This is an automated email from the git hooks/post-receive script.
richard pushed a commit to branch tor-browser-91.13.0esr-11.5-1 in repository tor-browser.
commit 61fc2cfa6d994d4f41a360b9d7c1c9667626e880 Author: Tom Schuster tschuster@mozilla.com AuthorDate: Mon Aug 15 14:41:10 2022 +0000
Bug 1770094 r=freddyb,emilio a=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D154518
---
 dom/html/HTMLFormSubmission.cpp | 3 +-
 dom/html/HTMLSharedElement.cpp | 8 ++---
 .../security/nsIContentSecurityPolicy.idl | 11 +++---
 dom/security/nsCSPContext.cpp | 11 +++---
 parser/html/nsHtml5TreeOpExecutor.cpp | 40 +++++++++++++++++++---
 5 files changed, 54 insertions(+), 19 deletions(-)
diff --git a/dom/html/HTMLFormSubmission.cpp b/dom/html/HTMLFormSubmission.cpp
index 4ea6b0b01176..82943df1ff5f 100644
--- a/dom/html/HTMLFormSubmission.cpp
+++ b/dom/html/HTMLFormSubmission.cpp
@@ -793,7 +793,8 @@ nsresult HTMLFormSubmission::GetFromForm(HTMLFormElement* aForm,
 // policy - do *not* consult default-src, see:
 // http://www.w3.org/TR/CSP2/#directive-default-src
 rv = csp->Permits(aForm, nullptr /* nsICSPEventListener */, actionURL,
- nsIContentSecurityPolicy::FORM_ACTION_DIRECTIVE, true,
+ nsIContentSecurityPolicy::FORM_ACTION_DIRECTIVE,
+ true /* aSpecific */, true /* aSendViolationReports */,
 &permitsFormAction);
 NS_ENSURE_SUCCESS(rv, rv);
 if (!permitsFormAction) {
diff --git a/dom/html/HTMLSharedElement.cpp b/dom/html/HTMLSharedElement.cpp
index 4e3e1453846b..b168f327823e 100644
--- a/dom/html/HTMLSharedElement.cpp
+++ b/dom/html/HTMLSharedElement.cpp
@@ -155,10 +155,10 @@ static void SetBaseURIUsingFirstBaseWithHref(Document* aDocument,
 // policy - do *not* consult default-src, see:
 // http://www.w3.org/TR/CSP2/#directive-default-src
 bool cspPermitsBaseURI = true;
- rv = csp->Permits(child->AsElement(), nullptr /* nsICSPEventListener */,
- newBaseURI,
- nsIContentSecurityPolicy::BASE_URI_DIRECTIVE, true,
- &cspPermitsBaseURI);
+ rv = csp->Permits(
+ child->AsElement(), nullptr /* nsICSPEventListener */, newBaseURI,
+ nsIContentSecurityPolicy::BASE_URI_DIRECTIVE, true /* aSpecific */,
+ true /* aSendViolationReports */, &cspPermitsBaseURI);
 if (NS_FAILED(rv) || !cspPermitsBaseURI) {
 newBaseURI = nullptr;
 }
diff --git a/dom/interfaces/security/nsIContentSecurityPolicy.idl b/dom/interfaces/security/nsIContentSecurityPolicy.idl
index ca4703fcd108..3f15a072441a 100644
--- a/dom/interfaces/security/nsIContentSecurityPolicy.idl
+++ b/dom/interfaces/security/nsIContentSecurityPolicy.idl
@@ -288,11 +288,8 @@ interface nsIContentSecurityPolicy : nsISerializable
 /**
 * Checks if a specific directive permits loading of a URI.
 *
- * NOTE: Calls to this may trigger violation reports when queried, so the
- * return value should not be cached.
- *
 * @param aTriggeringElement
- * The element that triggers this CSP check. It can be null.
+ * The element that triggers this CSP check. It can be null.
 * @param aURI
 * The URI about to be loaded or used.
 * @param aDir
@@ -304,6 +301,9 @@ interface nsIContentSecurityPolicy : nsISerializable
 * "false" allows CSP to fall back to default-src. This function
 * behaves the same for both values of canUseDefault when querying
 * directives that don't fall-back.
+ * @param aSendViolationReports
+ * If `true` and the uri is not allowed then trigger violation reports.
+ * This should be `false` for caching or preloads.
 * @return
 * Whether or not the provided URI is allowed by CSP under the given
 * directive. (block the pending operation if false).
@@ -312,7 +312,8 @@ interface nsIContentSecurityPolicy : nsISerializable
 in nsICSPEventListener aCSPEventListener,
 in nsIURI aURI,
 in nsIContentSecurityPolicy_CSPDirective aDir,
- in boolean aSpecific);
+ in boolean aSpecific,
+ in boolean aSendViolationReports);
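Review bot: The new @param text for aSendViolationReports (second hunk) says when to pass `false` but not what `false` changes, and the removed NOTE about not caching the result disappears with it, so a caller reading only the IDL could take `false` for a side-effect-free dry run whose answer is safe to cache. The nsCSPContext.cpp side of this commit only routes the flag into the "send violation reports" slot of permitsInternal and leaves outPermits untouched, and the non-speculative <base> check in HTMLSharedElement.cpp still passes `true`, so I would spell that out: `If true and the URI is not allowed, trigger violation reports; the allow/deny result is the same for both values. Pass false for caching or preloads, where the later non-speculative check reports instead; a result obtained with true should not be cached, since each call reports again.` Also `uri` -> `URI` to match the surrounding comment.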
 /**
 * Delegate method called by the service when sub-elements of the protected
diff --git a/dom/security/nsCSPContext.cpp b/dom/security/nsCSPContext.cpp
index 113ee2cf95a1..9b7a99f272c3 100644
--- a/dom/security/nsCSPContext.cpp
+++ b/dom/security/nsCSPContext.cpp
@@ -1632,7 +1632,8 @@ nsCSPContext::PermitsAncestry(nsILoadInfo* aLoadInfo,
 NS_IMETHODIMP
 nsCSPContext::Permits(Element* aTriggeringElement,
 nsICSPEventListener* aCSPEventListener, nsIURI* aURI,
- CSPDirective aDir, bool aSpecific, bool* outPermits) {
+ CSPDirective aDir, bool aSpecific,
+ bool aSendViolationReports, bool* outPermits) {
 // Can't perform check without aURI
 if (aURI == nullptr) {
 return NS_ERROR_FAILURE;
@@ -1654,14 +1655,14 @@ nsCSPContext::Permits(Element* aTriggeringElement,
 permitsInternal(aDir, aTriggeringElement, aCSPEventListener, aURI,
 nullptr, // no original (pre-redirect) URI
 u""_ns, // no nonce
- aSpecific,
- true, // send violation reports
+ aSpecific, aSendViolationReports,
 true, // send blocked URI in violation reports
 false); // not parser created
 if (CSPCONTEXTLOGENABLED()) {
- CSPCONTEXTLOG(("nsCSPContext::Permits, aUri: %s, aDir: %d, isAllowed: %s",
- aURI->GetSpecOrDefault().get(), aDir,
+ CSPCONTEXTLOG(("nsCSPContext::Permits, aUri: %s, aDir: %s, isAllowed: %s",
+ aURI->GetSpecOrDefault().get(),
+ CSP_CSPDirectiveToString(aDir),
 *outPermits ? "allow" : "deny"));
 }
diff --git a/parser/html/nsHtml5TreeOpExecutor.cpp b/parser/html/nsHtml5TreeOpExecutor.cpp
index dd865ee6eb22..484aeb68635c 100644
--- a/parser/html/nsHtml5TreeOpExecutor.cpp
+++ b/parser/html/nsHtml5TreeOpExecutor.cpp
@@ -1262,11 +1262,44 @@ void nsHtml5TreeOpExecutor::SetSpeculationBase(const nsAString& aURL) {
 // the first one wins
 return;
 }
+
 auto encoding = mDocument->GetDocumentCharacterSet();
- DebugOnly<nsresult> rv = NS_NewURI(getter_AddRefs(mSpeculationBaseURI), aURL,
- encoding, mDocument->GetDocumentURI());
+ nsCOMPtr<nsIURI> newBaseURI;
+ DebugOnly<nsresult> rv = NS_NewURI(getter_AddRefs(newBaseURI), aURL, encoding,
+ mDocument->GetDocumentURI());
 NS_WARNING_ASSERTION(NS_SUCCEEDED(rv), "Failed to create a URI");
+ if (!newBaseURI) {
+ return;
+ }
+
+ // Check the document's CSP usually delivered via the CSP header.
+ if (nsCOMPtr<nsIContentSecurityPolicy> csp = mDocument->GetCsp()) {
+ // base-uri should not fallback to the default-src and preloads should not
+ // trigger violation reports.
+ bool cspPermitsBaseURI = true;
+ nsresult rv = csp->Permits(
+ nullptr, nullptr, newBaseURI,
+ nsIContentSecurityPolicy::BASE_URI_DIRECTIVE, true /* aSpecific */,
+ false /* aSendViolationReports */, &cspPermitsBaseURI);
+ if (NS_FAILED(rv) || !cspPermitsBaseURI) {
+ return;
+ }
+ }
+
+ // Also check the CSP discovered from the <meta> tag during speculative
+ // parsing.
+ if (nsCOMPtr<nsIContentSecurityPolicy> csp = mDocument->GetPreloadCsp()) {
+ bool cspPermitsBaseURI = true;
+ nsresult rv = csp->Permits(
+ nullptr, nullptr, newBaseURI,
+ nsIContentSecurityPolicy::BASE_URI_DIRECTIVE, true /* aSpecific */,
+ false /* aSendViolationReports */, &cspPermitsBaseURI);
+ if (NS_FAILED(rv) || !cspPermitsBaseURI) {
+ return;
+ }
+ }
+ mSpeculationBaseURI = newBaseURI;
 mDocument->Preloads().SetSpeculationBase(mSpeculationBaseURI);
 }
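Review bot: In the two CSP blocks added after NS_WARNING_ASSERTION, the inner `nsresult rv` shadows the `DebugOnly<nsresult> rv` declared a few lines above, and the two blocks are identical apart from `GetCsp()` versus `GetPreloadCsp()`; I would fold the check into one local lambda with its own result name and annotate the two leading `nullptr` arguments the way the other call sites in this commit do (`nullptr /* nsICSPEventListener */`). One behavioural point worth confirming against SetBaseURIUsingFirstBaseWithHref: a rejected base leaves mSpeculationBaseURI null, so the "first one wins" guard at the top of this function lets a later `<base>` become the speculation base, whereas the main-thread path in HTMLSharedElement.cpp appears to settle on the first `<base>` and null it out when CSP rejects it, so speculative loads could resolve against a base the document never adopts. The start of SetSpeculationBase, including that guard, is outside this hunk.
```cpp
  NS_WARNING_ASSERTION(NS_SUCCEEDED(rv), "Failed to create a URI");
  if (!newBaseURI) {
    return;
  }

  // base-uri must not fall back to default-src, and a speculative check must
  // not emit violation reports; the non-speculative <base> handling reports.
  auto permitsBase = [&newBaseURI](nsCOMPtr<nsIContentSecurityPolicy> aCsp) {
    if (!aCsp) {
      return true;
    }
    bool permits = true;
    nsresult cspRv = aCsp->Permits(
        nullptr /* aTriggeringElement */, nullptr /* nsICSPEventListener */,
        newBaseURI, nsIContentSecurityPolicy::BASE_URI_DIRECTIVE,
        true /* aSpecific */, false /* aSendViolationReports */, &permits);
    return NS_SUCCEEDED(cspRv) && permits;
  };

  // Header-delivered CSP first, then the <meta> CSP seen during speculation.
  if (!permitsBase(mDocument->GetCsp()) ||
      !permitsBase(mDocument->GetPreloadCsp())) {
    return;
  }
  // … unchanged: assign mSpeculationBaseURI and notify Preloads() …
```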
@@ -1290,8 +1323,7 @@ void nsHtml5TreeOpExecutor::AddSpeculationCSP(const nsAString& aCSP) {
 NS_ENSURE_SUCCESS_VOID(rv);
 }
- // please note that meta CSPs and CSPs delivered through a header need
- // to be joined together.
+ // Please note that multiple meta CSPs need to be joined together.
 rv = preloadCsp->AppendPolicy(
 aCSP,
 false, // csp via meta tag can not be report only