Backed out 2 changesets (bug 1439330) for wpt3 failures in /content-security-policy/script-src/script-src-strict_dynamic_eval.html on a CLOSED TREE
authorshindli <shindli@mozilla.com>
Sat, 28 Apr 2018 19:33:32 +0300
changeset 472268 eb408f77a028cd93809fadb30f101fbf4aaa4d70
parent 472265 9263d25afcd041bf301cbd96c4cb8199975c85bf
child 472269 4f03582a853b24483df1b8927d4200fe54b7cab9
push id1728
push userjlund@mozilla.com
push dateMon, 18 Jun 2018 21:12:27 +0000
bugs1439330
milestone61.0a1
backs out254e0c58f80fd65ad00bcd3b4dfd324a05d93e67
f9abb3479fdd7127f6e9be4c1638f88ef47240d0
Backed out 2 changesets (bug 1439330) for wpt3 failures in /content-security-policy/script-src/script-src-strict_dynamic_eval.html on a CLOSED TREE Backed out changeset 254e0c58f80f (bug 1439330) Backed out changeset f9abb3479fdd (bug 1439330)
dom/security/nsCSPUtils.cpp
dom/security/test/csp/mochitest.ini
dom/security/test/csp/test_evalscript_allowed_by_strict_dynamic.html
dom/security/test/csp/test_evalscript_blocked_by_strict_dynamic.html
--- a/dom/security/nsCSPUtils.cpp
+++ b/dom/security/nsCSPUtils.cpp
@@ -842,22 +842,19 @@ nsCSPKeywordSrc::allows(enum CSPKeyword 
   if (mInvalidated) {
     // only 'self' and 'unsafe-inline' are keywords that can be ignored. Please note that
     // the parser already translates 'self' into a uri (see assertion in constructor).
     MOZ_ASSERT(mKeyword == CSP_UNSAFE_INLINE,
                "should only invalidate unsafe-inline");
     return false;
   }
   // either the keyword allows the load or the policy contains 'strict-dynamic', in which
-  // case we have to make sure the script is not parser created before allowing the load
-  // and also eval should be blocked even if 'strict-dynamic' is present. Should be
-  // allowed only if 'unsafe-eval' is present.
+  // case we have to make sure the script is not parser created before allowing the load.
   return ((mKeyword == aKeyword) ||
-          ((mKeyword == CSP_STRICT_DYNAMIC) && !aParserCreated &&
-            aKeyword != CSP_UNSAFE_EVAL));
+          ((mKeyword == CSP_STRICT_DYNAMIC) && !aParserCreated));
 }
 
 bool
 nsCSPKeywordSrc::visit(nsCSPSrcVisitor* aVisitor) const
 {
   return aVisitor->visitKeywordSrc(*this);
 }
 
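Review bot: The restored return expression makes a 'strict-dynamic' source satisfy any non-parser-created aKeyword, CSP_UNSAFE_EVAL included, so a policy carrying 'strict-dynamic' without 'unsafe-eval' permits eval again; that is the gap bug 1439330 was closing, and neither the restored code nor the comment above the return records it. Since this is a backout for a wpt failure rather than a rejection of the restriction, I would leave a marker at that comment, e.g. `// TODO(bug 1439330): 'strict-dynamic' currently also satisfies CSP_UNSAFE_EVAL; the eval restriction was backed out pending the wpt3 failure in script-src-strict_dynamic_eval.html`. The two mochitests that pinned both directions are deleted in the same changeset, so the behaviour has no regression coverage until the re-land. The signature of nsCSPKeywordSrc::allows lies outside the hunk.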
--- a/dom/security/test/csp/mochitest.ini
+++ b/dom/security/test/csp/mochitest.ini
@@ -244,18 +244,16 @@ prefs =
 [test_connect-src.html]
 [test_CSP.html]
 [test_allow_https_schemes.html]
 [test_bug663567.html]
 [test_bug802872.html]
 [test_bug885433.html]
 [test_bug888172.html]
 [test_evalscript.html]
-[test_evalscript_blocked_by_strict_dynamic.html]
-[test_evalscript_allowed_by_strict_dynamic.html]
 [test_frameancestors.html]
 [test_frameancestors_userpass.html]
 skip-if = toolkit == 'android' # Times out, not sure why (bug 1008445)
 [test_inlinescript.html]
 [test_inlinestyle.html]
 [test_invalid_source_expression.html]
 [test_bug836922_npolicies.html]
 [test_bug886164.html]
deleted file mode 100644
--- a/dom/security/test/csp/test_evalscript_allowed_by_strict_dynamic.html
+++ /dev/null
@@ -1,36 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-  <meta charset="utf-8">
-  <meta http-equiv="Content-Security-Policy" 
-        content="script-src 'nonce-foobar' 'strict-dynamic' 'unsafe-eval'">
-  <title>Bug 1439330  - CSP: eval is not blocked if 'strict-dynamic' is enabled
-  </title>
-  <script nonce="foobar" type="application/javascript" src="/tests/SimpleTest/SimpleTest.js">
-  </script>
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
-</head>
-<body>
-<script nonce="foobar">
-
-/* Description of the test:
- * We apply the script-src 'nonce-foobar' 'strict-dynamic' 'unsafe-eval' CSP and
- * check if the eval function is allowed correctly by the CSP.
- */
-
-SimpleTest.waitForExplicitFinish();
-
-// start the test
-try {
-  eval("1");
-  ok(true, "eval allowed by CSP");
-}
-catch (ex) {
-  ok(false, "eval should be allowed by CSP");
-}
-
-SimpleTest.finish();
-
-</script>
-</body>
-</html>
\ No newline at end of file
deleted file mode 100644
--- a/dom/security/test/csp/test_evalscript_blocked_by_strict_dynamic.html
+++ /dev/null
@@ -1,36 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-  <meta charset="utf-8">
-  <meta http-equiv="Content-Security-Policy" 
-        content="script-src 'nonce-foobar' 'strict-dynamic'">
-  <title>Bug 1439330  - CSP: eval is not blocked if 'strict-dynamic' is enabled
-  </title>
-  <script nonce="foobar" type="application/javascript" src="/tests/SimpleTest/SimpleTest.js">
-  </script>
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
-</head>
-<body>
-<script nonce="foobar">
-
-/* Description of the test:
- * We apply the script-src 'nonce-foobar' 'strict-dynamic' CSP and
- * check if the eval function is blocked correctly by the CSP.
- */
-
-SimpleTest.waitForExplicitFinish();
-
-// start the test
-try {
-  eval("1");
-  ok(false, "eval should be blocked by CSP");
-}
-catch (ex) {
-  ok(true, "eval blocked by CSP");
-}
-
-SimpleTest.finish();
-
-</script>
-</body>
-</html>
\ No newline at end of file