nagai/fune
3
0
Fork 0
forked from mirrors/gecko-dev
Code Pull requests Activity

Bug 1789751 - Remove localhost from MV3 CSP r=mixedpuppy

Browse source 
Differential Revision: https://phabricator.services.mozilla.com/D156758
This commit is contained in:
Rob Wu 2022-09-10 23:49:49 +00:00
parent 9e70d31e32
commit a181c16953
8 changed files with 22 additions and 28 deletions
repo.diff.show_diff_stats Download patch file Download diff file Expand all files Collapse all files

2
caps/nsIAddonPolicyService.idl
View file

@ -84,7 +84,7 @@ interface nsIAddonContentPolicy : nsISupports
/* options to pass to validateAddonCSP
*
* Manifest V2 uses CSP_ALLOW_ANY.
* In Manifest V3, extension_pages would use CSP_ALLOW_LOCALHOST|CSP_ALLOW_WASM
* In Manifest V3, extension_pages would use CSP_ALLOW_WASM
* and sandbox would use CSP_ALLOW_EVAL.
*/
const unsigned long CSP_ALLOW_ANY = 0xFFFF;

2
modules/libpref/init/all.js
View file

@ -3614,7 +3614,7 @@ pref("extensions.webcompat-reporter.newIssueEndpoint", "https://webcompat.com/is
// Add-on content security policies.
pref("extensions.webextensions.base-content-security-policy", "script-src 'self' https://* http://localhost:* http://127.0.0.1:* moz-extension: blob: filesystem: 'unsafe-eval' 'wasm-unsafe-eval' 'unsafe-inline';");
pref("extensions.webextensions.base-content-security-policy.v3", "script-src 'self' 'wasm-unsafe-eval' http://localhost:* http://127.0.0.1:*;");
pref("extensions.webextensions.base-content-security-policy.v3", "script-src 'self' 'wasm-unsafe-eval';");
pref("extensions.webextensions.default-content-security-policy", "script-src 'self' 'wasm-unsafe-eval';");
pref("extensions.webextensions.default-content-security-policy.v3", "script-src 'self';");

5
toolkit/components/extensions/Schemas.jsm
View file

@ -1153,14 +1153,13 @@ const FORMATS = {
},
contentSecurityPolicy(string, context) {
// Manifest V3 extension_pages allows localhost and WASM. When sandbox is
// Manifest V3 extension_pages allows WASM. When sandbox is
// implemented, or any other V3 or later directive, the flags
// logic will need to be updated.
let flags =
context.manifestVersion < 3
? Ci.nsIAddonContentPolicy.CSP_ALLOW_ANY
: Ci.nsIAddonContentPolicy.CSP_ALLOW_LOCALHOST |
Ci.nsIAddonContentPolicy.CSP_ALLOW_WASM;
: Ci.nsIAddonContentPolicy.CSP_ALLOW_WASM;
let error = lazy.contentPolicyService.validateAddonCSP(string, flags);
if (error != null) {
// The CSP validation error is not reported as part of the "choices" error message,

4
toolkit/components/extensions/WebExtensionPolicy.cpp
View file

@ -49,9 +49,7 @@ static const char kBackgroundPageHTMLEnd[] =
#define BASE_CSP_PREF_V3 \
"extensions.webextensions.base-content-security-policy.v3"
#define DEFAULT_BASE_CSP_V3 \
"script-src 'self' 'wasm-unsafe-eval' http://localhost:* " \
"http://127.0.0.1:*;"
#define DEFAULT_BASE_CSP_V3 "script-src 'self' 'wasm-unsafe-eval';"
static const char kRestrictedDomainPref[] =
"extensions.webextensions.restrictedDomains";

8
toolkit/components/extensions/test/xpcshell/test_csp_custom_policies.js
View file

@ -203,24 +203,24 @@ add_task(async function test_extension_csp() {
expectedPolicy: aps.defaultCSPV3,
},
{
name: "manifest_v3 allows localhost",
name: "manifest_v3 disallows localhost",
manifest: {
manifest_version: 3,
content_security_policy: {
extension_pages: `script-src 'self' https://localhost`,
},
},
expectedPolicy: `script-src 'self' https://localhost`,
expectedPolicy: aps.defaultCSPV3,
},
{
name: "manifest_v3 allows 127.0.0.1",
name: "manifest_v3 disallows 127.0.0.1",
manifest: {
manifest_version: 3,
content_security_policy: {
extension_pages: `script-src 'self' https://127.0.0.1`,
},
},
expectedPolicy: `script-src 'self' https://127.0.0.1`,
expectedPolicy: aps.defaultCSPV3,
},
{
name: "manifest_v3 allows wasm-unsafe-eval",

16
toolkit/components/extensions/test/xpcshell/test_csp_validator.js
View file

@ -202,10 +202,10 @@ add_task(async function test_csp_validator_extension_pages() {
let checkPolicy = (policy, expectedResult, message = null) => {
info(`Checking policy: ${policy}`);
let result = cps.validateAddonCSP(
policy,
Ci.nsIAddonContentPolicy.CSP_ALLOW_LOCALHOST
);
// While Schemas.jsm uses Ci.nsIAddonContentPolicy.CSP_ALLOW_WASM, we don't
// pass that here because we are only verifying that remote scripts are
// blocked here.
let result = cps.validateAddonCSP(policy, 0);
equal(result, expectedResult);
};
@ -273,14 +273,18 @@ add_task(async function test_csp_validator_extension_pages() {
"\u2018script-src\u2019 directive contains a forbidden 'unsafe-eval' keyword"
);
// Localhost is always valid
// Localhost is invalid
for (let src of [
"http://localhost",
"https://localhost",
"http://127.0.0.1",
"https://127.0.0.1",
]) {
checkPolicy(`script-src 'self' ${src};`, null);
const protocol = src.split(":")[0];
checkPolicy(
`script-src 'self' ${src};`,
`\u2018script-src\u2019 directive contains a forbidden ${protocol}: protocol source`
);
}
let directives = ["script-src", "worker-src"];

11
toolkit/components/extensions/test/xpcshell/test_ext_content_security_policy.js
View file

@ -34,12 +34,7 @@ baseCSP[2] = {
};
// Keep in sync with extensions.webextensions.base-content-security-policy.v3
baseCSP[3] = {
"script-src": [
"http://localhost:*",
"http://127.0.0.1:*",
"'self'",
"'wasm-unsafe-eval'",
],
"script-src": ["'self'", "'wasm-unsafe-eval'"],
};
/**
@ -323,8 +318,8 @@ add_task(async function testCSP() {
await testPolicy({
manifest_version: 3,
customCSP: {
"script-src": `'self' http://localhost:123 ${hash}`,
"worker-src": `'self' http://127.0.0.1:*`,
"script-src": `'self' ${hash}`,
"worker-src": `'self'`,
},
expects: {
workerEvalAllowed: false,

2
toolkit/mozapps/extensions/AddonContentPolicy.cpp
View file

@ -178,8 +178,6 @@ static const char* allowedHostSchemes[] = {"http", "https", "moz-extension",
* worker-src directives may only be the following:
* - self
* - none
* - Any localhost source, (http://localhost, http://127.0.0.1, or any port
* on those domains)
*/
class CSPValidator final : public nsCSPSrcVisitor {
public: