Bug 1049289 - CSP: Strip uri fragments before sending csp-reports. r=sstamm, a=sledru
authorChristoph Kerschbaumer <mozilla@christophkerschbaumer.com>
Tue, 05 Aug 2014 16:12:16 -0700
changeset 217653 7321b41a03415ef630a6e6931f058327696c0806
parent 217652 d8e146e60d2401c8038041740e99477aabc3b4f0
child 217654 237034de34d90c941dea67c6fdf8414cf2e24e72
push id515
push userraliiev@mozilla.com
push dateMon, 06 Oct 2014 12:51:51 +0000
treeherdermozilla-release@267c7a481bef [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerssstamm, sledru
bugs1049289
milestone33.0a2
Bug 1049289 - CSP: Strip uri fragments before sending csp-reports. r=sstamm, a=sledru
content/base/src/nsCSPContext.cpp
--- a/content/base/src/nsCSPContext.cpp
+++ b/content/base/src/nsCSPContext.cpp
@@ -609,17 +609,17 @@ nsCSPContext::SendReports(nsISupports* a
   nsresult rv;
 
   // blocked-uri
   if (aBlockedContentSource) {
     nsAutoCString reportBlockedURI;
     nsCOMPtr<nsIURI> uri = do_QueryInterface(aBlockedContentSource);
     // could be a string or URI
     if (uri) {
-      uri->GetSpec(reportBlockedURI);
+      uri->GetSpecIgnoringRef(reportBlockedURI);
     } else {
       nsCOMPtr<nsISupportsCString> cstr = do_QueryInterface(aBlockedContentSource);
       if (cstr) {
         cstr->GetData(reportBlockedURI);
       }
     }
     if (reportBlockedURI.IsEmpty()) {
       // this can happen for frame-ancestors violation where the violating
@@ -627,17 +627,17 @@ nsCSPContext::SendReports(nsISupports* a
       NS_WARNING("No blocked URI (null aBlockedContentSource) for CSP violation report.");
     }
     report.mCsp_report.mBlocked_uri = NS_ConvertUTF8toUTF16(reportBlockedURI);
   }
 
   // document-uri
   if (aOriginalURI) {
     nsAutoCString reportDocumentURI;
-    aOriginalURI->GetSpec(reportDocumentURI);
+    aOriginalURI->GetSpecIgnoringRef(reportDocumentURI);
     report.mCsp_report.mDocument_uri = NS_ConvertUTF8toUTF16(reportDocumentURI);
   }
 
   // original-policy
   nsAutoString originalPolicy;
   rv = this->GetPolicy(aViolatedPolicyIndex, originalPolicy);
   NS_ENSURE_SUCCESS(rv, rv);
   report.mCsp_report.mOriginal_policy = originalPolicy;
@@ -649,16 +649,24 @@ nsCSPContext::SendReports(nsISupports* a
     report.mCsp_report.mReferrer = NS_ConvertUTF8toUTF16(referrerURI);
   }
 
   // violated-directive
   report.mCsp_report.mViolated_directive = aViolatedDirective;
 
   // source-file
   if (!aSourceFile.IsEmpty()) {
+    // if aSourceFile is a URI, we have to make sure to strip fragments
+    nsCOMPtr<nsIURI> sourceURI;
+    NS_NewURI(getter_AddRefs(sourceURI), aSourceFile);
+    if (sourceURI) {
+      nsAutoCString spec;
+      sourceURI->GetSpecIgnoringRef(spec);
+      aSourceFile = NS_ConvertUTF8toUTF16(spec);
+    }
     report.mCsp_report.mSource_file.Construct();
     report.mCsp_report.mSource_file.Value() = aSourceFile;
   }
 
   // script-sample
   if (!aScriptSample.IsEmpty()) {
     report.mCsp_report.mScript_sample.Construct();
     report.mCsp_report.mScript_sample.Value() = aScriptSample;