Bug 1247459 - Meta and header CSP are merged without a semicolon. r=ckerschb
authorStephanie Ouillon <stephouillon@mozilla.com>
Tue, 17 May 2016 15:34:53 +0200
changeset 341567 a22e275b759faeda830d2efa9985c3c9609bbde0
parent 341566 0a2fe25f4c67593dd90b2b7940e2587a43a00144
child 341568 b01ae5885b0b81fa638f368739e1a7ce12ad4025
push id1183
push userraliiev@mozilla.com
push dateMon, 05 Sep 2016 20:01:49 +0000
treeherdermozilla-release@3148731bed45 [default view] [failures only]
reviewersckerschb
bugs1247459
milestone49.0a1
Bug 1247459 - Meta and header CSP are merged without a semicolon. r=ckerschb
devtools/client/webconsole/test/browser.ini
devtools/client/webconsole/test/browser_webconsole_bug_1247459_violation.js
devtools/client/webconsole/test/browser_webconsole_bug_770099_violation.js
devtools/client/webconsole/test/test_bug_1247459_violation.html
dom/security/nsCSPUtils.cpp
--- a/devtools/client/webconsole/test/browser.ini
+++ b/devtools/client/webconsole/test/browser.ini
@@ -136,16 +136,17 @@ support-files =
   test-exception-stackframe.html
   test_bug_1010953_cspro.html^headers^
   test_bug_1010953_cspro.html
   test_bug1045902_console_csp_ignore_reflected_xss_message.html^headers^
   test_bug1045902_console_csp_ignore_reflected_xss_message.html
   test_bug1092055_shouldwarn.js^headers^
   test_bug1092055_shouldwarn.js
   test_bug1092055_shouldwarn.html
+  test_bug_1247459_violation.html
   !/devtools/client/framework/test/shared-head.js
   !/devtools/client/netmonitor/test/sjs_cors-test-server.sjs
   !/image/test/mochitest/blue.png
 
 [browser_bug1045902_console_csp_ignore_reflected_xss_message.js]
 skip-if = (e10s && debug) || (e10s && os == 'win') # Bug 1221499 enabled these on windows
 [browser_bug664688_sandbox_update_after_navigation.js]
 [browser_bug_638949_copy_link_location.js]
@@ -290,16 +291,18 @@ skip-if = e10s && (os == 'win' || os == 
 skip-if = os != "mac"
 [browser_webconsole_bug_817834_add_edited_input_to_history.js]
 [browser_webconsole_bug_837351_securityerrors.js]
 [browser_webconsole_filter_buttons_contextmenu.js]
 [browser_webconsole_bug_1006027_message_timestamps_incorrect.js]
 skip-if = e10s # Bug 1042253 - webconsole e10s tests (Linux debug intermittent)
 [browser_webconsole_bug_1010953_cspro.js]
 skip-if = e10s && (os == 'win' || os == 'mac') # Bug 1243967
+[browser_webconsole_bug_1247459_violation.js]
+skip-if = e10s && (os == 'win') # Bug 1264955
 [browser_webconsole_certificate_messages.js]
 skip-if = e10s # Bug 1042253 - webconsole tests disabled with e10s
 [browser_webconsole_show_subresource_security_errors.js]
 skip-if = e10s && (os == 'win' || os == 'mac') # Bug 1243987
 [browser_webconsole_cached_autocomplete.js]
 [browser_webconsole_chrome.js]
 [browser_webconsole_clickable_urls.js]
 [browser_webconsole_closure_inspection.js]
new file mode 100644
--- /dev/null
+++ b/devtools/client/webconsole/test/browser_webconsole_bug_1247459_violation.js
@@ -0,0 +1,40 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+/* vim: set ft=javascript ts=2 et sw=2 tw=80: */
+/* Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/publicdomain/zero/1.0/ */
+
+// Tests that the Web Console CSP messages for two META policies
+// are correctly displayed.
+
+"use strict";
+
+const TEST_URI = "data:text/html;charset=utf8,Web Console CSP violation test";
+const TEST_VIOLATION = "https://example.com/browser/devtools/client/" +
+                       "webconsole/test/test_bug_1247459_violation.html";
+const CSP_VIOLATION_MSG = "Content Security Policy: The page\u2019s settings " +
+                          "blocked the loading of a resource at " +
+                          "http://some.example.com/test.png (\u201cimg-src " +
+                          "https://example.com\u201d).";
+
+add_task(function* () {
+  let { browser } = yield loadTab(TEST_URI);
+
+  let hud = yield openConsole();
+
+  hud.jsterm.clearOutput();
+
+  let loaded = loadBrowser(browser);
+  BrowserTestUtils.loadURI(browser, TEST_VIOLATION);
+  yield loaded;
+
+  yield waitForMessages({
+    webconsole: hud,
+    messages: [
+      {
+        name: "CSP policy URI warning displayed successfully",
+        text: CSP_VIOLATION_MSG,
+        repeats: 2
+      }
+    ]
+  });
+});
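Review bot: The test loads a page with two `<meta>` policies only, while the bug title and the `<title>` in test_bug_1247459_violation.html both describe the header plus META combination, so that case is not covered here. Replacing one of the two `<meta>` tags with a `test_bug_1247459_violation.html^headers^` file (the convention browser.ini already uses for other tests) would cover the combination the bug names. The `repeats: 2` expectation is what detects the merged directive string, so it deserves a comment such as `// One message per policy; a concatenated directive string would not match.` The message `name` still reads "CSP policy URI warning displayed successfully", which does not describe this check.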
--- a/devtools/client/webconsole/test/browser_webconsole_bug_770099_violation.js
+++ b/devtools/client/webconsole/test/browser_webconsole_bug_770099_violation.js
@@ -8,17 +8,17 @@
 "use strict";
 
 const TEST_URI = "data:text/html;charset=utf8,Web Console CSP violation test";
 const TEST_VIOLATION = "https://example.com/browser/devtools/client/" +
                        "webconsole/test/test_bug_770099_violation.html";
 const CSP_VIOLATION_MSG = "Content Security Policy: The page\u2019s settings " +
                           "blocked the loading of a resource at " +
                           "http://some.example.com/test.png (\u201cdefault-src " +
-                            "https://example.com\u201d).";
+                          "https://example.com\u201d).";
 
 add_task(function* () {
   let { browser } = yield loadTab(TEST_URI);
 
   let hud = yield openConsole();
 
   hud.jsterm.clearOutput();
 
new file mode 100644
--- /dev/null
+++ b/devtools/client/webconsole/test/test_bug_1247459_violation.html
@@ -0,0 +1,15 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta http-equiv="Content-Security-Policy" content="img-src https://example.com"></meta>
+  <meta http-equiv="Content-Security-Policy" content="img-src https://example.com"></meta>
+  <meta charset="UTF-8">
+  <title>Test for Bug 1247459 - policy violations for header and META are displayed separately</title>
+<!-- Any copyright is dedicated to the Public Domain.
+     http://creativecommons.org/publicdomain/zero/1.0/ -->
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1247459">Mozilla Bug 1247459</a>
+<img src="http://some.example.com/test.png">
+</body>
+</html>
--- a/dom/security/nsCSPUtils.cpp
+++ b/dom/security/nsCSPUtils.cpp
@@ -1163,16 +1163,17 @@ nsCSPPolicy::permits(CSPDirective aDir,
   if (CSPUTILSLOGENABLED()) {
     nsAutoCString spec;
     aUri->GetSpec(spec);
     CSPUTILSLOG(("nsCSPPolicy::permits, aUri: %s, aDir: %d, aSpecific: %s",
                  spec.get(), aDir, aSpecific ? "true" : "false"));
   }
 
   NS_ASSERTION(aUri, "permits needs an uri to perform the check!");
+  outViolatedDirective.Truncate();
 
   nsCSPDirective* defaultDir = nullptr;
 
   // Try to find a relevant directive
   // These directive arrays are short (1-5 elements), not worth using a hashtable.
   for (uint32_t i = 0; i < mDirectives.Length(); i++) {
     if (mDirectives[i]->equals(aDir)) {
       if (!mDirectives[i]->permits(aUri, aNonce, aWasRedirected, mReportOnly, mUpgradeInsecDir)) {
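Review bot: The added `outViolatedDirective.Truncate();` has no comment saying why the out-parameter is cleared, and the reason cannot be read from this function alone. Something like `// Reset the out-param: a string reused across policies would otherwise carry the previous policy's directive into this violation report.` would keep a later cleanup from removing it; the reuse by callers is inferred from the bug title and is not visible in this hunk. Separately, `aUri->GetSpec(spec)` in the logging block runs before `NS_ASSERTION(aUri, ...)`, so with logging enabled a null `aUri` is dereferenced before the assertion can report it; moving the assertion above `if (CSPUTILSLOGENABLED())` fixes the order. The body of nsCSPPolicy::permits starts and ends outside the hunk.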