = 1;
 const runCookieTests = 1;
 const runRedirectTests = 1;
 
 var gen;
 
 function initTest() {
   SimpleTest.waitForExplicitFinish();
   // Allow all cookies, then do the actual test initialization
-  SpecialPowers.pushPrefEnv({"set": [["network.cookie.cookieBehavior", 0]]}, initTestCallback);
+  SpecialPowers.pushPrefEnv({"set": [["network.cookie.cookieBehavior", 0],
+  																	 ["security.allow_eval_with_system_principal", true]]},
+  																	  initTestCallback);
 }
 
 function initTestCallback() {
   window.addEventListener("message", function(e) {
     gen.next(e.data);
   });
 
   gen = runTest();
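Review bot: The two continuation lines added to the `pushPrefEnv` call in `initTest` are indented with tab characters in a file that otherwise indents with two spaces, so they render misaligned and may trip whitespace linting. Re-indent them with spaces so that `["security.allow_eval_with_system_principal", true]]},` lines up under the first array element and `initTestCallback);` under the opening `{`. The same tab indentation appears in the lines added to test_object_actor.html, browser_bug1058164.js, bug418986-1.js, test_bug1124898.html, test_scriptSettings.xul, browser_onbeforeunload_only_after_interaction_in_frame.js and test_osfile_comms.xul.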
--- a/dom/security/test/cors/test_CrossSiteXHR_cache.html
+++ b/dom/security/test/cors/test_CrossSiteXHR_cache.html
@@ -11,19 +11,23 @@
 <iframe id=loader></iframe>
 </p>
 <div id="content" style="display: none">
   
 </div>
 <pre id="test">
 <script class="testbody" type="application/javascript">
 
+let gen;
 SimpleTest.waitForExplicitFinish();
 SimpleTest.requestFlakyTimeout("This test needs to generate artificial pauses, hence it uses timeouts.  There is no way around it, unfortunately. :(");
 
+SpecialPowers.pushPrefEnv({"set": [["security.allow_eval_with_system_principal",
+                                     true]]});
+
 window.addEventListener("message", function(e) {
   gen.next(e.data);
 });
 
 gen = runTest();
 
 function* runTest() {
   var loader = document.getElementById('loader');
--- a/js/xpconnect/tests/chrome/test_bug1124898.html
+++ b/js/xpconnect/tests/chrome/test_bug1124898.html
@@ -8,16 +8,18 @@ https://bugzilla.mozilla.org/show_bug.cg
   <title>Test for Bug 1124898</title>
   <script type="application/javascript" src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"></script>
   <link rel="stylesheet" type="text/css" href="chrome://global/skin"/>
   <link rel="stylesheet" type="text/css" href="chrome://mochikit/content/tests/SimpleTest/test.css"/>
   <script type="application/javascript">
 
   /** Test for Bug 1124898 **/
   SimpleTest.waitForExplicitFinish();
+  SpecialPowers.pushPrefEnv({"set": [["security.allow_eval_with_system_principal",
+																			true]]});
   SimpleTest.expectAssertions(0, 1); // Dumb unrelated widget assertion - see bug 1126023.
   var w = window.open("about:blank", "w", "chrome");
   is(w.eval('typeof getAttention'), 'function', 'getAttention exists on regular chrome window');
   is(w.eval('typeof messageManager'), 'object', 'messageManager exists on regular chrome window');
   var contentURL = "http://example.org/tests/js/xpconnect/tests/mochitest/file_empty.html";
   w.location = contentURL;
   tryWindow();
 
--- a/js/xpconnect/tests/chrome/test_scriptSettings.xul
+++ b/js/xpconnect/tests/chrome/test_scriptSettings.xul
@@ -16,16 +16,18 @@ https://bugzilla.mozilla.org/show_bug.cg
 
   <!-- test code goes here -->
   <iframe src="./file_empty.html"></iframe>
   <script type="application/javascript">
   <![CDATA[
 
   /** Test for the script settings stack. **/
   SimpleTest.waitForExplicitFinish();
+  SpecialPowers.pushPrefEnv({"set": [["security.allow_eval_with_system_principal",
+																			true]]});
   addLoadEvent(function() {
     ChromeUtils.import("resource://gre/modules/Promise.jsm");
     iwin = window[0];
 
     // Smoketest.
     is(Cu.getIncumbentGlobal(), window, "smoketest");
 
     // Calling a cross-compartment non-scripted function changes the
--- a/layout/base/tests/browser_onbeforeunload_only_after_interaction_in_frame.js
+++ b/layout/base/tests/browser_onbeforeunload_only_after_interaction_in_frame.js
@@ -1,17 +1,18 @@
 function pageScript() {
   window.addEventListener("beforeunload", function (event) {
     var str = "Some text that causes the beforeunload dialog to be shown";
     event.returnValue = str;
     return str;
   }, true);
 }
 
-SpecialPowers.pushPrefEnv({"set": [["dom.require_user_interaction_for_beforeunload", true]]});
+SpecialPowers.pushPrefEnv({"set": [["dom.require_user_interaction_for_beforeunload", true],
+																	 ["security.allow_eval_with_system_principal", true]]});
 
 const FRAME_URL =
   "data:text/html," + encodeURIComponent("<body>Just a frame</body>");
 
 const PAGE_URL =
   "data:text/html," + encodeURIComponent("<iframe src='" + FRAME_URL + "'></iframe><script>(" + pageScript.toSource() + ")();</script>");
 
 add_task(async function doClick() {
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -2609,16 +2609,18 @@ pref("security.directory",              
 pref("security.dialog_enable_delay", 1000);
 pref("security.notification_enable_delay", 500);
 
 #if defined(DEBUG) && !defined(ANDROID)
 pref("csp.about_uris_without_csp", "blank,printpreview,srcdoc,about,addons,cache-entry,config,crashes,debugging,devtools,downloads,home,memory,networking,newtab,performance,plugins,policies,profiles,restartrequired,searchreset,serviceworkers,sessionrestore,support,sync-log,telemetry,url-classifier,webrtc,welcomeback");
 // the following prefs are for testing purposes only.
 pref("csp.overrule_about_uris_without_csp_whitelist", false);
 pref("csp.skip_about_page_has_csp_assert", false);
+// assertion flag will be set to false after fixing Bug 1473549
+pref("security.allow_eval_with_system_principal", true);
 #endif
 
 // Default Content Security Policy to apply to signed contents.
 pref("security.signed_content.CSP.default", "script-src 'self'; style-src 'self'");
 
 // Mixed content blocking
 pref("security.mixed_content.block_active_content", false);
 pref("security.mixed_content.block_display_content", false);
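Review bot: The comment on the new pref, "assertion flag will be set to false after fixing Bug 1473549", does not say what the pref controls or that `true` is the permissive value. I would replace it with `// When false, debug builds assert in ContentSecurityPolicyPermitsJSAction() if eval() runs with the system principal.` followed by `// Defaults to true (assertion off) until Bug 1473549 is fixed.` The existing line above it, "the following prefs are for testing purposes only", also covers this pref only by position, so being explicit here helps whoever later flips the default.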
--- a/toolkit/components/osfile/tests/mochi/test_osfile_comms.xul
+++ b/toolkit/components/osfile/tests/mochi/test_osfile_comms.xul
@@ -13,16 +13,18 @@
           src="chrome://mochikit/content/tests/SimpleTest/EventUtils.js"/>
   <script type="application/javascript">
   <![CDATA[
 
 "use strict";
 
 let worker;
 
+SpecialPowers.pushPrefEnv({"set": [["security.allow_eval_with_system_principal",
+																		true]]});
 let test = function test() {
   SimpleTest.info("test_osfile_comms.xul: Starting test");
   ChromeUtils.import("resource://gre/modules/ctypes.jsm");
   ChromeUtils.import("resource://gre/modules/osfile.jsm");
   worker = new ChromeWorker("worker_test_osfile_comms.js");
   SimpleTest.waitForExplicitFinish();
   try {
     worker.onerror = function onerror(error) {
--- a/toolkit/mozapps/extensions/test/browser/browser_bug562797.js
+++ b/toolkit/mozapps/extensions/test/browser/browser_bug562797.js
@@ -69,16 +69,17 @@ function test() {
   requestLongerTimeout(2);
 
   waitForExplicitFinish();
 
   Services.prefs.setCharPref(PREF_DISCOVERURL, MAIN_URL);
 
   SpecialPowers.pushPrefEnv({"set": [
       ["dom.ipc.processCount", 1],
+      ["security.allow_eval_with_system_principal", true],
     ]}, () => {
     var gProvider = new MockProvider();
     gProvider.createAddons([{
       id: "test1@tests.mozilla.org",
       name: "Test add-on 1",
       description: "foo",
     },
     {