Bug 1770468 - Report-only wasm-unsafe-eval in MV2 r=mixedpuppy,freddyb,ckerschb

For backcompat, do not enforce wasm-unsafe-eval even if the extension has specified a custom CSP. Do report the errors though, to allow extension authors to discover the issue and fix it. Differential Revision: https://phabricator.services.mozilla.com/D147105
2022-05-24 13:56:22 +00:00 · 2022-05-24 13:56:22 +00:00 · c0e20dd0b0
commit c0e20dd0b0
parent 2486c41016
2 changed files with 43 additions and 3 deletions
--- a/caps/nsScriptSecurityManager.cpp
+++ b/caps/nsScriptSecurityManager.cpp
@ -515,6 +515,17 @@ bool nsScriptSecurityManager::ContentSecurityPolicyPermitsJSAction(
    if (NS_FAILED(csp->GetAllowsWasmEval(&reportViolation, &evalOK))) {
      return false;
    }
    if (!evalOK) {
      // Historically, CSP did not block WebAssembly in Firefox, and some
      // add-ons use wasm and a stricter CSP. To avoid breaking them, ignore
      // 'wasm-unsafe-eval' violations for MV2 extensions.
      // TODO bug 1770909: remove this exception.
      auto* addonPolicy = BasePrincipal::Cast(subjectPrincipal)->AddonPolicy();
      if (addonPolicy && addonPolicy->ManifestVersion() == 2) {
        reportViolation = true;
        evalOK = true;
      }
    }
  }
  if (reportViolation) {
--- a/toolkit/components/extensions/test/xpcshell/test_ext_wasm.js
+++ b/toolkit/components/extensions/test/xpcshell/test_ext_wasm.js
@ -8,6 +8,12 @@ Services.prefs.setBoolPref("extensions.manifestV3.enabled", true);
 function background() {
  globalThis.onsecuritypolicyviolation = event => {
    browser.test.assertEq("wasm-eval", event.blockedURI, "blockedURI");
    if (browser.runtime.getManifest().version === 2) {
      // In MV2, wasm eval violations are advisory only, as a transition tool.
      browser.test.assertEq(event.disposition, "report", "MV2 disposition");
    } else {
      browser.test.assertEq(event.disposition, "enforce", "MV3 disposition");
    }
    browser.test.sendMessage("violated_csp", event.originalPolicy);
  };
  try {
@ -53,7 +59,8 @@ add_task(async function test_wasm_v2_explicit() {
  await extension.unload();
 });
-add_task(async function test_wasm_v2_blocked() {
+// MV3 counterpart is test_wasm_v3_blocked_by_custom_csp.
 add_task(async function test_wasm_v2_blocked_in_report_only_mode() {
  let extension = ExtensionTestUtils.loadExtension({
    background,
    manifest: {
@ -63,7 +70,8 @@ add_task(async function test_wasm_v2_blocked() {
  });
  await extension.startup();
-  equal(await extension.awaitMessage("result"), "blocked");
+  // "allowed" because wasm-unsafe-eval in MV2 is in report-only mode.
  equal(await extension.awaitMessage("result"), "allowed");
  equal(
    await extension.awaitMessage("violated_csp"),
    "object-src 'none'; script-src 'self'"
@ -71,7 +79,7 @@ add_task(async function test_wasm_v2_blocked() {
  await extension.unload();
 });
-add_task(async function test_wasm_v3() {
+add_task(async function test_wasm_v3_blocked_by_default() {
  let extension = ExtensionTestUtils.loadExtension({
    background,
    manifest: {
@ -88,6 +96,27 @@ add_task(async function test_wasm_v3() {
  await extension.unload();
 });
 // MV2 counterpart is test_wasm_v2_blocked_in_report_only_mode.
 add_task(async function test_wasm_v3_blocked_by_custom_csp() {
  let extension = ExtensionTestUtils.loadExtension({
    background,
    manifest: {
      manifest_version: 3,
      content_security_policy: {
        extension_pages: "object-src; script-src 'self'",
      },
    },
  });
  await extension.startup();
  equal(await extension.awaitMessage("result"), "blocked");
  equal(
    await extension.awaitMessage("violated_csp"),
    "object-src 'none'; script-src 'self'"
  );
  await extension.unload();
 });
 add_task(async function test_wasm_v3_allowed() {
  let extension = ExtensionTestUtils.loadExtension({
    background,