Bug 1331838 - Remove support for app URIs in CSP directives; r=ckerschb
authorEhsan Akhgari <ehsan@mozilla.com>
Tue, 17 Jan 2017 22:00:08 -0500
changeset 377326 fe7a8f94d0ad0f7262b950b353325624406d4133
parent 377325 1f5a359e77c4282522141e99ad1e95f9a579154c
child 377327 4a772ea363ab231f7812753f0b77cf712423e124
push id1419
push userjlund@mozilla.com
push dateMon, 10 Apr 2017 20:44:07 +0000
reviewersckerschb
bugs1331838
milestone53.0a1
Bug 1331838 - Remove support for app URIs in CSP directives; r=ckerschb
dom/security/nsCSPParser.cpp
dom/security/nsCSPParser.h
dom/security/test/gtest/TestCSPParser.cpp
--- a/dom/security/nsCSPParser.cpp
+++ b/dom/security/nsCSPParser.cpp
@@ -37,18 +37,16 @@ static const char16_t SEMICOLON    = ';'
 static const char16_t SLASH        = '/';
 static const char16_t PLUS         = '+';
 static const char16_t DASH         = '-';
 static const char16_t DOT          = '.';
 static const char16_t UNDERLINE    = '_';
 static const char16_t TILDE        = '~';
 static const char16_t WILDCARD     = '*';
 static const char16_t SINGLEQUOTE  = '\'';
-static const char16_t OPEN_CURL    = '{';
-static const char16_t CLOSE_CURL   = '}';
 static const char16_t NUMBER_SIGN  = '#';
 static const char16_t QUESTIONMARK = '?';
 static const char16_t PERCENT_SIGN = '%';
 static const char16_t EXCLAMATION  = '!';
 static const char16_t DOLLAR       = '$';
 static const char16_t AMPERSAND    = '&';
 static const char16_t OPENBRACE    = '(';
 static const char16_t CLOSINGBRACE = ')';
@@ -521,36 +519,16 @@ nsCSPParser::host()
     logWarningErrorToConsole(nsIScriptError::warningFlag, "hostNameMightBeKeyword",
                              params, ArrayLength(params));
   }
 
   // Create a new nsCSPHostSrc with the parsed host.
   return new nsCSPHostSrc(mCurValue);
 }
 
-// apps use special hosts; "app://{app-host-is-uid}""
-nsCSPHostSrc*
-nsCSPParser::appHost()
-{
-  CSPPARSERLOG(("nsCSPParser::appHost, mCurToken: %s, mCurValue: %s",
-               NS_ConvertUTF16toUTF8(mCurToken).get(),
-               NS_ConvertUTF16toUTF8(mCurValue).get()));
-
-  while (hostChar()) { /* consume */ }
-
-  // appHosts have to end with "}", otherwise we have to report an error
-  if (!accept(CLOSE_CURL)) {
-    const char16_t* params[] = { mCurToken.get() };
-    logWarningErrorToConsole(nsIScriptError::warningFlag, "couldntParseInvalidSource",
-                             params, ArrayLength(params));
-    return nullptr;
-  }
-  return new nsCSPHostSrc(mCurValue);
-}
-
 // keyword-source = "'self'" / "'unsafe-inline'" / "'unsafe-eval'"
 nsCSPBaseSrc*
 nsCSPParser::keywordSource()
 {
   CSPPARSERLOG(("nsCSPParser::keywordSource, mCurToken: %s, mCurValue: %s",
                NS_ConvertUTF16toUTF8(mCurToken).get(),
                NS_ConvertUTF16toUTF8(mCurValue).get()));
 
@@ -610,23 +588,16 @@ nsCSPParser::keywordSource()
 // host-source = [ scheme "://" ] host [ port ] [ path ]
 nsCSPHostSrc*
 nsCSPParser::hostSource()
 {
   CSPPARSERLOG(("nsCSPParser::hostSource, mCurToken: %s, mCurValue: %s",
                NS_ConvertUTF16toUTF8(mCurToken).get(),
                NS_ConvertUTF16toUTF8(mCurValue).get()));
 
-  // Special case handling for app specific hosts
-  if (accept(OPEN_CURL)) {
-    // If appHost() returns null, the error was handled in appHost().
-    // appHosts can not have a port, or path, we can return.
-    return appHost();
-  }
-
   nsCSPHostSrc* cspHost = host();
   if (!cspHost) {
     // Error was reported in host()
     return nullptr;
   }
 
   // Calling port() to see if there is a port to parse, if an error
   // occurs, port() reports the error, if port() returns true;
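Review bot: With the `accept(OPEN_CURL)` early return gone from `hostSource()`, a source that begins with `{` now falls through to `host()`, and nothing visible in this commit pins what the parser does with it. The TestCSPParser.cpp hunks only delete the `{app-host-is-uid}` rows from the SimplePolicies and GoodGeneratedPolicies tables; no row is added asserting that `default-src app://{app-host-is-uid}` or `img-src {app-host-is-uid}` is now treated as an invalid source. Since this is policy parsing, a later change that re-accepted brace hosts could alter what a policy permits without any test failing, so I would add those two strings to whichever table in that file covers rejected sources, with the serialization the parser actually produces for an unparseable host. `host()` and the rest of `hostSource()` lie outside this hunk, so the rejection path is presumed here rather than confirmed.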
--- a/dom/security/nsCSPParser.h
+++ b/dom/security/nsCSPParser.h
@@ -128,17 +128,16 @@ class nsCSPParser {
     void                sandboxFlagList(nsCSPDirective* aDir);
     void                sourceList(nsTArray<nsCSPBaseSrc*>& outSrcs);
     nsCSPBaseSrc*       sourceExpression();
     nsCSPSchemeSrc*     schemeSource();
     nsCSPHostSrc*       hostSource();
     nsCSPBaseSrc*       keywordSource();
     nsCSPNonceSrc*      nonceSource();
     nsCSPHashSrc*       hashSource();
-    nsCSPHostSrc*       appHost(); // helper function to support app specific hosts
     nsCSPHostSrc*       host();
     bool                hostChar();
     bool                schemeChar();
     bool                port();
     bool                path(nsCSPHostSrc* aCspHost);
 
     bool subHost();                                         // helper function to parse subDomains
     bool atValidUnreservedChar();                           // helper function to parse unreserved
--- a/dom/security/test/gtest/TestCSPParser.cpp
+++ b/dom/security/test/gtest/TestCSPParser.cpp
@@ -457,18 +457,16 @@ TEST(CSPParser, SimplePolicies)
     { "object-src media1.example.com media2.example.com *.cdn.example.com;",
       "object-src http://media1.example.com http://media2.example.com http://*.cdn.example.com" },
     { "script-src trustedscripts.example.com",
       "script-src http://trustedscripts.example.com" },
     { "script-src 'self' ; default-src trustedscripts.example.com",
       "script-src http://www.selfuri.com; default-src http://trustedscripts.example.com" },
     { "default-src 'none'; report-uri http://localhost:49938/test",
       "default-src 'none'; report-uri http://localhost:49938/test" },
-    { "default-src app://{app-host-is-uid}",
-      "default-src app://{app-host-is-uid}" },
     { "   ;   default-src abc",
       "default-src http://abc" },
     { " ; ; ; ;     default-src            abc    ; ; ; ;",
       "default-src http://abc" },
     { "script-src 'none' 'none' 'none';",
       "script-src 'none'" },
     { "script-src http://www.example.com/path-1//",
       "script-src http://www.example.com/path-1//" },
@@ -628,18 +626,16 @@ TEST(CSPParser, GoodGeneratedPolicies)
     { "media-src foo.bar",
       "media-src http://foo.bar" },
     { "frame-src *.bar",
       "frame-src http://*.bar" },
     { "font-src com",
       "font-src http://com" },
     { "connect-src f00b4r.com",
       "connect-src http://f00b4r.com" },
-    { "default-src {app-url-is-uid}",
-      "default-src http://{app-url-is-uid}" },
     { "script-src *.a.b.c",
       "script-src http://*.a.b.c" },
     { "object-src *.b.c",
       "object-src http://*.b.c" },
     { "style-src a.b.c",
       "style-src http://a.b.c" },
     { "img-src a.com",
       "img-src http://a.com" },
@@ -654,32 +650,26 @@ TEST(CSPParser, GoodGeneratedPolicies)
     { "default-src a.com:23",
       "default-src http://a.com:23" },
     { "script-src https://a.com:200",
       "script-src https://a.com:200" },
     { "object-src data:",
       "object-src data:" },
     { "style-src javascript:",
       "style-src javascript:" },
-    { "img-src {app-host-is-uid}",
-      "img-src http://{app-host-is-uid}" },
-    { "media-src app://{app-host-is-uid}",
-      "media-src app://{app-host-is-uid}" },
     { "frame-src https://foobar.com:443",
       "frame-src https://foobar.com:443" },
     { "font-src https://a.com:443",
       "font-src https://a.com:443" },
     { "connect-src http://a.com:80",
       "connect-src http://a.com:80" },
     { "default-src http://foobar.com",
       "default-src http://foobar.com" },
     { "script-src https://foobar.com",
       "script-src https://foobar.com" },
-    { "object-src https://{app-host-is-uid}",
-      "object-src https://{app-host-is-uid}" },
     { "style-src 'none'",
       "style-src 'none'" },
     { "img-src foo.bar:21 https://ras.bar",
       "img-src http://foo.bar:21 https://ras.bar" },
     { "media-src http://foo.bar:21 https://ras.bar:443",
       "media-src http://foo.bar:21 https://ras.bar:443" },
     { "frame-src http://self.com:80",
       "frame-src http://self.com:80" },