This is an automated email from the git hooks/post-receive script.
richard pushed a commit to branch geckoview-102.3.0esr-12.0-1 in repository tor-browser.
commit 4f9825634cdccde98191fede657e8be53e7451b0 Author: Tom Schuster tschuster@mozilla.com AuthorDate: Mon Aug 15 14:41:10 2022 +0000
Bug 1770094 r=freddyb,emilio a=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D154518 --- dom/html/HTMLFormSubmission.cpp | 3 +- dom/html/HTMLSharedElement.cpp | 8 ++--- .../security/nsIContentSecurityPolicy.idl | 11 +++--- dom/security/nsCSPContext.cpp | 11 +++--- parser/html/nsHtml5TreeOpExecutor.cpp | 40 +++++++++++++++++++--- 5 files changed, 54 insertions(+), 19 deletions(-)
diff --git a/dom/html/HTMLFormSubmission.cpp b/dom/html/HTMLFormSubmission.cpp index a7141c3cd9a47..4f42f19716e1c 100644 --- a/dom/html/HTMLFormSubmission.cpp +++ b/dom/html/HTMLFormSubmission.cpp @@ -792,7 +792,8 @@ nsresult HTMLFormSubmission::GetFromForm(HTMLFormElement* aForm, // policy - do *not* consult default-src, see: // http://www.w3.org/TR/CSP2/#directive-default-src rv = csp->Permits(aForm, nullptr /* nsICSPEventListener */, actionURL, - nsIContentSecurityPolicy::FORM_ACTION_DIRECTIVE, true, + nsIContentSecurityPolicy::FORM_ACTION_DIRECTIVE, + true /* aSpecific */, true /* aSendViolationReports */, &permitsFormAction); NS_ENSURE_SUCCESS(rv, rv); if (!permitsFormAction) { diff --git a/dom/html/HTMLSharedElement.cpp b/dom/html/HTMLSharedElement.cpp index 4e3e1453846b6..b168f327823ed 100644 --- a/dom/html/HTMLSharedElement.cpp +++ b/dom/html/HTMLSharedElement.cpp @@ -155,10 +155,10 @@ static void SetBaseURIUsingFirstBaseWithHref(Document* aDocument, // policy - do *not* consult default-src, see: // http://www.w3.org/TR/CSP2/#directive-default-src bool cspPermitsBaseURI = true; - rv = csp->Permits(child->AsElement(), nullptr /* nsICSPEventListener */, - newBaseURI, - nsIContentSecurityPolicy::BASE_URI_DIRECTIVE, true, - &cspPermitsBaseURI); + rv = csp->Permits( + child->AsElement(), nullptr /* nsICSPEventListener */, newBaseURI, + nsIContentSecurityPolicy::BASE_URI_DIRECTIVE, true /* aSpecific */, + true /* aSendViolationReports */, &cspPermitsBaseURI); if (NS_FAILED(rv) || !cspPermitsBaseURI) { newBaseURI = nullptr; } diff --git a/dom/interfaces/security/nsIContentSecurityPolicy.idl b/dom/interfaces/security/nsIContentSecurityPolicy.idl index e4e5815c59f65..215e84ad32be6 100644 --- a/dom/interfaces/security/nsIContentSecurityPolicy.idl +++ b/dom/interfaces/security/nsIContentSecurityPolicy.idl @@ -303,11 +303,8 @@ interface nsIContentSecurityPolicy : nsISerializable /** * Checks if a specific directive permits loading of a URI. * - * NOTE: Calls to this may trigger violation reports when queried, so the - * return value should not be cached. - * * @param aTriggeringElement - * The element that triggers this CSP check. It can be null. + * The element that triggers this CSP check. It can be null. * @param aURI * The URI about to be loaded or used. * @param aDir @@ -319,6 +316,9 @@ interface nsIContentSecurityPolicy : nsISerializable * "false" allows CSP to fall back to default-src. This function * behaves the same for both values of canUseDefault when querying * directives that don't fall-back. + * @param aSendViolationReports + * If `true` and the uri is not allowed then trigger violation reports. + * This should be `false` for caching or preloads. * @return * Whether or not the provided URI is allowed by CSP under the given * directive. (block the pending operation if false). @@ -327,7 +327,8 @@ interface nsIContentSecurityPolicy : nsISerializable in nsICSPEventListener aCSPEventListener, in nsIURI aURI, in nsIContentSecurityPolicy_CSPDirective aDir, - in boolean aSpecific); + in boolean aSpecific, + in boolean aSendViolationReports);
/** * Delegate method called by the service when sub-elements of the protected diff --git a/dom/security/nsCSPContext.cpp b/dom/security/nsCSPContext.cpp index f9f6073e1eaeb..3c655e5267398 100644 --- a/dom/security/nsCSPContext.cpp +++ b/dom/security/nsCSPContext.cpp @@ -1675,7 +1675,8 @@ nsCSPContext::PermitsAncestry(nsILoadInfo* aLoadInfo, NS_IMETHODIMP nsCSPContext::Permits(Element* aTriggeringElement, nsICSPEventListener* aCSPEventListener, nsIURI* aURI, - CSPDirective aDir, bool aSpecific, bool* outPermits) { + CSPDirective aDir, bool aSpecific, + bool aSendViolationReports, bool* outPermits) { // Can't perform check without aURI if (aURI == nullptr) { return NS_ERROR_FAILURE; @@ -1697,14 +1698,14 @@ nsCSPContext::Permits(Element* aTriggeringElement, permitsInternal(aDir, aTriggeringElement, aCSPEventListener, aURI, nullptr, // no original (pre-redirect) URI u""_ns, // no nonce - aSpecific, - true, // send violation reports + aSpecific, aSendViolationReports, true, // send blocked URI in violation reports false); // not parser created
if (CSPCONTEXTLOGENABLED()) { - CSPCONTEXTLOG(("nsCSPContext::Permits, aUri: %s, aDir: %d, isAllowed: %s", - aURI->GetSpecOrDefault().get(), aDir, + CSPCONTEXTLOG(("nsCSPContext::Permits, aUri: %s, aDir: %s, isAllowed: %s", + aURI->GetSpecOrDefault().get(), + CSP_CSPDirectiveToString(aDir), *outPermits ? "allow" : "deny")); }
diff --git a/parser/html/nsHtml5TreeOpExecutor.cpp b/parser/html/nsHtml5TreeOpExecutor.cpp index d956b3b5c6ecf..55c7dbe1ae90d 100644 --- a/parser/html/nsHtml5TreeOpExecutor.cpp +++ b/parser/html/nsHtml5TreeOpExecutor.cpp @@ -1314,11 +1314,44 @@ void nsHtml5TreeOpExecutor::SetSpeculationBase(const nsAString& aURL) { // the first one wins return; } + auto encoding = mDocument->GetDocumentCharacterSet(); - DebugOnly<nsresult> rv = NS_NewURI(getter_AddRefs(mSpeculationBaseURI), aURL, - encoding, mDocument->GetDocumentURI()); + nsCOMPtr<nsIURI> newBaseURI; + DebugOnly<nsresult> rv = NS_NewURI(getter_AddRefs(newBaseURI), aURL, encoding, + mDocument->GetDocumentURI()); NS_WARNING_ASSERTION(NS_SUCCEEDED(rv), "Failed to create a URI"); + if (!newBaseURI) { + return; + } + + // Check the document's CSP usually delivered via the CSP header. + if (nsCOMPtr<nsIContentSecurityPolicy> csp = mDocument->GetCsp()) { + // base-uri should not fallback to the default-src and preloads should not + // trigger violation reports. + bool cspPermitsBaseURI = true; + nsresult rv = csp->Permits( + nullptr, nullptr, newBaseURI, + nsIContentSecurityPolicy::BASE_URI_DIRECTIVE, true /* aSpecific */, + false /* aSendViolationReports */, &cspPermitsBaseURI); + if (NS_FAILED(rv) || !cspPermitsBaseURI) { + return; + } + } + + // Also check the CSP discovered from the <meta> tag during speculative + // parsing. + if (nsCOMPtr<nsIContentSecurityPolicy> csp = mDocument->GetPreloadCsp()) { + bool cspPermitsBaseURI = true; + nsresult rv = csp->Permits( + nullptr, nullptr, newBaseURI, + nsIContentSecurityPolicy::BASE_URI_DIRECTIVE, true /* aSpecific */, + false /* aSendViolationReports */, &cspPermitsBaseURI); + if (NS_FAILED(rv) || !cspPermitsBaseURI) { + return; + } + }
+ mSpeculationBaseURI = newBaseURI; mDocument->Preloads().SetSpeculationBase(mSpeculationBaseURI); }
@@ -1338,8 +1371,7 @@ void nsHtml5TreeOpExecutor::AddSpeculationCSP(const nsAString& aCSP) { NS_ENSURE_SUCCESS_VOID(rv); }
- // please note that meta CSPs and CSPs delivered through a header need - // to be joined together. + // Please note that multiple meta CSPs need to be joined together. rv = preloadCsp->AppendPolicy( aCSP, false, // csp via meta tag can not be report only