#602: CSP semantics update, fix wss: access
This commit is contained in:
Cameron Kaiser
parent
a5a4a7ecf9
commit
5785a7c366
|
|
@ -574,7 +574,8 @@ nsCSPParser::keywordSource()
|
|||
// Special case handling for 'self' which is not stored internally as a keyword,
|
||||
// but rather creates a nsCSPHostSrc using the selfURI
|
||||
if (CSP_IsKeyword(mCurToken, CSP_SELF)) {
|
||||
return CSP_CreateHostSrcFromURI(mSelfURI);
|
||||
// TenFourFox issue 602
|
||||
return CSP_CreateHostSrcFromURI(mSelfURI, /* aIsSelf */ true);
|
||||
}
|
||||
|
||||
if (CSP_IsKeyword(mCurToken, CSP_UNSAFE_INLINE)) {
|
||||
|
|
|
|||
|
|
@ -191,7 +191,7 @@ CSP_ContentTypeToDirective(nsContentPolicyType aType)
|
|||
}
|
||||
|
||||
nsCSPHostSrc*
|
||||
CSP_CreateHostSrcFromURI(nsIURI* aURI)
|
||||
CSP_CreateHostSrcFromURI(nsIURI* aURI, bool aIsSelf)
|
||||
{
|
||||
// Create the host first
|
||||
nsCString host;
|
||||
|
|
@ -211,6 +211,10 @@ CSP_CreateHostSrcFromURI(nsIURI* aURI)
|
|||
portStr.AppendInt(port);
|
||||
hostsrc->setPort(portStr);
|
||||
}
|
||||
|
||||
// Mark if this came from 'self' originally (TenFourFox issue 602).
|
||||
hostsrc->setCameFromSelf(aIsSelf);
|
||||
|
||||
return hostsrc;
|
||||
}
|
||||
|
||||
|
|
@ -303,6 +307,14 @@ permitsScheme(const nsAString& aEnforcementScheme,
|
|||
return true;
|
||||
}
|
||||
|
||||
// TenFourFox issue 602: allow loading wss if the enforcement scheme is TLS,
|
||||
// or if we are promised an upgrade of ws.
|
||||
if (aEnforcementScheme.EqualsASCII("https") &&
|
||||
(scheme.EqualsASCII("wss") ||
|
||||
(aUpgradeInsecure && !aReportOnly && scheme.EqualsASCII("ws")))) {
|
||||
return true;
|
||||
}
|
||||
|
||||
// Allow the load when enforcing upgrade-insecure-requests with the
|
||||
// promise the request gets upgraded from http to https and ws to wss.
|
||||
// See nsHttpChannel::Connect() and also WebSocket.cpp. Please note,
|
||||
|
|
@ -316,6 +328,7 @@ permitsScheme(const nsAString& aEnforcementScheme,
|
|||
/* ===== nsCSPSrc ============================ */
|
||||
|
||||
nsCSPBaseSrc::nsCSPBaseSrc()
|
||||
: mCameFromSelf(false) // TenFourFox issue 602
|
||||
{
|
||||
}
|
||||
|
||||
|
|
@ -323,6 +336,18 @@ nsCSPBaseSrc::~nsCSPBaseSrc()
|
|||
{
|
||||
}
|
||||
|
||||
/* TenFourFox issue 602 */
|
||||
bool
|
||||
nsCSPBaseSrc::getCameFromSelf() const
|
||||
{
|
||||
return mCameFromSelf;
|
||||
}
|
||||
void
|
||||
nsCSPBaseSrc::setCameFromSelf(bool aIsSelf)
|
||||
{
|
||||
mCameFromSelf = aIsSelf;
|
||||
}
|
||||
|
||||
// ::permits is only called for external load requests, therefore:
|
||||
// nsCSPKeywordSrc and nsCSPHashSource fall back to this base class
|
||||
// implementation which will never allow the load.
|
||||
|
|
@ -338,8 +363,7 @@ nsCSPBaseSrc::permits(nsIURI* aUri, const nsAString& aNonce, bool aWasRedirected
|
|||
return false;
|
||||
}
|
||||
|
||||
// ::allows is only called for inlined loads, therefore:
|
||||
// nsCSPSchemeSrc, nsCSPHostSrc fall back
|
||||
// ::allows is only called for inlined loads, therefore externals fall back
|
||||
// to this base class implementation which will never allow the load.
|
||||
bool
|
||||
nsCSPBaseSrc::allows(enum CSPKeyword aKeyword, const nsAString& aHashOrNonce) const
|
||||
|
|
@ -534,6 +558,13 @@ nsCSPHostSrc::permits(nsIURI* aUri, const nsAString& aNonce, bool aWasRedirected
|
|||
return true;
|
||||
}
|
||||
|
||||
// TenFourFox issue 602. Called for inlined loads only.
|
||||
bool
|
||||
nsCSPHostSrc::allows(enum CSPKeyword aKeyword, const nsAString& aHashOrNonce) const
|
||||
{
|
||||
return getCameFromSelf();
|
||||
}
|
||||
|
||||
void
|
||||
nsCSPHostSrc::toString(nsAString& outStr) const
|
||||
{
|
||||
|
|
|
|||
|
|
@ -169,7 +169,8 @@ inline CSPKeyword CSP_KeywordToEnum(const nsAString& aKey)
|
|||
|
||||
class nsCSPHostSrc;
|
||||
|
||||
nsCSPHostSrc* CSP_CreateHostSrcFromURI(nsIURI* aURI);
|
||||
// TenFourFox issue 602
|
||||
nsCSPHostSrc* CSP_CreateHostSrcFromURI(nsIURI* aURI, bool aIsSelf = false);
|
||||
bool CSP_IsValidDirective(const nsAString& aDir);
|
||||
bool CSP_IsDirective(const nsAString& aValue, CSPDirective aDir);
|
||||
bool CSP_IsKeyword(const nsAString& aValue, enum CSPKeyword aKey);
|
||||
|
|
@ -188,6 +189,12 @@ class nsCSPBaseSrc {
|
|||
bool aReportOnly, bool aUpgradeInsecure) const;
|
||||
virtual bool allows(enum CSPKeyword aKeyword, const nsAString& aHashOrNonce) const;
|
||||
virtual void toString(nsAString& outStr) const = 0;
|
||||
|
||||
/* TenFourFox issue 602 */
|
||||
bool getCameFromSelf() const;
|
||||
void setCameFromSelf(bool isSelf);
|
||||
private:
|
||||
bool mCameFromSelf;
|
||||
};
|
||||
|
||||
/* =============== nsCSPSchemeSrc ============ */
|
||||
|
|
@ -214,6 +221,9 @@ class nsCSPHostSrc : public nsCSPBaseSrc {
|
|||
|
||||
bool permits(nsIURI* aUri, const nsAString& aNonce, bool aWasRedirected,
|
||||
bool aReportOnly, bool aUpgradeInsecure) const;
|
||||
/* TenFourFox issue 602 */
|
||||
bool allows(enum CSPKeyword aKeyword, const nsAString& aHashOrNonce) const;
|
||||
|
||||
void toString(nsAString& outStr) const;
|
||||
|
||||
void setScheme(const nsAString& aScheme);
|
||||
|
|
|
|||
Loading…
Reference in New Issue