[tbb-commits] [tor-browser] 47/73: Bug 1770094 r=freddyb, emilio a=RyanVM

gitolite role git at cupani.torproject.org
Wed Sep 21 20:17:40 UTC 2022


This is an automated email from the git hooks/post-receive script.

richard pushed a commit to branch geckoview-102.3.0esr-12.0-1
in repository tor-browser.

commit 4f9825634cdccde98191fede657e8be53e7451b0
Author: Tom Schuster <tschuster at mozilla.com>
AuthorDate: Mon Aug 15 14:41:10 2022 +0000

    Bug 1770094 r=freddyb,emilio a=RyanVM
    
    Differential Revision: https://phabricator.services.mozilla.com/D154518
---
 dom/html/HTMLFormSubmission.cpp                    |  3 +-
 dom/html/HTMLSharedElement.cpp                     |  8 ++---
 .../security/nsIContentSecurityPolicy.idl          | 11 +++---
 dom/security/nsCSPContext.cpp                      | 11 +++---
 parser/html/nsHtml5TreeOpExecutor.cpp              | 40 +++++++++++++++++++---
 5 files changed, 54 insertions(+), 19 deletions(-)

diff --git a/dom/html/HTMLFormSubmission.cpp b/dom/html/HTMLFormSubmission.cpp
index a7141c3cd9a47..4f42f19716e1c 100644
--- a/dom/html/HTMLFormSubmission.cpp
+++ b/dom/html/HTMLFormSubmission.cpp
@@ -792,7 +792,8 @@ nsresult HTMLFormSubmission::GetFromForm(HTMLFormElement* aForm,
     // policy - do *not* consult default-src, see:
     // http://www.w3.org/TR/CSP2/#directive-default-src
     rv = csp->Permits(aForm, nullptr /* nsICSPEventListener */, actionURL,
-                      nsIContentSecurityPolicy::FORM_ACTION_DIRECTIVE, true,
+                      nsIContentSecurityPolicy::FORM_ACTION_DIRECTIVE,
+                      true /* aSpecific */, true /* aSendViolationReports */,
                       &permitsFormAction);
     NS_ENSURE_SUCCESS(rv, rv);
     if (!permitsFormAction) {
diff --git a/dom/html/HTMLSharedElement.cpp b/dom/html/HTMLSharedElement.cpp
index 4e3e1453846b6..b168f327823ed 100644
--- a/dom/html/HTMLSharedElement.cpp
+++ b/dom/html/HTMLSharedElement.cpp
@@ -155,10 +155,10 @@ static void SetBaseURIUsingFirstBaseWithHref(Document* aDocument,
         // policy - do *not* consult default-src, see:
         // http://www.w3.org/TR/CSP2/#directive-default-src
         bool cspPermitsBaseURI = true;
-        rv = csp->Permits(child->AsElement(), nullptr /* nsICSPEventListener */,
-                          newBaseURI,
-                          nsIContentSecurityPolicy::BASE_URI_DIRECTIVE, true,
-                          &cspPermitsBaseURI);
+        rv = csp->Permits(
+            child->AsElement(), nullptr /* nsICSPEventListener */, newBaseURI,
+            nsIContentSecurityPolicy::BASE_URI_DIRECTIVE, true /* aSpecific */,
+            true /* aSendViolationReports */, &cspPermitsBaseURI);
         if (NS_FAILED(rv) || !cspPermitsBaseURI) {
           newBaseURI = nullptr;
         }
diff --git a/dom/interfaces/security/nsIContentSecurityPolicy.idl b/dom/interfaces/security/nsIContentSecurityPolicy.idl
index e4e5815c59f65..215e84ad32be6 100644
--- a/dom/interfaces/security/nsIContentSecurityPolicy.idl
+++ b/dom/interfaces/security/nsIContentSecurityPolicy.idl
@@ -303,11 +303,8 @@ interface nsIContentSecurityPolicy : nsISerializable
   /**
    * Checks if a specific directive permits loading of a URI.
    *
-   * NOTE: Calls to this may trigger violation reports when queried, so the
-   * return value should not be cached.
-   *
    * @param aTriggeringElement
-   *        The element that triggers this CSP check. It can be null.
+   *    The element that triggers this CSP check. It can be null.
    * @param aURI
    *    The URI about to be loaded or used.
    * @param aDir
@@ -319,6 +316,9 @@ interface nsIContentSecurityPolicy : nsISerializable
    *    "false" allows CSP to fall back to default-src.  This function
    *    behaves the same for both values of canUseDefault when querying
    *    directives that don't fall-back.
+   * @param aSendViolationReports
+   *    If `true` and the uri is not allowed then trigger violation reports.
+   *    This should be `false` for caching or preloads.
    * @return
    *    Whether or not the provided URI is allowed by CSP under the given
    *    directive. (block the pending operation if false).
@@ -327,7 +327,8 @@ interface nsIContentSecurityPolicy : nsISerializable
                   in nsICSPEventListener aCSPEventListener,
                   in nsIURI aURI,
                   in nsIContentSecurityPolicy_CSPDirective aDir,
-                  in boolean aSpecific);
+                  in boolean aSpecific,
+                  in boolean aSendViolationReports);
 
   /**
    * Delegate method called by the service when sub-elements of the protected
diff --git a/dom/security/nsCSPContext.cpp b/dom/security/nsCSPContext.cpp
index f9f6073e1eaeb..3c655e5267398 100644
--- a/dom/security/nsCSPContext.cpp
+++ b/dom/security/nsCSPContext.cpp
@@ -1675,7 +1675,8 @@ nsCSPContext::PermitsAncestry(nsILoadInfo* aLoadInfo,
 NS_IMETHODIMP
 nsCSPContext::Permits(Element* aTriggeringElement,
                       nsICSPEventListener* aCSPEventListener, nsIURI* aURI,
-                      CSPDirective aDir, bool aSpecific, bool* outPermits) {
+                      CSPDirective aDir, bool aSpecific,
+                      bool aSendViolationReports, bool* outPermits) {
   // Can't perform check without aURI
   if (aURI == nullptr) {
     return NS_ERROR_FAILURE;
@@ -1697,14 +1698,14 @@ nsCSPContext::Permits(Element* aTriggeringElement,
       permitsInternal(aDir, aTriggeringElement, aCSPEventListener, aURI,
                       nullptr,  // no original (pre-redirect) URI
                       u""_ns,   // no nonce
-                      aSpecific,
-                      true,    // send violation reports
+                      aSpecific, aSendViolationReports,
                       true,    // send blocked URI in violation reports
                       false);  // not parser created
 
   if (CSPCONTEXTLOGENABLED()) {
-    CSPCONTEXTLOG(("nsCSPContext::Permits, aUri: %s, aDir: %d, isAllowed: %s",
-                   aURI->GetSpecOrDefault().get(), aDir,
+    CSPCONTEXTLOG(("nsCSPContext::Permits, aUri: %s, aDir: %s, isAllowed: %s",
+                   aURI->GetSpecOrDefault().get(),
+                   CSP_CSPDirectiveToString(aDir),
                    *outPermits ? "allow" : "deny"));
   }
 
diff --git a/parser/html/nsHtml5TreeOpExecutor.cpp b/parser/html/nsHtml5TreeOpExecutor.cpp
index d956b3b5c6ecf..55c7dbe1ae90d 100644
--- a/parser/html/nsHtml5TreeOpExecutor.cpp
+++ b/parser/html/nsHtml5TreeOpExecutor.cpp
@@ -1314,11 +1314,44 @@ void nsHtml5TreeOpExecutor::SetSpeculationBase(const nsAString& aURL) {
     // the first one wins
     return;
   }
+
   auto encoding = mDocument->GetDocumentCharacterSet();
-  DebugOnly<nsresult> rv = NS_NewURI(getter_AddRefs(mSpeculationBaseURI), aURL,
-                                     encoding, mDocument->GetDocumentURI());
+  nsCOMPtr<nsIURI> newBaseURI;
+  DebugOnly<nsresult> rv = NS_NewURI(getter_AddRefs(newBaseURI), aURL, encoding,
+                                     mDocument->GetDocumentURI());
   NS_WARNING_ASSERTION(NS_SUCCEEDED(rv), "Failed to create a URI");
+  if (!newBaseURI) {
+    return;
+  }
+
+  // Check the document's CSP usually delivered via the CSP header.
+  if (nsCOMPtr<nsIContentSecurityPolicy> csp = mDocument->GetCsp()) {
+    // base-uri should not fallback to the default-src and preloads should not
+    // trigger violation reports.
+    bool cspPermitsBaseURI = true;
+    nsresult rv = csp->Permits(
+        nullptr, nullptr, newBaseURI,
+        nsIContentSecurityPolicy::BASE_URI_DIRECTIVE, true /* aSpecific */,
+        false /* aSendViolationReports */, &cspPermitsBaseURI);
+    if (NS_FAILED(rv) || !cspPermitsBaseURI) {
+      return;
+    }
+  }
+
+  // Also check the CSP discovered from the <meta> tag during speculative
+  // parsing.
+  if (nsCOMPtr<nsIContentSecurityPolicy> csp = mDocument->GetPreloadCsp()) {
+    bool cspPermitsBaseURI = true;
+    nsresult rv = csp->Permits(
+        nullptr, nullptr, newBaseURI,
+        nsIContentSecurityPolicy::BASE_URI_DIRECTIVE, true /* aSpecific */,
+        false /* aSendViolationReports */, &cspPermitsBaseURI);
+    if (NS_FAILED(rv) || !cspPermitsBaseURI) {
+      return;
+    }
+  }
 
+  mSpeculationBaseURI = newBaseURI;
   mDocument->Preloads().SetSpeculationBase(mSpeculationBaseURI);
 }
 
@@ -1338,8 +1371,7 @@ void nsHtml5TreeOpExecutor::AddSpeculationCSP(const nsAString& aCSP) {
     NS_ENSURE_SUCCESS_VOID(rv);
   }
 
-  // please note that meta CSPs and CSPs delivered through a header need
-  // to be joined together.
+  // Please note that multiple meta CSPs need to be joined together.
   rv = preloadCsp->AppendPolicy(
       aCSP,
       false,  // csp via meta tag can not be report only

-- 
To stop receiving notification emails like this one, please contact
the administrator of this repository.


More information about the tbb-commits mailing list