forked from mirrors/gecko-dev
		
	Bug 1793560 - Remove navigate-to CSP directive r=tschuster
It has never shipped after being implemented years ago, and was removed from spec in September 2022: https://github.com/w3c/webappsec-csp/pull/564 Now skipping navigate-to WPT tests. Filed issue upstream for their future removal: https://github.com/w3c/webappsec-csp/issues/608 Consensus seems to agree to remove, will do in follow up bug once landed. Also removed our own tests. Added a hack in StartDocumentLoad as just removing the navigate-to check call breaks some inhertiance, see comment for more info. Differential Revision: https://phabricator.services.mozilla.com/D181630
This commit is contained in:
		
							parent
							
								
									a1ed3bd737
								
							
						
					
					
						commit
						465206f92c
					
				
					 57 changed files with 39 additions and 721 deletions
				
			
		|  | @ -1371,8 +1371,6 @@ module.exports = { | ||||||
|         "dom/security/test/csp/file_bug941404.html", |         "dom/security/test/csp/file_bug941404.html", | ||||||
|         "dom/security/test/csp/file_frameancestors_main.js", |         "dom/security/test/csp/file_frameancestors_main.js", | ||||||
|         "dom/security/test/csp/file_main.js", |         "dom/security/test/csp/file_main.js", | ||||||
|         "dom/security/test/csp/file_navigate_to.html", |  | ||||||
|         "dom/security/test/csp/file_navigate_to_request.html", |  | ||||||
|         "dom/security/test/csp/file_null_baseuri.html", |         "dom/security/test/csp/file_null_baseuri.html", | ||||||
|         "dom/security/test/csp/file_path_matching_redirect_server.sjs", |         "dom/security/test/csp/file_path_matching_redirect_server.sjs", | ||||||
|         "dom/security/test/csp/file_punycode_host_src.sjs", |         "dom/security/test/csp/file_punycode_host_src.sjs", | ||||||
|  | @ -1395,7 +1393,6 @@ module.exports = { | ||||||
|         "dom/security/test/csp/test_blocked_uri_in_reports.html", |         "dom/security/test/csp/test_blocked_uri_in_reports.html", | ||||||
|         "dom/security/test/csp/test_blocked_uri_in_violation_event_after_redirects.html", |         "dom/security/test/csp/test_blocked_uri_in_violation_event_after_redirects.html", | ||||||
|         "dom/security/test/csp/test_blocked_uri_redirect_frame_src.html", |         "dom/security/test/csp/test_blocked_uri_redirect_frame_src.html", | ||||||
|         "dom/security/test/csp/test_navigate_to.html", |  | ||||||
|         "dom/security/test/csp/test_null_baseuri.html", |         "dom/security/test/csp/test_null_baseuri.html", | ||||||
|         "dom/security/test/csp/test_path_matching.html", |         "dom/security/test/csp/test_path_matching.html", | ||||||
|         "dom/security/test/csp/test_report_for_import.html", |         "dom/security/test/csp/test_report_for_import.html", | ||||||
|  |  | ||||||
|  | @ -212,7 +212,6 @@ devtools/client/styleeditor/test/test_private.html | ||||||
| devtools/client/webconsole/test/browser/test-csp-violation.html | devtools/client/webconsole/test/browser/test-csp-violation.html | ||||||
| devtools/client/webconsole/test/browser/test-external-script-errors.html | devtools/client/webconsole/test/browser/test-external-script-errors.html | ||||||
| devtools/client/webconsole/test/browser/test-mixedcontent-securityerrors.html | devtools/client/webconsole/test/browser/test-mixedcontent-securityerrors.html | ||||||
| devtools/client/webconsole/test/browser/test-navigate-to-parse-error.html |  | ||||||
| devtools/client/webconsole/test/browser/test-network.html | devtools/client/webconsole/test/browser/test-network.html | ||||||
| devtools/client/webconsole/test/browser/test_jsterm_screenshot_command.html | devtools/client/webconsole/test/browser/test_jsterm_screenshot_command.html | ||||||
| devtools/server/tests/browser/animation-data.html | devtools/server/tests/browser/animation-data.html | ||||||
|  |  | ||||||
|  | @ -137,7 +137,6 @@ support-files = [ | ||||||
|   "test-message-categories-workers.html", |   "test-message-categories-workers.html", | ||||||
|   "test-message-categories-workers.js", |   "test-message-categories-workers.js", | ||||||
|   "test-mixedcontent-securityerrors.html", |   "test-mixedcontent-securityerrors.html", | ||||||
|   "test-navigate-to-parse-error.html", |  | ||||||
|   "test-network-exceptions.html", |   "test-network-exceptions.html", | ||||||
|   "test-network-request.html", |   "test-network-request.html", | ||||||
|   "test-network.html", |   "test-network.html", | ||||||
|  | @ -518,8 +517,6 @@ skip-if = ["a11y_checks"] # Bugs 1849028 and 1858041 clicked BUTTON.arrow is inc | ||||||
| ["browser_webconsole_multiple_windows_and_tabs.js"] | ["browser_webconsole_multiple_windows_and_tabs.js"] | ||||||
| skip-if = ["win11_2009"] # Bug 1798331 | skip-if = ["win11_2009"] # Bug 1798331 | ||||||
| 
 | 
 | ||||||
| ["browser_webconsole_navigate_to_parse_error.js"] |  | ||||||
| 
 |  | ||||||
| ["browser_webconsole_network_attach.js"] | ["browser_webconsole_network_attach.js"] | ||||||
| 
 | 
 | ||||||
| ["browser_webconsole_network_exceptions.js"] | ["browser_webconsole_network_exceptions.js"] | ||||||
|  |  | ||||||
|  | @ -1,30 +0,0 @@ | ||||||
| /* Any copyright is dedicated to the Public Domain. |  | ||||||
|  * http://creativecommons.org/publicdomain/zero/1.0/ */
 |  | ||||||
| 
 |  | ||||||
| // Tests that ensure CSP 'navigate-to' does not parse.
 |  | ||||||
| // Bug 1566149
 |  | ||||||
| 
 |  | ||||||
| "use strict"; |  | ||||||
| 
 |  | ||||||
| const TEST_URI = |  | ||||||
|   "data:text/html;charset=utf8,<!DOCTYPE html>Web Console navigate-to parse error test"; |  | ||||||
| const TEST_VIOLATION = |  | ||||||
|   "https://example.com/browser/devtools/client/webconsole/" + |  | ||||||
|   "test/browser/test-navigate-to-parse-error.html"; |  | ||||||
| 
 |  | ||||||
| const CSP_VIOLATION_MSG = |  | ||||||
|   "Content-Security-Policy: Couldn\u2019t process unknown directive \u2018navigate-to\u2019"; |  | ||||||
| 
 |  | ||||||
| add_task(async function () { |  | ||||||
|   const hud = await openNewTabAndConsole(TEST_URI); |  | ||||||
|   await clearOutput(hud); |  | ||||||
| 
 |  | ||||||
|   const onCSPViolationMessage = waitForMessageByType( |  | ||||||
|     hud, |  | ||||||
|     CSP_VIOLATION_MSG, |  | ||||||
|     ".warn" |  | ||||||
|   ); |  | ||||||
|   await navigateTo(TEST_VIOLATION); |  | ||||||
|   await onCSPViolationMessage; |  | ||||||
|   ok(true, "Received expected violation message"); |  | ||||||
| }); |  | ||||||
|  | @ -1,13 +0,0 @@ | ||||||
| <!DOCTYPE HTML> |  | ||||||
| <html> |  | ||||||
| <head> |  | ||||||
|   <meta http-equiv="Content-Security-Policy" content="navigate-to https://example.com"></meta> |  | ||||||
|   <meta charset="UTF-8"> |  | ||||||
|   <title>Test for Bug 1566149 - Write test to ensure CSP 'navigate-to' does not parse</title> |  | ||||||
| <!-- Any copyright is dedicated to the Public Domain. |  | ||||||
|      http://creativecommons.org/publicdomain/zero/1.0/ --> |  | ||||||
| </head> |  | ||||||
| <body> |  | ||||||
| <a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1566149">Mozilla Bug 1566149</a> |  | ||||||
| </body> |  | ||||||
| </html> |  | ||||||
|  | @ -3475,8 +3475,7 @@ nsDocShell::DisplayLoadError(nsresult aError, nsIURI* aURI, | ||||||
|     CopyUTF8toUTF16(host, *formatStrs.AppendElement()); |     CopyUTF8toUTF16(host, *formatStrs.AppendElement()); | ||||||
|     error = "netTimeout"; |     error = "netTimeout"; | ||||||
|   } else if (NS_ERROR_CSP_FRAME_ANCESTOR_VIOLATION == aError || |   } else if (NS_ERROR_CSP_FRAME_ANCESTOR_VIOLATION == aError || | ||||||
|              NS_ERROR_CSP_FORM_ACTION_VIOLATION == aError || |              NS_ERROR_CSP_FORM_ACTION_VIOLATION == aError) { | ||||||
|              NS_ERROR_CSP_NAVIGATE_TO_VIOLATION == aError) { |  | ||||||
|     // CSP error
 |     // CSP error
 | ||||||
|     cssClass.AssignLiteral("neterror"); |     cssClass.AssignLiteral("neterror"); | ||||||
|     error = "cspBlocked"; |     error = "cspBlocked"; | ||||||
|  | @ -10560,22 +10559,6 @@ nsresult nsDocShell::DoURILoad(nsDocShellLoadState* aLoadState, | ||||||
|     NS_ADDREF(*aRequest = channel); |     NS_ADDREF(*aRequest = channel); | ||||||
|   } |   } | ||||||
| 
 | 
 | ||||||
|   nsCOMPtr<nsIContentSecurityPolicy> csp = aLoadState->Csp(); |  | ||||||
|   if (csp) { |  | ||||||
|     // Check CSP navigate-to
 |  | ||||||
|     bool allowsNavigateTo = false; |  | ||||||
|     rv = csp->GetAllowsNavigateTo(aLoadState->URI(), |  | ||||||
|                                   aLoadState->IsFormSubmission(), |  | ||||||
|                                   false, /* aWasRedirected */ |  | ||||||
|                                   false, /* aEnforceWhitelist */ |  | ||||||
|                                   &allowsNavigateTo); |  | ||||||
|     NS_ENSURE_SUCCESS(rv, rv); |  | ||||||
| 
 |  | ||||||
|     if (!allowsNavigateTo) { |  | ||||||
|       return NS_ERROR_CSP_NAVIGATE_TO_VIOLATION; |  | ||||||
|     } |  | ||||||
|   } |  | ||||||
| 
 |  | ||||||
|   const nsACString& typeHint = aLoadState->TypeHint(); |   const nsACString& typeHint = aLoadState->TypeHint(); | ||||||
|   if (!typeHint.IsVoid()) { |   if (!typeHint.IsVoid()) { | ||||||
|     mContentTypeHint = typeHint; |     mContentTypeHint = typeHint; | ||||||
|  |  | ||||||
|  | @ -491,8 +491,7 @@ class nsDocShellLoadState final { | ||||||
|   bool mOriginalFrameSrc; |   bool mOriginalFrameSrc; | ||||||
| 
 | 
 | ||||||
|   // If this attribute is true, then the load was initiated by a
 |   // If this attribute is true, then the load was initiated by a
 | ||||||
|   // form submission. This is important to know for the CSP directive
 |   // form submission.
 | ||||||
|   // navigate-to.
 |  | ||||||
|   bool mIsFormSubmission; |   bool mIsFormSubmission; | ||||||
| 
 | 
 | ||||||
|   // Contains a load type as specified by the nsDocShellLoadTypes::load*
 |   // Contains a load type as specified by the nsDocShellLoadTypes::load*
 | ||||||
|  |  | ||||||
|  | @ -58,10 +58,6 @@ static const LoadErrorTelemetryResult sResult[] = { | ||||||
|         NS_ERROR_CSP_FORM_ACTION_VIOLATION, |         NS_ERROR_CSP_FORM_ACTION_VIOLATION, | ||||||
|         ErrorLabel::CSP_FORM_ACTION, |         ErrorLabel::CSP_FORM_ACTION, | ||||||
|     }, |     }, | ||||||
|     { |  | ||||||
|         NS_ERROR_CSP_NAVIGATE_TO_VIOLATION, |  | ||||||
|         ErrorLabel::CSP_NAVIGATE_TO, |  | ||||||
|     }, |  | ||||||
|     { |     { | ||||||
|         NS_ERROR_XFO_VIOLATION, |         NS_ERROR_XFO_VIOLATION, | ||||||
|         ErrorLabel::XFO_VIOLATION, |         ErrorLabel::XFO_VIOLATION, | ||||||
|  |  | ||||||
|  | @ -3593,23 +3593,15 @@ nsresult Document::StartDocumentLoad(const char* aCommand, nsIChannel* aChannel, | ||||||
|   rv = InitCOEP(aChannel); |   rv = InitCOEP(aChannel); | ||||||
|   NS_ENSURE_SUCCESS(rv, rv); |   NS_ENSURE_SUCCESS(rv, rv); | ||||||
| 
 | 
 | ||||||
|   // Check CSP navigate-to
 |   // HACK: Calling EnsureIPCPoliciesRead() here will parse the CSP using the
 | ||||||
|   // We need to enforce the CSP of the document that initiated the load,
 |   // context's current mSelfURI (which is still the previous mSelfURI),
 | ||||||
|   // which is the CSP to inherit.
 |   // bypassing some internal bugs with 'self' and iframe inheritance.
 | ||||||
|  |   // Not calling it here results in the mSelfURI being the current mSelfURI and
 | ||||||
|  |   // not the previous which breaks said inheritance.
 | ||||||
|  |   // https://bugzilla.mozilla.org/show_bug.cgi?id=1793560#ch-8
 | ||||||
|   nsCOMPtr<nsIContentSecurityPolicy> cspToInherit = loadInfo->GetCspToInherit(); |   nsCOMPtr<nsIContentSecurityPolicy> cspToInherit = loadInfo->GetCspToInherit(); | ||||||
|   if (cspToInherit) { |   if (cspToInherit) { | ||||||
|     bool allowsNavigateTo = false; |     cspToInherit->EnsureIPCPoliciesRead(); | ||||||
|     rv = cspToInherit->GetAllowsNavigateTo( |  | ||||||
|         mDocumentURI, loadInfo->GetIsFormSubmission(), |  | ||||||
|         !loadInfo->RedirectChain().IsEmpty(), /* aWasRedirected */ |  | ||||||
|         true,                                 /* aEnforceWhitelist */ |  | ||||||
|         &allowsNavigateTo); |  | ||||||
|     NS_ENSURE_SUCCESS(rv, rv); |  | ||||||
| 
 |  | ||||||
|     if (!allowsNavigateTo) { |  | ||||||
|       aChannel->Cancel(NS_ERROR_CSP_NAVIGATE_TO_VIOLATION); |  | ||||||
|       return NS_OK; |  | ||||||
|     } |  | ||||||
|   } |   } | ||||||
| 
 | 
 | ||||||
|   rv = InitCSP(aChannel); |   rv = InitCSP(aChannel); | ||||||
|  |  | ||||||
|  | @ -61,11 +61,10 @@ interface nsIContentSecurityPolicy : nsISerializable | ||||||
|     BLOCK_ALL_MIXED_CONTENT        = 18, |     BLOCK_ALL_MIXED_CONTENT        = 18, | ||||||
|     SANDBOX_DIRECTIVE              = 19, |     SANDBOX_DIRECTIVE              = 19, | ||||||
|     WORKER_SRC_DIRECTIVE           = 20, |     WORKER_SRC_DIRECTIVE           = 20, | ||||||
|     NAVIGATE_TO_DIRECTIVE          = 21, |     SCRIPT_SRC_ELEM_DIRECTIVE      = 21, | ||||||
|     SCRIPT_SRC_ELEM_DIRECTIVE      = 22, |     SCRIPT_SRC_ATTR_DIRECTIVE      = 22, | ||||||
|     SCRIPT_SRC_ATTR_DIRECTIVE      = 23, |     STYLE_SRC_ELEM_DIRECTIVE       = 23, | ||||||
|     STYLE_SRC_ELEM_DIRECTIVE       = 24, |     STYLE_SRC_ATTR_DIRECTIVE       = 24, | ||||||
|     STYLE_SRC_ATTR_DIRECTIVE       = 25, |  | ||||||
|   }; |   }; | ||||||
| 
 | 
 | ||||||
|   /** |   /** | ||||||
|  | @ -154,24 +153,6 @@ interface nsIContentSecurityPolicy : nsISerializable | ||||||
|                           in unsigned long aLineNumber, |                           in unsigned long aLineNumber, | ||||||
|                           in unsigned long aColumnNumber); |                           in unsigned long aColumnNumber); | ||||||
| 
 | 
 | ||||||
|   /* |  | ||||||
|    * Whether this policy allows a navigation subject to the navigate-to |  | ||||||
|    * policy. |  | ||||||
|    * @param aURI The target URI |  | ||||||
|    * @param aIsFormSubmission True if the navigation was initiated by a form submission. This |  | ||||||
|    *        is important since the form-action directive overrides navigate-to in that case. |  | ||||||
|    * @param aWasRedirect True if a redirect has happened. Important for path-sensitivity. |  | ||||||
|    * @param aEnforceAllowlist True if the allowlist of allowed targets must be enforced. If |  | ||||||
|    *        this is true, the allowlist must be enforced even if 'unsafe-allow-redirects' is |  | ||||||
|    *        used. If 'unsafe-allow-redirects' is not used then the allowlist is always enforced |  | ||||||
|    * @return |  | ||||||
|    *     Whether or not the effects of the navigation is allowed |  | ||||||
|    */ |  | ||||||
|   boolean getAllowsNavigateTo(in nsIURI aURI, |  | ||||||
|                               in boolean aIsFormSubmission, |  | ||||||
|                               in boolean aWasRedirected, |  | ||||||
|                               in boolean aEnforceAllowlist); |  | ||||||
| 
 |  | ||||||
|   /** |   /** | ||||||
|    * Whether this policy allows eval and eval-like functions |    * Whether this policy allows eval and eval-like functions | ||||||
|    * such as setTimeout("code string", time). |    * such as setTimeout("code string", time). | ||||||
|  | @ -359,6 +340,11 @@ interface nsIContentSecurityPolicy : nsISerializable | ||||||
|    */ |    */ | ||||||
|   AString toJSON(); |   AString toJSON(); | ||||||
| 
 | 
 | ||||||
|  |   /** | ||||||
|  |    * Ensure policies from IPC are read/parsed. | ||||||
|  |    */ | ||||||
|  |   [noscript] void EnsureIPCPoliciesRead(); | ||||||
|  | 
 | ||||||
| }; | }; | ||||||
| 
 | 
 | ||||||
| typedef nsIContentSecurityPolicy_CSPDirective CSPDirective; | typedef nsIContentSecurityPolicy_CSPDirective CSPDirective; | ||||||
|  |  | ||||||
|  | @ -326,7 +326,8 @@ nsresult nsCSPContext::InitFromOther(nsCSPContext* aOtherContext) { | ||||||
|   return NS_OK; |   return NS_OK; | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| void nsCSPContext::EnsureIPCPoliciesRead() { | NS_IMETHODIMP | ||||||
|  | nsCSPContext::EnsureIPCPoliciesRead() { | ||||||
|   // Most likely the parser errors already happened before serializing
 |   // Most likely the parser errors already happened before serializing
 | ||||||
|   // the policy for IPC.
 |   // the policy for IPC.
 | ||||||
|   bool previous = mSuppressParserLogMessages; |   bool previous = mSuppressParserLogMessages; | ||||||
|  | @ -343,6 +344,7 @@ void nsCSPContext::EnsureIPCPoliciesRead() { | ||||||
|   } |   } | ||||||
| 
 | 
 | ||||||
|   mSuppressParserLogMessages = previous; |   mSuppressParserLogMessages = previous; | ||||||
|  |   return NS_OK; | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| NS_IMETHODIMP | NS_IMETHODIMP | ||||||
|  | @ -673,93 +675,6 @@ nsCSPContext::GetAllowsInline(CSPDirective aDirective, bool aHasUnsafeHash, | ||||||
|   return NS_OK; |   return NS_OK; | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| NS_IMETHODIMP |  | ||||||
| nsCSPContext::GetAllowsNavigateTo(nsIURI* aURI, bool aIsFormSubmission, |  | ||||||
|                                   bool aWasRedirected, bool aEnforceAllowlist, |  | ||||||
|                                   bool* outAllowsNavigateTo) { |  | ||||||
|   /*
 |  | ||||||
|    * The matrix below shows the different values of (aWasRedirect, |  | ||||||
|    * aEnforceAllowlist) for the three different checks we do. |  | ||||||
|    * |  | ||||||
|    *  Navigation    | Start Loading  | Initiate Redirect | Document |  | ||||||
|    *                | (nsDocShell)   | (nsCSPService)    | |  | ||||||
|    *  ----------------------------------------------------------------- |  | ||||||
|    *  A -> B          (false,false)    -                   (false,true) |  | ||||||
|    *  A -> ... -> B   (false,false)    (true,false)        (true,true) |  | ||||||
|    */ |  | ||||||
|   *outAllowsNavigateTo = false; |  | ||||||
| 
 |  | ||||||
|   EnsureIPCPoliciesRead(); |  | ||||||
|   // The 'form-action' directive overrules 'navigate-to' for form submissions.
 |  | ||||||
|   // So in case this is a form submission and the directive 'form-action' is
 |  | ||||||
|   // present then there is nothing for us to do here, see: 6.3.3.1.2
 |  | ||||||
|   // https://www.w3.org/TR/CSP3/#navigate-to-pre-navigate
 |  | ||||||
|   if (aIsFormSubmission) { |  | ||||||
|     for (unsigned long i = 0; i < mPolicies.Length(); i++) { |  | ||||||
|       if (mPolicies[i]->hasDirective( |  | ||||||
|               nsIContentSecurityPolicy::FORM_ACTION_DIRECTIVE)) { |  | ||||||
|         *outAllowsNavigateTo = true; |  | ||||||
|         return NS_OK; |  | ||||||
|       } |  | ||||||
|     } |  | ||||||
|   } |  | ||||||
| 
 |  | ||||||
|   bool atLeastOneBlock = false; |  | ||||||
|   for (unsigned long i = 0; i < mPolicies.Length(); i++) { |  | ||||||
|     if (!mPolicies[i]->allowsNavigateTo(aURI, aWasRedirected, |  | ||||||
|                                         aEnforceAllowlist)) { |  | ||||||
|       if (!mPolicies[i]->getReportOnlyFlag()) { |  | ||||||
|         atLeastOneBlock = true; |  | ||||||
|       } |  | ||||||
| 
 |  | ||||||
|       // If the load encountered a server side redirect, the spec suggests to
 |  | ||||||
|       // remove the path component from the URI, see:
 |  | ||||||
|       // https://www.w3.org/TR/CSP3/#source-list-paths-and-redirects
 |  | ||||||
|       nsCOMPtr<nsIURI> blockedURIForReporting = aURI; |  | ||||||
|       if (aWasRedirected) { |  | ||||||
|         nsAutoCString prePathStr; |  | ||||||
|         nsCOMPtr<nsIURI> prePathURI; |  | ||||||
|         nsresult rv = aURI->GetPrePath(prePathStr); |  | ||||||
|         NS_ENSURE_SUCCESS(rv, rv); |  | ||||||
|         rv = NS_NewURI(getter_AddRefs(blockedURIForReporting), prePathStr); |  | ||||||
|         NS_ENSURE_SUCCESS(rv, rv); |  | ||||||
|       } |  | ||||||
| 
 |  | ||||||
|       // Lines numbers and source file for the violation report
 |  | ||||||
|       uint32_t lineNumber = 0; |  | ||||||
|       uint32_t columnNumber = 1; |  | ||||||
|       nsAutoCString spec; |  | ||||||
|       JSContext* cx = nsContentUtils::GetCurrentJSContext(); |  | ||||||
|       if (cx) { |  | ||||||
|         nsJSUtils::GetCallingLocation(cx, spec, &lineNumber, &columnNumber); |  | ||||||
|         // If GetCallingLocation fails linenumber & columnNumber are set to
 |  | ||||||
|         // (0, 1) anyway so we can skip checking if that is the case.
 |  | ||||||
|       } |  | ||||||
| 
 |  | ||||||
|       // Report the violation
 |  | ||||||
|       nsresult rv = AsyncReportViolation( |  | ||||||
|           nullptr,                                    // aTriggeringElement
 |  | ||||||
|           nullptr,                                    // aCSPEventListener
 |  | ||||||
|           blockedURIForReporting,                     // aBlockedURI
 |  | ||||||
|           nsCSPContext::BlockedContentSource::eSelf,  // aBlockedSource
 |  | ||||||
|           nullptr,                                    // aOriginalURI
 |  | ||||||
|           u"navigate-to"_ns,                          // aViolatedDirective
 |  | ||||||
|           u"navigate-to"_ns,                          // aEffectiveDirective
 |  | ||||||
|           i,                                          // aViolatedPolicyIndex
 |  | ||||||
|           u""_ns,                                     // aObserverSubject
 |  | ||||||
|           NS_ConvertUTF8toUTF16(spec),                // aSourceFile
 |  | ||||||
|           false,                                      // aReportSample
 |  | ||||||
|           u""_ns,                                     // aScriptSample
 |  | ||||||
|           lineNumber,                                 // aLineNum
 |  | ||||||
|           columnNumber);                              // aColumnNum
 |  | ||||||
|       NS_ENSURE_SUCCESS(rv, rv); |  | ||||||
|     } |  | ||||||
|   } |  | ||||||
| 
 |  | ||||||
|   *outAllowsNavigateTo = !atLeastOneBlock; |  | ||||||
|   return NS_OK; |  | ||||||
| } |  | ||||||
| 
 |  | ||||||
| /**
 | /**
 | ||||||
|  * For each policy, log any violation on the Error Console and send a report |  * For each policy, log any violation on the Error Console and send a report | ||||||
|  * if a report-uri is present in the policy |  * if a report-uri is present in the policy | ||||||
|  |  | ||||||
|  | @ -149,8 +149,6 @@ class nsCSPContext : public nsIContentSecurityPolicy { | ||||||
|       nsTArray<mozilla::ipc::ContentSecurityPolicy>& aPolicies); |       nsTArray<mozilla::ipc::ContentSecurityPolicy>& aPolicies); | ||||||
| 
 | 
 | ||||||
|  private: |  private: | ||||||
|   void EnsureIPCPoliciesRead(); |  | ||||||
| 
 |  | ||||||
|   bool ShouldThrottleReport( |   bool ShouldThrottleReport( | ||||||
|       const mozilla::dom::SecurityPolicyViolationEventInit& |       const mozilla::dom::SecurityPolicyViolationEventInit& | ||||||
|           aViolationEventInit); |           aViolationEventInit); | ||||||
|  |  | ||||||
|  | @ -456,20 +456,6 @@ nsCSPBaseSrc* nsCSPParser::keywordSource() { | ||||||
|     return new nsCSPKeywordSrc(CSP_UTF16KeywordToEnum(mCurToken)); |     return new nsCSPKeywordSrc(CSP_UTF16KeywordToEnum(mCurToken)); | ||||||
|   } |   } | ||||||
| 
 | 
 | ||||||
|   if (CSP_IsKeyword(mCurToken, CSP_UNSAFE_ALLOW_REDIRECTS)) { |  | ||||||
|     if (!CSP_IsDirective(mCurDir[0], |  | ||||||
|                          nsIContentSecurityPolicy::NAVIGATE_TO_DIRECTIVE)) { |  | ||||||
|       // Only allow 'unsafe-allow-redirects' within navigate-to.
 |  | ||||||
|       AutoTArray<nsString, 2> params = {u"unsafe-allow-redirects"_ns, |  | ||||||
|                                         u"navigate-to"_ns}; |  | ||||||
|       logWarningErrorToConsole(nsIScriptError::warningFlag, |  | ||||||
|                                "IgnoringSourceWithinDirective", params); |  | ||||||
|       return nullptr; |  | ||||||
|     } |  | ||||||
| 
 |  | ||||||
|     return new nsCSPKeywordSrc(CSP_UTF16KeywordToEnum(mCurToken)); |  | ||||||
|   } |  | ||||||
| 
 |  | ||||||
|   return nullptr; |   return nullptr; | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
|  | @ -861,18 +847,6 @@ nsCSPDirective* nsCSPParser::directiveName() { | ||||||
|     return nullptr; |     return nullptr; | ||||||
|   } |   } | ||||||
| 
 | 
 | ||||||
|   // Bug 1529068: Implement navigate-to directive.
 |  | ||||||
|   // Once all corner cases are resolved we can remove that special
 |  | ||||||
|   // if-handling here and let the parser just fall through to
 |  | ||||||
|   // return new nsCSPDirective.
 |  | ||||||
|   if (directive == nsIContentSecurityPolicy::NAVIGATE_TO_DIRECTIVE && |  | ||||||
|       !StaticPrefs::security_csp_enableNavigateTo()) { |  | ||||||
|     AutoTArray<nsString, 1> params = {mCurToken}; |  | ||||||
|     logWarningErrorToConsole(nsIScriptError::warningFlag, |  | ||||||
|                              "couldNotProcessUnknownDirective", params); |  | ||||||
|     return nullptr; |  | ||||||
|   } |  | ||||||
| 
 |  | ||||||
|   // Make sure the directive does not already exist
 |   // Make sure the directive does not already exist
 | ||||||
|   // (see http://www.w3.org/TR/CSP11/#parsing)
 |   // (see http://www.w3.org/TR/CSP11/#parsing)
 | ||||||
|   if (mPolicy->hasDirective(directive)) { |   if (mPolicy->hasDirective(directive)) { | ||||||
|  |  | ||||||
|  | @ -310,25 +310,6 @@ nsresult CSPService::ConsultCSPForRedirect(nsIURI* aOriginalURI, | ||||||
|                                            nsIURI* aNewURI, |                                            nsIURI* aNewURI, | ||||||
|                                            nsILoadInfo* aLoadInfo, |                                            nsILoadInfo* aLoadInfo, | ||||||
|                                            Maybe<nsresult>& aCancelCode) { |                                            Maybe<nsresult>& aCancelCode) { | ||||||
|   // Check CSP navigate-to
 |  | ||||||
|   // We need to enforce the CSP of the document that initiated the load,
 |  | ||||||
|   // which is the CSP to inherit.
 |  | ||||||
|   nsCOMPtr<nsIContentSecurityPolicy> cspToInherit = |  | ||||||
|       aLoadInfo->GetCspToInherit(); |  | ||||||
|   if (cspToInherit) { |  | ||||||
|     bool allowsNavigateTo = false; |  | ||||||
|     nsresult rv = cspToInherit->GetAllowsNavigateTo( |  | ||||||
|         aNewURI, aLoadInfo->GetIsFormSubmission(), true, /* aWasRedirected */ |  | ||||||
|         false,                                           /* aEnforceAllowlist */ |  | ||||||
|         &allowsNavigateTo); |  | ||||||
|     NS_ENSURE_SUCCESS(rv, rv); |  | ||||||
| 
 |  | ||||||
|     if (!allowsNavigateTo) { |  | ||||||
|       aCancelCode = Some(NS_ERROR_CSP_NAVIGATE_TO_VIOLATION); |  | ||||||
|       return NS_OK; |  | ||||||
|     } |  | ||||||
|   } |  | ||||||
| 
 |  | ||||||
|   // No need to continue processing if CSP is disabled or if the protocol
 |   // No need to continue processing if CSP is disabled or if the protocol
 | ||||||
|   // is *not* subject to CSP.
 |   // is *not* subject to CSP.
 | ||||||
|   // Please note, the correct way to opt-out of CSP using a custom
 |   // Please note, the correct way to opt-out of CSP using a custom
 | ||||||
|  |  | ||||||
|  | @ -358,7 +358,6 @@ CSPDirective CSP_ContentTypeToDirective(nsContentPolicyType aType) { | ||||||
|       return nsIContentSecurityPolicy::NO_DIRECTIVE; |       return nsIContentSecurityPolicy::NO_DIRECTIVE; | ||||||
| 
 | 
 | ||||||
|     // Fall through to error for all other directives
 |     // Fall through to error for all other directives
 | ||||||
|     // Note that we should never end up here for navigate-to
 |  | ||||||
|     case nsIContentPolicy::TYPE_INVALID: |     case nsIContentPolicy::TYPE_INVALID: | ||||||
|     case nsIContentPolicy::TYPE_END: |     case nsIContentPolicy::TYPE_END: | ||||||
|       MOZ_ASSERT(false, "Can not map nsContentPolicyType to CSPDirective"); |       MOZ_ASSERT(false, "Can not map nsContentPolicyType to CSPDirective"); | ||||||
|  | @ -1676,31 +1675,6 @@ bool nsCSPPolicy::hasDirective(CSPDirective aDir) const { | ||||||
|   return false; |   return false; | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| bool nsCSPPolicy::allowsNavigateTo(nsIURI* aURI, bool aWasRedirected, |  | ||||||
|                                    bool aEnforceAllowlist) const { |  | ||||||
|   bool allowsNavigateTo = true; |  | ||||||
| 
 |  | ||||||
|   for (unsigned long i = 0; i < mDirectives.Length(); i++) { |  | ||||||
|     if (mDirectives[i]->equals( |  | ||||||
|             nsIContentSecurityPolicy::NAVIGATE_TO_DIRECTIVE)) { |  | ||||||
|       // Early return if we can skip the allowlist AND 'unsafe-allow-redirects'
 |  | ||||||
|       // is present.
 |  | ||||||
|       if (!aEnforceAllowlist && |  | ||||||
|           mDirectives[i]->allows(CSP_UNSAFE_ALLOW_REDIRECTS, u""_ns)) { |  | ||||||
|         return true; |  | ||||||
|       } |  | ||||||
|       // Otherwise, check against the allowlist.
 |  | ||||||
|       if (!mDirectives[i]->permits( |  | ||||||
|               nsIContentSecurityPolicy::NAVIGATE_TO_DIRECTIVE, nullptr, aURI, |  | ||||||
|               aWasRedirected, false, false)) { |  | ||||||
|         allowsNavigateTo = false; |  | ||||||
|       } |  | ||||||
|     } |  | ||||||
|   } |  | ||||||
| 
 |  | ||||||
|   return allowsNavigateTo; |  | ||||||
| } |  | ||||||
| 
 |  | ||||||
| bool nsCSPPolicy::allowsAllInlineBehavior(CSPDirective aDir) const { | bool nsCSPPolicy::allowsAllInlineBehavior(CSPDirective aDir) const { | ||||||
|   nsCSPDirective* directive = matchingOrDefaultDirective(aDir); |   nsCSPDirective* directive = matchingOrDefaultDirective(aDir); | ||||||
|   if (!directive) { |   if (!directive) { | ||||||
|  |  | ||||||
|  | @ -89,7 +89,6 @@ static const char* CSPStrDirectives[] = { | ||||||
|     "block-all-mixed-content",    // BLOCK_ALL_MIXED_CONTENT
 |     "block-all-mixed-content",    // BLOCK_ALL_MIXED_CONTENT
 | ||||||
|     "sandbox",                    // SANDBOX_DIRECTIVE
 |     "sandbox",                    // SANDBOX_DIRECTIVE
 | ||||||
|     "worker-src",                 // WORKER_SRC_DIRECTIVE
 |     "worker-src",                 // WORKER_SRC_DIRECTIVE
 | ||||||
|     "navigate-to",                // NAVIGATE_TO_DIRECTIVE
 |  | ||||||
|     "script-src-elem",            // SCRIPT_SRC_ELEM_DIRECTIVE
 |     "script-src-elem",            // SCRIPT_SRC_ELEM_DIRECTIVE
 | ||||||
|     "script-src-attr",            // SCRIPT_SRC_ATTR_DIRECTIVE
 |     "script-src-attr",            // SCRIPT_SRC_ATTR_DIRECTIVE
 | ||||||
|     "style-src-elem",             // STYLE_SRC_ELEM_DIRECTIVE
 |     "style-src-elem",             // STYLE_SRC_ELEM_DIRECTIVE
 | ||||||
|  | @ -113,16 +112,15 @@ inline CSPDirective CSP_StringToCSPDirective(const nsAString& aDir) { | ||||||
|   return nsIContentSecurityPolicy::NO_DIRECTIVE; |   return nsIContentSecurityPolicy::NO_DIRECTIVE; | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| #define FOR_EACH_CSP_KEYWORD(MACRO)                             \ | #define FOR_EACH_CSP_KEYWORD(MACRO)             \ | ||||||
|   MACRO(CSP_SELF, "'self'")                                     \ |   MACRO(CSP_SELF, "'self'")                     \ | ||||||
|   MACRO(CSP_UNSAFE_INLINE, "'unsafe-inline'")                   \ |   MACRO(CSP_UNSAFE_INLINE, "'unsafe-inline'")   \ | ||||||
|   MACRO(CSP_UNSAFE_EVAL, "'unsafe-eval'")                       \ |   MACRO(CSP_UNSAFE_EVAL, "'unsafe-eval'")       \ | ||||||
|   MACRO(CSP_UNSAFE_HASHES, "'unsafe-hashes'")                   \ |   MACRO(CSP_UNSAFE_HASHES, "'unsafe-hashes'")   \ | ||||||
|   MACRO(CSP_NONE, "'none'")                                     \ |   MACRO(CSP_NONE, "'none'")                     \ | ||||||
|   MACRO(CSP_NONCE, "'nonce-")                                   \ |   MACRO(CSP_NONCE, "'nonce-")                   \ | ||||||
|   MACRO(CSP_REPORT_SAMPLE, "'report-sample'")                   \ |   MACRO(CSP_REPORT_SAMPLE, "'report-sample'")   \ | ||||||
|   MACRO(CSP_STRICT_DYNAMIC, "'strict-dynamic'")                 \ |   MACRO(CSP_STRICT_DYNAMIC, "'strict-dynamic'") \ | ||||||
|   MACRO(CSP_UNSAFE_ALLOW_REDIRECTS, "'unsafe-allow-redirects'") \ |  | ||||||
|   MACRO(CSP_WASM_UNSAFE_EVAL, "'wasm-unsafe-eval'") |   MACRO(CSP_WASM_UNSAFE_EVAL, "'wasm-unsafe-eval'") | ||||||
| 
 | 
 | ||||||
| enum CSPKeyword { | enum CSPKeyword { | ||||||
|  | @ -664,9 +662,6 @@ class nsCSPPolicy { | ||||||
| 
 | 
 | ||||||
|   bool visitDirectiveSrcs(CSPDirective aDir, nsCSPSrcVisitor* aVisitor) const; |   bool visitDirectiveSrcs(CSPDirective aDir, nsCSPSrcVisitor* aVisitor) const; | ||||||
| 
 | 
 | ||||||
|   bool allowsNavigateTo(nsIURI* aURI, bool aWasRedirected, |  | ||||||
|                         bool aEnforceAllowlist) const; |  | ||||||
| 
 |  | ||||||
|   bool allowsAllInlineBehavior(CSPDirective aDir) const; |   bool allowsAllInlineBehavior(CSPDirective aDir) const; | ||||||
| 
 | 
 | ||||||
|  private: |  private: | ||||||
|  |  | ||||||
|  | @ -1,11 +0,0 @@ | ||||||
| <!DOCTYPE HTML> |  | ||||||
| <html> |  | ||||||
| <head> |  | ||||||
|   <title>Bug 1529068 Implement CSP 'navigate-to' directive</title> |  | ||||||
| </head> |  | ||||||
| <body> |  | ||||||
|   <script type="text/javascript"> |  | ||||||
|   window.location = "http://www.example.com/"; |  | ||||||
|   </script> |  | ||||||
| </body> |  | ||||||
| </html> |  | ||||||
|  | @ -1,57 +0,0 @@ | ||||||
| // Custom *.sjs file specifically for the needs of |  | ||||||
| // https://bugzilla.mozilla.org/show_bug.cgi?id=1529068 |  | ||||||
| 
 |  | ||||||
| "use strict"; |  | ||||||
| 
 |  | ||||||
| const TEST_NAVIGATION_HEAD = ` |  | ||||||
|   <!DOCTYPE HTML> |  | ||||||
|   <html> |  | ||||||
|   <head> |  | ||||||
|     <title>Bug 1529068 Implement CSP 'navigate-to' directive</title>`; |  | ||||||
| 
 |  | ||||||
| const TEST_NAVIGATION_AFTER_META = ` |  | ||||||
|   </head> |  | ||||||
|   <body> |  | ||||||
|     <script type="text/javascript"> |  | ||||||
|     window.location = "`; |  | ||||||
| 
 |  | ||||||
| const TEST_NAVIGATION_FOOT = `"; |  | ||||||
|     </script> |  | ||||||
|   </body> |  | ||||||
|   </html> |  | ||||||
|   `; |  | ||||||
| 
 |  | ||||||
| function handleRequest(request, response) { |  | ||||||
|   const query = new URLSearchParams(request.queryString); |  | ||||||
| 
 |  | ||||||
|   response.setHeader("Cache-Control", "no-cache", false); |  | ||||||
|   response.setHeader("Content-Type", "text/html", false); |  | ||||||
| 
 |  | ||||||
|   if (query.get("redir")) { |  | ||||||
|     response.setStatusLine(request.httpVersion, "302", "Found"); |  | ||||||
|     response.setHeader("Location", query.get("redir"), false); |  | ||||||
|     return; |  | ||||||
|   } |  | ||||||
| 
 |  | ||||||
|   response.write(TEST_NAVIGATION_HEAD); |  | ||||||
| 
 |  | ||||||
|   // We need meta to set multiple CSP headers. |  | ||||||
|   if (query.get("csp")) { |  | ||||||
|     response.write( |  | ||||||
|       '<meta http-equiv="Content-Security-Policy" content="' + |  | ||||||
|         query.get("csp") + |  | ||||||
|         '">' |  | ||||||
|     ); |  | ||||||
|   } |  | ||||||
|   if (query.get("csp2")) { |  | ||||||
|     response.write( |  | ||||||
|       '<meta http-equiv="Content-Security-Policy" content="' + |  | ||||||
|         query.get("csp2") + |  | ||||||
|         '">' |  | ||||||
|     ); |  | ||||||
|   } |  | ||||||
| 
 |  | ||||||
|   response.write( |  | ||||||
|     TEST_NAVIGATION_AFTER_META + query.get("target") + TEST_NAVIGATION_FOOT |  | ||||||
|   ); |  | ||||||
| } |  | ||||||
|  | @ -1,17 +0,0 @@ | ||||||
| <!DOCTYPE HTML> |  | ||||||
| <html> |  | ||||||
| <head> |  | ||||||
|   <meta charset="utf-8"> |  | ||||||
| </head> |  | ||||||
| <script type="text/javascript"> |  | ||||||
|   // The idea with this file is to convert responses into requests.  |  | ||||||
|   // This is needed because we don't have  |  | ||||||
|   // specialpowers-http-notify-response |  | ||||||
| 
 |  | ||||||
|   // Response from this file => request to www.example.com => Allowed |  | ||||||
|   // CSP error               => Blocked |  | ||||||
|   fetch('http://www.example.com/'); |  | ||||||
| </script> |  | ||||||
| <body> |  | ||||||
| </body> |  | ||||||
| </html> |  | ||||||
|  | @ -576,16 +576,6 @@ skip-if = [ | ||||||
|   "http2", |   "http2", | ||||||
| ] | ] | ||||||
| 
 | 
 | ||||||
| ["test_navigate_to.html"] |  | ||||||
| support-files = [ |  | ||||||
|   "file_navigate_to.sjs", |  | ||||||
|   "file_navigate_to_request.html", |  | ||||||
| ] |  | ||||||
| skip-if = [ |  | ||||||
|   "http3", |  | ||||||
|   "http2", |  | ||||||
| ] |  | ||||||
| 
 |  | ||||||
| ["test_nonce_redirects.html"] | ["test_nonce_redirects.html"] | ||||||
| 
 | 
 | ||||||
| ["test_nonce_snapshot.html"] | ["test_nonce_snapshot.html"] | ||||||
|  |  | ||||||
|  | @ -1,158 +0,0 @@ | ||||||
| <!DOCTYPE HTML> |  | ||||||
| <html> |  | ||||||
| <head> |  | ||||||
|   <title>Bug 1529068 Implement CSP 'navigate-to' directive</title> |  | ||||||
|   <!-- Including SimpleTest.js so we can use waitForExplicitFinish !--> |  | ||||||
|   <script src="/tests/SimpleTest/SimpleTest.js"></script> |  | ||||||
|   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> |  | ||||||
| </head> |  | ||||||
| <body> |  | ||||||
|   <p id="display"></p> |  | ||||||
|   <div id="content"> |  | ||||||
|     <iframe style="width:100%;" id="testframe"></iframe> |  | ||||||
|   </div> |  | ||||||
| 
 |  | ||||||
| <script class="testbody" type="text/javascript"> |  | ||||||
| 
 |  | ||||||
| /* |  | ||||||
|  * Description of the test: |  | ||||||
|  *   We load a page with a given CSP and verify that navigations are correctly |  | ||||||
|  *   evaluated through the "navigate-to" directive. |  | ||||||
|  */ |  | ||||||
| SpecialPowers.pushPrefEnv({"set": [["security.csp.enableNavigateTo", true]]}); |  | ||||||
| SimpleTest.waitForExplicitFinish(); |  | ||||||
| 
 |  | ||||||
| // Note: The final website for the navigation chain must always be: www.example.com |  | ||||||
| var tests = [ |  | ||||||
|   { |  | ||||||
|     result : "blocked", |  | ||||||
|     policy : "navigate-to www.mozilla.com", |  | ||||||
|     target : "http://www.example.com/" |  | ||||||
|   }, |  | ||||||
|   { |  | ||||||
|     result : "allowed", |  | ||||||
|     policy : "navigate-to www.example.com", |  | ||||||
|     target : "http://www.example.com/" |  | ||||||
|   }, |  | ||||||
|   { |  | ||||||
|     // Test path-sensitivity  |  | ||||||
|     result : "blocked", |  | ||||||
|     policy : "navigate-to http://www.example.com/full/path/to/file", |  | ||||||
|     target : "http://www.example.com/" |  | ||||||
|   }, |  | ||||||
|   { |  | ||||||
|     // Test scheme |  | ||||||
|     result : "blocked", |  | ||||||
|     policy : "navigate-to https://www.example.com/", |  | ||||||
|     target : "http://www.example.com/" |  | ||||||
|   }, |  | ||||||
|   { |  | ||||||
|     // Redirect from tracking.example.com to www.example.com |  | ||||||
|     result : "blocked", |  | ||||||
|     policy : "navigate-to www.example.com", |  | ||||||
|     target : "http://tracking.example.com/tests/dom/security/test/csp/file_navigate_to.sjs?redir=http://www.example.com/" |  | ||||||
|   }, |  | ||||||
|   { |  | ||||||
|   // Redirect from tracking.example.com to www.example.com (Explicitly allowed) |  | ||||||
|     result : "allowed", |  | ||||||
|     policy : "navigate-to tracking.example.com www.example.com", |  | ||||||
|     target : "http://tracking.example.com/tests/dom/security/test/csp/file_navigate_to.sjs?redir=http://www.example.com/" |  | ||||||
|   }, |  | ||||||
|   { |  | ||||||
|   // Redirect from tracking.example.com to www.example.com ('unsafe-allow-redirects') |  | ||||||
|     result : "allowed", |  | ||||||
|     policy : "navigate-to 'unsafe-allow-redirects' www.example.com", |  | ||||||
|     target : "http://tracking.example.com/tests/dom/security/test/csp/file_navigate_to.sjs?redir=http://www.example.com/" |  | ||||||
|   }, |  | ||||||
|   // No path-sensitivity after redirect |  | ||||||
|   { |  | ||||||
|     result : "allowed", |  | ||||||
|     policy : "navigate-to tracking.example.com http://www.example.com/full/path/to/file", |  | ||||||
|     target : "http://tracking.example.com/tests/dom/security/test/csp/file_navigate_to.sjs?redir=http://www.example.com/" |  | ||||||
|   }, |  | ||||||
|   // Multiple CSP directives, first block (origin) second allow |  | ||||||
|   { |  | ||||||
|     result : "allowed", |  | ||||||
|     policy : "img-src 'none'; navigate-to www.example.com", |  | ||||||
|     target : "http://www.example.com/" |  | ||||||
|   }, |  | ||||||
|   // Multiple CSP directives, first allow (origin) second block |  | ||||||
|   { |  | ||||||
|     result : "blocked", |  | ||||||
|     policy : "img-src www.example.com mochi.test:8888; navigate-to www.mozilla.com", |  | ||||||
|     target : "http://www.example.com/" |  | ||||||
|   }, |  | ||||||
|   // Multiple CSPs, first allow second block |  | ||||||
|   { |  | ||||||
|     result  : "blocked", |  | ||||||
|     policy  : "navigate-to www.example.com", |  | ||||||
|     policy2 : "navigate-to www.mozilla.com", |  | ||||||
|     target  : "http://www.example.com/" |  | ||||||
|   }, |  | ||||||
|   // Multiple CSPs, first block second allow |  | ||||||
|   { |  | ||||||
|     result  : "blocked", |  | ||||||
|     policy  : "navigate-to www.mozilla.com", |  | ||||||
|     policy2 : "navigate-to www.example.com", |  | ||||||
|     target  : "http://www.example.com/" |  | ||||||
|   }, |  | ||||||
| ]; |  | ||||||
| 
 |  | ||||||
| // initializing to -1 so we start at index 0 when we start the test |  | ||||||
| var counter = -1; |  | ||||||
| 
 |  | ||||||
| function checkResult(aResult) { |  | ||||||
|   is(aResult, tests[counter].result, "should be " + tests[counter].result + " in test " + counter +  |  | ||||||
|     "(" + tests[counter].policy + ", " + tests[counter].target + ")!"); |  | ||||||
|   loadNextTest(); |  | ||||||
| } |  | ||||||
| 
 |  | ||||||
| // We use the examiner to identify requests that hit the wire and requests |  | ||||||
| // that are blocked by CSP and bubble up the result to the including iframe |  | ||||||
| // document (parent). |  | ||||||
| function examiner() { |  | ||||||
|   SpecialPowers.addObserver(this, "csp-on-violate-policy"); |  | ||||||
| } |  | ||||||
| examiner.prototype  = { |  | ||||||
|   observe(subject, topic, data) { |  | ||||||
|     if (topic === "csp-on-violate-policy" && data === "navigate-to") { |  | ||||||
|       checkResult("blocked"); |  | ||||||
|     } |  | ||||||
| 
 |  | ||||||
|   }, |  | ||||||
|   remove() { |  | ||||||
|     SpecialPowers.removeObserver(this, "csp-on-violate-policy"); |  | ||||||
|   } |  | ||||||
| } |  | ||||||
| window.NavigationActionExaminer = new examiner(); |  | ||||||
| // We use iframe onload to check if requests are not blocked by CSP |  | ||||||
| var iframe = document.getElementById("testframe"); |  | ||||||
| iframe.onload = function() { |  | ||||||
|   checkResult("allowed"); |  | ||||||
| } |  | ||||||
| 
 |  | ||||||
| function loadNextTest() { |  | ||||||
|   counter++; |  | ||||||
|   if (counter == tests.length) { |  | ||||||
|     window.NavigationActionExaminer.remove(); |  | ||||||
|     SimpleTest.finish(); |  | ||||||
|     return; |  | ||||||
|   } |  | ||||||
| 
 |  | ||||||
|   var src = "file_navigate_to.sjs"; |  | ||||||
|   // append the CSP that should be used to serve the file |  | ||||||
|   src += "?csp=" + escape(tests[counter].policy); |  | ||||||
|   if( tests[counter].policy2 ) { |  | ||||||
|      src += "&csp2=" + escape(tests[counter].policy2); |  | ||||||
|   } |  | ||||||
|   src += "&target=" + escape(tests[counter].target); |  | ||||||
| 
 |  | ||||||
|   iframe.src = src; |  | ||||||
| } |  | ||||||
| 
 |  | ||||||
| // start running the tests |  | ||||||
| loadNextTest(); |  | ||||||
| 
 |  | ||||||
| </script> |  | ||||||
| </body> |  | ||||||
| </html> |  | ||||||
|  | @ -150,10 +150,12 @@ nsresult runTestSuite(const PolicyTest* aPolicies, uint32_t aPolicyCount, | ||||||
|                       uint32_t aExpectedPolicyCount) { |                       uint32_t aExpectedPolicyCount) { | ||||||
|   nsresult rv; |   nsresult rv; | ||||||
|   nsCOMPtr<nsIPrefBranch> prefs = do_GetService(NS_PREFSERVICE_CONTRACTID); |   nsCOMPtr<nsIPrefBranch> prefs = do_GetService(NS_PREFSERVICE_CONTRACTID); | ||||||
|   bool navigateTo = false; | 
 | ||||||
|  |   // Add prefs you need to set to parse CSP here, see comments for example
 | ||||||
|  |   // bool examplePref = false;
 | ||||||
|   if (prefs) { |   if (prefs) { | ||||||
|     prefs->GetBoolPref("security.csp.enableNavigateTo", &navigateTo); |     // prefs->GetBoolPref("security.csp.examplePref", &examplePref);
 | ||||||
|     prefs->SetBoolPref("security.csp.enableNavigateTo", true); |     // prefs->SetBoolPref("security.csp.examplePref", true);
 | ||||||
|   } |   } | ||||||
| 
 | 
 | ||||||
|   for (uint32_t i = 0; i < aPolicyCount; i++) { |   for (uint32_t i = 0; i < aPolicyCount; i++) { | ||||||
|  | @ -163,7 +165,7 @@ nsresult runTestSuite(const PolicyTest* aPolicies, uint32_t aPolicyCount, | ||||||
|   } |   } | ||||||
| 
 | 
 | ||||||
|   if (prefs) { |   if (prefs) { | ||||||
|     prefs->SetBoolPref("security.csp.enableNavigateTo", navigateTo); |     // prefs->SetBoolPref("security.csp.examplePref", examplePref);
 | ||||||
|   } |   } | ||||||
| 
 | 
 | ||||||
|   return NS_OK; |   return NS_OK; | ||||||
|  | @ -217,10 +219,6 @@ TEST(CSPParser, Directives) | ||||||
|       "worker-src https://example.com" }, |       "worker-src https://example.com" }, | ||||||
|     { "worker-src http://worker.com; frame-src http://frame.com; child-src http://child.com", |     { "worker-src http://worker.com; frame-src http://frame.com; child-src http://child.com", | ||||||
|       "worker-src http://worker.com; frame-src http://frame.com; child-src http://child.com" }, |       "worker-src http://worker.com; frame-src http://frame.com; child-src http://child.com" }, | ||||||
|     { "navigate-to http://example.com", |  | ||||||
|       "navigate-to http://example.com"}, |  | ||||||
|     { "navigate-to 'unsafe-allow-redirects' http://example.com", |  | ||||||
|       "navigate-to 'unsafe-allow-redirects' http://example.com"}, |  | ||||||
|     { "script-src 'unsafe-allow-redirects' http://example.com", |     { "script-src 'unsafe-allow-redirects' http://example.com", | ||||||
|       "script-src http://example.com"}, |       "script-src http://example.com"}, | ||||||
|       // clang-format on
 |       // clang-format on
 | ||||||
|  |  | ||||||
|  | @ -13924,12 +13924,6 @@ | ||||||
|   value: true |   value: true | ||||||
|   mirror: always |   mirror: always | ||||||
| 
 | 
 | ||||||
| # Navigate-to CSP 3 directive |  | ||||||
| - name: security.csp.enableNavigateTo |  | ||||||
|   type: bool |  | ||||||
|   value: false |  | ||||||
|   mirror: always |  | ||||||
| 
 |  | ||||||
| # WebAuthn CTAP2 support | # WebAuthn CTAP2 support | ||||||
| - name: security.webauthn.ctap2 | - name: security.webauthn.ctap2 | ||||||
|   type: RelaxedAtomicBool |   type: RelaxedAtomicBool | ||||||
|  |  | ||||||
|  | @ -711,7 +711,6 @@ interface nsILoadInfo : nsISupports | ||||||
| 
 | 
 | ||||||
|   /** |   /** | ||||||
|    * True if the load was initiated by a form request. |    * True if the load was initiated by a form request. | ||||||
|    * This is important to know to handle the CSP directive navigate-to. |  | ||||||
|    */ |    */ | ||||||
|   [infallible] attribute boolean isFormSubmission; |   [infallible] attribute boolean isFormSubmission; | ||||||
| 
 | 
 | ||||||
|  |  | ||||||
|  | @ -1019,19 +1019,6 @@ auto DocumentLoadListener::OpenInParent(nsDocShellLoadState* aLoadState, | ||||||
|     return nullptr; |     return nullptr; | ||||||
|   } |   } | ||||||
| 
 | 
 | ||||||
|   if (nsCOMPtr<nsIContentSecurityPolicy> csp = aLoadState->Csp()) { |  | ||||||
|     // Check CSP navigate-to
 |  | ||||||
|     bool allowsNavigateTo = false; |  | ||||||
|     nsresult rv = csp->GetAllowsNavigateTo(aLoadState->URI(), |  | ||||||
|                                            aLoadState->IsFormSubmission(), |  | ||||||
|                                            false, /* aWasRedirected */ |  | ||||||
|                                            false, /* aEnforceWhitelist */ |  | ||||||
|                                            &allowsNavigateTo); |  | ||||||
|     if (NS_FAILED(rv) || !allowsNavigateTo) { |  | ||||||
|       return nullptr; |  | ||||||
|     } |  | ||||||
|   } |  | ||||||
| 
 |  | ||||||
|   // Clone because this mutates the load flags in the load state, which
 |   // Clone because this mutates the load flags in the load state, which
 | ||||||
|   // breaks nsDocShells expectations of being able to do it.
 |   // breaks nsDocShells expectations of being able to do it.
 | ||||||
|   RefPtr<nsDocShellLoadState> loadState = new nsDocShellLoadState(*aLoadState); |   RefPtr<nsDocShellLoadState> loadState = new nsDocShellLoadState(*aLoadState); | ||||||
|  |  | ||||||
|  | @ -1,4 +1 @@ | ||||||
| prefs: [security.csp.enableNavigateTo:true] | disabled: true | ||||||
| disabled: |  | ||||||
|   if os == "win": https://bugzilla.mozilla.org/show_bug.cgi?id=1450635 |  | ||||||
| lsan-allowed: [Alloc, AllocateProtoAndIfaceCache, CallFromStack, CallJSNative, CallResolveOp, DelazifyCanonicalScriptedFunction, EnterJit, InternalCall, JS::Call, JSFunction::delazifyLazilyInterpretedFunction, MakeLinearStringForAtomization, ProtoAndIfaceCache, addDataProperty, alloc::raw_vec::finish_grow, applyImpl, js::RunScript, js::frontend::CompilationStencil::instantiateStencilsAfterPreparation, js_new, js_pod_arena_malloc, maybeCreateCacheForLookup, mozilla::EventDispatcher::Dispatch, mozilla::EventListenerManager::HandleEventInternal, mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal, mozilla::detail::HashTable, mozilla::detail::RunnableFunction, mozilla::dom::PContentChild::OnMessageReceived, mozilla::dom::Performance::CreateForMainThread, mozilla::dom::PerformanceMainThread::CreateNavigationTimingEntry, mozilla::dom::ProtoAndIfaceCache::PageTableCache::EntrySlotOrCreate, mozilla::dom::ScriptLoader::CreateLoadRequest, mozilla::dom::ScriptLoader::EvaluateScript, mozilla::intl::FluentBundle::Constructor, mozilla::intl::FluentResource::Constructor, mozilla::ipc::MessageChannel::RunMessage, mozilla::net::nsStandardURL::TemplatedMutator, nsDocumentOpenInfo::TryContentListener, nsDynamicAtom::Create, nsPresContext::NotifyContentfulPaint, nsThread::ProcessNextEvent, operator, search, unknown stack] |  | ||||||
|  |  | ||||||
|  | @ -1,8 +0,0 @@ | ||||||
| [child-navigates-parent-allowed.html]	 |  | ||||||
|   disabled: |  | ||||||
|     if os == "linux": https://bugzilla.mozilla.org/show_bug.cgi?id=1450660 |  | ||||||
|    |  | ||||||
|   expected: TIMEOUT |  | ||||||
| 
 |  | ||||||
|   [Test that the child can navigate the parent because the relevant policy belongs to the navigation initiator (in this case the child, which has the policy `navigate-to 'self'`)] |  | ||||||
|     expected: NOTRUN |  | ||||||
|  | @ -1,12 +0,0 @@ | ||||||
| [child-navigates-parent-blocked.sub.html] |  | ||||||
|   disabled: |  | ||||||
|     if os == "linux": https://bugzilla.mozilla.org/show_bug.cgi?id=1845961 |  | ||||||
|     if os == "mac": https://bugzilla.mozilla.org/show_bug.cgi?id=1845961 |  | ||||||
|     if os == "android": https://bugzilla.mozilla.org/show_bug.cgi?id=1845961 |  | ||||||
|   expected: TIMEOUT |  | ||||||
|   [Violation report status OK.] |  | ||||||
|     expected: FAIL |  | ||||||
| 
 |  | ||||||
|   [Test that the child can't navigate the parent because the relevant policy belongs to the navigation initiator (in this case the child which has the policy `navigate-to 'none'`)] |  | ||||||
|     expected: NOTRUN |  | ||||||
| 
 |  | ||||||
|  | @ -1,4 +0,0 @@ | ||||||
| [form-action-blocks-navigate-to-allows.sub.html] |  | ||||||
|   [Test that form-action overrides navigate-to when present.] |  | ||||||
|     expected: FAIL |  | ||||||
| 
 |  | ||||||
|  | @ -1,5 +0,0 @@ | ||||||
| [form-action-blocks-navigate-to-blocks.sub.html] |  | ||||||
|   expected: |  | ||||||
|     if (os == "android") and fission: [OK, TIMEOUT] |  | ||||||
|   [Test that form-action overrides navigate-to when present.] |  | ||||||
|     expected: FAIL |  | ||||||
|  | @ -1,9 +0,0 @@ | ||||||
| [form-blocked.sub.html] |  | ||||||
|   expected: |  | ||||||
|     if (os == "android") and fission: [OK, TIMEOUT] |  | ||||||
|   [Test that the child iframe navigation is not allowed] |  | ||||||
|     expected: FAIL |  | ||||||
| 
 |  | ||||||
|   [Violation report status OK.] |  | ||||||
|     expected: |  | ||||||
|       if (os == "android") and not debug: [PASS, FAIL] |  | ||||||
|  | @ -1,5 +0,0 @@ | ||||||
| [form-cross-origin-blocked.sub.html] |  | ||||||
|   expected: |  | ||||||
|     if (os == "android") and fission: [OK, TIMEOUT] |  | ||||||
|   [Test that the child iframe navigation is not allowed] |  | ||||||
|     expected: FAIL |  | ||||||
|  | @ -1,3 +0,0 @@ | ||||||
| [form-redirected-blocked.sub.html] |  | ||||||
|   expected: |  | ||||||
|     if (os == "android") and fission: [OK, TIMEOUT] |  | ||||||
|  | @ -1,3 +0,0 @@ | ||||||
| [href-location-allowed.html] |  | ||||||
|   expected: |  | ||||||
|     if (os == "android") and fission: [OK, TIMEOUT] |  | ||||||
|  | @ -1,6 +0,0 @@ | ||||||
| [href-location-blocked.sub.html] |  | ||||||
|   [Violation report status OK.] |  | ||||||
|     expected: |  | ||||||
|       if (os == "android") and debug and swgl: [PASS, FAIL] |  | ||||||
|       if (os == "android") and debug and not swgl: [FAIL, PASS] |  | ||||||
|       if (os == "android") and not debug: [PASS, FAIL] |  | ||||||
|  | @ -1,3 +0,0 @@ | ||||||
| [href-location-cross-origin-allowed.sub.html] |  | ||||||
|   expected: |  | ||||||
|     if (os == "android") and fission: [OK, TIMEOUT] |  | ||||||
|  | @ -1,3 +0,0 @@ | ||||||
| [href-location-cross-origin-blocked.sub.html] |  | ||||||
|   disabled: |  | ||||||
|     if os == "android": Passes on debug but fails on optimized |  | ||||||
|  | @ -1,3 +0,0 @@ | ||||||
| [href-location-redirected-allowed.html] |  | ||||||
|   expected: |  | ||||||
|     if (os == "android") and fission: [OK, TIMEOUT] |  | ||||||
|  | @ -1,3 +0,0 @@ | ||||||
| [href-location-redirected-blocked.sub.html] |  | ||||||
|   expected: |  | ||||||
|     if (os == "android") and fission: [OK, TIMEOUT] |  | ||||||
|  | @ -1,3 +0,0 @@ | ||||||
| [link-click-allowed.html] |  | ||||||
|   expected: |  | ||||||
|     if (os == "android") and fission: [TIMEOUT, OK] |  | ||||||
|  | @ -1,11 +0,0 @@ | ||||||
| [link-click-blocked.sub.html] |  | ||||||
|   expected: |  | ||||||
|     if fission and (os == "linux") and not debug: [OK, TIMEOUT] |  | ||||||
|     if fission and (os == "android"): [OK, TIMEOUT] |  | ||||||
|   [Test that the child iframe navigation is not allowed] |  | ||||||
|     expected: |  | ||||||
|       if (os == "linux") and not debug and fission: [PASS, NOTRUN] |  | ||||||
| 
 |  | ||||||
|   [Violation report status OK.] |  | ||||||
|     expected: |  | ||||||
|       if (os == "linux") and not debug and fission: [PASS, FAIL] |  | ||||||
|  | @ -1,3 +0,0 @@ | ||||||
| [link-click-cross-origin-allowed.sub.html] |  | ||||||
|   expected: |  | ||||||
|     if (os == "android") and fission: [OK, TIMEOUT] |  | ||||||
|  | @ -1,3 +0,0 @@ | ||||||
| [link-click-cross-origin-blocked.sub.html] |  | ||||||
|   expected: |  | ||||||
|     if (os == "android") and fission: [OK, TIMEOUT] |  | ||||||
|  | @ -1,5 +0,0 @@ | ||||||
| [link-click-redirected-allowed.html] |  | ||||||
|   disabled: |  | ||||||
|     if os == "win": Bug 1440584 |  | ||||||
|   expected: |  | ||||||
|     if (os == "android") and fission: [OK, TIMEOUT] |  | ||||||
|  | @ -1,4 +0,0 @@ | ||||||
| [link-click-redirected-blocked.sub.html] |  | ||||||
|   [Violation report status OK.] |  | ||||||
|     expected: |  | ||||||
|       if debug and (os == "linux") and not fission and not swgl: [PASS, FAIL] |  | ||||||
|  | @ -1,3 +0,0 @@ | ||||||
| [meta-refresh-allowed.html] |  | ||||||
|   expected: |  | ||||||
|     if (os == "android") and fission: [OK, TIMEOUT] |  | ||||||
|  | @ -1,3 +0,0 @@ | ||||||
| [meta-refresh-blocked.sub.html] |  | ||||||
|   expected: |  | ||||||
|     if (os == "android") and fission: [OK, TIMEOUT] |  | ||||||
|  | @ -1,3 +0,0 @@ | ||||||
| [meta-refresh-cross-origin-allowed.sub.html] |  | ||||||
|   expected: |  | ||||||
|     if (os == "android") and fission: [OK, TIMEOUT] |  | ||||||
|  | @ -1,3 +0,0 @@ | ||||||
| [meta-refresh-cross-origin-blocked.sub.html] |  | ||||||
|   expected: |  | ||||||
|     if (os == "android") and fission: [OK, TIMEOUT] |  | ||||||
|  | @ -1,3 +0,0 @@ | ||||||
| [meta-refresh-redirected-allowed.html] |  | ||||||
|   expected: |  | ||||||
|     if (os == "android") and fission: [OK, TIMEOUT] |  | ||||||
|  | @ -1,3 +0,0 @@ | ||||||
| [meta-refresh-redirected-blocked.sub.html] |  | ||||||
|   expected: |  | ||||||
|     if (os == "android") and fission: [OK, TIMEOUT] |  | ||||||
|  | @ -1,3 +0,0 @@ | ||||||
| [parent-navigates-child-allowed.html] |  | ||||||
|   expected: |  | ||||||
|     if (os == "android") and fission: [OK, TIMEOUT] |  | ||||||
|  | @ -1,3 +0,0 @@ | ||||||
| [parent-navigates-child-blocked.html] |  | ||||||
|   expected: |  | ||||||
|     if (os == "android") and fission: [OK, TIMEOUT] |  | ||||||
|  | @ -1,17 +0,0 @@ | ||||||
| [spv-only-sent-to-initiator.sub.html] |  | ||||||
|   expected: |  | ||||||
|     if fission and (os == "linux") and debug and not swgl: [TIMEOUT, OK] |  | ||||||
|     if fission and (os == "linux") and debug and swgl: [TIMEOUT, OK] |  | ||||||
|     if fission and (os == "linux") and not debug and (processor == "x86_64"): [TIMEOUT, OK] |  | ||||||
|     if fission and (os == "mac") and debug: [TIMEOUT, OK] |  | ||||||
|     [OK, TIMEOUT] |  | ||||||
|   [Test that no spv event is raised] |  | ||||||
|     expected: |  | ||||||
|       if fission and (os == "linux") and not debug and (processor == "x86_64"): [NOTRUN, FAIL] |  | ||||||
|       if fission and (os == "linux") and debug and not swgl: [NOTRUN, FAIL] |  | ||||||
|       if fission and (os == "linux") and debug and swgl: [NOTRUN, FAIL] |  | ||||||
|       if fission and (os == "mac") and debug: [NOTRUN, FAIL] |  | ||||||
|       [FAIL, NOTRUN] |  | ||||||
| 
 |  | ||||||
|   [Violation report status OK.] |  | ||||||
|     expected: FAIL |  | ||||||
|  | @ -1,3 +0,0 @@ | ||||||
| [allowed-end-of-chain-because-of-same-origin.sub.html] |  | ||||||
|   disabled: |  | ||||||
|     if (os == "android"): https://bugzilla.mozilla.org/show_bug.cgi?id=1511193 |  | ||||||
|  | @ -1,6 +0,0 @@ | ||||||
| [blocked-end-of-chain.sub.html] |  | ||||||
|   expected: TIMEOUT |  | ||||||
| 
 |  | ||||||
|   [Test that the child iframe navigation is blocked] |  | ||||||
|     expected: NOTRUN |  | ||||||
| 
 |  | ||||||
|  | @ -902,9 +902,8 @@ with modules["SECURITY"]: | ||||||
|     errors["NS_ERROR_XFO_VIOLATION"] = FAILURE(96) |     errors["NS_ERROR_XFO_VIOLATION"] = FAILURE(96) | ||||||
| 
 | 
 | ||||||
|     # Error code for CSP |     # Error code for CSP | ||||||
|     errors["NS_ERROR_CSP_NAVIGATE_TO_VIOLATION"] = FAILURE(97) |     errors["NS_ERROR_CSP_FORM_ACTION_VIOLATION"] = FAILURE(97) | ||||||
|     errors["NS_ERROR_CSP_FORM_ACTION_VIOLATION"] = FAILURE(98) |     errors["NS_ERROR_CSP_FRAME_ANCESTOR_VIOLATION"] = FAILURE(98) | ||||||
|     errors["NS_ERROR_CSP_FRAME_ANCESTOR_VIOLATION"] = FAILURE(99) |  | ||||||
| 
 | 
 | ||||||
|     # Error code for Sub-Resource Integrity |     # Error code for Sub-Resource Integrity | ||||||
|     errors["NS_ERROR_SRI_CORRUPT"] = FAILURE(200) |     errors["NS_ERROR_SRI_CORRUPT"] = FAILURE(200) | ||||||
|  |  | ||||||
		Loading…
	
		Reference in a new issue
	
	 Oliver Medhurst
						Oliver Medhurst