Bug 1594234 remove extensions.content_script_csp preferences in favor of extensions.manifestV3.enabled r=robwu

Differential Revision: https://phabricator.services.mozilla.com/D101212
2021-01-19 19:43:09 +00:00 · 2021-01-19 19:43:09 +00:00 · 6a2b434485
commit 6a2b434485
parent 98c9307c72
5 changed files with 11 additions and 44 deletions
--- a/caps/nsScriptSecurityManager.cpp
+++ b/caps/nsScriptSecurityManager.cpp
@ -414,9 +414,6 @@ bool nsScriptSecurityManager::ContentSecurityPolicyPermitsJSAction(
  nsCOMPtr<nsIPrincipal> subjectPrincipal = nsContentUtils::SubjectPrincipal();
  if (!csp) {
    if (!StaticPrefs::extensions_content_script_csp_enabled()) {
      return true;
    }
    // Get the CSP for addon sandboxes.  If the principal is expanded and has a
    // csp, we're probably in luck.
    auto* basePrin = BasePrincipal::Cast(subjectPrincipal);
--- a/js/xpconnect/src/Sandbox.cpp
+++ b/js/xpconnect/src/Sandbox.cpp
@ -1113,9 +1113,6 @@ bool xpc::GlobalProperties::DefineInSandbox(JSContext* cx,
 * provided by the extension in its manifest.
 */
 nsresult ApplyAddonContentScriptCSP(nsISupports* prinOrSop) {
  if (!StaticPrefs::extensions_content_script_csp_enabled()) {
    return NS_OK;
  }
  nsCOMPtr<nsIPrincipal> principal = do_QueryInterface(prinOrSop);
  if (!principal) {
    return NS_OK;
@ -1166,9 +1163,7 @@ nsresult ApplyAddonContentScriptCSP(nsISupports* prinOrSop) {
  csp = new nsCSPContext();
  MOZ_TRY(csp->SetRequestContextWithPrincipal(expanded, selfURI, u""_ns, 0));
-  bool reportOnly = StaticPrefs::extensions_content_script_csp_report_only();
+  MOZ_TRY(csp->AppendPolicy(baseCSP, false, false));
  MOZ_TRY(csp->AppendPolicy(baseCSP, reportOnly, false));
  expanded->SetCsp(csp);
  return NS_OK;
--- a/modules/libpref/init/StaticPrefList.yaml
+++ b/modules/libpref/init/StaticPrefList.yaml
@ -3660,18 +3660,6 @@
  value: false
  mirror: always
 # This pref governs whether we enable content script CSP in extensions.
 - name: extensions.content_script_csp.enabled
  type: bool
  value: false
  mirror: always
 # This pref governs whether content script CSP is report-only.
 - name: extensions.content_script_csp.report_only
  type: bool
  value: true
  mirror: always
 # This pref governs whether we run webextensions in a separate process (true)
 # or the parent/main process (false)
 - name: extensions.webextensions.remote
--- a/toolkit/components/extensions/test/xpcshell/test_ext_contentscript_csp.js
+++ b/toolkit/components/extensions/test/xpcshell/test_ext_contentscript_csp.js
@ -6,9 +6,6 @@ const { TestUtils } = ChromeUtils.import(
  "resource://testing-common/TestUtils.jsm"
 );
 // Enable and turn off report-only so we can validate the results.
 Services.prefs.setBoolPref("extensions.content_script_csp.enabled", true);
 Services.prefs.setBoolPref("extensions.content_script_csp.report_only", false);
 Services.prefs.setBoolPref("extensions.manifestV3.enabled", true);
 const server = createHttpServer({
--- a/toolkit/components/extensions/test/xpcshell/test_ext_contentscript_triggeringPrincipal.js
+++ b/toolkit/components/extensions/test/xpcshell/test_ext_contentscript_triggeringPrincipal.js
@ -39,7 +39,6 @@ var gContentSecurityPolicy = null;
 const BASE_URL = `http://example.com`;
 const CSP_REPORT_PATH = "/csp-report.sjs";
 const CSP_REPORT_URL = `http://csplog.example.net/csp-report.sjs`;
 /**
 * Registers a static HTML document with the given content at the given
@ -1320,24 +1319,7 @@ add_task(async function test_contentscript_csp() {
 * content page.
 */
 add_task(async function test_extension_contentscript_csp() {
-  Services.prefs.setBoolPref("extensions.content_script_csp.enabled", true);
+  Services.prefs.setBoolPref("extensions.manifestV3.enabled", true);
  Services.prefs.setBoolPref(
    "extensions.content_script_csp.report_only",
    false
  );
  // Add reporting to base and default CSP as this cannot be done via manifest.
  let baseCSP = Services.prefs.getStringPref(
    "extensions.webextensions.base-content-security-policy"
  );
  Services.prefs.setStringPref(
    "extensions.webextensions.base-content-security-policy",
    `${baseCSP} report-uri ${CSP_REPORT_URL};`
  );
  Services.prefs.setStringPref(
    "extensions.webextensions.default-content-security-policy",
    `script-src 'self' 'report-sample'; object-src 'self' 'report-sample'; report-uri ${CSP_REPORT_URL};`
  );
  // TODO bug 1408193: We currently don't get the full set of CSP reports when
  // running in network scheduling chaos mode. It's not entirely clear why.
@ -1346,7 +1328,14 @@ add_task(async function test_extension_contentscript_csp() {
  gContentSecurityPolicy = `default-src 'none' 'report-sample'; script-src 'nonce-deadbeef' 'unsafe-eval' 'report-sample'; report-uri ${CSP_REPORT_PATH};`;
-  let extension = ExtensionTestUtils.loadExtension(EXTENSION_DATA);
+  let data = {
    ...EXTENSION_DATA,
    manifest: {
      ...EXTENSION_DATA.manifest,
      manifest_version: 3,
    },
  };
  let extension = ExtensionTestUtils.loadExtension(data);
  await extension.startup();
  let urlsPromise = extension.awaitMessage("css-sources").then(msg => {
@ -1369,4 +1358,5 @@ add_task(async function test_extension_contentscript_csp() {
  await extension.unload();
  await contentPage.close();
  Services.prefs.clearUserPref("extensions.manifestV3.enabled");
 });